Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: domesweetdome.us.com
I ran this command:
certbot certonly --config-dir /etc/letsencrypt/letsencrypt_forApacheJames
--dry-run --debug-challenges --dns-rfc2136
--dns-rfc2136-credentials /etc/letsencrypt/letsencrypt_forApacheJames/james/rfc2136.ini
--dns-rfc2136-propagation-seconds 10 --preferred-challenges=dns
--email marc@marcchamberlin.com --agree-tos
-d domesweetdome.us.com -d *.domesweetdome.us.com
It produced this output:
I believe this is the relevant output, copied and pasted, from the certbot log file -
2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:dns-01 challenge for domesweetdome.us.com
2023-12-01 20:54:34,845:INFO:certbot._internal.auth_handler:dns-01 challenge for domesweetdome.us.com
2023-12-01 20:54:34,849:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.domesweetdome.us.com
2023-12-01 20:54:34,851:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for domesweetdome.us.com
2023-12-01 20:54:34,854:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 85, in _perform
self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 151, in add_txt_record
raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: SERVFAIL
2023-12-01 20:54:34,855:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-12-01 20:54:34,855:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-12-01 20:54:34,856:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:No authoritative SOA record found for _acme-challenge.domesweetdome.us.com
2023-12-01 20:54:34,856:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:Received authoritative SOA response for domesweetdome.us.com
2023-12-01 20:54:34,857:ERROR:certbot._internal.error_handler:Encountered exception during recovery: certbot.errors.PluginError: Received response from server: SERVFAIL
2023-12-01 20:54:34,858:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/3462/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1873, in main
return config.func(config, plugins)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 88, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 76, in perform
self._perform(domain, validation_domain_name, validation)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 85, in _perform
self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
File "/snap/certbot-dns-rfc2136/current/lib/python3.8/site-packages/certbot_dns_rfc2136/_internal/dns_rfc2136.py", line 151, in add_txt_record
raise errors.PluginError('Received response from server: {0}'
certbot.errors.PluginError: Received response from server: SERVFAIL
2023-12-01 20:54:34,858:ERROR:certbot._internal.log:Received response from server: SERVFAIL
My web server is (include version):
This (bad) question presumes I am using a web server to validate ownership of the domain in question. I am NOT; I need to produce wildcard certificates for my Apache James email server's keystore, so I am using my bind dns server instead.
My bind name servers version is -
named -v
BIND 9.16.44 (Extended Support Version) id:cd2b460
The operating system my web server runs on is (include version):
lsb_release -a
LSB Version: n/a
Distributor ID: openSUSE
Description: openSUSE Leap 15.4
Release: 15.4
Codename: n/a
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 2.7.4
I recently decided to install and use snap to install/upgrade certbot and the DNS plugin. I have for years now, had my dns server set up for certbot, to renew certificates following the instructions found at -
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
without any problems. But now I am getting some sort of error about a missing SOA record??? I don't know what this means nor how to solve it, although Google searches do indeed show hits that refer to the need for an SOA record. But I don't grok how or why an SOA record is needed. If certbot has added some new feature, why isn't it backwards compatible with how it has worked for years? There is not one word about needing SOA records, or about how to set certbot and a dns server up using SOA records, in the "readthedocs.io" page at the above URL. (There is some mention of signing SOA queries, but I don't think that is related to needing SOA records.)
So I am really confused now and don't know how to proceed. If the model for Certbot and its interactions with a Bind named server has changed, then why wasn't the documentation updated to reflect the changes BEFORE the release of a new version of Certbot was OK'd? If this is the case then it is really poor software engineering practice, and even volunteer open source managers should know better. ESPECIALLY if a major change in the software models has occurred!
So if some kind guru could give me a pointer to what is now needed, and how to adjust my specification files for Certbot and Bind to meet any new requirements, I would greatly appreciate the help! As always many thanks in advance...
Marc...
P.S. I am willing to post/share the contents of any of my configuration files for certbot or named, just ask... I didn't post that stuff with this post as I want to avoid complaints about TMI! This post is already bad enough as is!
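Added diagnostic for the failure logged above; this is editor-supplied example code, not part of the original post and not the certbot-dns-rfc2136 plugin's own code. The log shows the plugin doing two things before it fails: walking up from `_acme-challenge.domesweetdome.us.com` until the configured server answers an SOA query authoritatively (the "No authoritative SOA record found" / "Received authoritative SOA response" lines), and then sending a TSIG-signed RFC 2136 UPDATE for the TXT record, which the server answers with SERVFAIL. The script below repeats both steps with `dig` and `nsupdate` from bind-utils, reading the same `rfc2136.ini` layout the plugin documents, so the rcode can be reproduced without certbot and lined up against the matching entry in named's own log. The credentials written by `write_sample_ini` are constructed placeholders; the server address, key name and secret are not the poster's real values, and the assumption that the plugin checks for the AA flag on the SOA reply is the author's reading of the log, not something the page states.

```shell
#!/bin/sh
# Added diagnostic; not part of the original post or of certbot-dns-rfc2136.
# Repeats, outside certbot, the two steps the log shows the plugin doing:
#   1. walk up from _acme-challenge.<domain> asking the configured server for
#      an authoritative SOA, and
#   2. send a TSIG-signed RFC 2136 UPDATE for the same TXT name with nsupdate,
#      so the server's rcode (SERVFAIL in the post) can be matched against
#      the corresponding "update" line in named's log.
# Needs dig and nsupdate (bind-utils). Values in write_sample_ini are
# constructed placeholders, not real credentials.

# Candidate zone names for a validation name, most specific first.
zone_candidates() {   # zone_candidates NAME
    name=${1%.}
    while [ -n "$name" ]; do
        printf '%s\n' "$name"
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
}

# Constructed rfc2136.ini in the layout documented for the plugin.
write_sample_ini() {   # write_sample_ini PATH
    cat > "$1" <<'EOF'
dns_rfc2136_server = 192.0.2.53
dns_rfc2136_name = certbot-key.
dns_rfc2136_secret = c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==
dns_rfc2136_algorithm = HMAC-SHA512
EOF
}

# Read one dns_rfc2136_<KEY> value from the credentials file (empty if absent).
ini_value() {   # ini_value FILE KEY
    sed -n "s/^[[:space:]]*dns_rfc2136_$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | tr -d '\r'
}

# Turn the ini credentials into a named-style key statement for nsupdate -k,
# so the secret never appears on a command line or in `ps` output.
write_keyfile() {   # write_keyfile INI OUT
    alg=$(ini_value "$1" algorithm | tr 'A-Z' 'a-z')
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$(ini_value "$1" name)" "$alg" "$(ini_value "$1" secret)" > "$2"
}

# First candidate for which SERVER answers the SOA query with the AA flag set
# (assumed to mirror the plugin's zone discovery seen in the log).
find_zone() {   # find_zone SERVER NAME
    for z in $(zone_candidates "$2"); do
        if dig @"$1" +norecurse +noall +comments "$z" SOA | grep -q 'flags:.* aa'; then
            printf '%s\n' "$z"
            return 0
        fi
    done
    return 1
}

# Add and then delete a probe TXT record at the validation name, signed with
# the TSIG key from INI; nsupdate prints "update failed: <RCODE>" on refusal.
probe_update() {   # probe_update INI VALIDATION_NAME
    server=$(ini_value "$1" server)
    port=$(ini_value "$1" port)
    zone=$(find_zone "$server" "$2") || {
        echo "no authoritative SOA for $2 from $server" >&2
        return 1
    }
    keyfile=$(mktemp) || return 1
    write_keyfile "$1" "$keyfile"
    printf 'server %s %s\nzone %s\nupdate add %s 60 TXT "probe"\nsend\nupdate delete %s TXT\nsend\n' \
        "$server" "${port:-53}" "$zone" "$2" "$2" |
        nsupdate -k "$keyfile"
    status=$?
    rm -f "$keyfile"
    return $status
}

# Usage (with the path from the post):
#   sh probe.sh /etc/letsencrypt/letsencrypt_forApacheJames/james/rfc2136.ini \
#       _acme-challenge.domesweetdome.us.com
if [ "$#" -ge 2 ]; then
    probe_update "$1" "$2"
fi
```

Run it as root on the machine that runs certbot, pointing at the real `rfc2136.ini`, and watch named's log at the same moment: `find_zone` failing means the server is not answering authoritatively for any parent of the challenge name from that client address, while an `update failed: SERVFAIL` from `nsupdate` with the zone found means the UPDATE reached the right zone and named itself rejected it, which is where named's own logging of that update is the next thing to read.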