Certbot dns-rfc2136 server: REFUSED error

Hi!

I am trying to get a wildcard certificate for my domain and get a server: REFUSED error when I run the command certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /home/sysadmin/.certbot_dns -d tech32.com.

This is my bind config:

view "internal" {
match-clients { company; };
match-destinations { any; };
recursion yes;
notify yes;

zone "tech32.com." {
type master;
file "/etc/bind/tech32.com.lan";
};
};

view "external" {
match-clients { any; };
match-destinations { any; };
recursion no;
notify no;

zone "tech32.com" {
type master;
file "/etc/bind/tech32.com";
update-policy {
grant tsigkey. name _acme-challenge.tech32.com. txt;
};
};
};

key "tsigkey." {
algorithm hmac-sha512;
secret "super_secret_key";
};

log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for tech32.com
Cleaning up challenges
Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 170, in del_txt_record
    .format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: REFUSED
Received response from server: REFUSED

Please help me.


What are the contents?

Maybe your internal/external views are screwing things up - you only have the ACL on the external view, but if the dynamic DNS update is coming from company, perhaps it is going to the internal view.

--

Based on "dynamic DNS updates using nsupdate - how to update a different view", you should be able to alter each view's match-clients with your key, to cause the update to match the correct view.

contents of the /home/sysadmin/.certbot_dns:

# Target DNS server
dns_rfc2136_server = 10.10.10.31
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = tsigkey.
# TSIG key secret
dns_rfc2136_secret = super_long_key
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

Thanks! I will check my views and reply to you with the result!

I added
zone "tech32.com" {
type master;
file "/etc/bind/tech32.com";
update-policy {
grant tsigkey. name _acme-challenge.tech32.com. txt;
};
};

to the internal view and got a SERVFAIL error, log:

2018-08-15 16:57:46,497:INFO:certbot.auth_handler:Performing the following challenges:
2018-08-15 16:57:46,497:INFO:certbot.auth_handler:dns-01 challenge for tech32.com
2018-08-15 16:57:46,512:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.tech32.com
2018-08-15 16:57:46,515:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for tech32.com
2018-08-15 16:57:46,521:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 135, in add_txt_record
    .format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL

2018-08-15 16:57:46,521:DEBUG:certbot.error_handler:Calling registered functions
2018-08-15 16:57:46,521:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-15 16:57:46,526:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.tech32.com
2018-08-15 16:57:46,528:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for tech32.com
2018-08-15 16:57:46,531:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2018-08-15 16:57:46,532:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.25.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1213, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 383, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 326, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 362, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 135, in add_txt_record
    .format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL

In my BIND configuration, I only have a dot (.) after the keyname in the zone info (after grant). Not in the actual key statement, nor in the certbot DNS configuration file.

No clue if that’s what matters, but worth a try :stuck_out_tongue:

Also, you should enable logging in BIND (verbose/debug level) and try to find out why BIND refuses. Could be the above key issue, could be something different entirely.

Like this?

  update-policy {
    grant tsigkey .;
  };
};

No. The dot is in the right place. I mean, in the other configuration statements, there's no dot present in my BIND configuration files. Just leave the whole grant tsigkey. blahblah the same, but remove the dot after tsigkey in the other configuration parts, including that of certbot.

But as I said before, no clue if this matters. I'm just saying what my working configuration looks like, YMMV. Looking at the documentation, the dot shouldn't matter. So I'd be looking into debug/verbose logging from your BIND to search for why the update fails.
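To narrow down REFUSED vs SERVFAIL outside certbot, as the replies suggest, here is an added example (not from the thread and not certbot's or dnspython's code) that builds the same TSIG-signed RFC 2136 UPDATE that add_txt_record sends and reports the RCODE the server returns; a key-name or secret mismatch shows up as NOTAUTH with a TSIG error, a view or update-policy problem as REFUSED. The server 10.10.10.31, key name tsigkey. and zone tech32.com. are taken from the thread; the secret is a constructed placeholder, and the code assumes Python 3 with only the standard library.

```python
import base64, hashlib, hmac, os, socket, struct, time

# Constructed demo secret (base64, as BIND and certbot expect); not the key from the thread.
SECRET_B64 = base64.b64encode(b"constructed-demo-secret-not-a-real-key").decode()
TSIG_ALGOS = {"hmac-sha512": hashlib.sha512, "hmac-sha256": hashlib.sha256}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format a domain name, lowercased (the canonical form TSIG hashes)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(zone, name, txt, ttl=60, msg_id=None):
    """Unsigned RFC 2136 UPDATE that adds one TXT RR (what add_txt_record sends)."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5=UPDATE, ZOCOUNT=1, UPCOUNT=1
    zone_section = encode_name(zone) + struct.pack(">HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes([len(txt)]) + txt.encode()                      # TXT <character-string>
    update_rr = encode_name(name) + struct.pack(">HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr

def tsig_sign(msg, keyname, secret_b64, algo="hmac-sha512", now=None, fudge=300):
    """Append a TSIG RR (RFC 8945) so BIND can match the key named in update-policy."""
    now = int(time.time()) if now is None else now
    algo_wire, timestamp = encode_name(algo), struct.pack(">HI", now >> 32, now & 0xFFFFFFFF)
    # TSIG variables covered by the MAC: key name, class ANY, TTL 0, algorithm, time, fudge, error, other-len
    tsig_vars = (encode_name(keyname) + struct.pack(">HI", 255, 0) + algo_wire + timestamp
                 + struct.pack(">HHH", fudge, 0, 0))
    mac = hmac.new(base64.b64decode(secret_b64), msg + tsig_vars, TSIG_ALGOS[algo]).digest()
    rdata = (algo_wire + timestamp + struct.pack(">HH", fudge, len(mac)) + mac
             + msg[0:2] + struct.pack(">HH", 0, 0))  # original ID, error 0, other-len 0
    tsig_rr = encode_name(keyname) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1  # TSIG counts in ARCOUNT but is not hashed
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig_rr

def send_update(signed, server, port=53, timeout=5):
    """Send over TCP (2-byte length prefix) and return the response RCODE name."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(signed)) + signed)
        length = struct.unpack(">H", s.recv(2))[0]
        resp = b""
        while len(resp) < length:
            resp += s.recv(length - len(resp))
    rcode = struct.unpack(">H", resp[2:4])[0] & 0xF
    return RCODES.get(rcode, str(rcode))

if __name__ == "__main__":
    msg = build_update("tech32.com.", "_acme-challenge.tech32.com.", "test-validation")
    print(send_update(tsig_sign(msg, "tsigkey.", SECRET_B64), "10.10.10.31"))
```

Run it from the same host certbot runs on, because match-clients decides which view (and therefore which update-policy) sees the request; BIND's update logging category shows the key name it matched.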
