cytopia / docker-bind

Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]
http://devilbox.org/
MIT License

Certbot with Bind #24

Open ghost opened 4 years ago

ghost commented 4 years ago

Hi,

I am wondering if there is any way update_policy can be added to the generated named conf file?

https://certbot-dns-rfc2136.readthedocs.io/en/stable/#sample-bind-configuration - I want to try and generate certs for a bind zone. Thus, I can generate a key via

tsig-keygen -a hmac-sha512 keyname > /etc/bind/tsig.key

However, I can't figure out how I can add an update policy to the generated conf file.

Thank you

ghost commented 4 years ago

Update:

I've added these to the entrypoint script:

                echo "zone \"${domain}\" IN {"
                echo "    type master;"
                echo "    allow-transfer { any; };"
                echo "    file \"${zone_file}\";"
                echo "    update-policy {"
                echo "      grant keyname. name _acme-challenge.wcl.net. txt;"
                echo "    };"
                echo "};"
--------
{
        echo "include \"${NAMED_LOG_CONF}\";"
        echo "include \"${NAMED_OPT_CONF}\";"
        echo "include \"/etc/bind/named.conf.local\";"
        echo "include \"/etc/bind/named.conf.default-zones\";"
        echo "include \"/etc/bind/tsig.key\";"
} > "${NAMED_CONF}"

However, certbot is failing with that error:

2020-08-08 00:08:50,783:DEBUG:acme.client:Storing nonce: 0002WQPJS-XuFFfRv-OgZH5557u21jzYdh92GLoD9xnNCYk
2020-08-08 00:08:50,784:INFO:certbot.auth_handler:Performing the following challenges:
2020-08-08 00:08:50,784:INFO:certbot.auth_handler:dns-01 challenge for wcl.net
2020-08-08 00:08:50,785:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: /root/certbot.ini
2020-08-08 00:08:50,791:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.wcl.net
2020-08-08 00:08:50,793:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for wcl.net
2020-08-08 00:08:50,797:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 135, in add_txt_record
    .format(dns.rcode.to_text(rcode)))
certbot.errors.PluginError: Received response from server: SERVFAIL

2020-08-08 00:08:50,797:DEBUG:certbot.error_handler:Calling registered functions
2020-08-08 00:08:50,797:INFO:certbot.auth_handler:Cleaning up challenges
2020-08-08 00:08:50,800:DEBUG:certbot_dns_rfc2136.dns_rfc2136:No authoritative SOA record found for _acme-challenge.wcl.net
2020-08-08 00:08:50,801:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for wcl.net
2020-08-08 00:08:50,803:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2020-08-08 00:08:50,803:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 76, in _perform
    self._get_rfc2136_client().add_txt_record(validation_name, validation, self.ttl)
  File "/usr/lib/python3/dist-packages/certbot_dns_rfc2136/dns_rfc2136.py", line 135, in add_txt_record
    .format(dns.rcode.to_text(rcode)))
certbot.errors.PluginError: Received response from server: SERVFAIL

Might be related to dir permissions though.

anApeThrummingAViola commented 4 years ago

I'm stuck at the same point, I doubt it's write permissions, as it persists even after adding write permissions for the 'bind' group to both the /etc/bind directory as well as the zone file.

science695 commented 4 years ago

@anApeThrummingAViola Unsafe permission errors in Linux usually mean the file has too much access, not too little.

i.e. it is world-writable or world-readable. Depending on the situation, even group read/writable might cause an error.

In this case, here is some info on Certbot's warning: https://certbot-dns-rfc2136.readthedocs.io/en/stable/#credentials
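An added example (not code from this thread, docker-bind or certbot) that ties the two points above together: it renders the zone stanza with the single-name TXT grant that ghost used, so the TSIG key can only touch `_acme-challenge.<domain>` TXT records rather than the whole zone, and it checks the certbot credentials file for the group/other permission bits that trigger the plugin's "Unsafe permissions" warning. The key name `keyname`, the domain `wcl.net`, the zone file path and the ini contents are constructed values.

```python
"""Least-privilege RFC 2136 update-policy for certbot plus a credentials
permission check. Added example; not from docker-bind or certbot."""
import os
import re
import stat
import tempfile

KEY_NAME = "keyname"   # constructed, matches the tsig-keygen call in the thread
DOMAIN = "wcl.net"     # constructed, matches the zone in the thread


def update_policy_stanza(domain, key_name, zone_file):
    """Zone block whose TSIG key may only add/remove the ACME TXT record.
    Mirrors the grant in the thread; deliberately not 'grant ... zonesub any'."""
    return "\n".join([
        f'zone "{domain}" IN {{',
        "    type master;",
        f'    file "{zone_file}";',
        "    update-policy {",
        f"      grant {key_name}. name _acme-challenge.{domain}. txt;",
        "    };",
        "};",
    ])


def grants_only_acme_txt(stanza, domain):
    """True when every grant line is restricted to the ACME name and TXT type."""
    grants = re.findall(r"^\s*grant\s+(.+);$", stanza, re.MULTILINE)
    wanted = f"name _acme-challenge.{domain}. txt"
    return bool(grants) and all(g.strip().endswith(wanted) for g in grants)


def unsafe_permissions(path):
    """Group/other read or write bits set: the condition behind certbot's
    'Unsafe permissions on credentials configuration file' warning."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & 0o077)


def demo_permission_check():
    """Write a constructed certbot.ini, check it at 0644 and again at 0600.
    Returns (unsafe_at_0644, unsafe_at_0600)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as f:  # constructed credentials, not a real secret
        f.write("dns_rfc2136_server = 127.0.0.1\n"
                f"dns_rfc2136_name = {KEY_NAME}\n"
                "dns_rfc2136_secret = PLACEHOLDER_BASE64_SECRET\n"
                "dns_rfc2136_algorithm = HMAC-SHA512\n")
    os.chmod(path, 0o644)
    before = unsafe_permissions(path)
    os.chmod(path, 0o600)
    after = unsafe_permissions(path)
    os.remove(path)
    return before, after
```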

anApeThrummingAViola commented 4 years ago

That was a good hint, my pre-set permissions on the bind dir were 2755, I changed them to 0774, restarted bind, and that got me past this problem.

anApeThrummingAViola commented 4 years ago

blushes I also had opened the firewall for port 53 TCP instead of UDP