Wildcard on server centos7.5-bind9.9


#1

Hello
My system: CentOS 7.5
BIND 9.9.4.6
My domain: shost.fr

My credentials file

DNS server

dns_rfc2136_server = 192.168.1.20

Name of the TSIG key (must end with a '.')

dns_rfc2136_name = keyname.

Secret key

dns_rfc2136_secret = r59s+m9wCfkv2Ti???yQRRw3QyaZXZvVIP4Qxh+m63c1wZD74 aYdYiH74pP93ce7JoHryrOlI4BjkVA==

TSIG algorithm used

dns_rfc2136_algorithm = HMAC-SHA512

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini -d shost.fr -d www.shost.fr

When I run Certbot to get a generic certificate for my domain, I have the following error:

Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 76, in cleanup
self._cleanup(domain, validation_domain_name, validation)
File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 79, in _cleanup
self._get_rfc2136_client().del_txt_record(validation_name, validation)
File "/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 170, in del_txt_record
.format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: REFUSED

I already have another domain (vhost.fr) certified by letsencrypt and I applied the same procedure. The only change is the access provider.

Do you have any idea of the origin of this problem?
Thank you for your reply.
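For reference, here is an added named.conf fragment (not from the original post) that pairs with the credentials file above: the same key name, the same algorithm, and an update-policy that grants the key only what the dns-rfc2136 plugin needs, namely adding and deleting TXT records at the ACME validation names for both the add during the challenge and the delete during the cleanup step shown in the traceback. The zone file path is an assumption; the secret is a placeholder for the real value.

```conf
// Added example, not the poster's configuration. Only shost.fr, the key name
// "keyname." and HMAC-SHA512 come from the post; the rest is assumed.

// The key name must match dns_rfc2136_name (BIND treats "keyname." and
// "keyname" as the same DNS name); algorithm and secret must match the file.
key "keyname." {
    algorithm hmac-sha512;
    secret "<TSIG secret from the credentials file, base64, placeholder>";
};

zone "shost.fr" {
    type master;
    file "/var/named/dynamic/shost.fr.db";   // assumed path, must be writable by named

    // Weak setting (shown commented out): allow-update lets this key
    // rewrite any record in the zone. allow-update and update-policy
    // cannot both be set on one zone.
    // allow-update { key "keyname."; };

    // Least privilege: the key may only add/delete TXT at the validation
    // names certbot uses for shost.fr (also covers *.shost.fr) and for
    // www.shost.fr. Any update outside these rules is answered REFUSED.
    update-policy {
        grant keyname. name _acme-challenge.shost.fr. TXT;
        grant keyname. name _acme-challenge.www.shost.fr. TXT;
    };
};
```

dns_rfc2136_server has to point at the primary that holds this zone, since secondaries do not accept dynamic updates. BIND logs every denied update in the named log with the client address and zone, which lets a REFUSED from the cleanup step be matched against the policy above.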


#2

Hi,

The traceback might state that the server (DNS) was not available at the time of the request (the connection is refused when certbot tries to update DNS records on that server).

Thank you


#3

TSIG keys need to remain secret! If you’re using that one, and it isn’t just an example, you need to change it. (Disable it on your servers and generate a new one.)


#4

No problem. It was just a previous trial. The key has been changed since.