I ran this command:
certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini --dns-rfc2136-propagation-seconds 30 -d malcolm.id.au -d *.malcolm.id.au
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for db.malcolm.id.au
dns-01 challenge for malcolm.id.au
Cleaning up challenges
Received response from server: SERVFAIL
My web server is (include version): Apache 2.4.25
The operating system my web server runs on is (include version): Debian GNU/Linux 9
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
I’m leaving right now (time to sleep here), but apart from checking what @_az said, you should also recheck the authoritative DNS servers used by your domain.
The au zone advertises 3 name servers for your domain:
malcolm.id.au. 14400 IN NS ns.malcolm.id.au.
malcolm.id.au. 14400 IN NS ns.bestbits.net.
malcolm.id.au. 14400 IN NS opendigital.trade.
And opendigital.trade doesn’t answer any request:
dig @opendigital.trade malcolm.id.au
; <<>> DiG 9.10.3-P4-Debian <<>> @opendigital.trade malcolm.id.au
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
If you reach one of the other servers, they advertise 4 NS servers for your domain:
malcolm.id.au. 86400 IN NS ns.malcolm.id.au.
malcolm.id.au. 86400 IN NS bestbits.net.
malcolm.id.au. 86400 IN NS opendigital.trade.
malcolm.id.au. 86400 IN NS igcaucus.org.
bestbits.net (it is different from the previous one, ns.bestbits.net) and ns.malcolm.id.au are answering requests, but opendigital.trade and igcaucus.org aren’t, so maybe you should fix this situation.
Thanks, yes one of those name servers was just added for testing, and I forgot it was still there! After increasing bind9's debugging level I don't see any SERVFAIL errors but I see this:
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': adding an RR at '_acme-challenge.db.malcolm.id.au' TXT "ukIxzs7E2I17aJpdMEKPRfLx-vluz3k4Dbqfk8I1N3c"
Apr 14 17:56:22 server named[25909]: /etc/bind/db.malcolm.id.au.jnl: open: permission denied
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44349/key certbot-key: updating zone 'malcolm.id.au/IN': error: journal open failed: unexpected error
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: signer "certbot-key" approved
Apr 14 17:56:22 server named[25909]: client 192.168.42.10#44350/key certbot-key: updating zone 'malcolm.id.au/IN': deleting an RR at _acme-challenge.db.malcolm.id.au TXT
I opened up the permissions on /etc/bind to see if that would help with the permission denied error, but it didn't. I'm not sure if this is related to the problem that I'm seeing, anyway.
OK thanks, this is solved now, I needed to restart bind after changing the directory permissions. I don’t know how /etc/bind wasn’t group-writable to begin with, because that was a long-fixed Debian bug.
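An added configuration example, not from the thread or from the poster's server, showing the zone stanza that produces the "journal open failed" error beside a hardened one. It assumes the key name certbot-key and the zone from the log lines above, and Debian's bind9 layout, in which named reads /etc/bind but the directory intended for dynamically updated zones is /var/lib/bind (owned by the bind user, and the directory Debian's AppArmor profile for named allows writes to, where AppArmor is enabled). The two stanzas are alternatives: a zone can appear only once in named.conf, and allow-update and update-policy cannot both be set on the same zone.

```conf
// Weak: zone file under /etc/bind, which named is not meant to write to, so the
// .jnl journal cannot be created, and the key may change any record in the zone.
zone "malcolm.id.au" {
    type master;
    file "/etc/bind/db.malcolm.id.au";
    allow-update { key "certbot-key"; };
};

// Hardened alternative for the same zone (use one stanza or the other).
zone "malcolm.id.au" {
    type master;
    // Writable location for a dynamic zone; the journal lands beside it as
    // /var/lib/bind/db.malcolm.id.au.jnl without loosening /etc/bind.
    file "/var/lib/bind/db.malcolm.id.au";
    // Least privilege: the certbot key may only add/remove TXT records under the
    // zone, so a leaked /etc/letsencrypt/rfc2136.ini cannot rewrite A, AAAA, NS or MX.
    update-policy {
        grant certbot-key. subdomain malcolm.id.au. TXT;
    };
};
```

After moving the zone file, make it owned by bind:bind and restart or reload named; from then on the file is managed by named, so use rndc freeze and rndc thaw around any hand edits or the journal will be replayed over them. The rfc2136.ini file holds the TSIG secret and should be readable by root only.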