SERVFAIL with dns challenge rfc2136


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command: certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 30 -d exampl.com -d example.be

It produced this output:
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
dns-01 challenge for example.be
Unsafe permissions on credentials configuration file: ~/.secrets/certbot/rfc2136.ini
Cleaning up challenges
Received response from server: SERVFAIL

The operating system my web server runs on is (include version): ubuntu 18.04 from which I doing the certbot command and I’m pointing to another VM ubuntu 16.04 where the dns server is

I can login to a root shell on my machine (yes or no, or I don’t know): yes

so in the log I can see this :

19-May-2018 21:19:45.666 queries: info: client 192.168.5.6#50272 (_acme-challenge.example.com): query: _acme-challenge.example.com IN SOA - (192.16
8.5.3)
19-May-2018 21:19:45.668 queries: info: client 192.168.5.6#38111 (example.com): query: example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.672 update: info: client 192.168.5.6#34610/key letsupdate: updating zone 'example.com/IN': adding an RR at '_acme-challenge.example.com' TXT "ZXGX2hZOveeB66xl2UdrDzjfMDOi5xAheFrCldeEiB8"
19-May-2018 21:19:45.672 general: error: /etc/bind/db.example.com.jnl: create: permission denied
19-May-2018 21:19:45.672 update: info: client 192.168.5.6#34610/key letsupdate: updating zone 'example.com/IN': error: journal open failed: unexpected error
19-May-2018 21:19:45.675 queries: info: client 192.168.5.6#58696 (_acme-challenge.example.com): query: _acme-challenge.example.com IN SOA - (192.16
8.5.3)
19-May-2018 21:19:45.676 queries: info: client 192.168.5.6#47663 (example.com): query: example.com IN SOA - (192.168.5.3)
19-May-2018 21:19:45.679 update: info: client 192.168.5.6#34612/key letsupdate: updating zone 'example.com/IN': deleting an RR at _acme-challenge.example.com TXT
19-May-2018 21:19:45.681 queries: info: client 192.168.5.6#54012 (_acme-challenge.example.be): query: _acme-challenge.example.be IN SOA - (192.168.
5.3)
19-May-2018 21:19:45.682 queries: info: client 192.168.5.6#43709 (example.be): query: example.be IN SOA - (192.168.5.3)
19-May-2018 21:19:45.684 update: info: client 192.168.5.6#34614/key letsupdate: updating zone 'example.be/IN': deleting an RR at _acme-challenge.example.be TXT

Sorry I have replaced my domain with example but I’m not comfortable with giving name of my domain out of the blue.
So what’s giving me trouble is : /etc/bind/db.example.com.jnl which obviously doesn’t exist and I do’nt see why it should and what should exactly be this file! I can understand db.example.com but not a journal file… why a journal file?
this error is present for the .com but not for .be as you can see.
I can note also that the serial doesn’t seem to change during the operation which is odd… serial should be increment at each operation and can not be decrement. So what’s the mess here?


#2

Dynamic updates aren’t directly written to the zonefile in bind. They are first written to a binary log file called a journal.

The issue on your system is that bind doesn’t have the permissions to create the journal file. The SERVFAIL is a result of that failure.

You should check what user/group bind is running at, and check that /etc/bind has the right permissions on it in order to enable the journal file to be created.

Apart from directory permissions, SELinux may also be a culprit.

See these previous threads:


#3

Thank you for that.

Would you have any ref about how does it work with a journal file ? Because I didn’t know that an update of a zone like mine in bind can be updated using a journal or did I miss interprate what you said ?


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.