Setup a wildcard certificate with ACME on a custom domain name "hosted" by PowerDNS


I’m trying to setup a wildcard certificate with a custom domain name however I’m hitting an error which I don’t understand.

I’ve taken a look at the following URLs :

In my case, here is my config file for the wildcard certificate :


        security.acme = {
                acceptTerms = true;
                email = "";
                certs."" = {
                        dnsProvider = "pdns";
                        dnsResolver = "localhost:53"; # This should be pdns.
                        dnsPropagationCheck = true;
                        credentialsFile = "/var/lib/secrets/pdns-api-tokens";
                        domain = "*";

I’m hitting the current error when running sudo nixos-rebuild test:

[*] [*] acme: error presenting token: pdns: could not find the start of authority for read udp [::1]:54563->[::1]:53: read: connection refused

Also port 53 is opened in the Firewall for UDP and TCP.

And checking inside the powerDNS zone, no record has been added via the pdns API which seems weird to me.

I have a similar setup (powerdns and wildcard certificates), but I’m using the rfc2136 provider:

  security.acme.certs."" = {
    dnsProvider = "rfc2136";
    #server = "";
    credentialsFile = "/var/lib/secrets/certs.secret";
    extraDomainNames = [ "*" ];

And /var/lib/secrets/certs.secret contains

RFC2136_TSIG_ALGORITHM = hmac-sha512.
RFC2136_TSIG_KEY = acme-key

Did you setup anything related to rfc2136 on your NixOS machine, how did you get the secret key, did you generate it ?
Is there an rfc2136 nameserver running on your host machine?

Edit 1: Also, did you add any record about “_acme-challenge” into your pdns dns zone ?

Have you tried putting in your public ip rather than localhost? After all those dns query have to be performed by letsencrypt.

pdnsutil can generate secret keys and they need to be imported into the pdns database. The steps are here: Dynamic DNS Update (RFC2136) — PowerDNS Authoritative Server documentation

dnsupdate=yes in the pdns.config is required and I have these entries in the domainmetadata table (they are mentioned in the pdns docs above):


I also have ALLOW-DNSUPDATE-FROM entries in my database and set it empty in my pdns.config (allow-dnsupdate-from=). The defaults allow updates from, so that shouldn’t be needed.

I’ve been making some progress, however I did try what you told me to setup @Seebi, but it amounted to no success, it ended up with the error could not find start of authority for the domain.

So I cleaned up the config I just did, the meta-data, the dnsupdate=yes as well as the tsig-key I imported.

And I gave a try yet again at using the pdns API, and I’ve been getting a different error now, it seems I’m close to finally making it work I think, I had to add a NS record to my pdns zone to solve the could not find authoritative nameserver error.

Then at the moment I have another error which is the following, I don’t know why it happens :
time limit exceeded: last error: dial udp: lookup Temporary failure in name resolution.

My records are the following inside my zone file :

$ORIGIN . 3600 IN SOA 1 10800 3600 604800 3600 3600 IN NS 3600 IN AAAA [redacted IPv6] 3600 IN AAAA [redacted IPv6]

My NS record has indeed the, but I wonder why there is a temporary failure in name resolution, if anyone has any advice or way to solve this issue, I’m willing to give it a try.

Edit 1: Manually doing a nslookup works successfully from a client machine, and dig AAAA @ also works and resolve successfully.

Turns out I had issues with my current set DNS on my PowerDNS server after fixing that, I encountered another error which was about adding CAA records to allow a CA authority to issue certificate, I create the proper records for that and then tried again and finally, it ended up working successfully.

Edit answer to @shimun : About what you told me to try, I did set it up that way, I will try to change it and see if triggers an error with localhost for instance.

Hosted by Flying Circus.