There's a PR in progress to make this the behavior of --dry-run: Prevent authorization re-use for --dry-run/--staging/--deactivate-authorizations (#5116) by alexzorin · Pull Request #7266 · certbot/certbot · GitHub. You can wait for that to be released, or try applying it locally. It sounded like you had trouble setting up your Certbot dev environment. If you'd like to start another thread with the details of that, we might be able to figure out what's wrong.
@Fabrice2016 You mean to give the bind9 server an additional IP that a separate DNS service is listening on? That would make it needlessly complex, plus don’t forget I already found a way to get certs issued. ;] I just need to do a final test by forcing LetsEncrypt to do the challenges again. I don’t mind having to reload all zones and bring bind9 down for about a minute; all the important/production stuff is replicated to the secondaries anyways.
@mnordhoff Yeah I realise that, I was simply clarifying that just having a CNAME might not be enough, depending on the setup.
@jsha I removed the entire dev environment and might try again to apply that patch. If it still doesn’t play nice I’ll make a new thread.
@jsha For some reason the dev env now works properly right away, not sure what I did differently but at least I could apply that patch. The first couple of certbot runs succeeded without issues, so I think the initial issue is resolved. But it seems that sometimes LetsEncrypt reports a SERVFAIL error (“The following errors were reported by the server”). Is this a performance limitation of the staging environment or should I look somewhere on my end? My bind9 is reloaded well before LetsEncrypt should check for the TXT record though.
The patch seems to work well, by the way. =]
The SERVFAIL is most likely a problem on your end that you should check into. One common cause is having dead authoritative nameservers in your config. Another is misconfigured DNSSEC.