1. caddy_manager: embed ddns.token (registration bearer token) in Caddyfile, not DDNS_TOTP_SECRET. The pic_ngo plugin sends the token to POST /api/v1/dns-challenge; using the TOTP secret caused 401 on every attempt. 2. firewall_manager: add _acme-challenge.<zone> forwarding block before each split-horizon zone in the Corefile. Without this, CoreDNS was authoritative for the challenge name and returned NODATA for TXT queries (wildcard A record matches but wrong type), blocking Caddy's internal DNS pre-verification step. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -286,8 +286,11 @@ class CaddyManager(BaseServiceManager):
|
||||
# Resolve credentials at write time — Caddy runs in its own container
|
||||
# and does not inherit the API's environment variables, so we embed the
|
||||
# actual values instead of {$VAR} placeholders.
|
||||
ddns_token = (os.environ.get('DDNS_TOTP_SECRET') or '').strip()
|
||||
ddns_api = (os.environ.get('DDNS_URL') or 'https://ddns.pic.ngo/api/v1').strip()
|
||||
# Use the registration bearer token (ddns.token), NOT the TOTP secret —
|
||||
# the pic_ngo plugin authenticates to POST /api/v1/dns-challenge with this token.
|
||||
ddns_cfg = self.config_manager.configs.get('ddns', {})
|
||||
ddns_token = (ddns_cfg.get('token') or os.environ.get('DDNS_TOKEN') or '').strip()
|
||||
ddns_api = (os.environ.get('DDNS_URL') or ddns_cfg.get('url') or 'https://ddns.pic.ngo/api/v1').strip()
|
||||
|
||||
return (
|
||||
f"{self._global_acme_block(email)}\n"
|
||||
|
||||
Reference in New Issue
Block a user