[Bug]: Doesn't recognize (*.subdomain.domain.com) as valid

[ZaxLofful]

Steps to Reproduce

1. Use Adguard "Filters->DNS Rewrites", add the wildcard A entry. (*.subdomain.domain.com)
2. Send a TLS cert request using the DNS name anything.subdomain.domain.com (traefik auto-request)

Note: As soon as that initial domain fully fails, it proceeds to get a cert for subdomain.domain.com just fine.
Note2: Other machines (including the Smallstep docker host) can ping anything.subdomain.domain.com, including my browser. Thus it's not a failure of Adguard to publish the DNS wildcard.

Your Environment

• OS - Ubuntu Server 20.04
• step-ca Version - 0.25.2

Expected Behavior

Give out cert immediately and not get an error

Actual Behavior

Smallstep responds with "The server could not connect to validation target"

Additional Context

It takes about 5+ mins for Smallstep to finally give up and reject the Traefik request (during this time my Traefik container cannot proceed and the cert requests are stalled for other domains, making them inaccessible)

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[hslatman]

Hey @ZaxLofful, can the machine/container running step-ca successfully connect to anything.subdomain.domain.com itself? Assuming you're running it in Docker (since you mentioned the Docker host), it's possible the container uses a different DNS server and thus doesn't get the right answer. With Docker it's possible to set the DNS server to use: https://docs.docker.com/network/#dns-services. You can also run step-ca with --resolver=<ip:port> to specify a DNS server.

[ZaxLofful]

@hslatman : I already give it the docker-compose DNS options. I will try running it with --resolver to see if that fixes the issue.