dnsdist 1.4.0: LetsEncrypt's certbot fails to insert/delete records #8021
When updating certificates with certbot's dns-rfc2136 plugin, dnsdist 1.4.0 fails most of the time.
Steps to reproduce
certbot certonly -d ns1.cainites.net -d $RANDOM.cainites.net --dns-rfc2136 --dry-run --dns-rfc2136-credentials /usr/local/etc/letsencrypt/dns-rfc2136.ini
You have an existing certificate that contains a portion of the domains you
It contains these names: ns1.cainites.net
You requested these names for the new certificate: ns1.cainites.net,
Do you want to expand and replace this existing certificate with the new
certbot fails with an exception (EOF reading socket) either during the insertion or the deletion of the challenge record.
This is from running dnsdist in the foreground with the -v flag:
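For reproducing the failure without certbot, the following is an added example (not certbot's or dnsdist's code): it builds the RFC 2136 UPDATE that a dns-01 challenge needs (add a TXT record, then delete that exact record), frames it for TCP with the two-byte length prefix, and reads the reply with a loop that turns a premature close into an explicit EOFError, which is the symptom the report describes. The zone `cainites.net`, the `_acme-challenge` name, the TXT value, the TTL of 60 and the transaction ID are constructed; TSIG signing, which the real plugin attaches, is deliberately left out, so use this to inspect wire format and framing, not to authenticate against a real server. `demo_roundtrip` exercises the same code over a local socketpair so it runs offline.

```python
"""RFC 2136 UPDATE builder plus defensive TCP framing (added example, not project code)."""
import socket
import struct

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_TXT = 6, 16
CLASS_IN, CLASS_NONE = 1, 254


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: a single character-string (length byte + up to 255 bytes)."""
    raw = text.encode("ascii")
    if len(raw) > 255:
        raise ValueError("TXT value too long for one character-string")
    return bytes([len(raw)]) + raw


def build_update(zone: str, name: str, txt: str, delete: bool = False, txn_id: int = 0x1234) -> bytes:
    """UPDATE with one zone entry and one update RR; no prerequisites, no TSIG.

    delete=False adds the TXT RR (class IN, constructed TTL 60); delete=True removes
    that exact RR (class NONE, TTL 0), which is the cleanup step of a dns-01 challenge.
    """
    flags = OPCODE_UPDATE << 11                                   # QR=0, opcode 5, rcode 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 1, 0)    # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_entry = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = txt_rdata(txt)
    rclass, ttl = (CLASS_NONE, 0) if delete else (CLASS_IN, 60)
    update_rr = encode_name(name) + struct.pack("!HHIH", TYPE_TXT, rclass, ttl, len(rdata)) + rdata
    return header + zone_entry + update_rr


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; counts are named as RFC 2136 names them."""
    txn_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zocount": zo, "prcount": pr, "upcount": up, "adcount": ad}


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP: two-byte big-endian length followed by the message."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a zero-length recv means the peer closed on us."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError(f"peer closed the connection after {len(buf)} of {n} bytes")
        buf += chunk
    return buf


def read_tcp_message(sock: socket.socket) -> bytes:
    """Read one length-prefixed DNS message, refusing to return a truncated one."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def send_update_tcp(host: str, port: int, msg: bytes, timeout: float = 5.0) -> dict:
    """Send one framed UPDATE to a listener (for instance a dnsdist frontend) and return the reply header."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(frame_tcp(msg))
        return parse_header(read_tcp_message(s))


def demo_roundtrip(close_early: bool = False) -> object:
    """Offline exercise over a socketpair: the fake server answers NOERROR, or closes
    right after reading the request to mimic a backend dropping the connection."""
    client, server = socket.socketpair()
    try:
        msg = build_update("cainites.net", "_acme-challenge.cainites.net", "constructed-token")
        client.sendall(frame_tcp(msg))
        req = read_tcp_message(server)
        if close_early:
            server.close()
            try:
                read_tcp_message(client)
            except EOFError:
                return "eof"
            return "no-eof"
        resp = struct.pack("!HHHHHH", parse_header(req)["id"], 0x8000 | (OPCODE_UPDATE << 11), 0, 0, 0, 0)
        server.sendall(frame_tcp(resp))
        return parse_header(read_tcp_message(client))
    finally:
        client.close()
        server.close()
```

Pointing `send_update_tcp` at the dnsdist frontend and then at the backend directly separates a dnsdist-side problem from a backend one; if the frontend call raises EOFError on the first connection and succeeds on a retry, that matches the pattern described in this thread.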
Thank you for this report! Would you mind providing your configuration? I'd like to know whether you have TCP Fast Open toward the backend enabled, for example.
So this indicates that the first connection to the downstream server failed, but the second one apparently succeeded, so I'm afraid I have no clue about what went wrong based on this log :'( Would you be able to look at
After looking at the network traces, it looks like we open a TCP connection to the backend, write to it successfully but then the first call to
I think I can trace this to what I believe is a bug in the FreeBSD kernel: