This particular domain expired today but it successfully auto-renewed multiple times up until now. This is a renewal for a wildcard cert, so it goes through DNS challenge.
From my DNS logs, I can see the TXT record was indeed added, but as certbot queries for it afterwards and tries to verify the TSIG, it fails. No values in my rfc2136.ini file have changed in a very long time.
Does anybody know what may be going on?
Thanks!
My details:
My domain is: mgmt.kraychete.com
I ran this command: certbot renew
It produced this output:
Renewing an existing certificate for mgmt.kraychete.com and *.mgmt.kraychete.com
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: local variable 'received_time' referenced before assignment
Failed to renew certificate mgmt.kraychete.com with error: Encountered error adding TXT record: local variable 'received_time' referenced before assignment
The logs include these lines:
2024-09-06 20:00:25,558:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-09-06 20:00:25,559:INFO:certbot._internal.auth_handler:dns-01 challenge for mgmt.kraychete.com
2024-09-06 20:00:25,559:INFO:certbot._internal.auth_handler:dns-01 challenge for mgmt.kraychete.com
2024-09-06 20:00:25,562:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.mgmt.kraychete.com
2024-09-06 20:00:25,564:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for mgmt.kraychete.com
2024-09-06 20:00:25,586:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 519, in tcp
    q.keyring, q.request_mac)
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 461, in receive_tcp
    one_rr_per_rrset=one_rr_per_rrset)
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 807, in from_wire
    reader.read()
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 748, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 700, in _get_section
    self.message.first)
  File "/usr/lib/python3.6/site-packages/dns/tsig.py", line 198, in validate
    raise BadSignature
dns.tsig.BadSignature: The TSIG signature fails to verify.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 134, in add_txt_record
    response = dns.query.tcp(update, self.server, self._default_timeout, self.port)
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 521, in tcp
    if begin_time is None or received_time is None:
UnboundLocalError: local variable 'received_time' referenced before assignment

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 85, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 81, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 137, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: local variable 'received_time' referenced before assignment
My web server is (include version): N/A
The operating system my web server runs on is (include version): openSUSE 15.5
My hosting provider, if applicable, is: not applicable
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0
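The log in the post above contains three chained tracebacks, and the error certbot prints comes from the last one, which only mentions 'received_time'. As an added example (not part of the original post, and not certbot or dnspython code), this Python sketch walks such a chained traceback and returns the exceptions in the order they were raised, so the first one can be read as the starting point for triage. The sample log is a constructed, shortened excerpt shaped like the one above, and the function names are hypothetical.

```python
import re

# Constructed sample: shortened excerpt shaped like the log in the post above.
SAMPLE_LOG = """\
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dns/tsig.py", line 198, in validate
    raise BadSignature
dns.tsig.BadSignature: The TSIG signature fails to verify.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 521, in tcp
    if begin_time is None or received_time is None:
UnboundLocalError: local variable 'received_time' referenced before assignment
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 137, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: local variable 'received_time' referenced before assignment
"""

TB_START = "Traceback (most recent call last):"
EXC_LINE = re.compile(r"^([A-Za-z_][\w.]*)(?:: (.*))?$")

def exception_chain(log_text):
    """Return [(exception_type, message), ...] in the order they were raised."""
    chain, in_tb, skip_source = [], False, False
    for raw in log_text.splitlines():
        line = raw.strip()  # tolerate logs whose indentation was lost
        if line == TB_START:
            in_tb, skip_source = True, False
        elif not in_tb:
            continue
        elif line.startswith('File "'):
            skip_source = True  # assumes a source line follows each frame
        elif skip_source:
            skip_source = False
        else:
            m = EXC_LINE.match(line)
            if m:
                chain.append((m.group(1), m.group(2) or ""))
            in_tb = False
    return chain

def root_is_masked(log_text):
    """True when the last (reported) message never names the first exception."""
    chain = exception_chain(log_text)
    if len(chain) < 2:
        return False
    return chain[0][0].rsplit(".", 1)[-1] not in chain[-1][1]
```

On the sample, the first entry of the chain is `dns.tsig.BadSignature`, while the reported `PluginError` text never mentions TSIG.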