Certbot dns-rfc2136 plugin without TSIG

How can I use the dns-rfc2136 plugin to update my DNS without using TSIG?

I edited the dns-rfc2136-credentials file and commented all TSIG related lines, but then certbot complains not being able to verify TSIG credentials (rightfully). However, I do not want the burden to create/configure TSIG on my Windows DNS server. It is locked in to a private network for security.

My domain is:

I ran this command:
c:\Users\ckl-root\pip>certbot certonly --dns-rfc2136 --email ckl@innovaphone.com,vgr@innovaphone.com --dns-rfc2136-credentials c:\certbot\dns.conf

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): training.innovaphone.com
Requesting a certificate for training.innovaphone.com
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The TSIG signature fails to verify.
Encountered error adding TXT record: The TSIG signature fails to verify.

The operating system my web server runs on is (include version):
Windows Server 2022

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.8.0

1 Like

I'm not sure it's even possible to send update commands to BIND without a key. Even the nsupdate -l (for localhost) seems to use a key, but that key is fetched from the session key file. See:

Note that only one session key is generated by named; all zones configured to use update-policy local accept the same key.

The command nsupdate -l implements this feature, sending requests to localhost and signing them using the key retrieved from the session key file.

(8. Configuration Reference — BIND 9 9.19.20-dev documentation)

1 Like

It is definitely possible and even somewhat common I'd say. Plenty of folks running BIND and using unauthenticated RFC2136 with only IP whitelisting as a layer of protection.


Thanks for the replies!

... but ...

I am not using bind, but the Windows DNS service (which definitely allows - with proper configuration - unauthenticated updates).

It is certbot that complains about not being able to verify the TSIG signature. So I need to know if and how it is possible to stop certbot from using TSIG.

Would anyone know and share with me?

1 Like

Since you appear to be running both your client and DNS server on Windows, you might want to consider an using ACME client other than certbot especially since it will be dropping support for Windows in 2024.

I think most of the Windows clients can also interact with Windows DNS directly via Windows auth rather than using RFC2136.

If you're looking for another CLI option, I'm partial to Posh-ACME as the author. But win-acme is also popular. And if you'd rather have a more polished GUI, Certify Certificate Manager is a great choice.


Ryan, thanks for making my day! Avoids me going further in the wrong direction.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.