Certbot 1.32 dns challenge with CNAME to acme/dynamic zone allowing updates

ah, okay...it was my understanding that I was making mistakes in a method that is known to work and supported. It sounds like the alternative client or some other manual intervention is required. I can also do it other ways using the web server that already exists on this VM...however, I was hoping it could be a bit more generic in case I move the mail server away from the web server in the future.

Seems like a lot to do for something that should just work "out of the box" though.

A "simpler" (already tested/proven) ACME DNS client may be a better choice.

7 Likes

maybe still a lesser of two evils...now that I know it isn't an out of the box request, my efforts may be better invested elsewhere.

If you have any tips or tricks, I'm happy to try them out!

2 Likes

What happens now with the new CNAMEs?
use -vv or more detail

6 Likes

it's the same problem here...before this is the nonce/key exchange with the ACME servers, which doesn't show any issues.

Performing the following challenges:
dns-01 challenge for mail.rfsmiths.com
dns-01 challenge for smtp.rfsmiths.com
No authoritative SOA record found for _acme-challenge.mail.rfsmiths.com
No authoritative SOA record found for mail.rfsmiths.com
Received authoritative SOA response for rfsmiths.com
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 86, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.9/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 84, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3.9/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 146, in add_txt_record
    raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: REFUSED

Calling registered functions
Cleaning up challenges
No authoritative SOA record found for _acme-challenge.mail.rfsmiths.com
No authoritative SOA record found for mail.rfsmiths.com
Received authoritative SOA response for rfsmiths.com
Encountered exception during recovery: certbot.errors.PluginError: Received response from server: REFUSED
Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/auth_handler.py", line 86, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.9/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.9/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 84, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3.9/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 146, in add_txt_record
    raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: REFUSED
Received response from server: REFUSED

and I can see the refusal in the named logs, as it is trying to update rfsmiths.com instead of the acme.raysee.net zone.

3 Likes

on this topic, it seems like something like this could work, that does the nsupdate on the side, but that just points to using another client perhaps. For now, setting up another virtual host in apache is easy and solves my issue for now.

1 Like

I don't see the CNAME there ...

6 Likes

sorry, my bad. I removed it while I worked on some other things. I have placed it back as it doesn't interfere with my other modifications.

1 Like

I hope that you are testing against staging - LOL

5 Likes

that's what --dry-run does...right? Pretty sure the logs showed "staging" in the acme server name...

1 Like

Yes, "--dry-run" is good for that.

5 Likes

Yes, I had to look all the way up.
None of the logs shown showed staging.

4 Likes

I didn't include the earlier parts of the log since that had nonces and such which I didn't know were sensitive or not...

1 Like

You're good.
--dry-run is for testing
You can hammer away at it!

5 Likes

I was testing locally on an example with SiteA CNAME to SiteB.
But I fear that not all DNS servers are created equal - and they may not react in the same way.
In my test, I can get the fake DNS server to respond via the CNAME; As it has both zones [fake and real one] and although it does return the "CNAME" and the "TXT" record, it should be authoritative response and meet the challenge.

But I'm a glutton for punishment and like to reinvent perfectly good working wheels as often as possible - LOL

My best advice is to use another client.

6 Likes

I guess the short answer is that certbot and the corresponding rfc2136 plugin don't support this use case with CNAMEs (yet)? I'm glad I posted instead of spending another 12 hours working on it!

2 Likes

Yeah, acme.sh calls this DNS alias mode, and there's nothing like it built into Certbot that I know of. But that may be a term that other clients might use, too. But like the forum post you linked to in your first message says, you may be able to just write your own certbot manual authentication script to do whatever you need to, if you want to stick with tried-and-known certbot.

7 Likes
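The "write your own manual authentication script" route mentioned above, as an added example that is not part of any post in this thread and not certbot's or acme.sh's own code: a POSIX sh hook for certbot's --manual-auth-hook and --manual-cleanup-hook that does what the rfc2136 plugin skips in the traceback earlier in the thread. It follows the _acme-challenge CNAME to its target, refuses to touch anything outside the delegated zone, and only then hands nsupdate a TXT update for that zone. The server name ns1.raysee.net, the TSIG key file path, the ACME_HOOK_ACTION and PROPAGATION_SECONDS variables and the DIG override are assumptions for illustration; acme.raysee.net and the rfsmiths.com names are the ones from this thread. It generalizes slightly beyond the thread by following a chain of CNAMEs rather than a single hop.

```shell
#!/bin/sh
# Added example (not from this thread, certbot or acme.sh): certbot manual hook
# that follows the _acme-challenge CNAME and updates the delegated zone via
# nsupdate. Server, key path, env switches and the DIG override are assumptions.
set -eu

RFC2136_SERVER="${RFC2136_SERVER:-ns1.raysee.net}"                 # assumed primary for the acme zone
RFC2136_ZONE="${RFC2136_ZONE:-acme.raysee.net}"                    # zone that allows dynamic updates
RFC2136_KEYFILE="${RFC2136_KEYFILE:-/etc/letsencrypt/acme-tsig.key}"  # assumed BIND-style TSIG key file
TXT_TTL="${TXT_TTL:-60}"
DIG="${DIG:-dig}"   # command used for CNAME lookups; overridable so the lookup can be stubbed

# Strip a trailing dot so names compare consistently.
strip_dot() { printf '%s\n' "${1%.}"; }

# Follow the CNAME chain from NAME and print the final target (no trailing dot).
# With no CNAME present the name is returned unchanged, which is effectively
# what the rfc2136 plugin does today (hence the update landing in rfsmiths.com).
follow_cname() {
    name=$(strip_dot "$1")
    hops=0
    while [ "$hops" -lt 8 ]; do          # bounded: a CNAME loop must not hang the hook
        target=$("$DIG" +short CNAME "$name." | head -n 1)
        [ -n "$target" ] || break
        name=$(strip_dot "$target")
        hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

# Return 0 if NAME lies inside ZONE, 1 otherwise.
in_zone() {
    name=$(strip_dot "$1"); zone=$(strip_dot "$2")
    case "$name" in
        *."$zone") return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the nsupdate batch that adds or deletes the validation TXT at TARGET.
# The explicit "zone" line is what keeps the update inside the acme zone.
nsupdate_batch() {
    action=$1; target=$2; value=$3
    printf 'server %s\n' "$RFC2136_SERVER"
    printf 'zone %s.\n' "$RFC2136_ZONE"
    if [ "$action" = add ]; then
        printf 'update add %s. %s IN TXT "%s"\n' "$target" "$TXT_TTL" "$value"
    else
        printf 'update delete %s. IN TXT "%s"\n' "$target" "$value"
    fi
    printf 'send\n'
}

# Resolve where the challenge for DOMAIN must be written and refuse to update
# anything outside the delegated zone; this is the check that makes the
# CNAME delegation safe to automate.
challenge_target() {
    target=$(follow_cname "_acme-challenge.$1")
    if ! in_zone "$target" "$RFC2136_ZONE"; then
        echo "refusing: $target is not under $RFC2136_ZONE" >&2
        return 1
    fi
    printf '%s\n' "$target"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# ACME_HOOK_ACTION is our own (assumed) switch: "add" for the auth hook,
# "delete" for the cleanup hook.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    action="${ACME_HOOK_ACTION:-add}"
    target=$(challenge_target "$CERTBOT_DOMAIN")
    nsupdate_batch "$action" "$target" "${CERTBOT_VALIDATION:?}" \
        | nsupdate -k "$RFC2136_KEYFILE"
    if [ "$action" = add ]; then
        sleep "${PROPAGATION_SECONDS:-30}"   # give secondaries time before Let's Encrypt queries
    fi
fi
```

Invoked as, for instance, `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/bin/acme-cname-hook.sh --manual-cleanup-hook 'ACME_HOOK_ACTION=delete /usr/local/bin/acme-cname-hook.sh' -d mail.rfsmiths.com -d smtp.rfsmiths.com --dry-run`. The TSIG key should be restricted on the primary with an update-policy that only grants TXT on _acme-challenge names in acme.raysee.net, so a leaked key cannot rewrite the real zone; and, as noted later in the thread, a DNSSEC-signed acme zone additionally needs inline or automatic re-signing configured for dynamic updates to keep validating.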

and this is the piece I was still missing...I'll take a look at the acme.sh script...I didn't know how to pick from the long list, but you've provided enough of a nugget to look into.

through my reading, I learned that dnssec requires additional hoops for these dynamic updates to continue working. I've already modified my "flow" (it's not significant) to do http challenges for these names. That said, I'm still interested in this overall approach.

2 Likes

See also this as-yet-unfixed issue in Certbot's GitHub repo: Allow updating domain pointed to by CNAME in DNS plugins · Issue #6566 · certbot/certbot · GitHub

7 Likes

yes! That's another one...started 4 years ago...it probably isn't happening :rofl:

2 Likes