Problem on dns_rfc2136

I am using dns-rfc2136 on multiple servers, but today on a Bionic Ubuntu I have a problem:

First I installed certbot and added the plugin:
sudo apt install python3-certbot-dns-rfc2136

Then I created my credential file named /etc/bind/c.ini:

# Target DNS server
dns_rfc2136_server=127.0.0.1
# Target DNS port
dns_rfc2136_port=53
# TSIG key name
dns_rfc2136_name=keyname.
# TSIG key secret
dns_rfc2136_secret=xxxx...xxx$
# TSIG key algorithm
dns_rfc2136_algorithm=HMAC-SHA512

After that I ran the command:

sudo certbot certonly --manual-public-ip-logging-ok --agree-tos --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/c.ini -d "example.com" -d "*.example.com"

But this error occurs:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.com
Unsafe permissions on credentials configuration file: /etc/bind/c.ini
Cleaning up challenges
Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 87, in _get_rfc2136_client
    dns.tsig.HMAC_MD5))
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 98, in __init__
    key_name: key_secret
  File "/usr/lib/python3/dist-packages/dns/tsigkeyring.py", line 33, in from_text
    secret = base64.decodestring(maybe_encode(textring[keytext]))
  File "/usr/lib/python3.6/base64.py", line 554, in decodestring
    return decodebytes(s)
  File "/usr/lib/python3.6/base64.py", line 546, in decodebytes
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
    self._get_rfc2136_client().del_txt_record(validation_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 87, in _get_rfc2136_client
    dns.tsig.HMAC_MD5))
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 98, in __init__
    key_name: key_secret
  File "/usr/lib/python3/dist-packages/dns/tsigkeyring.py", line 33, in from_text
    secret = base64.decodestring(maybe_encode(textring[keytext]))
  File "/usr/lib/python3.6/base64.py", line 554, in decodestring
    return decodebytes(s)
  File "/usr/lib/python3.6/base64.py", line 546, in decodebytes
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
An unexpected error occurred:
binascii.Error: Incorrect padding

Any idea?

1 Like

Well, you can't post your TSIG secret, obviously, since it's a secret key, but...

Does the key really have a $ in it? That's not a normal base64 character.

Did you copy and paste it from a text editor that indicates long lines with $, truncating it in the middle?

Can you double check it's correct and complete?

Maybe the software that generated it uses unpadded base64, so you'd have to add one or more = signs to the end?

2 Likes

Thanks for your attention. No, there is no $ sign, just a little text like: PBZXHzpLn

I found there must be two equal signs (==) at the end of the secret!

3 Likes
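A small checker for the two things this thread turns up, certbot's "Unsafe permissions" warning and a TSIG secret that is not valid padded base64 (the cause of "Incorrect padding"), written as an added example for this thread, not code from certbot or dnspython. The sample credentials file and its secret value are constructed, and the group-permission check is stricter than certbot's own warning.

```python
import base64
import stat

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

# Constructed sample using the thread's keys; the secret is deliberately unpadded base64.
SAMPLE_CREDENTIALS = """\
dns_rfc2136_name=keyname.
dns_rfc2136_secret=Zm9vYmFyIQ
dns_rfc2136_algorithm=HMAC-SHA512
"""


def normalize_tsig_secret(secret):
    """Return (padded_secret, findings); dnspython base64-decodes this value."""
    body = secret.strip().rstrip("=")
    if not body:
        return secret, ["secret is empty or missing"]
    bad = sorted(set(ch for ch in body if ch not in B64_ALPHABET))
    if bad:  # e.g. a '$' copied from an editor's line-end marker
        return secret, ["non-base64 characters in secret: " + "".join(bad)]
    if len(body) % 4 == 1:
        return secret, ["length %d is impossible for base64; secret is truncated" % len(body)]
    padded = body + "=" * (-len(body) % 4)
    base64.b64decode(padded, validate=True)  # now guaranteed to decode
    if padded != secret.strip():
        return padded, ["padding corrected: secret must end with %d '='" % (-len(body) % 4)]
    return padded, []


def mode_findings(mode):
    """Permission findings for the credentials file's st_mode bits."""
    findings = []
    if mode & stat.S_IRWXO:  # world bits are what certbot's 'Unsafe permissions' warning is about
        findings.append("world-accessible; chmod 600 the credentials file")
    if mode & stat.S_IRWXG:  # stricter than certbot: keep the TSIG secret owner-only
        findings.append("group-accessible; chmod 600 the credentials file")
    return findings


def check_credentials(text, mode):
    """Parse key=value credentials text; return the corrected secret and all findings."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # split once so '=' padding stays in the value
            opts[key.strip()] = value.strip()
    secret, secret_findings = normalize_tsig_secret(opts.get("dns_rfc2136_secret", ""))
    return {"secret": secret, "findings": mode_findings(mode) + secret_findings}
```

Feed it the real file's text and `stat.S_IMODE(os.stat(path).st_mode)` to check an installed credentials file.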
