I ran this command: certbot certonly --rsa-key-size 4096 --staple-ocsp --server 'https://acme-v02.api.letsencrypt.org/directory' --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d arenlor.com -d '*.arenlor.com'
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for arenlor.com
dns-01 challenge for arenlor.com
My web server is (include version): apache 2.4.34-1
The operating system my web server runs on is (include version): arch linux
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don’t know): well, su or sudo, root over ssh is disabled.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The command above hangs. I have the following (censored the key itself) as rfc2136.ini
--dns-rfc2136-propagation-seconds DNS_RFC2136_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 60)
I looked at BIND docs a bit. I don’t believe that the 953 interface is meant to be used for dynamic DNS updates - I believe it is an entirely different protocol for rndc commands. You should be submitting DNS updates to port 53.
My previous command may need to be echo -e rather than echo (as well as using port 53 rather than 953, of course).
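Added example, not part of the thread and not certbot's own code: a small checker for the certbot dns-rfc2136 credentials file that flags the port mix-up discussed above (953 is BIND's rndc control channel; dynamic updates go to the DNS port, normally 53) along with missing settings and weak TSIG algorithms. The sample ini is constructed, the secret is a placeholder, and the key names are the ones the certbot-dns-rfc2136 plugin documents (dns_rfc2136_server, dns_rfc2136_port, dns_rfc2136_name, dns_rfc2136_secret, dns_rfc2136_algorithm).

```python
import configparser
import ipaddress

# Constructed sample of a certbot dns-rfc2136 credentials file. The secret is
# a placeholder, and the port is the rndc control port (953) rather than the
# DNS port (53), which is the mistake discussed in the thread.
SAMPLE_INI = """\
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 953
dns_rfc2136_name = tsig-key
dns_rfc2136_secret = PLACEHOLDER_BASE64_TSIG_SECRET==
dns_rfc2136_algorithm = HMAC-SHA512
"""

DNS_PORT = 53
RNDC_PORT = 953  # BIND's rndc control channel, not a DNS listener
REQUIRED_KEYS = ("dns_rfc2136_server", "dns_rfc2136_name", "dns_rfc2136_secret")
# TSIG algorithm names the certbot plugin accepts (upper-case form).
TSIG_ALGORITHMS = {"HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224", "HMAC-SHA256",
                   "HMAC-SHA384", "HMAC-SHA512"}


def parse_rfc2136_ini(text):
    """Parse the section-less key = value file certbot expects into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[certbot]\n" + text)  # configparser needs a section header
    return dict(parser["certbot"])


def check_rfc2136_ini(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg = parse_rfc2136_ini(text)
    findings = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(f"missing required setting {key}")
    server = cfg.get("dns_rfc2136_server", "")
    try:
        ipaddress.ip_address(server)
    except ValueError:
        findings.append(f"dns_rfc2136_server must be an IP address, got {server!r}")
    port_text = cfg.get("dns_rfc2136_port", str(DNS_PORT))
    if not port_text.isdigit():
        findings.append(f"dns_rfc2136_port is not numeric: {port_text!r}")
    elif int(port_text) == RNDC_PORT:
        findings.append("dns_rfc2136_port is 953 (rndc control channel); "
                        "dynamic updates go to the DNS port, normally 53")
    # The plugin defaults to HMAC-MD5 when no algorithm is given.
    algorithm = cfg.get("dns_rfc2136_algorithm", "HMAC-MD5").upper()
    if algorithm not in TSIG_ALGORITHMS:
        findings.append(f"unknown TSIG algorithm {algorithm!r}")
    elif algorithm in ("HMAC-MD5", "HMAC-SHA1"):
        findings.append(f"{algorithm} is a weak TSIG algorithm; prefer HMAC-SHA256 or stronger")
    return findings


def secret_file_too_open(mode):
    """True if a credentials file's mode lets group or others read the TSIG secret."""
    return bool(mode & 0o077)


if __name__ == "__main__":
    for finding in check_rfc2136_ini(SAMPLE_INI):
        print("finding:", finding)
    print("corrected file:", check_rfc2136_ini(SAMPLE_INI.replace("= 953", "= 53")))
```

The file holds the TSIG secret, so the mode check matters as much as the port: anything readable by other users on the host lets them submit signed updates for the zone.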
Using the correct port helped, now I think it’s an issue with signing somewhere. I get this in my named log:
27-Jul-2018 08:14:48.080 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+29660.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+65117.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+38288.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+31356.private: file not found
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': found no active private keys, unable to generate any signatures
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': RRSIG/NSEC/NSEC3 update failed: not found
I do have all those private keys, I’m just not sure what needs to be pointed at them. They’re in /var/named/dnssec/$domain.name/ for my various domains.
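Added example, not from the thread: a parser over the named log lines above that pulls out which DNSSEC private key files BIND could not read and which dynamic updates failed as a result, and maps the missing files onto a per-zone directory layout like the one described in the last post. The sample log is constructed from the quoted lines (client address, zone and key tags are copied from the post), and the key-directory template is an assumption for illustration. When BIND signs a dynamic update itself it looks for the K<zone>.+<alg>+<tag>.private files in the zone's key-directory (the working directory unless the zone stanza sets one), which is why a key that exists on disk can still be reported as "file not found".

```python
import re

# Constructed sample modelled on the named log lines quoted in the thread.
SAMPLE_LOG = """\
27-Jul-2018 08:14:48.080 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+29660.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+65117.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+38288.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+31356.private: file not found
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': found no active private keys, unable to generate any signatures
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': RRSIG/NSEC/NSEC3 update failed: not found
"""

# BIND key file names look like K<zone>.+<alg>+<keytag>.private
KEYFILE_RE = re.compile(
    r"error reading (?P<file>K(?P<zone>\S+?)\+(?P<alg>\d{3})\+(?P<tag>\d+)\.private): file not found")
UPDATE_RE = re.compile(
    r"update: error: client \S+ (?P<client>\S+)/key (?P<tsig>\S+): "
    r"updating zone '(?P<zone>[^/']+)/IN': (?P<message>.*)$")

# IANA DNSSEC algorithm numbers for the common zone-signing algorithms.
DNSSEC_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                     14: "ECDSAP384SHA384", 15: "ED25519"}


def analyze_named_log(text):
    """Collect missing DNSSEC key files and failed dynamic updates from named's log."""
    missing, failed = [], []
    for line in text.splitlines():
        m = KEYFILE_RE.search(line)
        if m:
            missing.append({"zone": m["zone"].rstrip("."), "file": m["file"],
                            "algorithm": DNSSEC_ALGORITHMS.get(int(m["alg"]), m["alg"]),
                            "keytag": int(m["tag"])})
            continue
        m = UPDATE_RE.search(line)
        if m:
            failed.append({"zone": m["zone"], "client": m["client"],
                           "tsig_key": m["tsig"], "message": m["message"]})
    return {"missing_keys": missing, "failed_updates": failed}


def expected_key_paths(report, key_directory_template):
    """Where each missing key file would live under a per-zone key directory.

    key_directory_template is a hypothetical layout such as
    "/var/named/dnssec/{zone}"; that directory is what a zone's
    key-directory option would need to point at.
    """
    return [key_directory_template.format(zone=k["zone"]) + "/" + k["file"]
            for k in report["missing_keys"]]


def diagnosis(report):
    """Zones whose update failure is explained by unreadable private keys."""
    zones_missing = {k["zone"] for k in report["missing_keys"]}
    zones_failed = {f["zone"] for f in report["failed_updates"]
                    if "no active private keys" in f["message"]}
    return sorted(zones_missing & zones_failed)


if __name__ == "__main__":
    report = analyze_named_log(SAMPLE_LOG)
    print("zones with unreadable signing keys:", diagnosis(report))
    for path in expected_key_paths(report, "/var/named/dnssec/{zone}"):
        print("expected key file:", path)
```

Note that the update was authenticated (the log names the TSIG key that signed it), so the failure is in zone signing after authentication, not in the TSIG step; the parser separates the two so that a monitoring rule can alert on signing-key problems without being confused by ordinary rejected updates.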