Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
in.graphica.com.au
I ran this command:
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /usr/local/etc/namedb/rfc2136.ini --dns-rfc2136-propagation-seconds 10 --debug-challenges
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.in.graphica.com.au
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for in.graphica.com.au
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 125, in add_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 128, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 160, in del_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/error_handler.py", line 124, in _call_registered
    self.funcs[-1]()
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 77, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 163, in del_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used
My web server is (include version):
Server version: Apache/2.4.41 (FreeBSD)
Server built: unknown
BIND 9.14.6 (Stable Release) id:efd3496
The operating system my web server runs on is (include version):
FreeBSD inside.in.graphica.com.au 11.2-RELEASE FreeBSD 11.2-RELEASE #0 r335510: Fri Jun 22 04:32:14 UTC 2018 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.39.0
Contents of rfc2136.ini
dns_rfc2136_server = 203.32.223.140
dns_rfc2136_port = 53
dns_rfc2136_name = tsig-key.acme.in.graphica.
dns_rfc2136_secret = REMOVED-SECRET
dns_rfc2136_algorithm = HMAC-SHA512
Contents of named.conf
#include "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key"
zone "in.graphica.com.au" {
    type master;
    file "/usr/local/etc/namedb/dynamic/db.in.graphica.com.au";
    allow-transfer {
        203.11.73.20;
        203.11.73.5;
    };
    update-policy {
        grant tsig-key.acme.in.graphica. name _acme-challenge.in.graphica.com.au. TXT;
    };
    // allow-update {
    //     127.0.0.1;
    //     graphica-pub-nets;
    //     graphica-priv-nets;
    // };
    allow-query {
        any;
    };
};
CONTENTS OF KEYFILE: tsig-key.acme.in.graphica.key
key "tsig-key.acme.in.graphica." {
    algorithm hmac-sha512;
    secret "REMOVED-SECRET";
};
Testing Done:
grep -l REMOVED-SECRET *
rfc2136.ini
tsig-key.acme.in.graphica.key
So REMOVED-SECRET is the same in both rfc2136.ini and tsig-key.acme.in.graphica.key
NSUPDATE Testing:
I did two tests, one with:
- IP Based Check:
allow-update {
    127.0.0.1;
    graphica-pub-nets;
    graphica-priv-nets;
};
Works!!
- The other test was with Access Control:
update-policy {
    grant tsig-key.acme.in.graphica. name _acme-challenge.in.graphica.com.au. TXT;
};
This fails
nsupdate -y hmac-sha512:tsig-key.acme.in.graphica.:REMOVED-SECRET -v test-nsupdate-01.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 ANY TXT
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber3"
Sending update to 203.32.223.140#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15138
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 ANY TXT
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber3"
;; TSIG PSEUDOSECTION:
tsig-key.acme.in.graphica. 0 ANY TSIG hmac-sha512. 1570941710 300 64 wy5ZU0Tf2xWvqW7hrK6cLgOAynwFCjE7Ikmcec0S1AViMwGyz5KpDu+i /ga49Uqf7XsAyo7Qb75ATGNU/q8JiA== 15138 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 15138
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; TSIG PSEUDOSECTION:
tsig-key.acme.in.graphica. 0 ANY TSIG hmac-sha512. 1570941710 300 0 15138 BADKEY 0
So I have isolated the problem to the update not appearing to recognise the key: BADKEY
But I cannot seem to find any configuration or data that is wrong.
Thank you for help.
Zebity
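Editor's added example, not part of the post above. The TSIG error codes distinguish two failure modes: the server answers BADKEY when it has no key loaded under the name (and algorithm) the client signed with, and BADSIG when it knows the name but the MAC does not verify, i.e. the secret differs. Matching secrets in the two files therefore do not rule out BADKEY; what matters is whether named actually loaded the key statement. named.conf accepts `#`, `//` and `/* */` as comment syntax, so a line beginning `#include` is a comment and the file it names is never read, which is exactly the state the posted named.conf is in. The script below cross-checks certbot's rfc2136.ini, the BIND key file and named.conf for the mismatches that produce each response. The three sample inputs are constructed from the files in the post with a dummy secret; the file path constant and the function names are illustrative, not certbot or BIND API.

```python
import re

# Constructed sample inputs modelled on the files in the post above.
# The secret is a dummy base64 string, not a real key.
KEYFILE_PATH = "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key"

SAMPLE_INI = """\
dns_rfc2136_server = 203.32.223.140
dns_rfc2136_port = 53
dns_rfc2136_name = tsig-key.acme.in.graphica.
dns_rfc2136_secret = ZHVtbXktc2VjcmV0LW5vdC1yZWFs
dns_rfc2136_algorithm = HMAC-SHA512
"""

SAMPLE_KEYFILE = """\
key "tsig-key.acme.in.graphica." {
    algorithm hmac-sha512;
    secret "ZHVtbXktc2VjcmV0LW5vdC1yZWFs";
};
"""

# As posted: the include is a shell-style comment, so named never loads the key.
SAMPLE_NAMED_CONF = """\
#include "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key"
zone "in.graphica.com.au" {
    type master;
    file "/usr/local/etc/namedb/dynamic/db.in.graphica.com.au";
    update-policy {
        grant tsig-key.acme.in.graphica. name _acme-challenge.in.graphica.com.au. TXT;
    };
    // allow-update { 127.0.0.1; };
};
"""


def norm_name(name):
    """TSIG key names are DNS names: compare case-insensitively, always with a trailing dot."""
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."


def strip_named_comments(text):
    """named.conf allows /* */, // and # comments. Good enough for the files shown;
    a quoted string containing // would be clipped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_ini(text):
    """Pull the TSIG settings out of certbot's dns_rfc2136 credentials file."""
    vals = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            k, v = line.split("=", 1)
            vals[k.strip()] = v.strip()
    return {
        "name": norm_name(vals["dns_rfc2136_name"]),
        "algorithm": vals["dns_rfc2136_algorithm"].lower(),
        "secret": vals["dns_rfc2136_secret"],
    }


def parse_keyfile(text):
    """Parse a BIND key statement; algorithm and secret may appear in either order."""
    m = re.search(r'key\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', strip_named_comments(text), flags=re.S)
    if not m:
        raise ValueError("no key statement found")
    body = m.group(2)
    alg = re.search(r"algorithm\s+([^;\s]+)\s*;", body)
    sec = re.search(r'secret\s+"([^"]+)"\s*;', body)
    if not (alg and sec):
        raise ValueError("key statement lacks algorithm or secret")
    return {"name": norm_name(m.group(1)), "algorithm": alg.group(1).lower(), "secret": sec.group(1)}


def check_tsig_config(ini_text, keyfile_text, named_conf_text, keyfile_path):
    """Cross-check the three files. Returns a list of findings; empty means consistent.
    Each finding names the TSIG error or RCODE the server would be expected to return."""
    ini = parse_ini(ini_text)
    key = parse_keyfile(keyfile_text)
    conf = strip_named_comments(named_conf_text)
    findings = []
    if ini["name"] != key["name"]:
        findings.append(f"key name differs: ini={ini['name']} keyfile={key['name']} (expect BADKEY)")
    if ini["algorithm"] != key["algorithm"]:
        findings.append(f"algorithm differs: ini={ini['algorithm']} keyfile={key['algorithm']} (expect BADKEY)")
    if ini["secret"] != key["secret"]:
        findings.append("secret differs between ini and key file (expect BADSIG)")
    # Only include statements that survive comment stripping are ever read by named.
    includes = re.findall(r'include\s+"([^"]+)"\s*;', conf)
    if keyfile_path not in includes:
        findings.append(f"{keyfile_path} is not loaded by an active include statement (expect BADKEY)")
    grants = {norm_name(g) for g in re.findall(r"grant\s+(\S+)", conf)}
    if key["name"] not in grants:
        findings.append(f"update-policy has no grant for {key['name']} (expect REFUSED)")
    return findings


if __name__ == "__main__":
    for finding in check_tsig_config(SAMPLE_INI, SAMPLE_KEYFILE, SAMPLE_NAMED_CONF, KEYFILE_PATH) or ["OK"]:
        print(finding)
```

Run against the posted files this reports only the include finding; changing the first line to `include "/usr/local/etc/namedb/tsig-key.acme.in.graphica.key";` (note the trailing semicolon) clears it. A check like this is worth keeping next to `named-checkconf`, which parses a commented-out include as perfectly valid and says nothing.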