
I am trying to renew/create Let's Encrypt certs using DNS auth:

certbot-auto -d xxx.it -d mail.xxx.it --manual --preferred-challenges dns certonly

However, after inserting the requested records:

Please deploy a DNS TXT record under the name
_acme-challenge.mail.xxx.it with the following value:

yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE

Before continuing, verify the record is deployed.

The challenge fails.

Indeed, if I try:

$ dig _acme-challenge.mail.xxx.it TXT

The request also fails, though the zone file includes the record:

 # fgrep TXT /var/named/chroot/var/named/master/xxx.it
 _acme-challenge.mail.xxx.it IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"

I am supposing that BIND (bind-9.8.2-0.62.rc1.el6_9.4.x86_64) is somehow refusing to serve records with leading underscores, but the docs/google aren't helping.

Any ideas?

Edit: As pointed out in the answer below, host parts in zone records need to have a trailing dot OR have the domain part stripped. Look after you copy and paste.

Alien Life Form

1 Answer


In your zone file you need to end the domain with a "."; that tells BIND not to append the origin you list in the zone.

 _acme-challenge.mail.xxx.it. IN  TXT     "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE"
Mike
  • Gee, I feel pretty stupid now. I just copy-pasted the values that LE spit out and never realized I needed to trim the domain part. Thanks for pointing the snafu out, I might have been looking at it for ages before it hit me. – Alien Life Form Oct 11 '17 at 16:47
  • I did the same thing, so thanks for making that mistake in the first place and saving me time. :) – Sam Watkins Jun 03 '18 at 14:32
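To make the origin rule from the answer concrete, here is an added example (not code from the original post) that resolves zone-file owner names the way BIND does: a name without a trailing dot is relative and gets the $ORIGIN appended. The zone fragment is constructed and assumes the origin is xxx.it, matching the question's domain.

```python
# Constructed zone fragment: the same TXT record written three ways.
ZONE = """\
$ORIGIN xxx.it.
_acme-challenge.mail.xxx.it  IN TXT "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE" ; as pasted from certbot
_acme-challenge.mail.xxx.it. IN TXT "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE" ; trailing dot
_acme-challenge.mail         IN TXT "yB_EQ-wiB0NzNUVwiyfiabeIOqIXx3fWKiia1uHGesE" ; domain part stripped
"""


def resolve_owner(name: str, origin: str) -> str:
    """Return the absolute name BIND will serve for an owner field.

    '@' means the origin itself; a trailing dot means the name is already
    absolute; anything else is relative and gets the origin appended.
    """
    if not origin.endswith("."):
        origin += "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def served_owners(zone_text: str) -> list[str]:
    """Walk a zone text, tracking $ORIGIN, and return each record's absolute owner name."""
    origin = "."          # BIND's default until a $ORIGIN directive is seen
    owners: list[str] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace():                  # blank owner field: inherit previous owner
            owners.append(owners[-1])
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owners.append(resolve_owner(fields[0], origin))
    return owners


def wrong_owners(zone_text: str, wanted: str) -> list[str]:
    """Owners that will NOT answer a query for `wanted` (e.g. the ACME challenge name)."""
    if not wanted.endswith("."):
        wanted += "."
    return [o for o in served_owners(zone_text) if o != wanted]


if __name__ == "__main__":
    for owner in served_owners(ZONE):
        print(owner)
    print("mismatched:", wrong_owners(ZONE, "_acme-challenge.mail.xxx.it"))
```

Running it shows the pasted line becomes `_acme-challenge.mail.xxx.it.xxx.it.`, which is why the dig query and the challenge both failed, while the other two forms resolve to the name certbot asked for.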