Certbot ignores --dns-rfc2136-propagation-seconds

My domain is:

I ran this command:
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials “/etc/bind/certbot/rfc2136.ini” --dns-rfc2136-propagation-seconds 90 --server https://acme-v02.api.letsencrypt.org/directory -i apache -d windyshore.com -d *.windyshore.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for windyshore.com
dns-01 challenge for windyshore.com
Cleaning up challenges
Received response from server: SERVFAIL

My web server is (include version):
Server version: Apache/2.4.38 (Debian)
Server built: 2019-04-07T18:15:40
The operating system my web server runs on is (include version):
debian 10.0

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0


As you can see, I am having difficulty renewing a certificate. The problem seems to be that certbot is not waiting the specified 90 secs for the dns changes to propagate, it immediately fails (it used to produce a message to say it was waiting.) This is the first time I have tried to renew a certificate since updating to debian 10 (buster) so that could be related. Any ideas?


Hi @pmlco

please share that log.

I can’t upload (new user) and I can’t paste it here either (max 20 links…)
Any other way?

Checking your domain via https://check-your-website.server-daten.de/?q=windyshore.com#txt there is no TXT entry visible.

Perhaps use

--debug-challenges    After setting up challenges, wait for user input
                        before submitting to CA (default: False)

before that user input recheck your domain to see, if there is an entry.

Check the log (the date / time output) to see, if there is a time span of 90 seconds.

Or use pastebin or another online tool to share the content.

The log is here: https://pastebin.com/xPpp8PWJ

Adding --debug-challenges has no effect.


Looks like the plugin doesn’t work:

2019-08-21 14:52:06,111:INFO:certbot.auth_handler:Performing the following challenges:

2019-08-21 14:52:06,111:INFO:certbot.auth_handler:dns-01 challenge for windyshore.com

2019-08-21 14:52:06,111:INFO:certbot.auth_handler:dns-01 challenge for windyshore.com

2019-08-21 14:52:06,122:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.windyshore.com

2019-08-21 14:52:06,127:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for windyshore.com

2019-08-21 14:52:06,132:DEBUG:certbot.error_handler:Encountered exception:

What are the parameters you use? Correct name server?

The name servers in https://check-your-website.server-daten.de/?q=windyshore.com#txt are correct. The bind parameters for this zone are:

zone “windyshore.com” {
type master;
inline-signing yes;
auto-dnssec maintain;
key-directory “/etc/bind/dnssec/windyshore.com/”;
file “/etc/bind/external/db.windyshore.com”;
update-policy {
grant certbot. name _acme-challenge.windyshore.com. txt;

I have found the problem.
Debian 10 (buster) installs apparmor. I had to modify named to grant access to the zone files, in my case:
/etc/bind/external/ rw,
/etc/bind/external/** rw,

in /etc/apparmor.d/usr.sbin.named

Thanks for your help.


Ah, thanks, good to know.

So the “not waiting” -> the plugin didn’t work, stopped.

Thanks for reporting back!

And happy to read you have found a solution :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.