Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt.


This section is background; you can skip it to get to the real stuff.

Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of:

  • host server – A FreeBSD host which contains the other nodes
  • database – holds the commits
  • mx ingress – mostly deprecated now as FreeBSD moves to git
  • ingress – processes the commits into the database
  • web – displays the commits to the user

Each of those components is independent but they usually reside on one host, each within a separate jail on the host.

For my proof-of-concept deployment to AWS, I’ve put the database in Amazon RDS.

Also for the AWS POC, I’ll only be doing the host server, and two jails: ingress and web.

Cert creation failure

I went to create a new cert today, as part of my AWS-FreshPorts work. It failed. Names have been changed.

The following shows my cert creation for

$ --issue --dns dns_nsupdate -d
[Thu Dec 24 12:48:15 UTC 2020] Using CA:
[Thu Dec 24 12:48:15 UTC 2020] Creating domain key
[Thu Dec 24 12:48:16 UTC 2020] The domain key is here: /var/db/acme/certs/
[Thu Dec 24 12:48:16 UTC 2020] Single domain=''
[Thu Dec 24 12:48:16 UTC 2020] Getting domain auth token for each domain
[Thu Dec 24 12:48:17 UTC 2020] Getting webroot for domain=''
[Thu Dec 24 12:48:17 UTC 2020] Adding txt value: iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y for domain:
[Thu Dec 24 12:48:17 UTC 2020] adding 60 in txt "iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y"
update failed: REFUSED
[Thu Dec 24 12:48:17 UTC 2020] error updating domain
[Thu Dec 24 12:48:17 UTC 2020] Error add txt for
[Thu Dec 24 12:48:17 UTC 2020] Please check log file for more details: /var/log/

Quite clearly, the TXT record was not added.

Looking at my DNS servers, I find:

24-Dec-2020 12:48:17.931 client @0x830f62f68 
updating zone '': update failed: rejected by secure update (REFUSED)

Before issuing a new certificate, I need to first add a grant for the TXT record for all hostnames which will be present in that certificate. That is one grant per hostname.

The amendments

This is what I added to my zone files:

+ grant name TXT;
+ grant name TXT;

I might as well add the grant for the other cert I’ll create later today.

That fixed it.

Change in routine

Here is what I should be doing:

  1. Create A record, perhaps PTR record too
  2. add grant
  3. repeat for any other hostnames in the new cert
  4. issue new cert
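To make the routine above concrete, here is an added example (not code from the original post or from FreshPorts) that models the per-name `update-policy` grants BIND uses: it renders one `grant <key> name _acme-challenge.<host>. TXT;` line per hostname in a certificate (step 2, repeated in step 3), and then evaluates whether a given dynamic update would be permitted under that policy, which is why an update for a hostname without its own grant comes back REFUSED as in the log above. The TSIG key name `acme-key`, the zone `example.org` and the hostnames are placeholders; the `_acme-challenge.` label is the standard owner name for dns-01 challenges and is what acme.sh's `dns_nsupdate` hook writes to.

```python
"""Model BIND update-policy grants for Let's Encrypt dns-01 TXT records.

Added example, not part of the original post. Assumptions:
  * the zone is served by BIND with an `update-policy { ... };` block;
  * the TSIG key used by acme.sh's dns_nsupdate hook is named `acme-key`
    (placeholder name);
  * the challenge TXT record lives at `_acme-challenge.<hostname>.`
    (the standard dns-01 label).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    identity: str        # TSIG key name the grant applies to
    name: str            # exact owner name covered (BIND nametype "name")
    rrtypes: frozenset   # record types permitted at that owner name


def challenge_name(hostname: str) -> str:
    """Owner name where the dns-01 challenge TXT record must be published."""
    return f"_acme-challenge.{hostname.rstrip('.')}."


def grant_lines(key_name: str, hostnames) -> list:
    """One `grant ... name ... TXT;` line per hostname, ready for named.conf.

    This is the step the post describes as "add grant, repeat for any other
    hostnames in the new cert": the key may only touch the challenge label of
    each listed host, and nothing else in the zone.
    """
    return [f"grant {key_name} name {challenge_name(h)} TXT;" for h in hostnames]


def update_policy_block(key_name: str, hostnames) -> str:
    """Render the full `update-policy` stanza for a zone clause."""
    body = "\n".join(f"    {line}" for line in grant_lines(key_name, hostnames))
    return f"update-policy {{\n{body}\n}};"


def parse_grant(line: str) -> Grant:
    """Parse `grant <key> name <owner> <type> [<type>...];` (nametype 'name' only)."""
    parts = line.strip().rstrip(";").split()
    if len(parts) < 5 or parts[0] != "grant" or parts[2] != "name":
        raise ValueError(f"unsupported grant line: {line!r}")
    owner = parts[3].lower().rstrip(".") + "."
    return Grant(parts[1], owner, frozenset(t.upper() for t in parts[4:]))


def update_allowed(policy, key_name: str, owner: str, rrtype: str) -> bool:
    """BIND semantics for nametype 'name': exact owner match and type in list.

    Any update not matched by a grant is refused, which is exactly the
    "update failed: rejected by secure update (REFUSED)" seen in the post.
    """
    owner = owner.lower().rstrip(".") + "."
    return any(
        g.identity == key_name and g.name == owner and rrtype.upper() in g.rrtypes
        for g in policy
    )


if __name__ == "__main__":
    # Constructed sample: the two jails from the AWS proof-of-concept.
    hosts = ["ingress.example.org", "www.example.org"]
    print(update_policy_block("acme-key", hosts))
    policy = [parse_grant(line) for line in grant_lines("acme-key", hosts)]
    # A host that was never granted: this is the failure mode from the post.
    print(update_allowed(policy, "acme-key",
                         "_acme-challenge.db.example.org", "TXT"))  # False
```

The evaluator only models the `name` nametype, which is the one the post's grants use; BIND also offers broader nametypes (`subdomain`, `wildcard`, `self`), and the whole point of the strict policy is to avoid them so that a leaked key can publish nothing beyond the challenge labels it was explicitly granted.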