Need help setting up rfc2136 for dynamic TXT record update with certbot for Let's Encrypt

jmaat

New Member
I have Dyn DNS setup from my router to update a record with my home IP address, and that's working fine, but requires me to have port 80 open for Let's Encrypt renewal. I am now trying to get it to verify my domain with rfc2136 (which also allows for a wildcard cert). I have everything setup, and this is my ini file:

Code:
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py#L20
# Replace with your values
# Target DNS server
dns_rfc2136_server = dynamic.zoneedit.com #api.cp.zoneedit.com #64.68.203.17
# TSIG key name
dns_rfc2136_name = <zoneedit username>
# TSIG key secret
dns_rfc2136_secret = <Dyn Auth token>
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

But this is not working. (I've tried both dynamic and api.cp hosts, as well as the IP). What would a working rfc2136 ini file look like for ZoneEdit?
I can provide some of the letsencrypt logs, but so far aside from this, they have not been very useful. Here's the most relevant part I could find:
2023-03-17 11:20:52,768:INFO:certbot._internal.auth_handler: Performing the following challenges:
2023-03-17 11:20:52,768:INFO:certbot._internal.auth_handler:dns-01 challenge for <mydomain>.com
2023-03-17 11:20:52,769:INFO:certbot._internal.auth_handler:dns-01 challenge for <mydomain>.com

2023-03-17 11:20:52,806:DEBUG:certbot_dns_rfc2136._internal.dns_rfc2136:TCP query failed, fallback to UDP: [Errno 111] Connection refused
Looking at the documentation (https://github.com/certbot/certbot/...~:text=(IPv4 or IPv6 address, not a hostname)), it states that it needs to be an IP address, not hostname.
And I tried using:
https://dynamic.zoneedit.com/txt-create.php?host=test.<mydomain>.com&rdata=ThisIsTheData
which works fine. However when I tried:
https://64.68.203.17/txt-create.php?host=test.<mydomain>.com&rdata=ThisIsTheData
I get:
Class file for server "64.68.203.17" does not exist

So is this something you need to fix on your end to allow access via IP instead of hostname? Or am I doing something wrong?
 

jmaat

New Member
HTTP doesn't work either (same error). But neither is relevant to the issue. I need it to work for certbot's rfc2136 implementation. What are the correct parameters? It requires an IP address, and I'm afraid 64.68.203.17 may not accept connections on port 53. (Which I believe is the port it is trying to connect to)
(trying a simple telnet to 64.68.203.17 gives me a connection refused)
Is there a different IP address we should be using for rfc2136? Or a different port number?
 

Brad C.

Administrator
Staff member
The documentation you're following that requires an IP instead of a hostname is looking for the IP of a nameserver that will transfer the zone. If your domain is in secondary mode with Zoneedit, you could use the Ze secondary server's IP - it will be listed in the control panel when you configure secondary DNS. You also have the option in the Zoneedit control panel to configure TSIG. In your use case you probably don't want to have your domain in secondary mode at Zoneedit so I think you need to find a solution that doesn't involve rfc2136.
 

jmaat

New Member
The documentation that requires an IP instead of a hostname at https://github.com/certbot/certbot/...s-rfc2136/certbot_dns_rfc2136/__init__.py#L20 is looking for the IP of a nameserver that will serve the TXT record. You could use 139.177.204.42 for dns1.zoneedit.com.
Great, that got me one step closer. Now it's saying:
Encountered error when making query: The peer didn't know the key we used
I am using my login name as the name, and the Dyn Auth token as the secret.
 

Brad C.

Administrator
Staff member
Great, that got me one step closer. Now it's saying:
Encountered error when making query: The peer didn't know the key we used
I am using my login name as the name, and the Dyn Auth token as the secret.
Looking more closely at the docs for rfc2136, I don't think it's the solution you're looking for. rfc2136 is for transferring the zone via AXFR and would require your domain to be in secondary mode at Zoneedit.
 

jmaat

New Member
rfc2136 is indeed key for AXFR transfer out of a zone, however it can also be used to add, update, or delete RRs.
According to this post: https://forum.zoneedit.com/threads/rfc2136-support.8783/post-21679 Zoneedit now supports rfc2136 updates to allow Let's Encrypt cert renewal. Which for certbot means it needs to talk to the DNS server to add a TXT record.

I looked at your documentation (https://support.zoneedit.com/en/knowledgebase/article/secondary-dns), and the TSIG listed under the Secondary Information in DNS Settings is likely exactly what I would need. I do not want/need my domain to be secondary. I just need to have a TSIG that allows me to make updates to the records on the primary (@ Zoneedit)

So, how bad would it break if I changed the primary name server in that section to 139.177.204.42 (my zone's primary NS @Zoneedit)? Would that allow me to get a TSIG and still have my primary domain @ Zoneedit?
 

sandy

Administrator
Staff member
In the Ze forum thread about 'rfc2136 support', the DYN endpoints for creating TXT records for Let's Encrypt were referenced. We do not fully support rfc2136, only the DYN endpoints for creating TXT records for Let's Encrypt.

regards.
 

jmaat

New Member
In the Ze forum thread about 'rfc2136 support', the DYN endpoints for creating TXT records for Let's Encrypt were referenced. We do not fully support rfc2136, only the DYN endpoints for creating TXT records for Let's Encrypt.

regards.
Thanks. Is there any true rfc2136 support for certbot to renew letsencrypt wildcard certificates in the pipeline? Or a DNS plugin for certbot (https://eff-certbot.readthedocs.io/en/stable/using.html#third-party-plugins)?
Right now my cert request has about a dozen alternate names to allow for all the hostnames. (And with each new server I have to update the cert. I don't think I've ever had my cert last the full time until auto-renewal). I would love to be able to finally get a wildcard certificate.
 

Brad C.

Administrator
Staff member
If you can script something to create the TXT records using a DYN call like https://forum.zoneedit.com/threads/automating-changes-of-txt-records-in-dns.7394/post-19772, then you could create a wildcard cert with certbot using something like:
Code:
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --csr /path/to/csr_file --manual-public-ip-logging-ok --config-dir YOUR_DIR --work-dir YOUR_DIR --logs-dir YOUR_DIR --agree-tos --register-unsafely-without-email --manual-auth-hook '/path/to/script/that/creates/txt/records' --non-interactive --force-renewal -d whatever.com -d '*.whatever.com'
 
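As an added example (not ZoneEdit's or certbot's own code, and not from the forum post linked above), here is what the `--manual-auth-hook` script in that certbot command could look like. It uses the `txt-create.php` endpoint shown earlier in the thread and the `CERTBOT_DOMAIN` / `CERTBOT_VALIDATION` environment variables certbot exports to manual hooks. Assumptions not confirmed by the thread: that the endpoint accepts HTTP basic auth with the ZoneEdit username and Dyn auth token (read here from `ZONEEDIT_USER` and `ZONEEDIT_TOKEN`), and the propagation wait of 30 seconds. The `dns1.zoneedit.com` check reuses the nameserver named earlier in the thread.

```shell
#!/bin/sh
# Certbot --manual-auth-hook for ZoneEdit's DYN-style TXT endpoint.
# Added example, not ZoneEdit's or certbot's code.
# Assumed (not confirmed by the thread): basic auth with username:token,
# the ZONEEDIT_* variable names, and the 30 second propagation wait.
set -eu

ZONEEDIT_ENDPOINT="${ZONEEDIT_ENDPOINT:-https://dynamic.zoneedit.com/txt-create.php}"

# Accept only characters that are safe in a DNS name and in a query
# string; the ACME validation string is base64url, so this is enough.
# Rejecting anything else keeps a hostile value from injecting '&' or '#'
# into the request URL.
is_safe() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the txt-create.php URL for the dns-01 record.
#   $1 = domain being validated (certbot passes CERTBOT_DOMAIN)
#   $2 = validation string   (certbot passes CERTBOT_VALIDATION)
# A leading "*." is stripped defensively; the challenge record for
# *.whatever.com lives at _acme-challenge.whatever.com.
build_txt_create_url() {
  domain="${1#\*.}"
  is_safe "$domain" && is_safe "$2" || return 1
  printf '%s?host=_acme-challenge.%s&rdata=%s\n' "$ZONEEDIT_ENDPOINT" "$domain" "$2"
}

# Create the record over HTTPS. curl --fail turns an HTTP error into a
# non-zero exit so certbot aborts instead of waiting on a missing record.
create_txt_record() {
  url="$(build_txt_create_url "$1" "$2")" || {
    printf 'refusing unsafe domain or validation value\n' >&2
    return 1
  }
  curl --fail --silent --show-error \
    --user "${ZONEEDIT_USER}:${ZONEEDIT_TOKEN}" "$url"
}

# Poll the authoritative server named earlier in the thread until the
# record is visible, so certbot does not ask Let's Encrypt too early.
wait_for_txt() {
  domain="${1#\*.}"
  tries=0
  while [ "$tries" -lt 20 ]; do
    if dig +short TXT "_acme-challenge.$domain" @dns1.zoneedit.com | grep -q "$2"; then
      return 0
    fi
    tries=$((tries + 1))
    sleep 5
  done
  return 1
}

# Only act when certbot is calling us; sourcing the file for testing
# leaves these variables unset and the functions defined.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  create_txt_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
  wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
    || sleep "${ZONEEDIT_PROPAGATION_SECONDS:-30}"
fi
```

Certbot runs the hook once per `-d` name, so for `-d whatever.com -d '*.whatever.com'` two TXT records end up under the same `_acme-challenge.whatever.com` name; the endpoint has to add rather than replace for the second run to pass, which is worth checking with `dig TXT _acme-challenge.whatever.com @dns1.zoneedit.com` before relying on it for renewals. The thread does not show a delete endpoint, so the stale records need to be cleaned up separately.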