SERVFAIL with dns challenge rfc2136

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 30 -d example.com -d example.be

It produced this output:
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.be
Unsafe permissions on credentials configuration file: ~/.secrets/certbot/rfc2136.ini
Cleaning up challenges
Received response from server: SERVFAIL

The operating system my web server runs on is (include version): Ubuntu 18.04, from which I run the certbot command; I'm pointing at another VM, Ubuntu 16.04, where the DNS server is.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

So in the log I can see this:

19-May-2018 21:19:45.666 queries: info: client 192.168.5.6#50272 (_acme-challenge.example.com): query: _acme-challenge.example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.668 queries: info: client 192.168.5.6#38111 (example.com): query: example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.672 update: info: client 192.168.5.6#34610/key letsupdate: updating zone 'example.com/IN': adding an RR at '_acme-challenge.example.com' TXT "ZXGX2hZOveeB66xl2UdrDzjfMDOi5xAheFrCldeEiB8"
19-May-2018 21:19:45.672 general: error: /etc/bind/db.example.com.jnl: create: permission denied
19-May-2018 21:19:45.672 update: info: client 192.168.5.6#34610/key letsupdate: updating zone 'example.com/IN': error: journal open failed: unexpected error
19-May-2018 21:19:45.675 queries: info: client 192.168.5.6#58696 (_acme-challenge.example.com): query: _acme-challenge.example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.676 queries: info: client 192.168.5.6#47663 (example.com): query: example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.679 update: info: client 192.168.5.6#34612/key letsupdate: updating zone 'example.com/IN': deleting an RR at _acme-challenge.example.com TXT
19-May-2018 21:19:45.681 queries: info: client 192.168.5.6#54012 (_acme-challenge.example.be): query: _acme-challenge.example.be IN SOA - (192.168.5.3)
19-May-2018 21:19:45.682 queries: info: client 192.168.5.6#43709 (example.be): query: example.be IN SOA - (192.168.5.3)
19-May-2018 21:19:45.684 update: info: client 192.168.5.6#34614/key letsupdate: updating zone 'example.be/IN': deleting an RR at _acme-challenge.example.be TXT

Sorry, I have replaced my domain with example, but I'm not comfortable giving out the name of my domain out of the blue.
So what's giving me trouble is /etc/bind/db.example.com.jnl, which obviously doesn't exist, and I don't see why it should or what exactly this file should be! I can understand db.example.com, but not a journal file... why a journal file?
This error is present for the .com but not for the .be, as you can see.
I can also note that the serial doesn't seem to change during the operation, which is odd... the serial should be incremented at each operation and cannot be decremented. So what's the mess here?

Dynamic updates aren't written directly to the zone file in BIND. They are first written to a binary log file called a journal.

The issue on your system is that BIND doesn't have the permissions to create the journal file. The SERVFAIL is a result of that failure.

You should check which user/group BIND is running as, and check that /etc/bind has the right permissions on it in order to allow the journal file to be created.

Apart from directory permissions, SELinux may also be a culprit.

See these previous threads:

4 Likes
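The diagnosis in the reply above, reproduced outside certbot so the SERVFAIL can be seen and fixed directly. This is an added example, not code from the thread or from certbot; it assumes the zone file is /etc/bind/db.example.com, the TSIG key from the log (letsupdate) is stored in /etc/bind/letsupdate.key, the server is 192.168.5.3, and named runs as the user bind (all of these are assumptions; change them to match your setup). named creates `<zonefile>.jnl` next to the zone file, so it is the zone file's directory that must be writable by the named user. On Debian/Ubuntu the shipped AppArmor profile for named additionally only grants read access under /etc/bind and read-write under /var/lib/bind, which is why dynamically updated zones are normally kept there; the reply mentions SELinux, but on Ubuntu the MAC layer in play is AppArmor.

```shell
#!/bin/sh
# Added example (not from the original thread). Reproduce the journal failure
# and check whether named can create db.example.com.jnl.
# Hypothetical values: adjust ZONEFILE, KEYFILE, SERVER and ZONE to your setup.
ZONEFILE=/etc/bind/db.example.com
KEYFILE=/etc/bind/letsupdate.key
SERVER=192.168.5.3
ZONE=example.com

# Which user is named running as? (procps "ps -C" on Linux)
named_user() {
    ps -o user= -C named 2>/dev/null | head -n 1
}

# Return 0 if the invoking user can create files in the directory holding $1,
# i.e. if named (when run as that user) could create the .jnl journal there.
# Run it as the named user to get the real answer, e.g.:
#   sudo -u bind sh -c '. ./journal-check.sh; check_zone_dir /etc/bind/db.example.com'
check_zone_dir() {
    zonefile=$1
    dir=$(dirname "$zonefile")
    probe="$dir/.jnl-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "ok: $dir is writable, $(basename "$zonefile").jnl can be created"
        return 0
    fi
    echo "FAIL: cannot create files in $dir (this is what turns into SERVFAIL)"
    return 1
}

# Send the same add-then-delete that certbot's rfc2136 plugin performs, with
# the TSIG key.  On the broken server nsupdate reports "update failed: SERVFAIL"
# for the add; BIND's log shows the ".jnl: create: permission denied" line.
probe_update() {
    nsupdate -k "$KEYFILE" <<EOF
server $SERVER
zone $ZONE
update add _acme-challenge.$ZONE 60 TXT "journal-probe"
send
update delete _acme-challenge.$ZONE TXT
send
EOF
}

# Fix on Debian/Ubuntu: move the zone into /var/lib/bind (group bind, and
# allowed read-write by the AppArmor profile), point the zone's "file"
# statement there, then reload.  Run these as root, after a backup:
#   mv /etc/bind/db.example.com /var/lib/bind/
#   chown bind:bind /var/lib/bind/db.example.com
#   sed -i 's#/etc/bind/db.example.com#/var/lib/bind/db.example.com#' /etc/bind/named.conf.local
#   named-checkconf && rndc reload
# Afterwards "rndc sync example.com" folds the journal back into the zone file,
# and the SOA serial on disk will have moved with the updates.
#
# Also act on certbot's warning: the ini file holds the TSIG secret, so
#   chmod 600 ~/.secrets/certbot/rfc2136.ini

if [ "${1:-}" = "run" ]; then
    echo "named runs as: $(named_user)"
    check_zone_dir "$ZONEFILE"
    probe_update
fi
```

Run it as `sh journal-check.sh run` on the DNS VM; a `FAIL` from check_zone_dir when executed as the bind user is the whole story behind the SERVFAIL, and after moving the zone the nsupdate probe should complete without errors.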

Thank you for that.

Would you have any reference about how it works with a journal file? Because I didn't know that a zone like mine in BIND can be updated using a journal, or did I misinterpret what you said?
