Using the dns-rfc2136 plugin

Help
1

my goal is to renew my certificate automatically with a zone entry like :

_acme-challenge.subdomain.example.com.     IN     TXT    " ?????????????????? "

so I installed the plugin :

apt install python3-certbot-dns-rfc2136

I am now a proud owner of a certbot with a dns-rfc2136 plugin.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-rfc2136
Description: Obtain certificates using a DNS TXT record (if you are using BIND for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-rfc2136 = certbot_dns_rfc2136._internal.dns_rfc2136:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

then I tried to run the command :

certbot certonly --dns-rfc2136 -d subdomain.example.com

and certbot has complained as follows:

Input the path to your RFC 2136 credentials INI file (Enter 'c' to cancel):

Please enter a valid path to your RFC 2136 credentials INI file.

On the internet I found a sample of a ini file

# Target DNS server
dns_rfc2136_server = 192.0.2.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs AmKd7ak51vWKgSl12ib86oQRPkpDjg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

so tried to be creative and I entered the command

rndc-confgen  -a \
              -A HMAC-SHA512 \
              -b 512 
              -c /etc/bind/subdomain.example.com.key \
              -p 53 \
              -s 123.123.123.123  \
              -k keyname

that gave me the following output

key "keyname" {
        algorithm hmac-sha512;
        secret "Aun6vSwTAIt5j3gMxHJsI+xXr8HVrQdEYbjwKaC9gj2c08+TxNjYGFl21PGU2EgK5UZbreFKGEYa8VRacN6B2A==";
};

so I updated the rfc2136.ini file acordingly

# Target DNS server
dns_rfc2136_server = 123.123.123.123
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = Aun6vSwTAIt5j3gMxHJsI+xXr8HVrQdEYbjwKaC9gj2c08+TxNjYGFl21PGU2EgK5UZbreFKGEYa8VRacN6B2A==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

so far so good, i have further given the following command

$ certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/rfc2136.ini -d subdomain.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for subdomain.example.com
Performing the following challenges:
dns-01 challenge for subdomain.example.com
Cleaning up challenges

Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used

now I am stucked.

2

It is close to impossible for anyone here to troubleshoot a problem without an actual domain.

Do you really need to use DNS authentication?
[it is only required for wildcard certificates]

5 Likes
3

a more easy question is where do I get the info that I must paste in the TXT dns entry.

4

yes I need it.

yes, I need it, because I can not use other methods for various reasons.

  • I do not have port 80 free
  • the certificate I use is on another machine
  • I use a reverse proxy ...

and so on

5

I'm assuming the answer is "yes", seeing that you have access to the rndc-confgen application, but do you have a RFC2136 capable DNS server running under your controle at 123.123.123.123?

Note that the RFC2136 plugin also requires modifications on the DNS servers side. Please see the official plugin documentation at Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation for examples for common DNS server softwares.

It might be useful to explore all those limitations. E.g., port 80 not being free could be interpreted as being in use by the webserver itself, which usually isn't an issue. Same goes for the "on another machine" and "reverse proxy" arguments. But we can't say for sure without details.

6 Likes
6

Asking me to provide real data to get an answer is a sign that you either have no clue or are up to no good.

7

Note that usually one would have been presented with a questionnaire when opening a new thread in the Help section. This would have included the following statement:

"Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help."

Also note that @rg305 has an excellent reputation on this Community. My advice is not to jump to conclusions :slight_smile:

7 Likes
8

Okay, I'll rephrase the question

What key do I need to enter in the text field of an "Acme Challenge" entry?

_acme-challenge.subdomain.example.com. IN TXT " ?????????????????? "

how do i create this key, or where do I copy it from.

9

The challenge token.

It's generated by the client with data from the ACME server. When using the RFC2136 plugin, this plugin does the adding (and afterwards removing) of this TXT record.

Note that the token is different for every challenge.

6 Likes
10

ok, I see, so the nameserver must be on the same machine as the certbot plugin?

11

I don't think this is an absolute requirement, but I'm not sure how secure that would be.

5 Likes
12

No. In fact, it is practically never on the same machine.

10 Likes
13

The DNS entry changes each time a challenge is issued. The acme client can be on the same machine, or it can use some protocol to communicate and update the DNS server, which is what the rfc2136 plugin is for.

The peer didn't know the key we used

Certbot is trying to update your DNS, using the protocol defined by rfc2136. That’s supported by many DNS servers, like bind for example.

Your dns server doesn’t know the key in your configuration file. How you set up that key depends on what your DNS server is.

For example, if you use pfsense and bind, these instructions would help: pfSense® software Configuration Recipes — Configuring BIND as an RFC 2136 Dynamic DNS Server | pfSense Documentation

Other servers have different configurations, there’s more docs here: Welcome to certbot-dns-rfc2136’s documentation! — certbot-dns-rfc2136 0 documentation

You can manually set up DNS but it won’t be able to automatically renew certs, which isn’t recommended.

10 Likes
14

Thank you

2 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.