OVH DNS : Could not determine zone for domain #101

Open
rockandska opened this issue Oct 30, 2017 · 2 comments
Hi,

Not sure if it is related directly to "lego" or specifically to this image or the OVH API (no one complained on the ML).

Certificates created with v0.4.0
Multiple domains were specified at creation but removed afterwards
Upgrade to v0.5.0

Nothing has changed since, not even the credentials or rights given to the OVH account, and the domain exists

Domain / token redacted

10/30/2017 4:27:45 PMtime="2017-10-30T15:27:45Z" level=info msg="Starting Let's Encrypt Certificate Manager v0.5.0 0913231"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Using locally stored Let's Encrypt account for mail@domain.com"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Using Let's Encrypt Production API"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Found locally stored certificate 'sub.domain.com'"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Found existing certificate 'sub.domain.com' in Rancher"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Managing renewal of certificate 'sub.domain.com'"
10/30/2017 4:27:46 PMtime="2017-10-30T15:27:46Z" level=info msg="Certificate renewal scheduled for 2017/10/30 12:00 UTC"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="Trying to obtain renewed SSL certificate (sub.domain.com) from Let's Encrypt Production CA"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Trying renewal with 479 hours remaining"
10/30/2017 4:27:56 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Obtaining bundled SAN certificate"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/xxxxxxxxxxxxxxxxxxxxxxxxxxx"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:56Z" level=info msg="[INFO][sub.domain.com] acme: Could not find solver for: http-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=info msg="[INFO][sub.domain.com] acme: Could not find solver for: tls-sni-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=info msg="[INFO][sub.domain.com] acme: Trying to solve DNS-01"
10/30/2017 4:27:57 PMtime="2017-10-30T15:27:57Z" level=fatal msg="Failed to renew certificate: Error presenting token: Could not determine zone for domain: 'sub.domain.com'. Could not find the start of authority"
@rockandska

After reading this comment, I changed one thing on my platform and didn't think that it could be a problem, but could it be?

All my servers are behind a pfSense, and for different purposes, I had a DNS override on this domain to let the internal servers use the private IP instead of the public one.

I will give it a try with DNS_RESOLVERS to see if it solves my problem.

@rockandska

rockandska commented Oct 30, 2017

It seems that it was the problem indeed.
Glad that I've found the solution in time, but it was not easy to find and I lost a lot of time.

Could you please add a section in the README for this kind of configuration? (It is not related to the provider.)
Is it possible to use more than one DNS server in this env variable?

Best regards,
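
The failure mode discussed in this thread, as an added example that is not part of the original issue and is not lego's or this image's code: a simplified model of SOA-based zone detection run against two resolver views. The names `soaView`, `findZone` and `diagnose` are hypothetical, and both views are constructed, with the internal (override) resolver assumed to return no SOA record for any name in the chain.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// soaView is a constructed stand-in for one resolver: the set of names for
// which that resolver returns an SOA record in the answer section.
type soaView map[string]bool

var errNoSOA = errors.New("could not find the start of authority")

// findZone walks fqdn label by label towards the root and returns the first
// candidate name for which the view holds an SOA record.
func findZone(fqdn string, view soaView) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if view[candidate] {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("could not determine zone for %q: %w", fqdn, errNoSOA)
}

// diagnose runs the same walk against both views and names the likely cause.
func diagnose(fqdn string, internal, public soaView) string {
	inZone, inErr := findZone(fqdn, internal)
	pubZone, pubErr := findZone(fqdn, public)
	switch {
	case inErr != nil && pubErr == nil:
		return "split-horizon: only the public view finds zone " + pubZone
	case inErr != nil:
		return "no SOA in either view"
	case pubErr != nil || inZone != pubZone:
		return "views disagree: internal view reports zone " + inZone
	default:
		return "views agree on zone " + inZone
	}
}

// Constructed views (assumption): public sees the SOA, the override sees none.
var publicView, internalView = soaView{"domain.com.": true}, soaView{}

func main() {
	fmt.Println(diagnose("_acme-challenge.sub.domain.com.", internalView, publicView))
}
```

When the two views differ like this, the certificate manager has to query a resolver that sees the public zone, which is what the DNS_RESOLVERS setting mentioned above was used for.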
