extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2025-05-31 07:07:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #845 from openziti/843-ssl-not-being-generated-caddy-godaddy

Browse Source 
docker instance - document troubleshooting slow dns
This commit is contained in:
Kenneth Bingham 2025-01-29 10:09:26 -05:00 committed by GitHub
commit 73e66c3ef6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -2,6 +2,8 @@
## v0.4.47
CHANGE: Document solving the DNS propagation timeout for Docker instances that are using Caddy to manage the wildcard certificate.
CHANGE: Add usage hint in `zrok config get --help` to clarify how to list all valid `configName` and their current values by running `zrok status`.
CHANGE: The Python SDK's `Overview()` function was refactored as a class method (https://github.com/openziti/zrok/pull/846).

19
docker/compose/zrok-instance/README.md
View File

@ -190,7 +190,7 @@ See "My internet connection can only send traffic to common ports" below about c
docker compose logs zrok-controller
```
1. Check the caddy logs.
1. Check the Caddy logs.
It can take a few minutes for Caddy to obtain the wildcard certificate. You can check the logs to see if there were any errors completing the DNS challenge which involves using the Caddy DNS plugin to create a TXT record in your DNS zone. This leverages the API token you provided in the `.env` file, which must have permission to create DNS records in the zrok DNS zone.
@ -198,6 +198,23 @@ See "My internet connection can only send traffic to common ports" below about c
docker compose logs caddy
```
1. Caddy keeps failing to obtain a wildcard certificate because it timed out waiting for DNS.
Symptom: the Caddy log contains "timed out waiting for record to fully propagate." This means that Caddy added a DNS record with your DNS provider's API to prove to the CA it controls the zrok DNS zone, but it wasn't able to verify the record was created successfully with a DNS query.
Solutions:
- Add `propagation_delay` in your `Caddyfile` to delay the first DNS verification query. This avoids caching a verification query failure by waiting a few minutes for the record to become available so the verification query will succeed on the first attempt. Caddy will be unable to verify the DNS record if the failure remains in the cache too long.
- If the prior solution fails, you can override the default resolves/nameservers with `resolvers`, a space-separated list of DNS servers. This gives you more control over if and where the verification query result is cached.
```
tls {
dns {CADDY_DNS_PLUGIN} {CADDY_DNS_PLUGIN_TOKEN}
propagation_timeout 60m # default 2m
propagation_delay 5m # default 0m
}
```
1. `zrok enable` fails certificate verification: ensure you are not using the staging API for Let's Encrypt.
If you are using the staging API, you will see an error about the API certificate when you use the zrok CLI. You can switch to the production API by removing the overriding assignment of the `CADDY_ACME_API` variable.