
I need a TLS cert for Exim and not for a website. For people who do not use a web server, Let's Encrypt provides certs via the so-called DNS-01 challenge. It's simple really: a hook script dynamically updates BIND's zone with a TXT challenge RR, which Let's Encrypt then uses to verify the cert request.

It all works up to the DDNS update in BIND. I have the following zone configuration:

    zone "example.com" IN {
            type master;
            notify yes;
            allow-query { "any"; };
            file "/etc/bind/example.com.zone";
            update-policy {
                grant ddns-key zonesub ANY;
            };
    };

I then use the dehydrated client to issue the cert request, get the cert signed etc. dehydrated uses a hook script that dynamically adds a TXT record with a challenge for a domain:

    % dehydrated -c --domain example.com -t dns-01 -k /myhook.sh

    # INFO: Using main config file /etc/dehydrated/config
    Processing example.com
     + Signing domains...
     + Generating private key...
     + Generating signing request...
     + Requesting new certificate order from CA...
     + Received 1 authorizations URLs from the CA
     + Handling authorization for example.com
     + 1 pending challenge(s)
     + Deploying challenge tokens...
     + Responding to challenge for example.com authorization...
     + Cleaning challenge tokens...
     + Challenge validation has failed :(
    ERROR: Challenge is invalid! (returned: invalid) (result: {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/9027433651/.....",
      "token": "g_zU3NXkYwjt2LrRm3Yo33O22BFPLRvl......"
    })

The hook script is based on https://github.com/dehydrated-io/dehydrated/wiki/example-dns-01-nsupdate-script.

If I check for the existence of the TXT record (before dehydrated tries to delete it), it indeed does not exist:

    dig TXT _acme-challenge.example.com @inet.example.com

    ...NXDOMAIN

In the log BIND writes a single related line:

    02-Dec-2020 20:21:56.089 update: info: client 10.5.1.181#49440/key ddns-key: updating zone 'example.com/IN': adding an RR at '_acme-challenge.example.com' TXT "GLuKNhJkt3MJ4refRS_nkL9BRBbqXSl4a3QytkGfY64"

That's it. There's nothing more, even though I have increased the logging level to debug. The TXT record does not appear, there's no error message, nothing.

How can I get this fixed?

OS: Debian 9. BIND version: 9.10.

    % named -V
    BIND 9.10.3-P4-Debian <id:ebd72b3>
    built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-3gVwXu/bind9-9.10.3.dfsg.P4=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
    compiled by GCC 6.3.0 20170516
    compiled with OpenSSL version: OpenSSL 1.0.2u  20 Dec 2019
    linked to OpenSSL version: OpenSSL 1.0.2u  20 Dec 2019
    compiled with libxml2 version: 2.9.4
    linked to libxml2 version: 20904

UPDATE

I found something: this seems to be related to the IP/interface that BIND is listening on. When I use the externally visible nameserver for example.com, I get a refusal with the following nsupdate commands:

    % nsupdate -k /etc/exim4/ddns.key < /tmp/s
    ; TSIG error with server: tsig indicates error
    update failed: NOTAUTH(BADKEY)

    % cat /tmp/s
    server inet.example.com
    add _acme-challenge.example.com 1010001 in TXT "abc"
    send

However, I do not get an error and the TXT record does get inserted with the following nsupdate commands:

    server 10.0.0.1
    add _acme-challenge.example.com 1010001 in TXT "abc"
    send
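As an added example (not the poster's /myhook.sh and not dehydrated's own code): a hook fragment that sends the TSIG-signed update to the master's own address and then polls the public nameserver until the TXT record is actually answered there before returning to dehydrated, so the CA never queries a record that has not appeared. The key file /etc/exim4/ddns.key, master 10.0.0.1 and nameserver inet.example.com are taken from the question; the TTL, retry count and sleep interval are assumptions.

```shell
#!/bin/sh
# Added example hook for dehydrated (not the poster's /myhook.sh): push the
# challenge TXT to the master over DDNS, then verify the public nameserver
# serves it before returning, so the CA never queries a record that is absent.
KEYFILE="${KEYFILE:-/etc/exim4/ddns.key}"   # TSIG key file from the question
MASTER="${MASTER:-10.0.0.1}"                 # master that holds ddns-key (assumed)
AUTH_NS="${AUTH_NS:-inet.example.com}"       # nameserver the CA's resolver will ask
TTL=60                                       # short TTL so stale answers age out fast

# Build the nsupdate batch for one challenge: plain text, checkable offline.
# The key is sent to MASTER, not AUTH_NS: a server that does not hold the key
# answers NOTAUTH(BADKEY) for a TSIG-signed update, as seen in the question.
build_update() {
    action=$1; domain=$2; token=$3
    echo "server $MASTER"
    if [ "$action" = add ]; then
        echo "update add _acme-challenge.${domain}. $TTL IN TXT \"$token\""
    else
        echo "update delete _acme-challenge.${domain}. IN TXT \"$token\""
    fi
    echo "send"
}

# Poll AUTH_NS until the token is visible in the TXT RRset (0) or give up (1).
wait_for_txt() {
    domain=$1; token=$2; tries=${3:-30}; i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "_acme-challenge.${domain}" "@${AUTH_NS}" \
               | grep -qF "\"$token\""; then
            return 0
        fi
        i=$((i + 1)); sleep 2
    done
    return 1
}

# dehydrated calls: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    build_update add "$1" "$3" | nsupdate -k "$KEYFILE" || return 1
    wait_for_txt "$1" "$3" || { echo "TXT for $1 not served by $AUTH_NS" >&2; return 1; }
}

clean_challenge() {
    build_update delete "$1" "$3" | nsupdate -k "$KEYFILE"
}

case "$1" in
    deploy_challenge|clean_challenge) "$@" ;;
esac
```

If deploy_challenge exits non-zero, dehydrated aborts before asking the CA to validate, which turns the silent NXDOMAIN into a local, diagnosable failure.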
LetMeSOThat4U
  • Are you by any chance using `bind` views? If yes, you are probably editing/adding the record to a zone in the incorrect view. – Tomek Dec 02 '20 at 20:40
  • You could well use the HTTP-01 challenge without a web server. Certbot has a built-in temporary web server for that. – Esa Jokinen Dec 02 '20 at 21:53
  • @Tomek: Unfortunately no, I'm not using views. – LetMeSOThat4U Dec 03 '20 at 11:43
  • A comment from Patrick Mevzek to a different question applies here too: "BIND 9.10 is EOL for more than 2 years (see https://kb.isc.org/docs/aa-00896). So you might want to start using something newer. And while Debian 9 is not EOL you should upgrade too." – Tommiie Dec 03 '20 at 11:50

0 Answers