Help needed over setting up DNS-01 challenge with self hosted BIND9 server and Step CA ACME sever using RFC2136 #2159

silversurfer98 · 2024-04-16T08:15:43Z

silversurfer98
Apr 16, 2024

I have a test environment with Docker, where I wanted to test wildcard cert genration using self hosted Bind9 DNS server and a step CA ACME server. I'm facing issues with DNS challenge

While I am able to obtain certificates for all individual *.silverdev.fun internal domains using the HTTP-01 challenge using certbot, my goal was to secure a wildcard certificate using the DNS challenge. The most relevant solution I found in the documentation was the RCF2136 provider. Consequently, I set up a BIND9 server and correctly configured all the records as follows:

named.conf

cl home {
    192.168.1.0/24;
    172.18.0.0/24;
};

options {
    version "not currently available";
    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
    allow-query { home; };
};

key "keyname." {
        algorithm hmac-sha512;
        secret "key as generated by tsig-keygen -a hmac-sha512 keyname.";
};

zone "silverdev.fun." IN {
  type master;
  file "/etc/bind/silver-dev.zone";
  update-policy {
    grant keyname. zonesub any;
  };
};

and /etc/bind/silver-dev.zone

$ORIGIN .
$TTL 120        ; 2 minutes
silverdev.fun           IN SOA  ns.silverdev.fun. admin.silverdev.fun. (
                                2024040419 ; serial
                                43200      ; refresh (12 hours)
                                900        ; retry (15 minutes)
                                1814400    ; expire (3 weeks)
                                7200       ; minimum (2 hours)
                                )
                        NS      ns.silverdev.fun.
                        A       192.168.1.19
$ORIGIN silverdev.fun.
*                       CNAME   silverdev.fun.
ns                      A       192.168.1.19

With this configuration, I can successfully obtain a wildcard certificate when I employ certbot in the following manner:

docker run -it --rm --name certbot -e REQUESTS_CA_BUNDLE=/home/root.crt -p 80:80 --network="proxy" \
            -v "./data/etc:/etc/letsencrypt" \
            -v "./data/var:/var/lib/letsencrypt" \
            -v "./data/secrets:/home" \
            -v "./data/certs/root_ca.crt:/home/root.crt" \
            certbot/dns-rfc2136 certonly --dns-rfc2136 --dns-rfc2136-credentials /home/dns.ini \
            --agree-tos --email [email protected] \
            --server https://step-ca:9000/acme/acme/directory -d "silverdev.fun" -d "*.silverdev.fun"

However, when I execute the lego container, I observe in the bind9 logs that lego is generating _acme challenge CNAME records. It doesn't succeed in obtaining the wildcard certificate. I need help regarding this

Steps I followed

RFC2136_TSIG_KEY=keyname. \
RFC2136_TSIG_SECRET=<key> \
RFC2136_TSIG_ALGORITHM=hmac-sha512. \
RFC2136_NAMESERVER=64.227.153.101 \
lego --server https://step-ca:9000/acme/acme/directory --accept-tos --email [email protected] --dns rfc2136 --dns.resolvers 64.227.153.101 --domains silverdev.fun run

I have to create a separate lego container where I trusted my self hosted step-ca's root.crt

The container docker file
# Start from a base image
FROM ubuntu:jammy

# Install necessary packages
RUN apt-get update && \
    apt-get install -y ca-certificates wget

# Copy certificates
COPY ./certs/ /usr/local/share/ca-certificates/

# Update certificates
RUN update-ca-certificates

# Change working directory
WORKDIR /home

# Download lego
RUN wget https://github.com/go-acme/lego/releases/download/v4.16.1/lego_v4.16.1_linux_amd64.tar.gz

# Extract lego
RUN tar -xzvf lego_v4.16.1_linux_amd64.tar.gz

# Move lego to bin
RUN mv /home/lego /usr/bin

# Clean up
RUN rm -rf /home/*

go-acme logs

!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Obtaining bundled SAN certificate
2024/04/06 15:30:58 [INFO] [silverdev.fun] AuthURL: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Could not find solver for: http-01
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: use dns-01 solver
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Preparing to solve DNS-01
2024/04/06 15:30:58 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Trying to solve DNS-01
2024/04/06 15:30:58 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Checking DNS record propagation. [nameservers=64.227.153.101:53]
2024/04/06 15:31:01 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/04/06 15:31:01 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:03 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:05 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:07 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:09 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:11 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:13 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:15 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:17 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:19 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:21 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:23 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:25 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:27 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:29 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:31 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:33 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:35 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:37 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:39 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:41 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:43 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:45 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:47 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:49 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:52 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:54 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:56 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:58 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:32:00 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:32:02 [INFO] [silverdev.fun] acme: Cleaning DNS-01 challenge
2024/04/06 15:32:02 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:32:02 [INFO] Deactivating auth: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:32:02 [INFO] Unable to deactivate the authorization: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:32:02 Could not obtain certificates:
        error: one or more domains had a problem:
[silverdev.fun] propagation: time limit exceeded: last error: DNS call error: read udp 172.18.0.3:50812->192.168.1.19:53: read: connection refused [ns=ns.silverdev.fun.:53, question='silverdev.fun. IN  TXT']

And atlast my bind9 logs

bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
bind9    | 06-Apr-2024 20:10:12.736 client @0x7f50541a3f18 <my-ip>#46986/key keyname: updating zone 'silverdev.fun/IN': deleting rrset at 'silverdev.fun' TXT
bind9    | 06-Apr-2024 20:10:12.736 client @0x7f50541a3f18 <my-ip>#46986/key keyname: updating zone 'silverdev.fun/IN': adding an RR at 'silverdev.fun' TXT "Xbw9wBoEDH4u_x-DJ6n8dXCvc7uRD6H1Xze1Oo0bzaY"
bind9    | 06-Apr-2024 20:11:15.925 client @0x7f50541a3f18 <my-ip>#33000/key keyname: updating zone 'silverdev.fun/IN': deleting an RR at silverdev.fun TXT
bind9    | 06-Apr-2024 20:13:33.167 client @0x7f50541a7bd8 23.26.60.162#56454 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 20:37:53.601 client @0x7f50541a3f18 104.223.129.153#51626 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 20:46:15.724 client @0x7f50541a7bd8 104.223.129.149#55514 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 21:00:58.958 client @0x7f50541a3f18 <my-ip>#48105/key keyname: updating zone 'silverdev.fun/IN': deleting rrset at 'silverdev.fun' TXT
bind9    | 06-Apr-2024 21:00:58.958 client @0x7f50541a3f18 <my-ip>#48105/key keyname: updating zone 'silverdev.fun/IN': adding an RR at 'silverdev.fun' TXT "5cs0Uj3jQFfogfGZbptEm33syPu4AYpDXf_zbcKkIA8"
bind9    | 06-Apr-2024 21:02:02.199 client @0x7f50541a3f18 <my-ip>#49052/key keyname: updating zone 'silverdev.fun/IN': deleting an RR at silverdev.fun TXT

I'm stuck here, I don't know what else I can do, I have also raised a discussion in traefik forum since that was my first try traefik discussion

ldez · 2024-04-16T11:27:05Z

ldez
Apr 16, 2024
Maintainer

Hello,

I observe in the bind9 logs that lego is generating _acme challenge CNAME records.

Lego doesn't create CNAME, it just follows CNAME by default.

The problem is related to the CNAME wildcard record.

Can you set the env var LEGO_DISABLE_CNAME_SUPPORT to true?

1 reply

silversurfer98 May 6, 2024
Author

I'm really Sorry for very late reply, I have tried the option LEGO_DISABLE_CNAME_SUPPORT to true, It doesn't make any different, It produces the same error, yet certbot somehow manages to get the certs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Help needed over setting up DNS-01 challenge with self hosted BIND9 server and Step CA ACME sever using RFC2136 #2159

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Help needed over setting up DNS-01 challenge with self hosted BIND9 server and Step CA ACME sever using RFC2136 #2159

silversurfer98 Apr 16, 2024

Replies: 1 comment · 1 reply

ldez Apr 16, 2024 Maintainer

silversurfer98 May 6, 2024 Author

silversurfer98
Apr 16, 2024

Replies: 1 comment 1 reply

ldez
Apr 16, 2024
Maintainer

silversurfer98 May 6, 2024
Author