First of all, thanks a lot for your great work with letsencrypt and certbot to make the web more secure.
I am currently trying to get DNS-checked certificates working, as I use certs not only for HTTPS but also for my mail server, and I wanted to get a wildcard cert to ease their use among multiple processes (e.g. I do not want to set up an additional web server for the host mail.murphyslantech.de, as it should normally care about mail (SMTP etc.) but not HTTPS).
I am also running a PowerDNS server which allows DNS updates. I already checked during the request whether the record is created correctly. Querying the DNS server during the attempt to verify the _acme-challenge.murphyslantech.de TXT record, I get the right results from my DNS server:
```
dig @46.4.. -t TXT _acme-challenge.murphyslantech.de

; <<>> DiG 9.16.6-Ubuntu <<>> @126.96.36.199 -t TXT _acme-challenge.murphyslantech.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20638
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.murphyslantech.de. IN TXT

;; ANSWER SECTION:
_acme-challenge.murphyslantech.de. 120 IN TXT "M1U0EphIMA00XMJHLSerFeesF3dZnef8LPDXOKJUHt8"

;; Query time: 11 msec
;; SERVER: 46.4.*.*#53(188.8.131.52)
;; WHEN: Mi Jan 06 14:15:48 CET 2021
;; MSG SIZE rcvd: 118
```
However, certbot reports that the record cannot be found. I think this might have to do with the fact that I am using my hosting provider's service to act as a secondary (alternative) DNS service, which uses zone transfers (AXFR, IXFR) to replicate the DNS entries.
Any ideas on how to get certbot with DNS-RFC2136 working in such a setup are very welcome.
My domain is:
I ran this command:
```
docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" --network dns certbot-rfc2136 certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot-rfc2136.conf -d '*.murphyslantech.de'
```
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Requesting a certificate for *.murphyslantech.de
Performing the following challenges:
dns-01 challenge for murphyslantech.de
Unsafe permissions on credentials configuration file: /etc/certbot-rfc2136.conf
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain murphyslantech.de
dns-01 challenge for murphyslantech.de
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: murphyslantech.de
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.murphyslantech.de - check that a DNS record exists for
   this domain
```
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS, docker 19.03.13
My hosting provider, if applicable, is:
Hetzner (also used for secondary DNS with A
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
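A check a practitioner would run before certbot hands the challenge to the CA, added here as an example and not taken from the post or from certbot itself: query every authoritative nameserver of the zone directly, so a secondary that has not yet received the AXFR/IXFR shows up as the server answering empty (the NXDOMAIN the CA reported) instead of only the primary being checked. The helper names, the example zone and the token value are assumptions.

```shell
#!/bin/sh
# Report which authoritative nameservers of a zone do not yet serve the
# expected _acme-challenge TXT value. Hypothetical helper, not part of certbot.

# txt_present_on NS NAME EXPECTED -> 0 when NS serves exactly EXPECTED as a TXT string
txt_present_on() {
  ns=$1; name=$2; expected=$3
  # +short prints each TXT string quoted; short timeout so a dead server does not stall
  dig +short +tries=1 +time=3 @"$ns" -t TXT "$name" 2>/dev/null \
    | tr -d '"' | grep -qx -- "$expected"
}

# check_txt_on_all NAME EXPECTED NS... -> 0 only when every listed server serves it;
# prints one status line per server so a lagging secondary is visible
check_txt_on_all() {
  name=$1; expected=$2; shift 2
  missing=""
  for ns in "$@"; do
    if txt_present_on "$ns" "$name" "$expected"; then
      echo "ok       $ns serves $name"
    else
      echo "MISSING  $ns does not serve the expected TXT for $name"
      missing="$missing $ns"
    fi
  done
  [ -z "$missing" ]
}

# zone_nameservers ZONE -> the NS set a validating resolver may pick from, one per line
zone_nameservers() {
  dig +short -t NS "$1" | sed 's/\.$//'
}

# Live usage (needs network); TOKEN is the value written by the dns-rfc2136 update:
#   check_txt_on_all _acme-challenge.murphyslantech.de "$TOKEN" $(zone_nameservers murphyslantech.de)
```

If the secondary keeps answering empty well past certbot's 60-second propagation wait shown in the output, the delay is in the zone transfer from the primary, not in the update itself.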