Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: backprod.de (same error on other domains)
I ran this command: sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/renewal/rfc2136.ini -d 'backprod.de' -d '*.backprod.de' or
service certbot restart (this will also try to renew the abovementioned domain)
The operating system my web server runs on is (include version):
Ubuntu 22.04
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
I'm running a bind server on my VPS as primary nameserver with several secondaries.
Since the update to Ubuntu 22.04 (and with this also to a newer bind version) the certbot wildcard DNS update does not work anymore. Currently I assume a change in bind but I'm not sure about this.
Log entry in certbot log:
2022-08-21 23:26:30,677:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.mydomain.de
Update command:
service certbot restart (auto) or manual
sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/renewal/rfc2136.ini -d 'backprod.de' -d '*.backprod.de'
Setup in Bind:
Static Zone: backprod.de (no updates allowed)
Dynamic Zone auto.backprod.de (updates allowed)
The idea of this setup is that only the auto zone will be changed, while all static entries in the main zone will not be modified automatically.
Alias in static zone: _acme-challenge.backprod.de. real name _acme-challenge.auto.backprod.de. (this is used e.g. for dehydrated, which is still working like before; only with certbot I'm running into problems now)
This setup did work in the past without problems with the dehydrated script and certbot. Seems to be that an update of bind changed this.
If I take a look in the bind logs I will find this:
22-Aug-2022 22:10:12.712 update-security: info: client @0x7f4b9aedd768 127.0.0.1#49886/key mykey: update 'backprod.de/IN' denied
Well, this message makes more sense. But I would assume that mydomain.de should not be updated because it's static and I never set the option in the past that it is allowed to update this zone. Instead auto.mydomain.de should be updated. I'm not sure if this was handled differently by bind in the past. But definitely there was never an explicit authorization to update this zone. So the only zone which certbot should have been able to update in the past is the auto subzone.
Well, after allowing updates in backprod.de for test purposes I'm getting the following error messages, which make no sense at all:
No authoritative SOA record found for _acme-challenge.backprod.de
Received authoritative SOA response for backprod.de - Well, for me that sounds contradictory to the message above. This is the SOA for every subdomain and _acme-challenge is included.
Successfully added TXT record _acme-challenge.backprod.de - Well, that sounds good
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.backprod.de - check that a DNS record exists for this domain - Well, this should exist because certbot is telling me that the record is created. But this seems to be wrong. I don't see the "created" record in bind. So I assume there is no record created although the message above is a success message.
If I manually create the text record at _acme-challenge.auto.backprod.de. certbot is telling me:
Certbot failed to authenticate some domains (authenticator: dns-rfc2136). The Certificate Authority reported these problems:
- Domain: backprod.de
- Type: unauthorized
- Detail: Incorrect TXT record "test" found at _acme-challenge.backprod.de
Yeah, sure. If this entry is not modified by certbot this could not be working - not a surprise. For me this looks like in the past certbot was able to change the entry in auto.backprod.de via the alias. Now it tries to change the previously static master zone and fails for whatever reason. Certbot should also delete this text entry with every run but this also does not happen.
I also tried to remove the alias entry but then I'm getting:
Received response from server: SERVFAIL
So all these error messages of certbot are not very helpful.
Certbot should create this entry. That's the main task of certbot and what its purpose is. But this does not seem to be working anymore. Not sure if a change in bind caused this and if this has to be fixed in bind or certbot. Any ideas why this worked in the past and it's not working anymore?
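The log sequence quoted above ("No authoritative SOA record found for _acme-challenge.backprod.de", then "Received authoritative SOA response for backprod.de") is what the dns-rfc2136 plugin's zone discovery produces: it sends a non-recursive SOA query for the record name itself, then for each parent name, and takes the first name that owns an authoritative SOA RRset in the answer section as the zone to update. The following script is an added example, not part of the original post and not certbot's own code; it models that walk against a constructed fake server holding the two zones described in the post (static backprod.de with the CNAME, dynamic auto.backprod.de). The zone contents, the `ALLOWED_UPDATE_ZONES` set and all record values are constructed for the illustration.

```python
"""Model of how an RFC 2136 client that walks SOA records picks the zone
for _acme-challenge when the name is a CNAME into a separate dynamic zone.
Added example; the fake server below is constructed, not real DNS data."""
from typing import Callable, Dict, List, Optional, Tuple

SOA = "ns1.backprod.de. hostmaster.backprod.de. 1 3600 900 1209600 300"

# Constructed authoritative data: (owner, rtype) -> records at exactly that owner.
FAKE_ZONE_DATA: Dict[Tuple[str, str], List[str]] = {
    ("backprod.de", "SOA"): [SOA],                 # static zone apex
    ("auto.backprod.de", "SOA"): [SOA],            # dynamic zone apex
    ("_acme-challenge.backprod.de", "CNAME"): ["_acme-challenge.auto.backprod.de."],
}

# Constructed policy mirroring the post: only the auto zone accepts updates.
ALLOWED_UPDATE_ZONES = {"auto.backprod.de"}

QueryFn = Callable[[str, str], List[str]]


def fake_query(owner: str, rtype: str) -> List[str]:
    """Answer-section records owned by exactly `owner` of type `rtype`.
    An authoritative server does not substitute a CNAME for the owner name
    when the client asks for SOA, so the SOA lookup at the alias yields []."""
    return list(FAKE_ZONE_DATA.get((owner.rstrip("."), rtype), []))


def base_domain_name_guesses(name: str) -> List[str]:
    """Candidate zone names from most to least specific,
    e.g. a.b.c -> [a.b.c, b.c, c]."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_zone(record_name: str, query: QueryFn = fake_query) -> Optional[str]:
    """Walk parent names and return the first owning an authoritative SOA.
    A CNAME at record_name is *not* followed: the walk continues upward."""
    for guess in base_domain_name_guesses(record_name):
        if query(guess, "SOA"):
            return guess          # "Received authoritative SOA response for ..."
        # otherwise: "No authoritative SOA record found for <guess>"
    return None


def follow_cname(record_name: str, query: QueryFn = fake_query) -> str:
    """Canonical name the alias chain ends at (what a resolver would fetch
    TXT from); returns the input unchanged when there is no CNAME."""
    seen, name = set(), record_name.rstrip(".")
    while name not in seen:
        seen.add(name)
        targets = query(name, "CNAME")
        if not targets:
            return name
        name = targets[0].rstrip(".")
    return name                   # loop guard: stop on a CNAME cycle


def plan_update(record_name: str, query: QueryFn = fake_query) -> Dict[str, object]:
    """Summarise where the TXT update would be sent and whether the
    constructed policy permits it, alongside where validation looks."""
    zone = find_zone(record_name, query)
    validated_at = follow_cname(record_name, query)
    return {
        "update_zone": zone,
        "update_owner": record_name.rstrip("."),
        "update_allowed": zone in ALLOWED_UPDATE_ZONES,
        "validator_reads_txt_at": validated_at,
        "validator_zone": find_zone(validated_at, query),
    }


if __name__ == "__main__":
    for key, value in plan_update("_acme-challenge.backprod.de").items():
        print(f"{key:24} {value}")
```

Running it prints that the update is planned for zone backprod.de (owner _acme-challenge.backprod.de) and is not allowed under the constructed policy, while the validator follows the alias and reads the TXT from _acme-challenge.auto.backprod.de, whose zone is auto.backprod.de. The two zones differ only because the SOA walk stops at the first parent with an SOA and never looks at the CNAME, which is why the update lands in the static zone even though the validation name lives in the dynamic one.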