DNS-01 with FreeBSD 11.2 + bind rfc2136 hanging

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: in.graphica.com.au

I ran this command: certbot certonly --dns-rfc2136 --debug-challenges

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): *.in.graphica.com.au
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for in.graphica.com.au
Input the path to your RFC 2136 credentials INI file (Enter ‘c’ to cancel): /usr/local/etc/namedb/rfc2136.ini
AT THIS POINT certbot just hangs and never returns, so I have to Ctrl-C to kill the request.
In the log files there are no prior apparent errors that explain why it is hanging.

My web server is (include version): apache24

The operating system my web server runs on is (include version): FreeBSD 11.2

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

RESULT:

certbot just hangs and there is no evidence of the DNS TXT challenge occurring; here is the traceback from the Ctrl-C:

^CCleaning up challenges
^CExiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 112, in add_txt_record
    domain = self._find_domain(record_name)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 186, in _find_domain
    if self._query_soa(guess):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 209, in _query_soa
    response = dns.query.udp(request, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 325, in udp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 258, in receive_udp
    _wait_for_readable(sock, expiration)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 156, in _wait_for_readable
    _wait_for(s, True, False, True, expiration)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 131, in _wait_for
    if not _polling_backend(fd, readable, writable, error, timeout):
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 92, in _poll_for
    event_list = pollable.poll()
KeyboardInterrupt

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in
    load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.6/site-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.6/site-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.6/site-packages/certbot/client.py", line 384, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 98, in handle_authorizations
    return authzrs_validated
  File "/usr/local/lib/python3.6/site-packages/certbot/error_handler.py", line 105, in exit
    self._call_registered()
  File "/usr/local/lib/python3.6/site-packages/certbot/error_handler.py", line 124, in _call_registered
    self.funcs-1
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 77, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 147, in del_txt_record
    domain = self._find_domain(record_name)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 186, in _find_domain
    if self._query_soa(guess):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 209, in _query_soa
    response = dns.query.udp(request, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 325, in udp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 258, in receive_udp
    _wait_for_readable(sock, expiration)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 156, in _wait_for_readable
    _wait_for(s, True, False, True, expiration)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 131, in _wait_for
    if not _polling_backend(fd, readable, writable, error, timeout):
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 92, in _poll_for
    event_list = pollable.poll()
KeyboardInterrupt

The traceback suggests that it was waiting for a response from your DNS2136 server.

What values are you using for:

dns_rfc2136_server = ...
dns_rfc2136_port = ...

Can you successfully send a query to it using dig or better yet, nsupdate? (Or the FreeBSD equivalents).

_az, thanks for asking:

dns_rfc2136_server = 203.32.223.140
dns_rfc2136_port = 56
dns_rfc2136_name = tsig-key.in.graphica.com.au.

Also via web nslookup: http://www.kloth.net/services/nslookup.php
So it's coming from outside my local network:

<using Local Host>
DNS server handling your query: localhost
DNS server’s address: 127.0.0.1#53

Non-authoritative answer:
_acme-challenge.in.graphica.com.au text = "placeholder"

Authoritative answers can be found from:
<End>

<Using target DNS Host>
DNS server handling your query: 203.32.223.140
DNS server’s address: 203.32.223.140#53

_acme-challenge.in.graphica.com.au text = "placeholder"
<End>

I have just come across another posting that indicates there might be a DNS UDP vs TCP issue with the DNS-01 challenge…

Are you aware of this?
I am pretty sure that the firewall to the internet is set up on the assumption that all DNS is UDP.

!!! EDIT !!!
Stupid me: in cutting/pasting the port I see I have 56, not 53!!

However I now have a new problem:

<Results>
dns-01 challenge for in.graphica.com.au
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 125, in add_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 128, in add_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error adding TXT record: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 160, in del_txt_record
    response = dns.query.tcp(update, self.server, port=self.port)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 491, in tcp
    q.keyring, q.mac, ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/query.py", line 425, in receive_tcp
    ignore_trailing=ignore_trailing)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 823, in from_wire
    reader.read()
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 751, in read
    self._get_section(self.message.additional, adcount)
  File "/usr/local/lib/python3.6/site-packages/dns/message.py", line 703, in _get_section
    self.message.first)
  File "/usr/local/lib/python3.6/site-packages/dns/tsig.py", line 185, in validate
    raise PeerBadKey
dns.tsig.PeerBadKey: The peer didn't know the key we used

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/error_handler.py", line 124, in _call_registered
    self.funcs-1
  File "/usr/local/lib/python3.6/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/local/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 77, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/local/lib/python3.6/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 163, in del_txt_record
    .format(e))
certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used
<End Result>

Cheers,

Zebity.

_az and others,

To try to get this resolved I have done considerable DNS configuration cleanup to try to get to the bottom of the problem. To this end I have been doing some initial testing with nsupdate.

I am getting a "322 BADKEY 0" failure with nsupdate …

Here is the log of the nsupdate test:

<TEST>
root@inside:/usr/local/etc/namedb # nsupdate -y hmac-sha512:tsig-key.in.graphica.com.au.:SkBsA8Tcse/ZQt0jwRc0CMXO0cn5FwyuCrB4GxrwBGeDVyq2oNS4eQMyIc1pGfPrDCGyluwnldb104azXjlgog== -v test-nsupdate-01.txt
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 NONE TXT "placeholder"
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
Sending update to 203.32.223.140#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 29322
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; UPDATE SECTION:
_acme-challenge.in.graphica.com.au. 0 NONE TXT "placeholder"
_acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
;; TSIG PSEUDOSECTION:
tsig-key.in.graphica.com.au. 0 ANY TSIG hmac-sha512. 1570878747 300 64 KFyqqDH8neLUVkFyAi5XhdVkX59jTomDZ73gWHWIYlezy+HVgcApsNNC FhigCGjCyMzGsPVPQ4Kx9BsMG7PgNA== 29322 NOERROR 0
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 29322
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;in.graphica.com.au. IN SOA
;; TSIG PSEUDOSECTION:
tsig-key.in.graphica.com.au. 0 ANY TSIG hmac-sha512. 1570878747 300 0 29322 BADKEY 0
<END>

Here are the contents of the update request file:

<CONTENTS>
server 203.32.223.140
debug yes
zone in.graphica.com.au.
update delete _acme-challenge.in.graphica.com.au. 10800 IN TXT "placeholder"
update add _acme-challenge.in.graphica.com.au. 10800 IN TXT "globber"
show
send
<END OF CONTENT>

Looking at the log, it looks like the secret I am putting in via the command line is different from what is reported in the TSIG PSEUDOSECTION.

Here is my named.conf section:

<SECTION>
#include "/usr/local/etc/namedb/tsig-key.in.graphica.com.au.key"
zone "in.graphica.com.au" {
    type master;
    file "/usr/local/etc/namedb/dynamic/db.in.graphica.com.au";
    allow-transfer {
        203.11.73.20;
        203.11.73.5;
    };
    update-policy {
        grant tsig-key.in.graphica.com.au. name _acme-challenge.in.graphica.com.au. txt;
    };
    allow-query {
        any;
    };
};
<END SECTION>

Any help would be appreciated. Thank you.

Ze Spring
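Reading the TSIG pseudosection of an nsupdate -v log is the quickest way to tell BADKEY (the server has no key of that name/algorithm loaded, for instance because the key file is not actually included in named.conf) apart from BADSIG (secret mismatch) and BADTIME (clock skew); the value shown in the outgoing pseudosection is the HMAC over the message, not the secret, so it is expected to differ from the key. The parser below is an added example, not code from this thread, BIND or certbot; the log it reads is a constructed sample in the shape of the one posted above.

```python
import re

# Constructed sample in the shape of the nsupdate -v reply from the thread;
# only the server's reply section is diagnosed.
SAMPLE_LOG = """\
; TSIG error with server: tsig indicates error
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 29322
;; TSIG PSEUDOSECTION:
tsig-key.in.graphica.com.au. 0 ANY TSIG hmac-sha512. 1570878747 300 0 29322 BADKEY 0
"""

# RFC 8945 TSIG error codes and what each usually means for a zone admin.
TSIG_ERRORS = {
    "NOERROR": "TSIG verified; a refusal here is update-policy, not the key",
    "BADSIG": "key name known but HMAC mismatch: wrong secret or algorithm",
    "BADKEY": "server has no key of this name/algorithm: key not loaded in "
              "named.conf (check the include line) or the name differs",
    "BADTIME": "signature time outside the fudge window: clock skew",
}
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")


def parse_tsig_rr(line):
    """Parse a presentation-format TSIG RR (name ttl class TSIG alg time fudge
    macsize [mac...] id error otherlen); the MAC may span tokens, so locate the tail."""
    t = line.split()
    if len(t) < 11 or t[3] != "TSIG":
        return None
    for i in range(8, len(t)):
        if t[i] in TSIG_ERRORS:
            return {"key": t[0], "algorithm": t[4].rstrip("."), "mac_size": int(t[7]),
                    "original_id": int(t[i - 1]), "error": t[i]}
    return None


def diagnose_reply(log_text):
    """Return the server's rcode and TSIG verdict from an nsupdate -v log."""
    parts = log_text.split("Reply from update query:", 1)
    if len(parts) < 2:
        return {"status": None, "tsig": None,
                "diagnosis": "no reply captured: check server, port and firewall"}
    status, tsig = None, None
    for line in parts[1].splitlines():
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
        tsig = parse_tsig_rr(line) or tsig
    if tsig is None:
        return {"status": status, "tsig": None, "diagnosis": "reply unsigned: do not trust it"}
    return {"status": status, "tsig": tsig, "diagnosis": TSIG_ERRORS[tsig["error"]]}
```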

Marking this as “solved” for initial problem (using wrong DNS port.).

Updated rfc2136.ini file:
dns_rfc2136_port = 56 (wrong)
dns_rfc2136_port = 53 (right)

Opening new item for outstanding issue with dns update.

Zebity