The thread "DNS challenge failing: NXDOMAIN looking up TXT" alludes to BIND setups that use internal and external views having issues, and suggests the issues go away if using BIND 9.10 and above.
I am using the split DNS way of defining an internal view and an external view in named.conf, each incorporating identical zones, and so before I go upgrading the BIND program with a non-CentOS 7 or Fedora file, I want to see if anyone knows something better.
I turned my DNS into an authoritative server and dropped the Google servers as the authoritarian resolvers.
I have not found anyone who has the rfc_dns_2136 authenticator working using the
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /credentials.ini -d "*.xxxxxxx.com" -d xxxxxxx.com --server https://acme-v02.api.letsencrypt.org/directory
command, which is the easiest and proper way to automate renewals for wildcard certs if one is using BIND, but the post above seems to show a bug.
Still, from most posts I have seen, no one has posted a working authenticator and cleanup shell script for the manual hook mode either.
Additionally, it appears one must manually create an _acme-challenge.xxxxxxx.com domain and assign a key, or there is a "no SOA" error in the /var/log/letsencrypt log, and then presumably one needs a CNAME pointing to it to get the cert to issue without messing with the important zone one does not want to be dynamically screwed with.
I can see the delivery of the DNS-01 challenge TXT with a dig -t TXT _acme-challenge.xxxxxxx.com while the waiting period for propagation is happening, and the /var/log/letsencrypt log says it successfully writes the TXT record, but it fails anyway with a "TXT not found" and a 403 error.
Cleaning up challenges
Failed authorization procedure. xxxxxxxx.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.xxxxxxxx.com, xxxxxxx.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.xxxxxxx.com
The 403 is reported in the log, and this is a "generic" error.
Does anyone have info that can be shared on this issue?
Or what a "urn:ietf:params:acme:error:unauthorized" error means?
Or . . . know of a definitive "step by step" setup guide using CNAMEs and a dummy validation zone domain like this -> https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode, but for the certbot client, that can be used with the rfc_dns_2136 authenticator?
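The symptom described above (the TXT record is visible with a local dig but Let's Encrypt reports "No TXT record found") is what happens when each view holds its own copy of the zone: the RFC 2136 update from certbot matches the internal view and lands only in that copy, while the external view, the one the ACME validator queries, never sees it. The following named.conf fragment is an added example, not configuration from the original post. It assumes views named "internal" and "external", a zone example.com, a TSIG key named "certbot-key" and zone files under /var/named; the secret is a placeholder. The challenge name is carved out into its own small dynamic zone, defined once and shared into the second view with the in-view directive (available from BIND 9.10), so one update is served by both views, and the update-policy restricts the key to TXT records in that zone only, keeping the main zone out of reach of the automation.

```conf
// Added example (not from the original post): split-view BIND 9.10+ named.conf
// with a shared dynamic zone for the ACME DNS-01 challenge. All names are assumed.

key "certbot-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // placeholder secret
};

view "internal" {
    match-clients { 192.168.0.0/16; localhost; };

    zone "example.com" {
        type master;
        file "/var/named/internal/example.com.zone";
    };

    // The only zone certbot is allowed to touch; nothing else is dynamic.
    zone "_acme-challenge.example.com" {
        type master;
        file "/var/named/dynamic/_acme-challenge.example.com.zone";
        update-policy {
            grant certbot-key zonesub TXT;
        };
    };
};

view "external" {
    match-clients { any; };

    zone "example.com" {
        type master;
        file "/var/named/external/example.com.zone";
    };

    // Same zone object as in the internal view, not a second copy,
    // so the TXT written by certbot is answered to the public Internet too.
    zone "_acme-challenge.example.com" {
        in-view "internal";
    };
};
```

With this layout certbot's dns-rfc2136 plugin finds the SOA of _acme-challenge.example.com and sends its update there, and the credentials file points dns_rfc2136_server at this server with the key above. Add an NS delegation for _acme-challenge in both copies of the example.com zone file so resolvers outside your server find the challenge zone the same way, and remember that the view whose match-clients matches certbot's source address must be the one where the zone is defined with the update-policy.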
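Because a dig run on the LAN answers from the internal view, it cannot tell you what Let's Encrypt will see. The script below is an added example, not something posted in the thread or shipped with certbot: it looks up the public NS records of the zone and asks each authoritative server directly for the _acme-challenge TXT record, so a "MISS" line from a server that answered the internal view fine points at the split-view problem rather than at propagation delay. It assumes dig is installed; the token is the validation value certbot prints in its log when it writes the record.

```shell
#!/bin/sh
# check_acme_txt.sh: added example (not from the original post). Queries every
# public authoritative nameserver of ZONE for the ACME DNS-01 TXT record, which
# is the view the validator sees, instead of the local resolver's view.

# txt_present EXPECTED: read `dig +short TXT` output on stdin and succeed when
# one of the quoted strings equals EXPECTED.
txt_present() {
    expected=$1
    found=1
    while IFS= read -r line; do
        # dig prints each TXT rdata as "..."; strip the surrounding quotes
        value=${line#\"}
        value=${value%\"}
        [ "$value" = "$expected" ] && found=0
    done
    return $found
}

# acme_name ZONE: the owner name the DNS-01 challenge is published at.
acme_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# check_challenge ZONE TOKEN: one OK/MISS line per authoritative server;
# returns non-zero if any server does not serve the expected record.
check_challenge() {
    zone=$1
    token=$2
    name=$(acme_name "$zone")
    rc=0
    for ns in $(dig +short NS "$zone"); do
        if dig +short TXT "$name" "@$ns" | txt_present "$token"; then
            echo "OK   $ns answers $name with the expected TXT"
        else
            echo "MISS $ns has no matching TXT for $name (update landed in the other view?)"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_acme_txt.sh example.com <token-from-the-certbot-log>
if [ $# -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

Run it during certbot's propagation wait (or from a --manual-auth-hook with a longer --dns-rfc2136-propagation-seconds) and compare its output with the local dig: if the local query succeeds while every public server reports MISS, the record was written to a zone copy the external view does not serve.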