Trouble setting up rfc2136


#1

My domain is: https://arenlor.com/

I ran this command: certbot certonly --rsa-key-size 4096 --staple-ocsp --server 'https://acme-v02.api.letsencrypt.org/directory' --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d arenlor.com -d '*.arenlor.com'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for arenlor.com
dns-01 challenge for arenlor.com

My web server is (include version): apache 2.4.34-1

The operating system my web server runs on is (include version): arch linux

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): well, su or sudo, root over ssh is disabled.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The command above hangs. I have the following (with the key itself censored) as rfc2136.ini:

dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 953
dns_rfc2136_name = tsig-key
dns_rfc2136_secret = ****
dns_rfc2136_algorithm = HMAC-SHA512

This is in my named.conf:

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; "tsig-key"; };
};
key "tsig-key" {
    algorithm hmac-sha512;
    secret "****";
};
zone "arenlor.com" {
    type master;
    file "arenlor.com.zone.signed";
    update-policy {
        grant tsig-key name _acme-challenge.arenlor.com. txt;
    };
};

It is .signed because I use DNSSEC signing; it's not automated, I haven't gone that far yet.


#2

Hi @Arenlor

How long? More than 60 seconds?

There is an option:

--dns-rfc2136-propagation-seconds DNS_RFC2136_PROPAGATION_SECONDS
The number of seconds to wait for DNS to propagate
before asking the ACME server to verify the DNS
record. (default: 60)

So 60 seconds should be normal.


#3

Over 20 minutes so far on the most recent try. That’s why I feel it’s hanging.


#4

Ok, 20 minutes are too long.

There should be a certbot log, with your order URL in it. Something like

https://acme-v02.api.letsencrypt.org/acme/order/yourAccountId/yourOrderId

which you can open in a browser. There are two authorizations (one per domain name), and each should have a status.

Perhaps they are both pending, so Let's Encrypt is waiting for your certbot to post to the challenge URL.

Or they are invalid.


#5

They are both pending. Not sure what to do with it beyond that.


#6

Can you replicate it just using nsupdate?

echo -e "update add _acme-challenge.arenlor.com. 300 TXT abcd\nsend" \
| nsupdate -v -y "hmac-sha512:tsig-key:***" -p 953

#7

It does not hang, but it does not appear to update either.


#8

I looked at BIND docs a bit. I don't believe that the 953 interface is meant to be used for dynamic DNS updates - I believe it is an entirely different protocol for rndc commands. You should be submitting DNS updates to port 53.

My previous command may need to be echo -e rather than echo (as well as using port 53 rather than 953, of course).
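A small checker for the credentials file, written as an added example for this thread (it is not part of certbot or the dns-rfc2136 plugin). It parses the section-less key = value format the plugin reads and flags the mistake discussed above: port 953 is the rndc control channel, while dynamic updates go to port 53, which is also the plugin's default when the option is left out. The sample file below is the one from the first post with the secret redacted; the list of accepted TSIG algorithms is the set the plugin documents.

```python
# Constructed sample: the rfc2136.ini from the first post, secret redacted.
SAMPLE_INI = """\
dns_rfc2136_server = 127.0.0.1
dns_rfc2136_port = 953
dns_rfc2136_name = tsig-key
dns_rfc2136_secret = ****
dns_rfc2136_algorithm = HMAC-SHA512
"""

# TSIG algorithms the certbot dns-rfc2136 plugin accepts (compared upper-cased).
SUPPORTED_ALGORITHMS = {
    "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
    "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512",
}

# Options the plugin cannot work without; the port is optional (default 53).
REQUIRED_KEYS = (
    "dns_rfc2136_server", "dns_rfc2136_name",
    "dns_rfc2136_secret", "dns_rfc2136_algorithm",
)


def parse_credentials(text):
    """Parse the section-less `key = value` file the plugin reads."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value, got {raw!r}")
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    return creds


def check_credentials(creds):
    """Return a list of problems found; an empty list means nothing to flag."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in creds:
            problems.append(f"missing required option {key}")

    port_text = creds.get("dns_rfc2136_port", "53")  # plugin default is 53
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        problems.append(f"dns_rfc2136_port {port_text!r} is not a valid port")
    elif int(port_text) == 953:
        problems.append(
            "dns_rfc2136_port is 953, the rndc control channel; dynamic DNS "
            "updates go to port 53 (or leave the option out, 53 is the default)"
        )

    alg = creds.get("dns_rfc2136_algorithm", "")
    if alg and alg.upper() not in SUPPORTED_ALGORITHMS:
        problems.append(f"unsupported TSIG algorithm {alg!r}")
    return problems


if __name__ == "__main__":
    for problem in check_credentials(parse_credentials(SAMPLE_INI)):
        print("rfc2136.ini:", problem)
```

Run it against a real file with `check_credentials(parse_credentials(open(path).read()))`; with the thread's file it reports only the port, and with `dns_rfc2136_port = 53` or the option removed it reports nothing.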


#9

I can confirm this. My RFC 2136 configuration doesn’t even contain the dns_rfc2136_port option and works fine without it.


#10

So the problem may be earlier.

A program may hang, if it requires input and doesn’t understand the given input.

So can you split the problem: first only with -d arenlor.com, then with -d *.arenlor.com?

But: I can’t find a sample like

-d '*.arenlor.com'

only

-d *.arenlor.com

Is this really correct? Perhaps Certbot creates a wrong parameter, so the next program doesn’t understand it - and wants user-input.


#11

Using the correct port helped; now I think it's an issue with signing somewhere. I get this in my named log:

27-Jul-2018 08:14:48.080 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+29660.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+65117.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+38288.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+31356.private: file not found
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': found no active private keys, unable to generate any signatures
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': RRSIG/NSEC/NSEC3 update failed: not found

I do have all those private keys, I’m just not sure what needs to be pointed at them. They’re in /var/named/dnssec/$domain.name/ for my various domains.
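An added example (not from the thread or from BIND) that parses the named log lines quoted above: it pulls out the exact key file names named tried to open (the `K<zone>.+<algorithm>+<keyid>.private` naming), decodes the algorithm number, and separates the dynamic-update errors so a script can tell "signing blocked for lack of private keys" from other failures. The `diagnose` helper then compares those file names against a directory listing; the listing is a constructed argument here, in practice it would be `os.listdir` of the directory named actually searches for zone keys. If the files live elsewhere, as in this post, every expected name shows up as absent, which is the symptom to fix.

```python
import re

# Constructed sample: the six named log lines quoted in the post above.
SAMPLE_LOG = """\
27-Jul-2018 08:14:48.080 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+29660.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+65117.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+38288.private: file not found
27-Jul-2018 08:14:48.081 general: warning: dns_dnssec_findzonekeys2: error reading Karenlor.com.+010+31356.private: file not found
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': found no active private keys, unable to generate any signatures
27-Jul-2018 08:14:48.081 update: error: client @0x64dd880baae0 127.0.0.1#56968/key tsig-key: updating zone 'arenlor.com/IN': RRSIG/NSEC/NSEC3 update failed: not found
"""

# DNSSEC key files are named K<zone>.+<3-digit algorithm>+<key id>.private
KEYFILE_RE = re.compile(
    r"error reading (?P<file>K(?P<zone>[^+\s]+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d+)\.private): (?P<reason>.+)$"
)
# Dynamic update errors name the client, the TSIG key used and the zone.
UPDATE_RE = re.compile(
    r"update: error: client \S+ (?P<client>\S+)/key (?P<key>\S+): updating zone '(?P<zone>[^']+)': (?P<msg>.+)$"
)

# IANA DNSSEC algorithm numbers that appear in the 3-digit field of the file name.
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}


def parse_named_log(text):
    """Collect the key files named failed to read and the update errors it logged."""
    missing_keys, update_errors = [], []
    for line in text.splitlines():
        m = KEYFILE_RE.search(line)
        if m:
            alg = int(m.group("alg"))
            missing_keys.append({
                "file": m.group("file"),
                "zone": m.group("zone"),
                "algorithm": ALGORITHM_NAMES.get(alg, f"alg{alg}"),
                "keyid": int(m.group("keyid")),
                "reason": m.group("reason"),
            })
            continue
        m = UPDATE_RE.search(line)
        if m:
            update_errors.append({
                "client": m.group("client"),
                "tsig_key": m.group("key"),
                "zone": m.group("zone"),
                "message": m.group("msg"),
            })
    return {"missing_keys": missing_keys, "update_errors": update_errors}


def diagnose(parsed, present_files):
    """Compare the file names named tried to open with a listing of the directory
    it searches; report what is absent and whether signing was blocked."""
    expected = {k["file"] for k in parsed["missing_keys"]}
    absent = sorted(expected - set(present_files))
    signing_blocked = any(
        "found no active private keys" in e["message"] for e in parsed["update_errors"]
    )
    return {
        "expected_files": sorted(expected),
        "absent_files": absent,
        "signing_blocked": signing_blocked,
    }


if __name__ == "__main__":
    parsed = parse_named_log(SAMPLE_LOG)
    # Constructed listing: the directory named searched held no key files at all.
    report = diagnose(parsed, present_files=[])
    for k in parsed["missing_keys"]:
        print(f"{k['zone']}: {k['algorithm']} key id {k['keyid']} -> {k['file']} ({k['reason']})")
    print("signing blocked:", report["signing_blocked"])
    print("absent from search directory:", report["absent_files"])
```

The parsed names are what to look for in the directory named is configured to search; only when `absent_files` is empty for that directory can named load the keys and sign the TXT record the update adds.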

