DNS-01 challenge and rfc_dns_2136 authenticator and BIND issue

Yes, no, I know: BIND 9 <= 9.10 has that problem, because when I remove the external view and restart the server the error message is then "DNS problem: SERVFAIL looking up TXT for _acme-challenge.xxxxxxx.com", and this bug is documented in post 26 at DNS challenge failing: NXDOMAIN looking up TXT.

I can see the TXT record with a dig, and the solution that is documented to work is to use Google's public server, as documented in post 26 above, which is how I originally had it set up.

The problem is that the solution is to upgrade to BIND 9.11, which is not officially available for CentOS 7, and I would have to use Fedora files, which would also mean having to install Python 3.4 and possibly screwing up the entire server.

I am researching whether an upgrade to BIND 9.11 or above can safely be done on a CentOS 7 box.

The problem then becomes needing to configure a Fedora repository so that yum will be able to keep the CentOS 7 server up to date on the BIND and dependency files, and I am not sure what other files yum might see in the Fedora repo that it thinks are upgrades to the EL 7 or CentOS 7 files.

I could of course abandon the views setup for BIND, which might be the easiest thing to do.

The real issue is that without a separate zone for _acme-challenge.xxxxxxx.com, the dns-rfc2136 authenticator will screw up the domain to be renewed by replacing all the subdomain DNS entries with a $ORIGIN command in place of the subdomain name.xxxxxxxx.com, and it still fails.

AND the letsencrypt log shows a complaint about no SOA for _acme-challenge.xxxxxxx.com.

Since there is already a wildcard cert configured in place, it seems that is what is actually causing the DNS failure.

I am not sure I am setting up the CNAME configuration as shown at https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode for certbot so the rfc_dns_2136 authenticator can use it. That guide is of course for the acme.sh method.

Is there some way to troubleshoot that using the rfc_dns_2136 authenticator, or does someone know how to do this as shown at Renew using dns-01 challenge by sahsanu and schoen?

Should it be

xxxxxxxx.com. 14400 IN CNAME _acme-challenge.xxxxxxxx.com.

_acme-challenge.xxxxxxxx.com. 14400 IN CNAME xxxxxxxx.com.

in the zone file of the domain to be renewed, given how the rest of the server is set up for authentication, because it is not clear how to do this for a wildcard cert request?

Steps 1 and 2 at Renew using dns-01 challenge leave me a bit confused about how to set up the rest of the server authentication process.
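The records proposed above form a CNAME chain that the ACME validator would follow. The Python script below is an editor's example added here, not code from the original post, from certbot or from acme.sh. It simulates, offline, the two things that decide whether a DNS-01 validation through CNAMEs can work: following the chain from `_acme-challenge.<domain>` to the name where the TXT record must actually exist (a wildcard name `*.<domain>` uses the same `_acme-challenge.<domain>` owner), and the zone discovery the certbot dns-rfc2136 plugin does by stripping labels until it finds a name with an SOA, which is where the "no SOA" complaint comes from. It runs over constructed records: the pair of CNAMEs proposed in the post, and the alias-mode layout the acme.sh wiki describes, where `_acme-challenge.<domain>` points at a challenge name inside a separate validation zone that the TSIG key is allowed to update. The names, the validation zone `acme-validation.example.net`, the SOA set and the key scope are all assumptions.

```python
"""Offline simulation of DNS-01 CNAME following and rfc2136 zone discovery.

Added example, not from the post. All zone data below is constructed.
"""
from __future__ import annotations

from typing import Optional


class CnameLoop(Exception):
    """Raised when the CNAME chain never reaches a terminal name."""


def normalize(name: str) -> str:
    """Lower-case a name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def resolve_challenge_name(domain: str, cnames: dict, max_hops: int = 8) -> str:
    """Return the owner name at which the _acme-challenge TXT must exist.

    `cnames` maps absolute owner name -> CNAME target. The validator follows
    the chain, so the TXT has to live at the end of the chain rather than at
    _acme-challenge.<domain> itself. A wildcard request for *.<domain> is
    validated at _acme-challenge.<domain>, so the leading "*." is dropped.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    name = normalize(f"_acme-challenge.{base}")
    seen: list[str] = []
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise CnameLoop(" -> ".join(seen + [name]))
        seen.append(name)
        name = normalize(cnames[name])
    return name


def chain_loops(domain: str, cnames: dict) -> bool:
    """True when the CNAME chain for `domain` never terminates."""
    try:
        resolve_challenge_name(domain, cnames)
    except CnameLoop:
        return True
    return False


def find_zone(name: str, soa_zones: set) -> Optional[str]:
    """Strip leading labels until a name that has an SOA is found.

    This mirrors how the certbot dns-rfc2136 plugin chooses the zone for its
    dynamic update; if nothing up the chain has an SOA it cannot update.
    """
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in soa_zones:
            return candidate
    return None


def plan_update(domain: str, cnames: dict, soa_zones: set, key_zones: set) -> dict:
    """Work out where the TXT goes and whether our TSIG key may write there."""
    target = resolve_challenge_name(domain, cnames)
    zone = find_zone(target, soa_zones)
    return {
        "txt_owner": target,
        "zone": zone,
        "updatable": zone is not None and zone in key_zones,
    }


# Constructed: the two records proposed in the post; each points at the other.
LOOPING_CNAMES = {
    normalize("xxxxxxxx.com"): "_acme-challenge.xxxxxxxx.com.",
    normalize("_acme-challenge.xxxxxxxx.com"): "xxxxxxxx.com.",
}

# Constructed: alias mode as the acme.sh wiki describes it. The challenge
# name is a CNAME to a challenge name in a separate validation-only zone
# (hypothetical zone acme-validation.example.net), and the rfc2136 TSIG
# key is granted update rights on that zone only.
ALIAS_CNAMES = {
    normalize("_acme-challenge.xxxxxxxx.com"): "_acme-challenge.acme-validation.example.net.",
}
SOA_ZONES = {"xxxxxxxx.com.", "acme-validation.example.net."}
KEY_ZONES = {"acme-validation.example.net."}


def demo() -> None:
    print("proposed pair loops:", chain_loops("xxxxxxxx.com", LOOPING_CNAMES))
    print("alias mode, wildcard:", plan_update("*.xxxxxxxx.com", ALIAS_CNAMES, SOA_ZONES, KEY_ZONES))


if __name__ == "__main__":
    demo()
```

With the alias layout the dynamic update never touches the main zone at all, so the `$ORIGIN` rewriting described above cannot happen there: the key can only add and remove the TXT inside the validation zone, and the main zone carries one static CNAME.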