I generated new keys (they all had a magical space in them, from nowhere; see the first answer at https://stackoverflow.com/questions/8745057/nsupdate-getting-badkey-error) and followed the guide at https://certbot-dns-rfc2136.readthedocs.io/en/latest/. I think the problem is somewhere in BIND 9.11, in how it changed the way it handles view directives. Now I get:
2019-12-01 09:36:57,472:INFO:certbot.auth_handler:dns-01 challenge for xxxxxxxxxxxxxxxx.com
2019-12-01 09:36:57,473:INFO:certbot.auth_handler:dns-01 challenge for xxxxxxxxxxxxxxxx.com
2019-12-01 09:36:57,490:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.xxxxxxxxxxxxxxxx.com
2019-12-01 09:36:57,496:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for xxxxxxxxxxxxxxxx.com
2019-12-01 09:36:57,499:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for com
2019-12-01 09:36:57,500:DEBUG:certbot.error_handler:Encountered exception:
I do not get the third “com” domain, and then:
PluginError: Unable to determine base domain for _acme-challenge.xxxxxxxxxxxxxxxx.com using names: ['_acme-challenge.xxxxxxxxxxxxxxxx.com', 'xxxxxxxxxxxxxxxx.com', 'com'].
I found this problem also at “Problems with certbot dns challenge - Unable to determine base domain”, but even though schoen (Certbot engineer / EFF, Mar '18) said “If you tell me the domain name, I can try to investigate.”, no solution was posted.
If I update named.conf and remove the domain from the internal view, the error remains the same but NO SOA records are found; when I put it back, it finds the main domain only.
nsupdate works to verify the key but then fails on a TSIG error.
The plugin does not rely on nsupdate, according to Sydney some months back.
I have a CNAME set up like this:
_acme-challenge.xxxxxxxxx.com. 14400 IN CNAME xxxxxxxxx.com.
and then a zone file in /var/named/dynamic (BIND 9.11) like this:
$ORIGIN .
$TTL 86400 ; 1 day
_acme-challenge.xxxxxxxxxx.com IN SOA ns1.yyyyyyyyy.com. no-reply.main.yyyyyyyyyy.com. (
2016122352 ; serial
3600 ; refresh (1 hour)
7200 ; retry (2 hours)
2419200 ; expire (4 weeks)
86400 ; minimum (1 day)
)
NS ns1.yyyyyyyyy.com.
NS ns2.yyyyyyyyy.com.
$TTL 14400 ; 4 hours
A xxx.xxx.xxx.xxx.
A yyy.yyy.yyy.yyy.
$ORIGIN _acme-challenge.xxxxxxxxxx.com.
localhost A 127.0.0.1
The two $ORIGIN statements are what certbot put in there.
Is the CNAME setup wrong? It worked for a year.
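The base-domain lookup that produces the “No authoritative SOA record found” lines above, reproduced as an added example against a toy BIND with views. This is not certbot's or BIND's code; it models only what the plugin's debug log shows (an SOA query for the literal challenge name with recursion off, accepted only when the rcode is NOERROR, the AA flag is set and an SOA for that exact name is in the answer section, otherwise strip a label and retry). The names (example.com), the two views, their match-clients and the client addresses are constructed assumptions.

```python
"""Simulate the base-domain lookup that certbot-dns-rfc2136 performs before it
sends any RFC 2136 update, against a toy BIND that has views.

Added example: not certbot's or BIND's code. The plugin behaviour modelled here
is what its debug log shows: it asks the configured server for the SOA of the
literal challenge name with recursion turned off, accepts the answer only if the
rcode is NOERROR, the AA flag is set and an SOA RRset for that exact name is in
the answer section, and otherwise strips one label and tries again. The names
(example.com), the view layout and the client addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# (rcode, AA flag set, SOA RRset for the queried name present in the answer)
SoaReply = Tuple[str, bool, bool]


@dataclass
class View:
    """Cut-down BIND view: match-clients plus the apex names of the zones it serves."""
    name: str
    match_clients: List[str]
    zones: List[str] = field(default_factory=list)

    def matches(self, client_ip: str) -> bool:
        return any(ip_address(client_ip) in ip_network(net) for net in self.match_clients)


class FakeBind:
    """View selection as BIND does it: the first view whose match-clients covers
    the source address answers, and the zones of every other view are invisible."""

    def __init__(self, views: List[View]) -> None:
        self.views = views

    def soa(self, client_ip: str, qname: str) -> SoaReply:
        view = next((v for v in self.views if v.matches(client_ip)), None)
        if view is None:
            return ("REFUSED", False, False)
        # Closest enclosing zone wins, as with BIND's zone lookup.
        apex = max((z for z in view.zones if qname == z or qname.endswith("." + z)),
                   key=len, default=None)
        if apex is None:
            # Out-of-zone name and recursion not requested: REFUSED, or a
            # non-authoritative referral depending on config. Neither has AA set.
            return ("REFUSED", False, False)
        if qname == apex:
            return ("NOERROR", True, True)   # SOA in the answer section
        # Name below the apex (NODATA, or a CNAME): authoritative, but the SOA
        # appears only in the authority section, which the plugin does not accept.
        return ("NOERROR", True, False)


def base_domain_guesses(record_name: str) -> List[str]:
    """The name, then each parent: _acme-challenge.a.com, a.com, com."""
    labels = record_name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_base_domain(record_name: str,
                     query: Callable[[str], SoaReply]) -> Tuple[Optional[str], List[str]]:
    """Walk up the name; return (base domain or None, the log lines the walk produced)."""
    log: List[str] = []
    for guess in base_domain_guesses(record_name):
        rcode, aa, soa_in_answer = query(guess)
        if rcode == "NOERROR" and aa and soa_in_answer:
            log.append(f"Received authoritative SOA response for {guess}")
            return guess, log
        log.append(f"No authoritative SOA record found for {guess}")
    return None, log


def run_scenario(internal_zones: List[str],
                 client_ip: str = "127.0.0.1") -> Tuple[Optional[str], List[str]]:
    """certbot on the nameserver host itself (loopback) lands in the internal view;
    the external view always carries both zones."""
    bind = FakeBind([
        View("internal", ["127.0.0.0/8", "10.0.0.0/8"], internal_zones),
        View("external", ["0.0.0.0/0"], ["example.com", "_acme-challenge.example.com"]),
    ])
    return find_base_domain("_acme-challenge.example.com",
                            lambda qname: bind.soa(client_ip, qname))


if __name__ == "__main__":
    for zones in ([], ["example.com"], ["example.com", "_acme-challenge.example.com"]):
        base, log = run_scenario(zones)
        print(f"internal view zones={zones}: base domain={base}")
        for line in log:
            print("   ", line)
```

With the internal view carrying no zones, the walk logs the same three “No authoritative SOA record found” lines as the post and returns nothing, which is the point at which the plugin raises PluginError. With only example.com in that view it settles on example.com, because the challenge name itself answers NODATA (SOA only in the authority section). Only when the view the querying host lands in also carries the _acme-challenge zone does the lookup pick that zone. The lookup never follows the CNAME: the configured server has to answer authoritatively for the literal name, through whichever view the certbot host matches. The equivalent hand check, from the host certbot runs on and with assumed names, is `dig +norecurse @ns1.example.com _acme-challenge.example.com SOA`, then look for `aa` in the flags line and an SOA in the ANSWER section.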