Snap update broke using dns_rfc2136 plugin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: domesweetdome.us.com

I ran this command:

certbot certonly --config-dir /etc/letsencrypt/letsencrypt_forApacheJames
--dry-run --debug-challenges --dns-rfc2136
--dns-rfc2136-credentials /etc/letsencrypt/letsencrypt_forApacheJames/james/rfc2136.ini
--dns-rfc2136-propagation-seconds 10 --preferred-challenges=dns
--email marc@marcchamberlin.com --agree-tos
-d domesweetdome.us.com -d *.domesweetdome.us.com

It produced this output:

I believe this is the relevant output, copied and pasted, from the certbot log file -

2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:dns-01 challenge for domesweetdome.us.com
2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:dns-01 challenge for domesweetdome.us.com
2023-12-01 20:54:34,849:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.domesweetdome.us.com
2023-12-01 20:54:34,851:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for domesweetdome.us.com
2023-12-01 20:54:34,854:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 85, in _perform
self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 151, in add_txt_record
raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: SERVFAIL

2023-12-01 20:54:34,855:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-12-01 20:54:34,855:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-12-01 20:54:34,856:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.domesweetdome.us.com
2023-12-01 20:54:34,856:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for domesweetdome.us.com
2023-12-01 20:54:34,857:ERROR:certbot._internal.error_handler:Encountered exception during recovery: certbot.errors.PluginError: Received response from server: SERVFAIL
2023-12-01 20:54:34,858:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/3462/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1873, in main
return config.func(config, plugins)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 85, in _perform
self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 151, in add_txt_record
raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: SERVFAIL
2023-12-01 20:54:34,858:ERROR:certbot._internal.log:Received response from server: SERVFAIL

My web server is (include version):

This (bad) question presumes I am using a web server to validate ownership of the domain in question. I am NOT; I need to produce wildcard certificates for my Apache James email server's keystore. So I am using my BIND DNS server instead.

My BIND name server's version is -

named -v

BIND 9.16.44 (Extended Support Version) id:cd2b460

The operating system my web server runs on is (include version):

lsb_release -a

LSB Version: n/a
Distributor ID: openSUSE
Description: openSUSE Leap 15.4
Release: 15.4
Codename: n/a

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version

certbot 2.7.4

I recently decided to install and use snap to install/upgrade certbot and the DNS plugin. I have, for years now, had my DNS server set up for certbot to renew certificates, following the instructions found at -

https://certbot-dns-rfc2136.readthedocs.io/en/stable/

without any problems. But now I am getting some sort of error about a missing SOA record??? I don't know what this means nor how to solve it, although Google searches do indeed show hits that refer to the need for an SOA record. But I don't grok how or why an SOA record is needed? If certbot has added some new feature, why isn't it backwards compatible with how it has worked for years? There is not one word about needing SOA records and how to set certbot and a DNS server up using SOA records in the "readthedocs.io" shown in the above URL. (There is some mention of signing SOA queries, but I don't think that is related to needing SOA records.)

So I am really confused now and don't know how to proceed. If the model for Certbot and its interactions with a BIND named server has changed, then why hasn't/wasn't the documentation updated to reflect the changes BEFORE the release of a new version of Certbot was OK'd? If this is the case then it is really poor software engineering practice, and even volunteer open source managers should know better. ESPECIALLY if a major change in the software models has occurred!

So if some kind guru could give me a pointer to what is now needed, and how to adjust my specification files for Certbot and Bind to meet any new requirements, I would greatly appreciate the help! As always many thanks in advance...

Marc...

P.S. I am willing to post/share the contents of any of my configuration files for certbot or named, just ask... I didn't post that stuff with this post as I want to avoid complaints about TMI! This post is already bad enough as is! :wink:

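Reading the log in the post above: the two DEBUG lines are the plugin's normal zone discovery. It sends a non-recursive SOA query to the server named in rfc2136.ini, first for the full validation name and then with leading labels stripped, until it gets an authoritative (AA flag set) NOERROR answer carrying an SOA record. So "No authoritative SOA record found for _acme-challenge.domesweetdome.us.com" is expected, and "Received authoritative SOA response for domesweetdome.us.com" means discovery succeeded. The step that actually failed is the next one, add_txt_record: SERVFAIL is the rcode the BIND server returned to the RFC 2136 UPDATE adding the TXT record. That is a server-side failure on the update itself (commonly named being unable to write the zone's journal file, or another problem named reports in its own log), not a missing SOA; an nsupdate run with the same TSIG key against the same server, plus named's log, is where to look. The script below is an added example, not certbot's own code and not from this thread: it reproduces the discovery step with only the standard library, so each guess's rcode and AA flag can be seen directly. Run with a server address it queries that server over UDP; run with no argument it uses a constructed in-memory "server" (fake_response, demo_server) that mimics the answers in the log. The function names (find_zone, udp_query, is_authoritative_soa) are this example's own.

```python
"""Stdlib-only reproduction of certbot-dns-rfc2136's zone discovery.
Added example; not certbot code. Shows why the SOA log lines are normal."""
from __future__ import annotations
import random
import socket
import struct
import sys

TYPE_SOA, CLASS_IN = 6, 1
FLAG_AA = 0x0400
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_soa_query(name: str, txid: int = 0) -> bytes:
    """SOA/IN query with all flags clear: RD off, i.e. non-recursive,
    which is what the plugin sends so only authoritative data counts."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def skip_name(data: bytes, off: int) -> int:
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def is_authoritative_soa(resp: bytes) -> tuple[bool, str]:
    """The plugin's acceptance rule: NOERROR, AA set, and an SOA RR in the
    answer section. Returns (accepted, rcode_text)."""
    if len(resp) < 12:
        return False, "short response"
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode_text = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    if (flags & 0x0F) != 0 or not (flags & FLAG_AA) or an == 0:
        return False, rcode_text
    off = 12
    for _ in range(qd):                      # skip question section
        off = skip_name(resp, off) + 4
    for _ in range(an):                      # look for an SOA answer RR
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        if rtype == TYPE_SOA:
            return True, rcode_text
        off += 10 + rdlen
    return False, rcode_text


def zone_guesses(record_name: str) -> list[str]:
    """Full name first, then each parent: the order the plugin tries."""
    labels = record_name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_zone(record_name: str, query) -> tuple[str | None, list[str]]:
    """query(name) -> raw response bytes. Returns (zone or None, log lines
    phrased like the plugin's DEBUG output, with the rcode appended)."""
    log = []
    for guess in zone_guesses(record_name):
        ok, rcode = is_authoritative_soa(query(guess))
        if ok:
            log.append(f"Received authoritative SOA response for {guess}")
            return guess, log
        log.append(f"No authoritative SOA record found for {guess} (rcode {rcode})")
    return None, log


def udp_query(server: str, port: int = 53, timeout: float = 3.0):
    """Real transport: one UDP SOA query per guess to the given server."""
    def query(name: str) -> bytes:
        pkt = build_soa_query(name, random.randrange(65536))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, port))
            resp = s.recv(4096)
        return resp if resp[:2] == pkt[:2] else b""   # txid mismatch -> treat as no answer
    return query


def fake_response(name: str, rcode: int, aa: bool, soa_in_answer: bool) -> bytes:
    """Constructed wire-format reply used by the offline demo."""
    flags = 0x8000 | (FLAG_AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0, flags, 1, 1 if soa_in_answer else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    answer = b""
    if soa_in_answer:
        rdata = (encode_name("ns1." + name) + encode_name("hostmaster." + name)
                 + struct.pack("!IIIII", 2023120101, 3600, 900, 604800, 300))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def demo_server():
    """Constructed server: authoritative for domesweetdome.us.com only, so the
    _acme-challenge name gets an authoritative NXDOMAIN (no SOA in answer)."""
    def query(name: str) -> bytes:
        if name == "domesweetdome.us.com":
            return fake_response(name, 0, True, True)
        return fake_response(name, 3, True, False)
    return query


if __name__ == "__main__":
    query = udp_query(sys.argv[1]) if len(sys.argv) > 1 else demo_server()
    zone, log = find_zone("_acme-challenge.domesweetdome.us.com", query)
    print("\n".join(log))
    print("zone chosen for the UPDATE:", zone)
```

Against the constructed server this prints the same two discovery lines as the certbot log and chooses domesweetdome.us.com. Pointed at a real server (`python3 soa_probe.py 192.0.2.53`, address constructed), a guess answered without the AA flag, or with REFUSED, tells you the server in rfc2136.ini is not authoritative for that zone; if discovery succeeds here, the SERVFAIL is coming from the UPDATE and named's log is the next stop.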

So, this exact same command request worked before?
Before what [changed] exactly?
If it was certbot, OR snap, have you tried rolling back to a previously working version?


Thank you, @rg305, for your response. While at first glance your suggestion, to use a previous version of certbot, seems like a good idea, in practice it isn't obvious how to set up and install a previous version! Here is what I have tried to do -

First, I uninstalled the version of certbot and certbot-dns-rfc2136 that snap had installed (version 2.7.4) using the "snap remove" command. Then I installed the versions of certbot and certbot-dns-rfc2136 that come from the OpenSuSE 15.4 repositories (version 1.22.0). FYI the OpenSuSE versions of certbot have been written in Python and the packages are referred to with a prefix of Python. For example - python3-certbot and python3-certbot-dns-rfc2136. They are very dependent on having Python and many of its libraries installed.

Upon running the aforementioned dry run of Certbot, I get the exact same error message about a missing SOA record!

My next attempt was to add the repository from the previous version of OpenSuSE 15.3. But that attempt quickly devolved into dependency hell as I had to also install the previous versions of Python libraries and tools in order to support OpenSuSE 15.3's version of Certbot. I gave up trying to track down all the loose ends that were not included in the Python dependency tree.

My final thought was to see if I could install previous versions of Certbot through Snap. But my Google searches have resulted in no joy. It appears that snap can only find versions that have been previously downloaded into its own cache. I (and many others) could not find a straight answer to the question of how to install an older version of a package into a freshly built Snap cache. If you can answer that for me, it would be greatly helpful and appreciated!

So, I am still stuck, and am currently trying to find more information about the requirement for an SOA record that Certbot is complaining about. I never had to manually install an SOA record, previously, in the BIND/named server's configuration files, so I remain confused and perplexed about this error message.

Thanks again for your thought and any further ideas you or others have.

Marc...


Here are some DNS checks that don't fare well


Have a look at:
