SERVFAIL when using RFC 2136 plugin


#1

My domain is: malcolm.id.au

I ran this command: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini --dns-rfc2136-propagation-seconds 30 -d malcolm.id.au -d *.malcolm.id.au

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for db.malcolm.id.au
dns-01 challenge for malcolm.id.au
Cleaning up challenges
Received response from server: SERVFAIL

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

You’ll need to enable debug logging on BIND to see why the dns-update is failing.


#3

Hi @qirtaiba,

I’m leaving right now (time to sleep here), but apart from checking what @_az said, you should also recheck the authoritative DNS servers used by your domain.

au zone advertises 3 name servers for your domain:

malcolm.id.au.          14400   IN      NS      ns.malcolm.id.au.
malcolm.id.au.          14400   IN      NS      ns.bestbits.net.
malcolm.id.au.          14400   IN      NS      opendigital.trade.

And opendigital.trade doesn’t answer any request:

dig @opendigital.trade malcolm.id.au

; <<>> DiG 9.10.3-P4-Debian <<>> @opendigital.trade malcolm.id.au
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

In case you reach one of the other servers, they are advertising 4 ns servers for your domain:

malcolm.id.au.          86400   IN      NS      ns.malcolm.id.au.
malcolm.id.au.          86400   IN      NS      bestbits.net.
malcolm.id.au.          86400   IN      NS      opendigital.trade.
malcolm.id.au.          86400   IN      NS      igcaucus.org.

bestbits.net (it is different from the previous one, ns.bestbits.net) and ns.malcolm.id.au are answering requests, but opendigital.trade and igcaucus.org aren’t, so maybe you should fix this situation.

Good luck,
sahsanu


#4

Thanks, yes, one of those name servers was just added for testing, and I forgot it was still there! After increasing bind9’s debugging level I don’t see any SERVFAIL errors, but I see this:

Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': adding an RR at '_acme-challenge.db.malcolm.id.au' TXT "ukIxzs7E2I17aJpdMEKPRfLx-vluz3k4Dbqfk8I1N3c"
Apr 14 17:56:22 server named[25909]: /etc/bind/db.malcolm.id.au.jnl: open: permission denied
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': error: journal open failed: unexpected error
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: updating zone 'malcolm.id.au/IN': deleting an RR at _acme-challenge.db.malcolm.id.au TXT

I opened up the permissions on /etc/bind to see if that would help with the permission denied error, but it didn’t. I’m not sure if this is related to the problem that I’m seeing, anyway.
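To separate a key problem from a policy or filesystem problem, it helps to send the same RFC 2136 update certbot sends, but from nsupdate, and then read the named log lines that #2 asked for and #4 shows. The script below is an added example for that, not code from this thread or from certbot-dns-rfc2136. It assumes ns.malcolm.id.au (the first NS above) as the target server, hmac-sha512 as the key algorithm, and a secret passed in the CERTBOT_TSIG_SECRET environment variable; the TTL of 60 is an arbitrary short value. The log patterns in diagnose_named_log are the messages quoted in #4 plus BIND's standard TSIG-failure and update-refused messages.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the RFC 2136 update that
# certbot-dns-rfc2136 performs, without certbot, so a SERVFAIL can be pinned
# on the TSIG key, the update-policy, or the zone's journal file.
# SERVER, KEY_ALGO and the secret are assumptions; set them to match the
# "key" statement in named.conf before running.
set -eu

ZONE="malcolm.id.au"
SERVER="ns.malcolm.id.au"                       # assumed: first NS listed for the zone
KEY_NAME="certbot-key"                          # key name seen in the named log
KEY_ALGO="hmac-sha512"                          # assumed: must match named.conf
KEY_SECRET="${CERTBOT_TSIG_SECRET:-REPLACE_ME}" # placeholder; read from env, never hard-code

# Print an nsupdate script equivalent to certbot's add (or delete) of the
# _acme-challenge TXT record. Pipe it into: nsupdate -y "$KEY_ALGO:$KEY_NAME:$KEY_SECRET"
acme_txt_update() {
    name="$1"; token="$2"; action="${3:-add}"
    printf 'server %s\n' "$SERVER"
    printf 'zone %s.\n' "$ZONE"
    if [ "$action" = "add" ]; then
        printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$name" "$token"
    else
        printf 'update delete _acme-challenge.%s. TXT\n' "$name"
    fi
    printf 'send\n'
}

# Map one named log line to a likely root cause, most specific first.
# A "signer ... approved" line followed by "journal open failed" (post #4)
# means the key and update-policy are fine; the zone directory is not writable.
diagnose_named_log() {
    case "$1" in
        *"journal open failed"*|*".jnl: open: permission denied"*)
            echo "journal-unwritable" ;;
        *"tsig verify failure"*|*"request has invalid signature"*)
            echo "tsig-bad" ;;
        *"rejected by secure update"*|*"' denied"*)
            echo "policy-denied" ;;
        *"signer "*" approved"*)
            echo "tsig-approved" ;;
        *)  echo "other" ;;
    esac
}

# Live run: "./acme-rfc2136-check.sh run db.malcolm.id.au sometoken" adds the
# record, shows what the server answers, then removes it again.
if [ "${1:-}" = "run" ] && command -v nsupdate >/dev/null 2>&1; then
    acme_txt_update "$2" "$3" add | nsupdate -y "$KEY_ALGO:$KEY_NAME:$KEY_SECRET"
    dig @"$SERVER" +short TXT "_acme-challenge.$2"
    acme_txt_update "$2" "$3" delete | nsupdate -y "$KEY_ALGO:$KEY_NAME:$KEY_SECRET"
fi
```

If nsupdate reports REFUSED or SERVFAIL while the named log shows the signer approved, as in #4, the key is not the problem; look at the directory the zone file (and therefore its .jnl journal) lives in, and at any mandatory access control profile applied to named, before widening anything.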


#5

These are fatal permission errors relating to your DNS updates.

Check your SELinux audit logs, it might not have anything to directly do with your file directory modes.

See this post from yesterday:


#6

OK thanks, this is solved now, I needed to restart bind after changing the directory permissions. I don’t know how /etc/bind wasn’t group-writable to begin with, because that was a long-fixed Debian bug.
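Putting the two fixes from this thread together on the server side (the update logging #2 asks for, and a writable home for the journal that #4 and #6 ran into) as an added BIND 9.10 fragment, not the poster's configuration: the key file path, log file path and key algorithm are assumptions. Debian's bind9 packaging keeps /etc/bind read-only for named and reserves /var/lib/bind for zones that named itself rewrites, so moving the dynamic zone there lets the .jnl journal be written without loosening /etc/bind. The update-policy also narrows what certbot's key can change to TXT records under the zone, so a leaked rfc2136.ini cannot rewrite A, MX or NS data.

```conf
// Added example (not the poster's config): named.conf.local for a zone that
// certbot-dns-rfc2136 updates. Paths and the key algorithm are assumptions.
include "/etc/bind/certbot-key.key";   // contains: key "certbot-key" { algorithm hmac-sha512; secret "..."; };

logging {
    // Dynamic-update decisions and errors go to their own file at debug level,
    // so "signer approved" / "journal open failed" lines are easy to find.
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
        print-category yes;
    };
    category update { update_log; };
    category update-security { update_log; };
};

zone "malcolm.id.au" {
    type master;
    // /var/lib/bind is the Debian location for zones that named rewrites;
    // the journal /var/lib/bind/db.malcolm.id.au.jnl is created next to it.
    file "/var/lib/bind/db.malcolm.id.au";
    // Least privilege: certbot-key may only add/delete TXT records at names
    // under this zone (covers _acme-challenge.malcolm.id.au and
    // _acme-challenge.db.malcolm.id.au); nothing else in the zone is touchable.
    update-policy {
        grant certbot-key zonesub TXT;
    };
};
```

After moving the zone file, restart named (or rndc reload) so it reopens the zone from the new path; as #6 found, a permission change alone is not picked up until named re-opens the files. If named runs under an AppArmor or SELinux profile, the profile must also permit writing in whatever directory the journal ends up in.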