Certbot rfc2136 error

domain:
norvester.ru

run:
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /usr/local/etc/letsencrypt/ns.norvester.ru-rfc2136.ini -d "norvester.ru" -d "*.norvester.ru"

Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
Domain: norvester.ru
Type: dns
Detail: DNS problem: looking up TXT for _acme-challenge.norvester.ru: DNSSEC: RRSIGs Missing

Domain: norvester.ru
Type: dns
Detail: DNS problem: looking up TXT for _acme-challenge.norvester.ru: DNSSEC: RRSIGs Missing

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-rfc2136. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-rfc2136-propagation-seconds (currently 60 seconds).

OS FreeBSD 12
Bind 9.18+DNSSEC
key "keyname." {
    algorithm hmac-sha512;
    secret "......";
};

key "rndc-key" {
    algorithm hmac-sha256;
    secret "....";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl certbot-keys { key keyname.; };

dnssec-policy "mypolicy" {
    keys {
        ksk lifetime unlimited algorithm ECDSAP256SHA256;
        zsk lifetime unlimited algorithm ECDSAP256SHA256;
    };
};

view "external" {

    match-clients { certbot-keys; !internal; any; };
    allow-recursion { localhost; };

    zone "norvester.ru" {
        type master;
        file "/usr/local/etc/namedb/master/norvester.ru";
        allow-transfer { };
        allow-query { any; };
        inline-signing yes;
        dnssec-policy mypolicy;
        // the certbot TSIG key may only touch the TXT RRset at _acme-challenge
        update-policy {
            grant keyname. name _acme-challenge.norvester.ru. txt;
        };
    };
}; // closing brace for view "external" (not in the original paste)

Help me
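To see the same thing the CA sees, an added diagnostic (not from this thread, and not Certbot's or BIND's own tooling): a POSIX shell function that reads the answer section of `dig +dnssec +noall +answer` and reports whether the `_acme-challenge` TXT RRset comes with an RRSIG covering TXT, which is exactly what "DNSSEC: RRSIGs Missing" says is absent. The sample answers are constructed (the token and signature values are not real); `live_txt_rrsig_status` assumes `dig` is installed and is the only part that needs network access.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce, offline, the check behind
# "DNSSEC: RRSIGs Missing" for the _acme-challenge TXT record.
#
# txt_rrsig_status reads the answer section of `dig +dnssec +noall +answer`
# on stdin and prints one word:
#   signed    - a TXT RRset is present together with an RRSIG covering TXT
#   unsigned  - TXT present but no RRSIG TXT (the failure mode in the report)
#   no-txt    - no TXT record in the answer at all
# It returns 0 only for "signed", so it can be used in scripts directly.
txt_rrsig_status() {
    answer=$(cat)
    have_txt=0
    have_sig=0
    # A dig answer line looks like "<name> <ttl> IN <type> <rdata>",
    # separated by tabs or spaces; comment lines start with ';'.
    if printf '%s\n' "$answer" | grep -Eq '^[^;[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+TXT[[:space:]]'; then
        have_txt=1
    fi
    if printf '%s\n' "$answer" | grep -Eq '^[^;[:space:]]+[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+RRSIG[[:space:]]+TXT[[:space:]]'; then
        have_sig=1
    fi
    if [ "$have_txt" -eq 0 ]; then
        echo no-txt
        return 2
    elif [ "$have_sig" -eq 0 ]; then
        echo unsigned
        return 1
    fi
    echo signed
    return 0
}

# live_txt_rrsig_status <domain> [server]: query the real name (needs dig and
# network access; not exercised offline).  Passing the authoritative server as
# the second argument shows what the zone itself serves, before any cache.
live_txt_rrsig_status() {
    name="_acme-challenge.$1"
    if [ -n "$2" ]; then
        dig +dnssec +noall +answer "@$2" "$name" TXT | txt_rrsig_status
    else
        dig +dnssec +noall +answer "$name" TXT | txt_rrsig_status
    fi
}

# Constructed sample answers (token and signature are placeholder values).
SIGNED_ANSWER='_acme-challenge.norvester.ru. 60 IN TXT "constructed-token-value"
_acme-challenge.norvester.ru. 60 IN RRSIG TXT 13 3 60 20240201000000 20240101000000 12345 norvester.ru. bm90LWEtcmVhbC1zaWduYXR1cmU='

UNSIGNED_ANSWER='_acme-challenge.norvester.ru. 60 IN TXT "constructed-token-value"'

# Stand-alone run: verdict for each sample ("|| :" keeps the non-zero
# status of the failing cases from stopping the script under set -e).
printf '%s\n' "$SIGNED_ANSWER"   | txt_rrsig_status || :   # prints: signed
printf '%s\n' "$UNSIGNED_ANSWER" | txt_rrsig_status || :   # prints: unsigned
printf ''                        | txt_rrsig_status || :   # prints: no-txt
```

Run `live_txt_rrsig_status norvester.ru <authoritative-ns>` right after Certbot has added the record: "unsigned" from the authoritative server itself means the dynamically added TXT was never signed, while "signed" there but "unsigned" from a recursive resolver points at propagation or caching and is the case where a larger `--dns-rfc2136-propagation-seconds` helps. With the CNAME workaround discussed later in the thread the function reports on the TXT at the end of the chain, so "unsigned" is expected; whether the CA accepts that depends on the target zone being provably insecure at its delegation, which this check does not examine.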

Say "please" first?

This part of the error message is pretty clear: your DNSSEC is messed up.

That said, I have very little knowledge of BIND (although I run it myself on my server...), so I wouldn't know where to start to debug it. Maybe it has something to do with "dynamic DNSSEC updates" or something like that? As the TXT RR is added "dynamically", BIND needs to be able to update/add the DNSSEC stuff for these dynamic RRs too.

4 Likes

Hi @lexanic, and welcome to the LE community forum :slight_smile:

If you can't fix that yourself, you should find someone who can [your DSP].
[we can't]

3 Likes

Well, if they're running Bind then they're probably their own DNS provider.

And it seems reasonable to ask here if anyone has experience setting up the Certbot RFC2136 plugin to connect to Bind and configure Bind to properly sign the responses. Someone just might.

But it's not me.

7 Likes

@lexanic There might be a more officially correct solution to this, but you could consider making a CNAME record for _acme-challenge within your DNS zone. (The CNAME record could be signed with DNSSEC.) It could then point to a different DNS zone which is not, itself, DNSSEC-signed. Then you could use the --dns-rfc2136 method to update that (unsigned) zone. In that case, Let's Encrypt would not need to validate DNSSEC signatures on the target zone.

This is just a theoretical workaround from my point of view, as I've never used this exact setup.

It's also possible that the "officially correct" solution would require updating the code of the --dns-rfc2136 implementation to add some more functionality to it. I think this is very likely to be the case, but I'm not certain.

5 Likes

It's perfectly possible to use the dns-rfc2136 plugin with DNSSEC, I run it myself. But as I said earlier, it requires dynamic DNSSEC updates on BIND's part, which, I believe, needs special configuration. I can look into that later today on my own BIND configuration, but configuring BIND is, well, not the easiest thing to do, so my own config might not actually help OP.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.