Help needed over setting up DNS-01 challenge with self hosted BIND9 server and Step CA ACME sever using RFC2136

[silversurfer98]

I have a test environment with Docker, where I wanted to test wildcard cert genration using self hosted Bind9 DNS server and a step CA ACME server. I'm facing issues with DNS challenge

While I am able to obtain certificates for all individual *.silverdev.fun internal domains using the HTTP-01 challenge using certbot, my goal was to secure a wildcard certificate using the DNS challenge. The most relevant solution I found in the documentation was the RCF2136 provider. Consequently, I set up a BIND9 server and correctly configured all the records as follows:

named.conf

cl home {
    192.168.1.0/24;
    172.18.0.0/24;
};

options {
    version "not currently available";
    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
    allow-query { home; };
};

key "keyname." {
        algorithm hmac-sha512;
        secret "key as generated by tsig-keygen -a hmac-sha512 keyname.";
};

zone "silverdev.fun." IN {
  type master;
  file "/etc/bind/silver-dev.zone";
  update-policy {
    grant keyname. zonesub any;
  };
};

and /etc/bind/silver-dev.zone

$ORIGIN .
$TTL 120        ; 2 minutes
silverdev.fun           IN SOA  ns.silverdev.fun. admin.silverdev.fun. (
                                2024040419 ; serial
                                43200      ; refresh (12 hours)
                                900        ; retry (15 minutes)
                                1814400    ; expire (3 weeks)
                                7200       ; minimum (2 hours)
                                )
                        NS      ns.silverdev.fun.
                        A       192.168.1.19
$ORIGIN silverdev.fun.
*                       CNAME   silverdev.fun.
ns                      A       192.168.1.19

With this configuration, I can successfully obtain a wildcard certificate when I employ certbot in the following manner:

docker run -it --rm --name certbot -e REQUESTS_CA_BUNDLE=/home/root.crt -p 80:80 --network="proxy" \
            -v "./data/etc:/etc/letsencrypt" \
            -v "./data/var:/var/lib/letsencrypt" \
            -v "./data/secrets:/home" \
            -v "./data/certs/root_ca.crt:/home/root.crt" \
            certbot/dns-rfc2136 certonly --dns-rfc2136 --dns-rfc2136-credentials /home/dns.ini \
            --agree-tos --email [email protected] \
            --server https://step-ca:9000/acme/acme/directory -d "silverdev.fun" -d "*.silverdev.fun"

However, when I execute the lego container, I observe in the bind9 logs that lego is generating _acme challenge CNAME records. It doesn't succeed in obtaining the wildcard certificate. I need help regarding this

Steps I followed

RFC2136_TSIG_KEY=keyname. \
RFC2136_TSIG_SECRET=<key> \
RFC2136_TSIG_ALGORITHM=hmac-sha512. \
RFC2136_NAMESERVER=64.227.153.101 \
lego --server https://step-ca:9000/acme/acme/directory --accept-tos --email [email protected] --dns rfc2136 --dns.resolvers 64.227.153.101 --domains silverdev.fun run

I have to create a separate lego container where I trusted my self hosted step-ca's root.crt

The container docker file
# Start from a base image
FROM ubuntu:jammy

# Install necessary packages
RUN apt-get update && \
    apt-get install -y ca-certificates wget

# Copy certificates
COPY ./certs/ /usr/local/share/ca-certificates/

# Update certificates
RUN update-ca-certificates

# Change working directory
WORKDIR /home

# Download lego
RUN wget https://github.com/go-acme/lego/releases/download/v4.16.1/lego_v4.16.1_linux_amd64.tar.gz

# Extract lego
RUN tar -xzvf lego_v4.16.1_linux_amd64.tar.gz

# Move lego to bin
RUN mv /home/lego /usr/bin

# Clean up
RUN rm -rf /home/*

go-acme logs

!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Obtaining bundled SAN certificate
2024/04/06 15:30:58 [INFO] [silverdev.fun] AuthURL: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Could not find solver for: http-01
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: use dns-01 solver
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Preparing to solve DNS-01
2024/04/06 15:30:58 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Trying to solve DNS-01
2024/04/06 15:30:58 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:30:58 [INFO] [silverdev.fun] acme: Checking DNS record propagation. [nameservers=64.227.153.101:53]
2024/04/06 15:31:01 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2024/04/06 15:31:01 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:03 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:05 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:07 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:09 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:11 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:13 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:15 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:17 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:19 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:21 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:23 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:25 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:27 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:29 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:31 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:33 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:35 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:37 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:39 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:41 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:43 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:45 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:47 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:49 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:52 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:54 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:56 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:31:58 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:32:00 [INFO] [silverdev.fun] acme: Waiting for DNS record propagation.
2024/04/06 15:32:02 [INFO] [silverdev.fun] acme: Cleaning DNS-01 challenge
2024/04/06 15:32:02 [INFO] Found CNAME entry for "_acme-challenge.silverdev.fun.": "silverdev.fun."
2024/04/06 15:32:02 [INFO] Deactivating auth: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:32:02 [INFO] Unable to deactivate the authorization: https://step-ca:9000/acme/acme/authz/N7WkbniwZKpvyafibrmk2qWfs8DfUZF7
2024/04/06 15:32:02 Could not obtain certificates:
        error: one or more domains had a problem:
[silverdev.fun] propagation: time limit exceeded: last error: DNS call error: read udp 172.18.0.3:50812->192.168.1.19:53: read: connection refused [ns=ns.silverdev.fun.:53, question='silverdev.fun. IN  TXT']

And atlast my bind9 logs

bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
bind9    | 06-Apr-2024 20:09:25.415 checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
bind9    | 06-Apr-2024 20:10:12.736 client @0x7f50541a3f18 <my-ip>#46986/key keyname: updating zone 'silverdev.fun/IN': deleting rrset at 'silverdev.fun' TXT
bind9    | 06-Apr-2024 20:10:12.736 client @0x7f50541a3f18 <my-ip>#46986/key keyname: updating zone 'silverdev.fun/IN': adding an RR at 'silverdev.fun' TXT "Xbw9wBoEDH4u_x-DJ6n8dXCvc7uRD6H1Xze1Oo0bzaY"
bind9    | 06-Apr-2024 20:11:15.925 client @0x7f50541a3f18 <my-ip>#33000/key keyname: updating zone 'silverdev.fun/IN': deleting an RR at silverdev.fun TXT
bind9    | 06-Apr-2024 20:13:33.167 client @0x7f50541a7bd8 23.26.60.162#56454 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 20:37:53.601 client @0x7f50541a3f18 104.223.129.153#51626 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 20:46:15.724 client @0x7f50541a7bd8 104.223.129.149#55514 (sl): query (cache) 'sl/ANY/IN' denied (allow-query-cache did not match)
bind9    | 06-Apr-2024 21:00:58.958 client @0x7f50541a3f18 <my-ip>#48105/key keyname: updating zone 'silverdev.fun/IN': deleting rrset at 'silverdev.fun' TXT
bind9    | 06-Apr-2024 21:00:58.958 client @0x7f50541a3f18 <my-ip>#48105/key keyname: updating zone 'silverdev.fun/IN': adding an RR at 'silverdev.fun' TXT "5cs0Uj3jQFfogfGZbptEm33syPu4AYpDXf_zbcKkIA8"
bind9    | 06-Apr-2024 21:02:02.199 client @0x7f50541a3f18 <my-ip>#49052/key keyname: updating zone 'silverdev.fun/IN': deleting an RR at silverdev.fun TXT

I'm stuck here, I don't know what else I can do, I have also raised a discussion in traefik forum since that was my first try traefik discussion

[ldez]

Hello,

I observe in the bind9 logs that lego is generating _acme challenge CNAME records.

Lego doesn't create CNAME, it just follows CNAME by default.

The problem is related to the CNAME wildcard record.

Can you set the env var LEGO_DISABLE_CNAME_SUPPORT to true?

[silversurfer98]

Hi, after a long time, I revisited this issue, this time with a fully local setup. LEGO successfully obtains certificates using the HTTP-01 challenge, but DNS-01 is still giving me trouble. I’ve struggled with it extensively, but Certbot works flawlessly. Could this be an issue with LEGO's RFC2136 implementation? Any help would be appreciated!

[ldez]

Could this be an issue with LEGO's RFC2136 implementation?

There is no problem with the implementation of the RFC.

What is your current problem?

[silversurfer98]

Environment

• Bind9 DNS Server: Running on 192.168.1.77, configured for Dynamic DNS updates with TSIG key kubedevkey.
• ACME Server: https://ca.home.com:9000/acme/acme/directory
• Docker: Used to run both lego and certbot

Problem Statement

Successful Manual DNS Update

Updating DNS manually with nsupdate works:

nsupdate -k kubedevkey.key
> server 192.168.1.77
> zone internal.com
> update add _acme-challenge.internal.com. 300 TXT "test-dns-01"
> send
> quit

Verification using dig:

dig @192.168.1.77 _acme-challenge.internal.com TXT

ANSWER SECTION:
_acme-challenge.internal.com. 120 IN   TXT     "test-dns-01"

PS also checked dig output in step-ca env

LEGO Fails to Validate DNS-01 Challenge

Running LEGO inside a Docker container results in a failure:

docker run --name lego --rm --dns 192.168.1.77 -v ./root_ca.pem:/root_ca.pem \
-e LEGO_CA_CERTIFICATES=/root_ca.pem \
-e RFC2136_TSIG_KEY=kubedev_key \
-e RFC2136_TSIG_SECRET=<kubedevkey> \
-e RFC2136_TSIG_ALGORITHM=hmac-sha256 \
-e RFC2136_NAMESERVER=192.168.1.77 \
-e LEGO_DISABLE_CNAME_SUPPORT=true \
goacme/lego --server https://ca.home.com:9000/acme/acme/directory \
--accept-tos --email [email protected] --dns rfc2136 \
--dns.resolvers 192.168.1.77 --domains="*.internal.com" run

Error Output

[INFO] Found CNAME entry for "_acme-challenge.internal.com.": "internal.com."
[INFO] [internal.com] acme: Checking DNS record propagation. [nameservers=192.168.1.77:53]
[INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
[INFO] [internal.com] acme: Waiting for DNS record propagation.
[INFO] Deactivating auth: https://ca.home.com:9000/acme/acme/authz/7vCLAixHvhT9ohFvPBIHOcNJrlT5HPcM
[INFO] Unable to deactivate the authorization: https://ca.home.com:9000/acme/acme/authz/7vCLAixHvhT9ohFvPBIHOcNJrlT5HPcM
[ERROR] one or more domains had a problem:
[internal.com] propagation: time limit exceeded: last error: authoritative nameservers: DNS call error: read udp 172.17.0.2:44475->192.168.1.18:53: read: connection refused [ns=internal.com.:53, question='internal.com. IN  TXT']

LEGO works fine with HTTP-01 Challenge

Running LEGO for ngx.internal.com using HTTP Challenge, works without any problem

docker run --name lego --rm -v ./root_ca.pem:/root_ca.pem \
-e LEGO_CA_CERTIFICATES=/root_ca.pem \
-p 80:80 goacme/lego \
--server https://ca.home.com:9000/acme/acme/directory \
--accept-tos --email="[email protected]" \
--dns.resolvers 192.168.1.77 --domains="ngx.internal.com" --http run

Certbot Works Successfully

However, certbot succeeds:

docker run -it --rm --name certbot -e REQUESTS_CA_BUNDLE=/root_ca.pem --dns 192.168.1.77 \
-v ./root_ca.pem:/root_ca.pem \
-v ./dns.ini:/dns.ini \
certbot/dns-rfc2136 certonly --dns-rfc2136 --dns-rfc2136-credentials /dns.ini \
--agree-tos --email [email protected] \
--server https://ca.home.com:9000/acme/acme/directory -d "internal.com" -d "*.internal.com"

Possible issues based on my understanding.

1. CNAME Resolution Issue: LEGO detects a CNAME entry for _acme-challenge.internal.com, which may be causing problems with record updates.
2. Network Issues in Docker: The log suggests a potential UDP communication issue (read: connection refused).

Questions

• Why does LEGO fail to validate the DNS-01 challenge while Certbot succeeds?
• Is there a workaround for LEGO to correctly update and validate the challenge?
• Could the CNAME issue be affecting LEGO's validation process?

I appreciate the response to my previous post so quickly, but I still couldn't get it to work. Any suggestions would be greatly helpful.

[ldez]

can you try this option: --dns.propagation-disable-ans?

docker run --name lego --rm -v ./root_ca.pem:/root_ca.pem \
-e LEGO_CA_CERTIFICATES=/root_ca.pem \
-p 80:80 goacme/lego \
--server https://ca.home.com:9000/acme/acme/directory \
--accept-tos --email="[email protected]" \
--dns.propagation-disable-ans \
--dns.resolvers 192.168.1.77 --domains="ngx.internal.com" --http run

[silversurfer98]

--dns.propagation-disable-ans worked at last! I also tried cert-manager from my cluster, and that worked too. A short explanation of why this is needed would be helpful for me and others who visit later. Thank you

[ldez]

lego checks authoritative and recursing nameservers but inside your network, the authoritative nameservers don't respond.
--propagation-disable-ans disables the check of the authoritative nameservers.