I have been attempting to perform a dry-run to renew a certificate. It uses the rfc2136 plugin. So far, it has failed.
I searched for similar posts regarding rfc2136. They were solved by fixing file permissions. However, none of the posts mentioned which permissions, what the permissions were, or how they were changed.
My domain is: sma-inc.us
I ran this command:
sudo certbot certonly \
-v \
--domains "*.$DOMAIN" \
--agree-tos \
--dns-rfc2136 \
--dns-rfc2136-credentials "/root/.secrets/certbot/rfc2136.ini" \
--dns-rfc2136-propagation-seconds 10 \
--dry-run
It produced this output:
(Note: the log output, letsencrypt.log, is quite long. Is there a way to attach a file?) Here is a (hopefully) useful excerpt:
2022-11-18 11:48:06,500:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-11-18 11:48:06,500:INFO:certbot._internal.auth_handler:dns-01 challenge for sma-inc.us
2022-11-18 11:48:06,511:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.sma-inc.us
2022-11-18 11:48:06,516:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for sma-inc.us
2022-11-18 11:48:06,522:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/_internal/auth_handler.py", line 85, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.6/site-packages/certbot/plugins/dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 81, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3.6/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 144, in add_txt_record
    .format(dns.rcode.to_text(rcode)))
certbot.errors.PluginError: Received response from server: SERVFAIL
Output from named:
18-Nov-2022 11:48:06.518 update: info: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': adding an RR at '_acme-challenge.sma-inc.us' TXT "IVhQbly7ce141NJIcQoqMp3XGMYTTgda0AUeZ4pI_lU"
18-Nov-2022 11:48:06.518 general: warning: dns_dnssec_findzonekeys2: error reading Ksma-inc.us.+005+15981.private: file not found
18-Nov-2022 11:48:06.518 general: warning: dns_dnssec_findzonekeys2: error reading Ksma-inc.us.+005+38578.private: file not found
18-Nov-2022 11:48:06.518 update: error: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': found no active private keys, unable to generate any signatures
18-Nov-2022 11:48:06.518 update: error: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': RRSIG/NSEC/NSEC3 update failed: not found
18-Nov-2022 11:48:06.530 update: info: client @0x7f78c41facf0 192.168.69.246#58140/key letsencrypt: updating zone 'sma-inc.us/IN': deleting an RR at _acme-challenge.sma-inc.us TXT
My DNS server is (include version):
BIND (named) 9.16.33
The operating system my DNS server runs on is (include version):
openSUSE Leap 15.4
I can login to a root shell on my machine (yes or no, or I don't know):
Yes.
The version of my client is: certbot 1.22.0
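As an added diagnostic that is not part of the original post, certbot or BIND: a small Python script that parses the named log lines quoted above (copied into the script as sample input) and groups, per zone, the TSIG-authenticated update attempts, the update errors and the DNSSEC private key files that named reported it could not read. The function and regex names (`diagnose_named_log`, `KEYFILE_RE`, `UPDATE_RE`) are my own; the point it makes visible is that the update under key `letsencrypt` was accepted and started, and the failure is in signing the zone afterwards, which is where to look before touching the certbot side.

```python
import re
from collections import defaultdict

# Log lines copied from the named output in the post above (sample input).
NAMED_LOG = """\
18-Nov-2022 11:48:06.518 update: info: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': adding an RR at '_acme-challenge.sma-inc.us' TXT "IVhQbly7ce141NJIcQoqMp3XGMYTTgda0AUeZ4pI_lU"
18-Nov-2022 11:48:06.518 general: warning: dns_dnssec_findzonekeys2: error reading Ksma-inc.us.+005+15981.private: file not found
18-Nov-2022 11:48:06.518 general: warning: dns_dnssec_findzonekeys2: error reading Ksma-inc.us.+005+38578.private: file not found
18-Nov-2022 11:48:06.518 update: error: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': found no active private keys, unable to generate any signatures
18-Nov-2022 11:48:06.518 update: error: client @0x7f78c41facf0 192.168.69.246#58112/key letsencrypt: updating zone 'sma-inc.us/IN': RRSIG/NSEC/NSEC3 update failed: not found
"""

# BIND names zone key files K<zone>.+<alg>+<keyid>.private; pull zone, alg, id out.
KEYFILE_RE = re.compile(
    r"dns_dnssec_findzonekeys2: error reading "
    r"K(?P<zone>\S+?)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.private: file not found")
# Dynamic-update lines: level, client address, TSIG key name, zone and message.
UPDATE_RE = re.compile(
    r"update: (?P<level>\w+): client \S+ (?P<addr>\S+)/key (?P<tsig>\S+): "
    r"updating zone '(?P<zone>[^/]+)/IN': (?P<msg>.*)")

def diagnose_named_log(text):
    """Group update errors and missing DNSSEC key files per zone and give a verdict."""
    zones = defaultdict(lambda: {"missing_keys": [], "errors": [], "clients": set()})
    for line in text.splitlines():
        m = KEYFILE_RE.search(line)
        if m:
            zones[m["zone"]]["missing_keys"].append((int(m["alg"]), int(m["keyid"])))
            continue
        m = UPDATE_RE.search(line)
        if m:
            z = zones[m["zone"]]
            z["clients"].add((m["addr"], m["tsig"]))  # who updated, under which TSIG key
            if m["level"] == "error":
                z["errors"].append(m["msg"])
    for z in zones.values():
        if z["missing_keys"] and any("no active private keys" in e for e in z["errors"]):
            z["verdict"] = ("named accepted the TSIG-signed update but could not sign the "
                            "zone: the private key files listed could not be read")
        elif z["errors"]:
            z["verdict"] = "update failed for another reason: " + z["errors"][0]
        else:
            z["verdict"] = "no update errors"
    return dict(zones)

if __name__ == "__main__":
    for zone, z in diagnose_named_log(NAMED_LOG).items():
        print(zone, "->", z["verdict"], z["missing_keys"], sorted(z["clients"]))
```

Feed it `journalctl -u named` output (or the named log file) to get the same per-zone summary for other zones and clients.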