Your message dated Mon, 01 Jun 2026 01:36:00 +0000
with message-id <[email protected]>
and subject line Re: lego: RFC2136 unusable on Debian Bullseye
has caused the Debian Bug report #1003872,
regarding lego: RFC2136 unusable on Debian Bullseye
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1003872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003872
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lego
Version: 3.2.0-3.1+b5
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
The version of lego installed by default on Debian Bullseye (i.e. via apt-get
install lego) is totally unusable with RFC2136.
Please see outputs below. First block is from the "apt-get install lego"
version of lego. The second block is from the latest version downloaded from
the Releases section of the official Lego GitHub account. No other changes
were made except for the different Lego versions. As you can see, the "built-in"
version failed, the newer version worked.
Please urgently update the distro bundled version of Lego !!!!!
#########
######### apt-get install lego
#########
RFC2136_NAMESERVER=REMOVED_FOR_SECURITY RFC2136_TSIG_ALGORITHM=hmac-sha512 \
  RFC2136_TSIG_KEY=REMOVED_FOR_SECURITY RFC2136_TSIG_SECRET=REMOVED_FOR_SECURITY \
  lego -k rsa2048 --dns rfc2136 --email REMOVED_FOR_SECURITY --dns rfc2136 \
  --domains REMOVED_FOR_SECURITY run
2022/01/17 11:18:31 [INFO] [REMOVED_FOR_SECURITY] acme: Obtaining bundled SAN
certificate
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/69168346090
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver
for: tls-alpn-01
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver
for: http-01
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: use dns-01 solver
2022/01/17 11:18:32 [INFO] [REMOVED_FOR_SECURITY] acme: Preparing to solve
DNS-01
2022/01/17 11:18:42 [INFO] [REMOVED_FOR_SECURITY] acme: Cleaning DNS-01
challenge
2022/01/17 11:18:42 [WARN] [REMOVED_FOR_SECURITY] acme: error cleaning up:
rfc2136: failed to remove: DNS update failed: dns: domain must be fully
qualified
2022/01/17 11:18:42 [INFO] Deactivating auth:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/69168346090
2022/01/17 11:18:42 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[REMOVED_FOR_SECURITY] [REMOVED_FOR_SECURITY] acme: error presenting token:
rfc2136: failed to insert: unexpected response code 'REFUSED' for
REMOVED_FOR_SECURITY.
#########
######### FROM LEGO Github Release
#########
$ rm -rf /home/REMOVED_FOR_SECURITY/.lego
$ tar zxvf lego_v4.5.3_linux_amd64.tar.gz
$ RFC2136_NAMESERVER=REMOVED_FOR_SECURITY RFC2136_TSIG_ALGORITHM=hmac-sha512 \
  RFC2136_TSIG_KEY=REMOVED_FOR_SECURITY RFC2136_TSIG_SECRET=REMOVED_FOR_SECURITY \
  ./lego -k rsa2048 --dns rfc2136 --email REMOVED_FOR_SECURITY --dns rfc2136 \
  --domains REMOVED_FOR_SECURITY run
2022/01/17 11:21:26 No key found for account REMOVED_FOR_SECURITY. Generating a
2048 key.
2022/01/17 11:21:26 Saved key to
/home/REMOVED_FOR_SECURITY/tmp/.lego/accounts/acme-v02.api.letsencrypt.org/REMOVED_FOR_SECURITY
2022/01/17 11:21:38 Please review the TOS at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n
y
2022/01/17 11:21:39 [INFO] acme: Registering account for REMOVED_FOR_SECURITY
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/home/REMOVED_FOR_SECURITY/tmp/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Obtaining bundled SAN
certificate
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] AuthURL:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/69169060960
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver
for: tls-alpn-01
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Could not find solver
for: http-01
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: use dns-01 solver
2022/01/17 11:21:40 [INFO] [REMOVED_FOR_SECURITY] acme: Preparing to solve
DNS-01
2022/01/17 11:21:45 [INFO] [REMOVED_FOR_SECURITY] acme: Trying to solve DNS-01
2022/01/17 11:21:45 [INFO] [REMOVED_FOR_SECURITY] acme: Checking DNS record
propagation using [REMOVED_FOR_SECURITY]
2022/01/17 11:21:47 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] The server validated our
request
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] acme: Cleaning DNS-01
challenge
2022/01/17 11:21:52 [INFO] [REMOVED_FOR_SECURITY] acme: Validations succeeded;
requesting certificates
2022/01/17 11:21:53 [INFO] [REMOVED_FOR_SECURITY] Server responded with a
certificate.
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-10-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lego depends on:
ii ca-certificates 20210119
ii libc6 2.31-13+deb11u2
lego recommends no packages.
lego suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Laura,
I'm sorry that this bug wasn't addressed during bullseye's supported
life cycle. Based on your report, I believe that lego in bookworm and
newer should have a properly functioning RFC2136 DNS provider. Thus, I
will now close this bug. If you are still seeing this issue in trixie,
please feel free to re-open the bug and update its metadata as
appropriate.
Mathias
--- End Message ---