DNS-01 with FreeBSD 11.2 + bind rfc2136 crashing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

in.graphica.com.au

I ran this command:

certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /usr/local/etc/namedb/rfc2136.ini --dns-rfc2136-propagation-seconds 10 --debug-challenges

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): *.in.graphica.com.au
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for in.graphica.com.au
Cleaning up challenges
Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 125, in add_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 128, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 160, in del_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/error_handler.py", line 124, in _call_registered
    self.funcs[-1]()
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 77, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 163, in del_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used

My web server is (include version):

Server version: Apache/2.4.41 (FreeBSD)
Server built: unknown

BIND 9.14.6 (Stable Release) id:efd3496

The operating system my web server runs on is (include version):

FreeBSD inside.in.graphica.com.au 11.2-RELEASE FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.39.0

Contents of rfc2136.ini

dns_rfc2136_server = 203.32.223.140
dns_rfc2136_port = 53
dns_rfc2136_name = tsig-key.acme.in.graphica.
dns_rfc2136_secret = REMOVED-SECRET
dns_rfc2136_algorithm = HMAC-SHA512

Contents of named.conf

#include "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key"

zone "in.graphica.com.au" {
    type master;
    file "/usr/local/etc/namedb/dynamic/db.in.graphica.com.au";
    allow-transfer {
        203.11.73.20;
        203.11.73.5;
    };
    update-policy {
        grant tsig-key.acme.in.graphica. name _acme-challenge.in.graphica.com.au. TXT;
    };
    // allow-update {
    //     127.0.0.1;
    //     graphica-pub-nets;
    //     graphica-priv-nets;
    // };
    allow-query {
        any;
    };
};

CONTENTS OF KEYFILE: tsig-key.acme.in.graphica.key

key "tsig-key.acme.in.graphica." {
    algorithm hmac-sha512;
    secret "REMOVED-SECRET";
};

Testing Done:

grep -l REMOVED-SECRET *
rfc2136.ini
tsig-key.acme.in.graphica.key

So REMOVED-SECRET is the same in both rfc2136.ini and tsig-key.acme.in.graphica.key

NSUPDATE Testing:

I did two tests, one with:

1. IP Based Check:

allow-update {
    127.0.0.1;
    graphica-pub-nets;
    graphica-priv-nets;
};

Works!!

2. The other test was with Access Control:

update-policy {
    grant tsig-key.acme.in.graphica. name _acme-challenge.in.graphica.com.au. TXT;
};

This fails

nsupdate -y hmac-sha512:tsig-key.acme.in.graphica.:REMOVED-SECRET -v test-nsupdate-01.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 ANY TXT
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber3"
Sending update to 203.32.223.140#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15138
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 ANY TXT
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber3"
;; TSIG PSEUDOSECTION:
tsig-key.acme.in.graphica. 0 ANY TSIG hmac-sha512. 1570941710 300 64 wy5ZU0Tf2xWvqW7hrK6cLgOAynwFCjE7Ikmcec0S1AViMwGyz5KpDu+i /ga49Uqf7XsAyo7Qb75ATGNU/q8JiA== 15138 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 15138
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; TSIG PSEUDOSECTION:
tsig-key.acme.in.graphica. 0 ANY TSIG hmac-sha512. 1570941710 300 0 15138 BADKEY 0

So I have isolated the problem to the update not appearing to recognise the key: BADKEY

But I cannot seem to find any configuration or data that is wrong.

Thank you for help.

Zebity

Wait, is that commented out? BIND syntax is just "include", not "#include" like C.

Edit: And it doesn't have a semicolon at the end, but I'm not sure how required that is.


Agreed.
The key file never got included.

hi @mnordhoff & @rg305,

thanks for eagle eyes... my #include C programming habits got the better of me.

and yes I also missed semi-colon...

include "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key";

Not surprised that problem was something pretty simple.

I now have my first wildcard certificate and can now get certificates for private hosts.

Cheers,

zebity.
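The thread's diagnostic value is in the TSIG error code itself: BIND answered NOTAUTH with a TSIG error of BADKEY, which means "I have no key by that name", as opposed to BADSIG (name known, MAC does not verify, i.e. the secret differs) or BADTIME (signature fine, clock skew beyond the fudge window). Since the key file was never included, named had no key named tsig-key.acme.in.graphica. at all, which is exactly BADKEY. The following is an added example, not code from certbot, dnspython or BIND: a pure-stdlib implementation of the RFC 2845 TSIG MAC (message bytes plus the TSIG variables) on both sides, with a "server" that checks a signed UPDATE against its keyring and returns the same rcode/TSIG-error pairs a client would see in the TSIG pseudosection. It assumes uncompressed names, single messages and no request-MAC chaining; the zone, key name, message ID and timestamp mirror the nsupdate output above, while the secret is constructed for the demo.

```python
# TSIG (RFC 2845/8945) sign-and-verify round trip in pure stdlib Python. Added example,
# not code from certbot, dnspython or BIND. Assumes uncompressed names, single messages
# and no request-MAC chaining; the key name, zone and secret are constructed for the demo.
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, NOERROR, NOTAUTH = 250, 255, 0, 9
BADSIG, BADKEY, BADTIME = 16, 17, 18                      # TSIG error codes (RFC 2845 s.1.7)
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}

def canon(name):                                          # lowercase, exactly one trailing dot
    return name.lower().rstrip(".") + "."

def wire_name(name):                                      # canonical, uncompressed wire form
    return b"".join(bytes([len(l)]) + l.encode() for l in canon(name).split(".") if l) + b"\x00"

def read_name(wire, pos):                                 # -> (text name, offset after the name)
    labels = []
    while wire[pos]:
        labels.append(wire[pos + 1:pos + 1 + wire[pos]].decode())
        pos += wire[pos] + 1
    return ".".join(labels) + ".", pos + 1

def build_update(zone, msg_id):
    """Minimal DNS UPDATE (opcode 5): header plus a zone section holding one SOA question."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE SOA, QCLASS IN

def tsig_variables(keyname, alg, time_signed, fudge, error, other=b""):
    """Bytes appended to the message when computing the MAC (RFC 2845 s.3.4.2)."""
    return (wire_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(alg)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign(msg, keyname, alg, secret, now=None, fudge=300):
    """Client side: append a TSIG RR (additional section) to an unsigned message."""
    now = int(time.time()) if now is None else now
    alg = canon(alg)
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    mac = hmac.new(secret, msg + tsig_variables(keyname, alg, now, fudge, 0), ALGORITHMS[alg]).digest()
    rdata = (wire_name(alg) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error 0, other-len 0
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr

def last_rr_offset(wire):
    """Offset of the final RR, where a TSIG RR must sit; None if the message has no RRs."""
    qd, an, ns, ar = struct.unpack("!HHHH", wire[4:12])
    pos, start = 12, None
    for _ in range(qd):
        pos = read_name(wire, pos)[1] + 4
    for _ in range(an + ns + ar):
        start, pos = pos, read_name(wire, pos)[1]
        pos += 10 + struct.unpack("!H", wire[pos + 8:pos + 10])[0]
    return start

def verify(wire, keyring, now=None):
    """Server side: (rcode, tsig_error) for a message; keyring maps key name -> (alg, secret)."""
    now = int(time.time()) if now is None else now
    keyring = {canon(k): (canon(a), s) for k, (a, s) in keyring.items()}
    start = last_rr_offset(wire)
    if start is None:
        return NOTAUTH, 0                                 # unsigned: refused under a TSIG-only policy
    keyname, p = read_name(wire, start)
    if struct.unpack("!H", wire[p:p + 2])[0] != TSIG_TYPE:
        return NOTAUTH, 0
    alg, p = read_name(wire, p + 10)                      # skip TYPE/CLASS/TTL/RDLENGTH
    time_signed, p = int.from_bytes(wire[p:p + 6], "big"), p + 6
    fudge, mac_size = struct.unpack("!HH", wire[p:p + 4]); p += 4
    mac, p = wire[p:p + mac_size], p + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[p:p + 6]); p += 6
    other = wire[p:p + other_len]
    if canon(keyname) not in keyring or keyring[canon(keyname)][0] != canon(alg):
        return NOTAUTH, BADKEY                            # what BIND returned in the thread above
    key_alg, secret = keyring[canon(keyname)]
    # Rebuild the message as it was signed: original ID, TSIG RR dropped, ARCOUNT decremented.
    arcount = struct.unpack("!H", wire[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", arcount) + wire[12:start]
    expect = hmac.new(secret, unsigned + tsig_variables(keyname, alg, time_signed, fudge, error, other),
                      ALGORITHMS[key_alg]).digest()
    if not hmac.compare_digest(expect, mac):
        return NOTAUTH, BADSIG                            # key name known, secret differs
    if abs(now - time_signed) > fudge:
        return NOTAUTH, BADTIME                           # clock skew outside the fudge window
    return NOERROR, 0

def demo():
    """Outcomes a client can see for one signed update; key name and secret are constructed."""
    key, alg, now = "tsig-key.acme.in.graphica.", "hmac-sha512", 1570941710
    secret = b"constructed-demo-secret"                   # not a real key
    req = sign(build_update("in.graphica.com.au", 15138), key, alg, secret, now=now)
    return {
        "key file never included": verify(req, {}, now=now),
        "key loaded": verify(req, {key: (alg, secret)}, now=now),
        "wrong secret": verify(req, {key: (alg, b"some-other-secret")}, now=now),
        "clock skew": verify(req, {key: (alg, secret)}, now=now + 3600),
    }

if __name__ == "__main__":
    for case, (rcode, err) in demo().items():
        print(f"{case:24s} rcode={rcode} tsig_error={err}")
```

Two practical notes for anyone reproducing the nsupdate test above: `nsupdate -y hmac-sha512:name:secret` puts the secret on the command line, where it is visible to other local users via ps; the nsupdate man page recommends `-k /path/to/key.file` (the same `key { ... };` file named.conf includes) for anything beyond a one-off check. And the `update-policy` grant in the post is the right shape for least privilege: both `in.graphica.com.au` and `*.in.graphica.com.au` are validated through TXT records at `_acme-challenge.in.graphica.com.au`, so a `name ... TXT` rule for that single owner name is all certbot needs, and the key cannot touch any other record in the zone.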
