Cert renewal failure: DNS challenge fails with "TSIG signature fails to verify"

This particular domain expired today but it successfully auto-renewed multiple times up until now. This is a renewal for a wildcard cert, so it goes through DNS challenge.

From my DNS logs, I can see the TXT record was indeed added, but as certbot queries for it afterwards and tries to verify the TSIG, it fails. No values in my rfc2136.ini file have changed in a very long time.

Does anybody know what may be going on?

Thanks!

My details:

My domain is: mgmt.kraychete.com

I ran this command: certbot renew

It produced this output:
Renewing an existing certificate for mgmt.kraychete.com and *.mgmt.kraychete.com
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: local variable 'received_time' referenced before assignment
Failed to renew certificate mgmt.kraychete.com with error: Encountered error adding TXT record: local variable 'received_time' referenced before assignment

The logs include these lines:

2024-09-06 20:00:25,558:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-09-06 20:00:25,559:INFO:certbot._internal.auth_handler:dns-01 challenge for mgmt.kraychete.com
2024-09-06 20:00:25,559:INFO:certbot._internal.auth_handler:dns-01 challenge for mgmt.kraychete.com
2024-09-06 20:00:25,562:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.mgmt.kraychete.com
2024-09-06 20:00:25,564:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for mgmt.kraychete.com
2024-09-06 20:00:25,586:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 519, in tcp
    q.keyring, q.request_mac)
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 461, in receive_tcp
    one_rr_per_rrset=one_rr_per_rrset)
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 807, in from_wire
    reader.read()
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 748, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/lib/python3.6/site-packages/dns/message.py", line 700, in _get_section
    self.message.first)
  File "/usr/lib/python3.6/site-packages/dns/tsig.py", line 198, in validate
    raise BadSignature
dns.tsig.BadSignature: The TSIG signature fails to verify.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 134, in add_txt_record
    response = dns.query.tcp(update, self.server, self._default_timeout, self.port)
  File "/usr/lib/python3.6/site-packages/dns/query.py", line 521, in tcp
    if begin_time is None or received_time is None:
UnboundLocalError: local variable 'received_time' referenced before assignment

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 85, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 81, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 137, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: local variable 'received_time' referenced before assignment

My web server is (include version): N/A

The operating system my web server runs on is (include version): openSUSE 15.5

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

1 Like

Hi @brunokc, and welcome to the LE community forum!

Has anything changed within Python?:
/usr/lib/python3.6/site-packages/certbot/

Is there any way you can upgrade that to the latest version?

1 Like

Hmm, this sounds familiar: something to do with updating BIND DNS and having to change the TSIG algorithm choice because the previous selection is no longer supported, maybe?

5 Likes

Thank you for your help, @rg305.

Not that I know of. This is the same openSUSE 15.5 I've been using since last year. Having said that, the issue seems to be originating from the dns Python package (/usr/lib/python3.6/site-packages/dns/tsig.py). I'll check to see if anything changed in certbot or dns.

This is the latest from openSUSE 15.5. Even the next version, 15.6, released this past June, seems to still be using version 1.22 (not sure why). If I can't get this fixed any other way, I'll look into my options for updating it.

Thanks!

1 Like

Good insight, thank you @webprofusion. However, as I mentioned, I do see the update going through and a TXT record is added. It's just when it tries to validate the TSIG of the record it gets back that it fails. Also, I've used dig and nsupdate manually using the same key and the same algorithm, and it all seems to work fine. I assume that certbot would continue to be fine as well.

Well, what do you know! The python3-dnsbind package was updated on 7/30 (version 1.15.0-150000.3.5.1) and again on 8/14 (version 1.15.0-150000.3.7.1).

2024-07-30 20:31:21|install|python3-dnspython|1.15.0-150000.3.5.1|noarch||repo-sle-update|e005cf5354813c454cc50a575ca96971a33f5c8d3997945e9075d8a9e8d2bbe1|
[...]
2024-08-14 20:30:41|install|python3-dnspython|1.15.0-150000.3.7.1|noarch||repo-sle-update|0538de60e6c8fa5a07c078b180e5c5ae44097f6be7437cf391524cddccf17663|

Checking the available versions, I get:

sun:/var/log/zypp # zypper se -v python3-dnspython
Loading repository data...
Reading installed packages...

S  | Name              | Type    | Version             | Arch   | Repository
---+-------------------+---------+---------------------+--------+-------------------------------------------------------------
v  | python3-dnspython | package | 1.15.0-150000.3.2.1 | noarch | Main Repository
    name: python3-dnspython
i+ | python3-dnspython | package | 1.15.0-150000.3.5.1 | noarch | Update repository with updates from SUSE Linux Enterprise 15
    name: python3-dnspython
v  | python3-dnspython | package | 1.15.0-150000.3.7.1 | noarch | Update repository with updates from SUSE Linux Enterprise 15
    name: python3-dnspython

I downgraded that package all the way back to version 3.2.1 and everything worked! There's still the question of why the two newer versions fail the TSIG check on a regular query. I'll have to look into that separately.

Thanks again, @rg305 and @webprofusion!

3 Likes

Glad you got it working, but it's best to look into the rfc2136.ini settings to see if you can change the algorithm choice to a modern setting etc., as just not updating isn't ideal!

3 Likes

I'm definitely open to updating it. I'm currently using HMAC-SHA512. I assumed this was "modern enough". What would you suggest I use instead?

1 Like

Sounds good enough to me, but I don't use RFC2136; maybe it's not the algorithm that's the problem.

2 Likes

A quick update: a bug was found in the python3-dnspython package of openSUSE 15.5, which is the OS I'm using. It looks like the latest version picked up a big refactoring of that package but missed a couple of fixes that were applied later. They're looking into it. More details at 1230353 – Certbot DNS update (RFC2136) stopped working after upgrade to python3-dnspython version 1.15.0-150000.3.5.1 (opensuse.org).

3 Likes