Bad signature error on dns challenge

You could also try updating to the latest certbot and latest plugin, which I assume is this: Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation then review those docs to make sure everything is configured OK.


After much wrestling both with acme.sh and with nsupdate I eventually found the TSIG issue. With recent updates to BIND, dnssec-keygen no longer supports the HMAC-MD5 algorithm used in TSIGs; you need to use tsig-keygen instead. tsig-keygen is, in effect, no more than a link to ddns-confgen, but the link was not there in my updated OS installations. Absolutely nothing in the error messages pointed to that.

My wildcard certificate expired yesterday, before I worked this out, and my acme.sh setup is now hanging at a different place. I suspect I would be better off with a new clean install. Is there anything (apart from the update key that's in named.conf) that I really ought to hang on to? And will there be anything about the old certificate that might get in the way of issuing a new one?

[updated]


Correction: ddns-confgen, not dnssec-confgen.
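Added example (my own, not code from any poster in this thread): a POSIX shell snippet that writes a BIND `key` stanza in the same shape tsig-keygen emits, an `update-policy` that limits that key to the `_acme-challenge` TXT record the dns-01 challenge needs, and a check that rejects hmac-md5 stanzas and secrets that are not valid base64. The key name `acme-key`, the zone `example.com` and the sample secret are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the named.conf pieces an ACME
# dns-01 client needs and sanity-checks a key stanza before it is deployed.
# Key name, zone and secret used in the usage section are constructed.

# Generate a base64 secret of N random bytes (default 32, suited to hmac-sha256).
tsig_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Print a "key" stanza in the layout tsig-keygen produces.
tsig_key_stanza() {
    name=$1; alg=$2; secret=$3
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Print an update-policy granting the key rights only to the challenge TXT record,
# so a leaked ACME key cannot rewrite anything else in the zone.
acme_update_policy() {
    key=$1; zone=$2
    printf 'update-policy {\n\tgrant %s name _acme-challenge.%s. txt;\n};\n' "$key" "$zone"
}

# Check a stanza: 0 = ok, 1 = missing fields, 2 = hmac-md5 (no longer generated
# by current BIND tools), 3 = secret is not valid base64.
check_tsig_stanza() {
    stanza=$1
    alg=$(printf '%s\n' "$stanza" | sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;]*\);.*/\1/p')
    secret=$(printf '%s\n' "$stanza" | sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)";.*/\1/p')
    [ -n "$alg" ] && [ -n "$secret" ] || return 1
    case "$alg" in
        hmac-md5*) return 2 ;;
    esac
    printf '%s' "$secret" | base64 -d >/dev/null 2>&1 || return 3
    return 0
}

# Usage (constructed values): generate a key, emit both stanzas, verify the key.
if [ "${1:-}" = "demo" ]; then
    secret=$(tsig_secret 32)
    stanza=$(tsig_key_stanza acme-key hmac-sha256 "$secret")
    printf '%s\n' "$stanza"
    acme_update_policy acme-key example.com
    check_tsig_stanza "$stanza" && echo "key stanza ok"
fi
```

Run it with `sh script.sh demo` to print a ready-to-paste key block plus the matching policy; the `update-policy` goes inside the `zone` block, the `key` stanza at top level in named.conf, and the same algorithm and secret then go into the acme.sh or certbot rfc2136 credentials.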

If your cert has expired I'd say there's no problem in just starting again (renewed certificates are new certificates, the difference is you don't have to configure your web server to use the cert file every time, just the first time).

Skimming through the thread I didn't catch which web server software you are using (nginx etc) but you will need to update your web server config to point to the correct certificate files, once you have your certificate.

