RFC2136 - _acme-challenge record not found

First of all, thanks a lot for your great work with letsencrypt and certbot to make the web more secure.

I am currently trying to get DNS-validated certificates working, as I do not only use certs for HTTPS but also with my mail server, and I wanted to get a wildcard cert to ease the use among multiple processes (e.g. I do not want to set up an additional web server for the host mail.murphyslantech.de, as it normally should care about mail (SMTP etc.) but not HTTPS).

I am also running a PowerDNS server which allows DNS updates. I already checked during the request whether the record is created correctly. Querying the DNS server while certbot is trying to verify the _acme-challenge.murphyslantech.de TXT record, I get the right results from my DNS server:
dig @46.4.. -t TXT _acme-challenge.murphyslantech.de

; <<>> DiG 9.16.6-Ubuntu <<>> @46.4.104.234 -t TXT _acme-challenge.murphyslantech.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20638
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.murphyslantech.de. IN  TXT

;; ANSWER SECTION:
_acme-challenge.murphyslantech.de. 120 IN TXT  "M1U0EphIMA00XMJHLSerFeesF3dZnef8LPDXOKJUHt8"

;; Query time: 11 msec
;; SERVER: 46.4.*.*#53(46.4.104.234)
;; WHEN: Mi Jan 06 14:15:48 CET 2021
;; MSG SIZE  rcvd: 118

However, certbot reports that the record cannot be found. I think this might have to do with the fact that I am using my hosting provider's service to act as a secondary (alternative) DNS service, which uses zone transfers (AXFR, IXFR) to replicate the DNS entries.

Any ideas on how to get certbot with dns-rfc2136 working in such a setup are very welcome.

My domain is:
*.murphyslantech.de

I ran this command:

docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" --network dns certbot-rfc2136 certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot-rfc2136.conf -d '*.murphyslantech.de'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Requesting a certificate for *.murphyslantech.de
Performing the following challenges:
dns-01 challenge for murphyslantech.de
Unsafe permissions on credentials configuration file: /etc/certbot-rfc2136.conf
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain murphyslantech.de
dns-01 challenge for murphyslantech.de
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: murphyslantech.de
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.murphyslantech.de - check that a DNS record exists
  for this domain

My web server is (include version):
none

The operating system my web server runs on is (include version):
Ubuntu 20.04 LTS, docker 19.03.13

My hosting provider, if applicable, is:
Hetzner (also used for secondary DNS with A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0

Hi @murphyslantech

checking your domain via https://check-your-website.server-daten.de/?q=murphyslantech.de

These are your authoritative name servers:

Domain / Nameserver / NS-IP

www.murphyslantech.de
  ns1.first-ns.de / fsn1-dns-aut1b.hetzner.company

murphyslantech.de
  ns1.first-ns.de / fsn1-dns-aut1b.hetzner.company
    213.239.242.238 (Falkenstein/Saxony/Germany (DE) - Hetzner Online GmbH)
    2a01:4f8:0:a101::a:1 (Falkenstein/Saxony/Germany (DE) - Hetzner Online GmbH)
  robotns2.second-ns.de / nbg1-dns-aut1b.hetzner.company
    213.133.105.6 (Nuremberg/Bavaria/Germany (DE) - Hetzner Online GmbH)
    2a01:4f8:d0a:2004::2 (Nuremberg/Bavaria/Germany (DE) - Hetzner Online GmbH)
  robotns3.second-ns.com / dus1-dns-aut1b.hetzner.company
    193.47.99.3 (Düsseldorf/North Rhine-Westphalia/Germany (DE) - myLoc managed IT AG)
    2001:67c:192c::add:a3 (Düsseldorf/North Rhine-Westphalia/Germany (DE) - myLoc managed IT AG)

Does your PowerDNS update these name servers?

If not, that can't work.

Thanks for pointing me in the right direction.
The servers you listed are provided by my hosting service (Hetzner), which update their information using zone transfers at certain intervals (which I cannot control), so I have no option to update those directly.

I will try adding my own nameserver to the list, but of course I will have to wait until this information is also propagated by zone transfers.

I will keep you updated on the progress.

You can use delegation to reduce the nameservers used to just yours.
That is, leave those as is.
Add a new delegated zone - example: acme.murphyslantech.de
And make only one server authoritative for this new zone - yours.
[this would require you to allow DNS inbound to your managed server during expected challenge times]

You can use acme-dns to implement @rg305's suggestion.

There is also an option in the DNS plugin called --dns-rfc2136-propagation-seconds.

This can add a delay between setting the TXT record and asking the certificate authority to validate it. If you're making an unattended certificate request, you might be able to set this delay pretty high (e.g. 900 or 3600 seconds), assuming that your authoritative nameserver will automatically pick up the changes during a certain time interval. This is not pleasant if you're sitting there watching the process, but if you're doing it from a script or you start it and then go have a meal or a nap, it might be OK! :fork_and_knife: :zzz:

1 Like
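The CA does not ask the RFC 2136 master that received the update; it resolves _acme-challenge.murphyslantech.de through the zone's public NS set, so as long as the provider's secondaries are still waiting for their next AXFR/IXFR the CA gets exactly the NXDOMAIN shown above. The script below, added here as an example (it is not certbot's or the dns-rfc2136 plugin's code), polls every authoritative server with recursion disabled until all of them serve the TXT value, and reports how long that took, which gives a measured value for --dns-rfc2136-propagation-seconds rather than a guess. Live lookups assume dnspython is installed (imported lazily); the server names and token used by the built-in simulation are constructed.

```python
"""Poll every authoritative name server for the ACME TXT record.

Added example for this thread, not code from certbot or its plugin.
Live lookups need dnspython; the decision logic is pure so it can be
exercised with the constructed simulation at the bottom.
"""
import sys
import time

NXDOMAIN = "NXDOMAIN"      # marker: the server answered with name error
NO_ANSWER = "NO_ANSWER"    # marker: timeout, refused, or other rcode
DEMO_TOKEN = "constructed-acme-token"   # constructed, not a real challenge value


def missing_on(expected, answers):
    """Servers whose answer does not carry the expected TXT string.

    `answers` maps server -> list of TXT strings, or one of the markers.
    """
    return sorted(server for server, txts in answers.items()
                  if not isinstance(txts, list) or expected not in txts)


def query_txt(name, server, timeout=5.0):
    """Ask one authoritative server directly (RD bit cleared) for TXT rdata."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype  # dnspython

    q = dns.message.make_query(name, dns.rdatatype.TXT)
    q.flags &= ~dns.flags.RD          # authoritative servers refuse recursion anyway
    try:
        resp = dns.query.udp(q, server, timeout=timeout)
    except Exception:                  # timeout, network error, refused
        return NO_ANSWER
    if resp.rcode() == dns.rcode.NXDOMAIN:
        return NXDOMAIN
    if resp.rcode() != dns.rcode.NOERROR:
        return NO_ANSWER
    return [b"".join(r.strings).decode("utf-8", "replace")
            for rrset in resp.answer if rrset.rdtype == dns.rdatatype.TXT
            for r in rrset]


def authoritative_servers(zone):
    """IPv4 addresses of the zone's NS hosts, as the CA's resolver finds them."""
    import dns.resolver  # dnspython

    return [a.address
            for ns in dns.resolver.resolve(zone, "NS")
            for a in dns.resolver.resolve(ns.target, "A")]


def wait_until_propagated(name, expected, servers, query=query_txt,
                          poll=15, limit=3600,
                          clock=time.monotonic, sleep=time.sleep):
    """Poll until every server serves `expected`; return (seconds, still_missing)."""
    start = clock()
    while True:
        answers = {s: query(name, s) for s in servers}
        missing = missing_on(expected, answers)
        elapsed = clock() - start
        if not missing or elapsed >= limit:
            return elapsed, missing
        sleep(poll)


def simulated_query(sync_after_round):
    """Constructed stand-in for query_txt: each server starts answering only
    after the number of polling rounds given for it (the master after 0)."""
    seen = {}

    def query(name, server):
        seen[server] = seen.get(server, 0) + 1
        if seen[server] > sync_after_round.get(server, 0):
            return [DEMO_TOKEN]
        return NXDOMAIN
    return query


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_propagation.py <_acme-challenge.name> <txt-value>")
    name, value = sys.argv[1], sys.argv[2]
    zone = name.split(".", 1)[1]   # assumption: the record sits directly under the zone apex
    servers = authoritative_servers(zone)
    took, left = wait_until_propagated(name, value, servers)
    if left:
        print(f"gave up after {took:.0f}s; still missing on {left}")
    else:
        print(f"all {len(servers)} authoritative servers answered after {took:.0f}s")
```

Run it right after the plugin has placed the record (or after an `nsupdate` of your own) and set --dns-rfc2136-propagation-seconds a bit above the longest time it reports; if one secondary never catches up within the limit, the problem is the transfer schedule, not certbot.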

Thanks for the tip with the propagation time - I just lowered my refresh setting to have a faster propagation (kind of problematic to mark a zone as "not stable" just because we add and remove entries in shorter periods of time).
Delegation will only work for a subdomain if I am not totally mistaken (which may happen). Therefore it will not allow me to use it on a second-level domain. Having a single nameserver for a second-level domain is considered problematic, and for .de domains DENIC even requires at least two nameservers to be available, which should be on different network segments.
I already have a fully fledged nameserver using PowerDNS up and running in docker containers with native IPv6, so I could quite easily just spin up another container, but it would be on the same network segment. The update itself via RFC2136 is working without any trouble; I can see the acme record showing up properly when I query the master nameserver, but it seems to me that the propagation just takes longer than the default 60 seconds.

I will keep you updated on the topic - I am currently running another try to get things going with a longer wait-time (currently waiting ;))

I think you might not have understood how to take advantage of delegation.

You don't delegate: domain.de
You CNAME entries in domain.de - like: _acme-challenge.domain.de
To a delegated domain - like: acmedns.domain.de
So LE could end up asking for _acme-challenge.acmedns.domain.de to validate domain.de requests.
domain.de remains with the same two DNS servers.
acmedns.domain.de can be served by your single DNS system when required.
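To make the mechanism concrete, here is a toy iterative resolver over constructed records, added as an example; it is not code from certbot, acme-dns or any real resolver. The names (domain.de, acmedns.domain.de), the server addresses (documentation ranges 198.51.100.0/24 and 192.0.2.0/24) and the token are all made up. The parent zone keeps its two provider servers and carries only an NS delegation, glue and the CNAME; the TXT lives solely on the single server that serves the child zone, and the trace shows that this is the server the TXT query ends up at.

```python
"""Trace how a validating resolver follows _acme-challenge CNAME + delegation.

Added example for this thread (constructed records, toy resolver).
"""

# Zone domain.de, identical on both provider servers; no TXT needed here.
PARENT = {
    ("domain.de.", "NS"): ["ns1.provider.example.", "ns2.provider.example."],
    ("acmedns.domain.de.", "NS"): ["ns.acmedns.domain.de."],      # delegation
    ("ns.acmedns.domain.de.", "A"): ["192.0.2.10"],                # glue
    ("_acme-challenge.domain.de.", "CNAME"): ["_acme-challenge.acmedns.domain.de."],
}

# Zone acmedns.domain.de, served only by your RFC 2136 master.
CHILD = {
    ("acmedns.domain.de.", "NS"): ["ns.acmedns.domain.de."],
    ("_acme-challenge.acmedns.domain.de.", "TXT"): ["constructed-token"],
}

SERVERS = {"198.51.100.1": PARENT, "198.51.100.2": PARENT, "192.0.2.10": CHILD}
GLUE = {"ns1.provider.example.": "198.51.100.1",
        "ns2.provider.example.": "198.51.100.2",
        "ns.acmedns.domain.de.": "192.0.2.10"}
PARENT_HINTS = ["198.51.100.1", "198.51.100.2"]   # stands in for the root/TLD referral


def apex_of(data):
    """The zone apex is the shortest owner name that has NS records."""
    return min((owner for owner, rtype in data if rtype == "NS"), key=len)


def lookup(server, name, rtype):
    """What one authoritative server answers for (name, rtype):
    ('answer', rdata) | ('cname', target) | ('referral', zone, ns_names) | ('nxdomain',)"""
    data = SERVERS[server]
    if (name, rtype) in data:
        return "answer", data[(name, rtype)]
    if (name, "CNAME") in data:
        return "cname", data[(name, "CNAME")][0]
    labels = name.split(".")
    for i in range(1, len(labels)):          # look for a delegation below the apex
        zone = ".".join(labels[i:])
        if (zone, "NS") in data and zone != apex_of(data):
            return "referral", zone, data[(zone, "NS")]
    return ("nxdomain",)


def resolve_txt(name, hints, max_hops=8):
    """Iterative resolution of a TXT record; returns (rdata or None, trail).

    The trail lists (server, queried name, response kind) per step, so the
    server that finally answers is trail[-1][0].
    """
    servers = list(hints)
    trail = []
    for _ in range(max_hops):
        server = servers[0]
        result = lookup(server, name, "TXT")
        trail.append((server, name, result[0]))
        if result[0] == "answer":
            return result[1], trail
        if result[0] == "cname":
            name, servers = result[1], list(hints)   # restart for the CNAME target
        elif result[0] == "referral":
            servers = [GLUE[ns] for ns in result[2]]  # follow the delegation
        else:
            return None, trail
    raise RuntimeError("CNAME/referral loop")


if __name__ == "__main__":
    txt, trail = resolve_txt("_acme-challenge.domain.de.", PARENT_HINTS)
    for server, qname, kind in trail:
        print(f"{server:14} {qname:45} -> {kind}")
    print("TXT:", txt)
```

The trace is cname (at a provider server), referral (the provider server hands the child zone over), answer (from 192.0.2.10): domain.de's own name servers never have to carry the challenge record, so their zone-transfer interval stops mattering and the RFC 2136 update only has to land on the one server you control.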

Ok, after waiting (actually I started certbot before going to bed as proposed) I found myself happy this morning, as the attempt was successful at least for another domain I am responsible for.
For my own domain I just figured out what happened: I thought I had moved all my domains to the new name server, away from the service of my hosting provider, but it seems I missed my primary domain :expressionless: - so I will fix this issue first and then give certbot another spin. I don't have a problem if the certification takes a bit longer, as I am going to automate the renewal completely anyway, and in this case there should be enough time before the certs run out.

2 Likes