I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini -d 'dc-le-test.rc.fas.harvard.edu'
It produced this output:
Requesting a certificate for dc-le-test.rc.fas.harvard.edu
Encountered exception during recovery: certbot.errors.PluginError: Encountered error when making query: The DNS operation timed out.
Encountered error when making query: The DNS operation timed out.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): apache 2.4.6
The operating system my web server runs on is (include version): CentOS 7.9.2009 (Core)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0
I have set up my own DNS server for this, and I believe it is not being blocked at the networking level. I can connect to it on port 53 from everywhere that I've tried. I'm assuming this is a BIND config error, but if you are able to add any information from your end that may help locate the problem, that would be much appreciated.
Regarding the nslookup results, this is not a publicly accessible webserver. I intentionally set it up that way to test this rfc2136 method of certificate creation. Would that explain what you're seeing? And would that be expected?
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for dc-le-test.rc.fas.harvard.edu
Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for _acme-challenge.dc-le-test.rc.fas.harvard.edu using names: ['_acme-challenge.dc-le-test.rc.fas.harvard.edu', 'dc-le-test.rc.fas.harvard.edu', 'rc.fas.harvard.edu', 'fas.harvard.edu', 'harvard.edu', 'edu'].
Unable to determine base domain for _acme-challenge.dc-le-test.rc.fas.harvard.edu using names: ['_acme-challenge.dc-le-test.rc.fas.harvard.edu', 'dc-le-test.rc.fas.harvard.edu', 'rc.fas.harvard.edu', 'fas.harvard.edu', 'harvard.edu', 'edu'].
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I'm not sure what this error means exactly, but it could be due to an incorrect zone configuration. Maybe the BIND logs can shed some light on this, although my experience with BIND and (debug) logging is that it is (#&$.
OR
They can also return a set of delegated nameservers for said subdomain.
[which in turn must be accessible and either answer the question OR delegate it ...]
I have a couple of questions about the error that I was receiving, but before I take your time with those, I wanted to find out if the rate limit error mentioned earlier will make them moot.
The error message associated with the rate limit seems pretty clear that there's nothing that can be done about the 50 certificate limit. Is that correct? We'd need to continue to keep our total number of certificates under 50 per week for the entire harvard.edu domain? I ask because we were hoping to use the DNS verification to install certs on even more hosts.
Thank you for the clarification. This would, however, be for the entire harvard.edu domain, correct? I ask because we are one small department at the university (rc.fas.harvard.edu) and we have no way to ensure that other departments under the harvard.edu domain will do their part to stay within any limits set.
Oh, sorry that I was misunderstanding that. That would certainly help as we wouldn't be adding 50 new certificates per week. Unfortunately, I still would have no way of knowing if other departments at the university would push the entire harvard.edu domain over the limit. So that may still pose a problem.