Certbot dns-rfc2136 but REFUSED error

Hi, I tried to use certbot with dns-rfc2136. I took a look at the issues in the community and followed the steps I know to fix it, but I still have the error. No idea. Please help.

The named user has already been given rights on the /var/named folder.

/etc/named.conf

acl allowed {
	192.168.1.0/24;
};
options {
	listen-on port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };
	recursion no;

	dnssec-enable no;
	dnssec-validation no;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
	forwarders {
		192.168.1.1;
		8.8.8.8;
	};
};

logging {
	channel querylog {
		file "/var/named/data/named-querylog";
		print-category yes;
		print-time yes;
		};
	category queries {
		querylog;
		};
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "dev.example.com" {
	type master;
	file "/var/named/dev.example.com.hosts";
};

key "certbot." {
	algorithm hmac-sha512;
	secret "xxxx";
};

zone "_acme-challenge.dev.example.com" {
	type master;
	file "/var/named/_acme-challenge.dev.example.com.hosts";
	check-names ignore;
	allow-query { any; };
	update-policy {
		grant certbot. name _acme-challenge.dev.example.com. txt;
	};
};

certbot-credentials.ini (already ran chmod 777)

dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 53
dns_rfc2136_name = certbot.
dns_rfc2136_secret = "xxxxx"
dns_rfc2136_algorithm = HMAC-SHA512

certbot log:

2022-06-27 16:22:10,264:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-06-27 16:22:10,265:INFO:certbot._internal.auth_handler:dns-01 challenge for dev.example.com
2022-06-27 16:22:10,265:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: /var/named/certbot-credentials.ini
2022-06-27 16:22:10,272:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.dev.example.com
2022-06-27 16:22:10,279:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for dev.example.com
2022-06-27 16:22:10,285:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/2133/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 86, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/var/lib/snapd/snap/certbot/2133/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 84, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 146, in add_txt_record
    raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: REFUSED

Command to run
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /var/named/certbot-credentials.ini -d dev.example.com -d *.dev.example.com
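The two DEBUG lines in the log above show which zone the plugin decided to send its dynamic update to: it found no authoritative SOA for _acme-challenge.dev.example.com and fell back to dev.example.com, and in the named.conf above that zone has no update-policy at all, so BIND answers REFUSED. The following script (an added example, not part of the original post or of the certbot plugin) reproduces that reasoning offline: it reads the plugin's target zone from the log lines and checks whether that zone's update-policy grants the key a TXT record at the challenge name. The log lines and zone stanzas are constructed from the question, with paths and secrets left out.

```python
import re

# Constructed from the question above: the two certbot debug lines and the two zone
# stanzas of the original named.conf (file paths and the TSIG secret omitted).
CERTBOT_LOG = """\
DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.dev.example.com
DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for dev.example.com
"""
NAMED_CONF_BEFORE = """\
zone "dev.example.com" {
	type master;
};
zone "_acme-challenge.dev.example.com" {
	type master;
	update-policy { grant certbot. name _acme-challenge.dev.example.com. txt; };
};
"""
GRANT_RE = re.compile(r"grant\s+(\S+)\s+name\s+(\S+)\s+(\w+)\s*;", re.I)

def zone_bodies(conf):
    """Yield (zone, body) per zone statement, counting braces so nested blocks stay intact."""
    for m in re.finditer(r'zone\s+"([^"]+)"', conf):
        start = conf.index("{", m.end())
        depth = 0
        for i in range(start, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            if depth == 0:
                break
        yield m.group(1).rstrip(".").lower(), conf[start + 1:i]

def grants_for(conf, zone):
    """Normalised (key, name, rrtype) triples granted by that zone's update-policy."""
    for z, body in zone_bodies(conf):
        if z == zone.rstrip(".").lower():
            return [(k.rstrip(".").lower(), n.rstrip(".").lower(), t.upper())
                    for k, n, t in GRANT_RE.findall(body)]
    return []

def plugin_target_zone(log):
    """The plugin sends its update to the first name it got an authoritative SOA for."""
    m = re.search(r"Received authoritative SOA response for (\S+)", log)
    return m.group(1).rstrip(".").lower() if m else None

def diagnose(log, conf, key="certbot.", rrname="_acme-challenge.dev.example.com"):
    """Return (target_zone, allowed): does that zone's update-policy permit the TXT add?"""
    zone = plugin_target_zone(log)
    if zone is None:
        return None, False
    want = (key.rstrip(".").lower(), rrname.rstrip(".").lower(), "TXT")
    return zone, want in grants_for(conf, zone)
```

Running `diagnose(CERTBOT_LOG, NAMED_CONF_BEFORE)` yields `('dev.example.com', False)`; moving the grant into the dev.example.com zone, as the accepted answer suggests, turns the second value into `True`.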

I run BIND myself and also use the dns-rfc2136 plugin, but I must confess I'm not that well versed in BIND, to be honest.

In my situation, and I think it also makes sense, you don't use an entire separate zone for the _acme-challenge label but integrate it into the existing zone. It's just adding/removing a subdomain, so that doesn't require an entire zone.

A working example for the dns-rfc2136 plugin from my system is:

named.conf:

zone "example.com" IN {
        type master;
        file "pri/example.com.zone";
        key-directory "/etc/bind/keys";
        auto-dnssec maintain;
        inline-signing yes;
        update-policy {
                grant certbot. name _acme-challenge.example.com. TXT;
        };
        allow-query {
                any;
        };
};

@Osiris Thanks for your help. I changed the named.conf; it works.
But I just kept the existing networking settings. The networking settings worked before. No idea why they don't work now.

acl allowed {
	192.168.1.0/24;
};
options {
	listen-on port 53 { any; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };
	recursion no;

	dnssec-enable no;
	dnssec-validation no;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
	forwarders {
		192.168.1.1;
		8.8.8.8;
	};
};

logging {
	channel querylog {
		file "/var/named/data/named-querylog";
		print-category yes;
		print-time yes;
		};
	category queries {
		querylog;
		};
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "dev.example.com" {
	type master;
	file "/var/named/dev.example.com.hosts";
	check-names ignore;
	allow-query { any; };
	update-policy {
		grant certbot. name _acme-challenge.dev.example.com. txt;
	};
};

key "certbot." {
	algorithm hmac-sha512;
	secret "xxxx";
};

I'm not sure I understand. In the same post you say "it works" and "not work now". So I'm confused.
