Hello, I'm using certbot and rfc2136 with a bind9 server on debian. certbot is correctly adding and removing the DNS proofs but LetsEncrypt CA doesn't seem to care.
I can run:
sudo certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /path/to/rfc2136.ini --domain ki9.gf4.pw --domain '*.ki9.gf4.pw'
And the process starts.
named logs report that the text record has been set:
Oct 11 11:40:45 myhost named: client @0x7f97f4045568 <LOCAL_IP> #58478/key letsencrypt: updating zone 'gf4.pw/IN': adding an RR at '_acme-challenge.ki9.gf4.pw' TXT "FShM6LHSWAu0n4J8Komjn764BlhsEj5phDPm_Fb89jk"
The certbot command says
Waiting 60 seconds for DNS changes to propagate.
During this time, I can log on to any machine on the internet (not necessarily the server running bind), and dig the record:
$ dig _acme-challenge.ki9.gf4.pw TXT | grep TXT
; <<>> DiG 9.16.1-Ubuntu <<>> _acme-challenge.ki9.gf4.pw TXT
;_acme-challenge.ki9.gf4.pw. IN TXT
_acme-challenge.ki9.gf4.pw. 120 IN TXT "FShM6LHSWAu0n4J8Komjn764BlhsEj5phDPm_Fb89jk"
Cool! There it is, for the world to see. But after 65 seconds, certbot fails thusly:
Waiting for verification...
Challenge failed for domain ki9.gf4.pw
dns-01 challenge for ki9.gf4.pw
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ki9.gf4.pw
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.ki9.gf4.pw

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
What do you mean "No TXT record found at _acme-challenge.ki9.gf4.pw"? We all fucking saw it.
Despite failing, certbot cleans up its old record successfully:
Oct 11 11:41:50 myhost named: client @0x7f97f404b318 <LOCAL_IP>#58656/key letsencrypt: updating zone 'gf4.pw/IN': deleting an RR at _acme-challenge.ki9.gf4.pw TXT
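Added here as an example (not code from the post, certbot, or BIND): a check that asks every authoritative nameserver for gf4.pw directly for the challenge TXT, because a dig through a resolver shows only one server's (possibly cached) answer while the CA may query any of them. The ns1/ns2 names and the fake answers are constructed for the offline run; the real backend assumes dig is installed.

```python
"""Check that every authoritative nameserver for a zone serves a dns-01 TXT
challenge value.  Added example, not code from the original post or certbot.
Assumes `dig` is installed for real use; `query` is pluggable for testing."""
import subprocess
from typing import Callable, Dict, List, Optional

# (server, or None for the system resolver; qname; rtype) -> answer strings
QueryFn = Callable[[Optional[str], str, str], List[str]]

def dig_query(server: Optional[str], qname: str, rtype: str) -> List[str]:
    """Ask one server directly with `dig +short`, bypassing resolver caches."""
    cmd = ["dig", "+short", "+time=5", "+tries=1"]
    if server:
        cmd.append(f"@{server}")
    cmd += [qname, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    # dig prints TXT data quoted; strip the quotes so values compare cleanly
    return [ln.strip().strip('"') for ln in out.splitlines() if ln.strip()]

def check_challenge(zone: str, challenge_name: str, expected: str,
                    query: QueryFn = dig_query) -> Dict[str, bool]:
    """Map each NS of `zone` to whether it answers `challenge_name` TXT with
    `expected`.  The CA may ask any authoritative server, so one server that
    has not yet received the update is enough to fail the dns-01 check."""
    results: Dict[str, bool] = {}
    for ns in query(None, zone, "NS"):
        ns = ns.rstrip(".")
        results[ns] = expected in query(ns, challenge_name, "TXT")
    return results

def missing_servers(results: Dict[str, bool]) -> List[str]:
    """Nameservers that did not return the expected challenge value."""
    return sorted(ns for ns, ok in results.items() if not ok)

# Constructed answers standing in for two authoritative servers (hypothetical
# names); the token is the one shown in the post.
TOKEN = "FShM6LHSWAu0n4J8Komjn764BlhsEj5phDPm_Fb89jk"
FAKE_ANSWERS = {
    (None, "gf4.pw", "NS"): ["ns1.example.test.", "ns2.example.test."],
    ("ns1.example.test", "_acme-challenge.ki9.gf4.pw", "TXT"): [TOKEN],
    ("ns2.example.test", "_acme-challenge.ki9.gf4.pw", "TXT"): [],
}

def fake_query(server, qname, rtype):
    return FAKE_ANSWERS.get((server, qname, rtype), [])

if __name__ == "__main__":
    res = check_challenge("gf4.pw", "_acme-challenge.ki9.gf4.pw", TOKEN, fake_query)
    print(res, "missing:", missing_servers(res))
```

For a live run, pass no `query` argument so `dig_query` is used; any server listed by `missing_servers` is one the CA could hit and get the "No TXT record found" answer from.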