CAA record getting removed
I am trying to renew my Let's Encrypt certificate through WHM/cPanel. It won't because of my CAA records. It reports this issue:
1:29:53 PM Verifying "Let"s Encrypt"s authorization on domains via DNS CAA records "
1:29:53 PM ERROR CA forbidden: "example.com"
So I go to the zone editor in cPanel and look at the CAA records. I have:
example.com. 3600 IN CAA 0 issue comodoca.com
example.com. 3600 IN CAA 0 issue amazon.com
example.com. 3600 IN CAA 0 issuewild ;
example.com. 3600 IN CAA 0 iodef mailto:dns@example.com
So I go, oh lemme add Let's Encrypt then. So I do that and it looks like this in the zone record now:
example.com. 3600 IN CAA 0 issue comodoca.com
example.com. 3600 IN CAA 0 issue amazon.com
example.com. 3600 IN CAA 0 issuewild ;
example.com. 3600 IN CAA 0 iodef mailto:dns@example.com
example.com. 3600 IN CAA 0 issue letsencrypt.org
I run AutoSSL again and I get this:
3:54:53 PM Verifying "Let"s Encrypt"s authorization on domains via DNS CAA records "
3:54:53 PM ERROR CA forbidden: "example.com"
I go, that's strange, I just added it. I go back to the zone file, and lo and behold the record I just added is now gone. Like it never even happened. WHAT is going on? My certificate expired and cPanel won't let me renew it. Please help.
-
You're doing this correctly, there must be something adding the record to the zone file or the change is not being retained for some reason. Are you making the modification in cPanel's zone editor or through WHM? If you're doing it through cPanel, could you try making the modification through WHM and let me know what the outcome is? If the outcome is the same you might want to create an audit rule to see what's modifying the DNS zone file for the domain; this isn't something that we add, my assumption is there's some script running that's adding this. 0 -
@cPanelLauren I was using the cPanel Zone Editor, so I tried the WHM DNS editor as you suggested. Same outcome, I can add the record and go back and verify it saved it. Then when I run Let's Encrypt from AutoSSL it says it's forbidden. I then go back and look and the record has been removed. I also checked the raw zone file to see if maybe it commented it out or something but nada. I had never heard of an audit rule before so I had to look it up. This is what it logged:
# Add CAA record
type=CONFIG_CHANGE msg=audit(1581734154.486:32626): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734255.007:32629): arch=c000003e syscall=2 success=yes exit=7 a0=1b01e50 a1=80042 a2=180 a3=2ac4c68b59d6 items=2 ppid=1608 pid=30250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1581734255.008:32630): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734255.008:32631): arch=c000003e syscall=82 success=yes exit=0 a0=1b0cda0 a1=1ace150 a2=2ac4c6c39b80 a3=3 items=5 ppid=1608 pid=30250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734255.009:32632): arch=c000003e syscall=92 success=yes exit=0 a0=1b0e690 a1=19 a2=19 a3=7ffe1f9f1d20 items=1 ppid=1608 pid=30250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734257.028:32633): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734257.038:32634): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
# Run AutoSSL
type=SYSCALL msg=audit(1581734446.945:32695): arch=c000003e syscall=2 success=yes exit=7 a0=1b2cd60 a1=80042 a2=180 a3=2ac4c68b59d6 items=2 ppid=1608 pid=30738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1581734446.946:32696): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734446.946:32697): arch=c000003e syscall=82 success=yes exit=0 a0=1b31870 a1=1b29020 a2=2ac4c6c39b80 a3=3 items=5 ppid=1608 pid=30738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734446.946:32698): arch=c000003e syscall=92 success=yes exit=0 a0=1b2ea70 a1=19 a2=19 a3=7ffe1f9f1d20 items=1 ppid=1608 pid=30738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734448.964:32699): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734448.970:32700): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
0 -
Hi @coursevector, nice job creating the audit rule. Sometimes I forget that it might not be something people use often, and that's completely my fault; I apologize, I should have given you instructions. I was hoping to see a modification by a service besides root or named, unfortunately, but this output just shows named making a change and root, which is standard when either of these actions is occurring. Was there output from after you made the modification until you ran AutoSSL? What are the permissions of /var/named/example.com.db? Do you have a DNS cluster? 0 -
@cPanelLauren I couldn't find the original log anymore, I guess it cycled out, so I re-ran the test. What I did before was set the "key" to an easy-to-find identifier and filtered to just show the records with that key. Below is a more verbose version based on the start of the first record and the end of the last record. But to answer your questions:
Permissions:
-rw-------. 1 named named 3.7K Feb 18 15:34 example.com.db
# stat example.com.db
  File: "example.com.db"
  Size: 3703      Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d    Inode: 12809223    Links: 1
Access: (0600/-rw-------)  Uid: (   25/   named)   Gid: (   25/   named)
Context: system_u:object_r:named_zone_t:s0
Access: 2020-02-18 15:34:49.457145166 -0500
Modify: 2020-02-18 15:34:47.431159732 -0500
Change: 2020-02-18 15:34:47.431159732 -0500
 Birth: -
I am not running a DNS cluster.
type=SYSCALL msg=audit(1582058070.552:92870): arch=c000003e syscall=2 success=yes exit=7 a0=2b92190 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.552:92870): cwd="/"
type=PATH msg=audit(1582058070.552:92870): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.552:92870): item=1 name="/var/named/example.com.db" inode=12602763 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.552:92870): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=CONFIG_CHANGE msg=audit(1582058070.554:92871): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058070.554:92872): arch=c000003e syscall=82 success=yes exit=0 a0=2b98a70 a1=2b8f4c0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.554:92872): cwd="/"
type=PATH msg=audit(1582058070.554:92872): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=1 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=2 name="/var/named/example.com.db-25e658099a235-2a3ae543-16f8b" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=3 name="/var/named/example.com.db" inode=12602763 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=4 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.554:92872): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=SYSCALL msg=audit(1582058070.555:92873): arch=c000003e syscall=92 success=yes exit=0 a0=2b921c0 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.555:92873): cwd="/"
type=PATH msg=audit(1582058070.555:92873): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.555:92873): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=SYSCALL msg=audit(1582058072.572:92874): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058072.572:92874): cwd="/var/named"
type=PATH msg=audit(1582058072.572:92874): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058072.572:92874): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058072.578:92875): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058072.578:92875): cwd="/var/named"
type=PATH msg=audit(1582058072.578:92875): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058072.578:92875): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058087.430:92876): arch=c000003e syscall=2 success=yes exit=7 a0=2bb7d70 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.430:92876): cwd="/"
type=PATH msg=audit(1582058087.430:92876): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.430:92876): item=1 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.430:92876): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=CONFIG_CHANGE msg=audit(1582058087.431:92877): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058087.431:92878): arch=c000003e syscall=82 success=yes exit=0 a0=2bbc890 a1=2bb3fa0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.431:92878): cwd="/"
type=PATH msg=audit(1582058087.431:92878): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=1 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=2 name="/var/named/example.com.db-25e658099a235-1d16c4c43-5e7f" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=3 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=4 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.431:92878): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=SYSCALL msg=audit(1582058087.431:92879): arch=c000003e syscall=92 success=yes exit=0 a0=2bb9a80 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.431:92879): cwd="/"
type=PATH msg=audit(1582058087.431:92879): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.431:92879): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=SYSCALL msg=audit(1582058089.457:92880): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058089.457:92880): cwd="/var/named"
type=PATH msg=audit(1582058089.457:92880): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058089.457:92880): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058089.465:92881): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058089.465:92881): cwd="/var/named"
type=PATH msg=audit(1582058089.465:92881): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058089.465:92881): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
0 -
Hello, a lot of what I'm looking for here is the UID of the user changing the file. All I'm seeing here is root and named making changes. Also, to not get this confused with other rules in the audit logs, you can just grep for that key, so:
grep example_dns_change /var/log/audit/audit.log
Which leaves you with:
[root@server logs]# grep example_dns_change audit
type=SYSCALL msg=audit(1582058070.552:92870): arch=c000003e syscall=2 success=yes exit=7 a0=2b92190 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1582058070.554:92871): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058070.554:92872): arch=c000003e syscall=82 success=yes exit=0 a0=2b98a70 a1=2b8f4c0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058070.555:92873): arch=c000003e syscall=92 success=yes exit=0 a0=2b921c0 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058072.572:92874): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058072.578:92875): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058087.430:92876): arch=c000003e syscall=2 success=yes exit=7 a0=2bb7d70 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1582058087.431:92877): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058087.431:92878): arch=c000003e syscall=82 success=yes exit=0 a0=2bbc890 a1=2bb3fa0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058087.431:92879): arch=c000003e syscall=92 success=yes exit=0 a0=2bb9a80 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058089.457:92880): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058089.465:92881): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
I'm most interested in these, which are putting out an exit=7 rather than a success, which would be 0:
[root@server logs]# grep example_dns_change audit |grep exit=7
type=SYSCALL msg=audit(1582058070.552:92870): arch=c000003e syscall=2 success=yes exit=7 a0=2b92190 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058087.430:92876): arch=c000003e syscall=2 success=yes exit=7 a0=2bb7d70 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
I believe this is you changing the DNS zone file - what is output in WHM when you do this? Is there an error? There is also:
[root@server logs]# grep example_dns_change audit |grep exit=6
type=SYSCALL msg=audit(1582058072.572:92874): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058072.578:92875): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058089.457:92880): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1582058089.465:92881): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
Which is named itself. What do you get when you run named-checkzone?
named-checkzone full /var/named/domain.tld.db
0 -
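An added example (not cPanel's or the thread's own code) that parses audit records like the ones quoted above and decodes their hex fields: auditd writes comm= and proctitle= as hex whenever the value contains whitespace, a quote or a control character, so comm=646E7361646D696E202D2053415645 is the text "dnsadmin - SAVE", the AutoSSL run appears as "dnsadmin - SYNC" / "SYNCZONES", and for syscall=2 (open) on x86_64 the exit= field is the file descriptor open() returned rather than a status. The sample records are abridged copies of the thread's own lines; the syscall table, the summary format and the function names are my own.

```python
"""Parse Linux audit records of the kind pasted in the thread and decode
the hex-encoded comm= and proctitle= fields.

Added example, not cPanel's or the thread's code.  syscall numbers are for
arch=c000003e (x86_64).  For open (2) the exit= value is the returned file
descriptor; rename (82) and chown (92) return 0 on success.
"""
import re

# x86_64 syscall numbers that appear in the thread's records.
SYSCALL_NAMES = {2: "open", 82: "rename", 92: "chown"}
HEX_FIELDS = {"comm", "proctitle"}          # hex when not double-quoted
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def decode_audit_hex(value):
    """Hex audit value -> text; NUL separates argv words in proctitle."""
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")


def parse_record(line):
    """One 'type=... key=value ...' line -> dict with decoded hex fields.

    Quoted values are unquoted; unquoted comm/proctitle values are hex.
    msg=audit(T:ID) is split into 'time' and 'event' (records of one
    syscall share an event id).
    """
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        elif key in HEX_FIELDS:
            val = decode_audit_hex(val)
        rec[key] = val
    m = MSG_RE.match(rec.get("msg", ""))
    if m:
        rec["time"], rec["event"] = float(m.group(1)), int(m.group(2))
    if rec.get("type") == "SYSCALL":
        num = int(rec["syscall"])
        rec["syscall_name"] = SYSCALL_NAMES.get(num, str(num))
    return rec


def summarize(lines):
    """One readable line per SYSCALL record: call, result, uid, program."""
    out = []
    for rec in map(parse_record, lines):
        if rec.get("type") != "SYSCALL":
            continue
        name = rec["syscall_name"]
        ret = f"fd={rec['exit']}" if name == "open" else f"ret={rec['exit']}"
        out.append(f"{name}({ret}) uid={rec['uid']} by {rec['comm']}")
    return out


def proctitles(lines):
    """event id -> decoded command line, from the PROCTITLE records."""
    return {r["event"]: r["proctitle"]
            for r in map(parse_record, lines) if r.get("type") == "PROCTITLE"}


# Abridged copies of the thread's records (unneeded fields dropped), in the
# logged order: the editor's SAVE, a named re-read, the SYNC AutoSSL triggered.
SAMPLE = [
    'type=SYSCALL msg=audit(1582058070.552:92870): arch=c000003e syscall=2 success=yes exit=7 uid=0 tty=(none) comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" key="example_dns_change"',
    'type=SYSCALL msg=audit(1582058070.554:92872): arch=c000003e syscall=82 success=yes exit=0 uid=0 tty=(none) comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" key="example_dns_change"',
    'type=PROCTITLE msg=audit(1582058070.554:92872): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29',
    'type=SYSCALL msg=audit(1582058072.572:92874): arch=c000003e syscall=2 success=yes exit=6 uid=25 tty=(none) comm="isc-worker0001" exe="/usr/sbin/named" key="example_dns_change"',
    'type=PROCTITLE msg=audit(1582058072.572:92874): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66',
    'type=SYSCALL msg=audit(1582058087.430:92876): arch=c000003e syscall=2 success=yes exit=7 uid=0 tty=(none) comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" key="example_dns_change"',
    'type=SYSCALL msg=audit(1582058087.431:92878): arch=c000003e syscall=82 success=yes exit=0 uid=0 tty=(none) comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" key="example_dns_change"',
    'type=PROCTITLE msg=audit(1582058087.431:92878): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29',
]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
    for event, title in sorted(proctitles(SAMPLE).items()):
        print(event, title)
```

Run against `grep example_dns_change /var/log/audit/audit.log` output, the summary shows which dnsadmin operation renamed a new file over the zone, which is the step to inspect for the lost record.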
"I believe this is you changing the DNS zone file - what is output in WHM when you do this?" - This is what I get:
Modifying Zone example.com
zone example.com/IN: loaded serial 2020022212
OK
Bind reloading on host using rndc zone: [example.com]
Bind reloading on host using rndc zone: [example.com]
Reconfiguring Mail Routing: LOCAL MAIL EXCHANGER: This server will serve as a primary mail exchanger for example.com's mail.: This configuration has been manually selected.
Your settings have been updated.
"What do you get when you run named-checkzone?"
/var/named/example.com.db:4: ignoring out-of-zone data (example.com)
/var/named/example.com.db:19: ignoring out-of-zone data (example.com)
/var/named/example.com.db:20: ignoring out-of-zone data (example.com)
/var/named/example.com.db:22: ignoring out-of-zone data (example.com)
/var/named/example.com.db:23: ignoring out-of-zone data (example.com)
/var/named/example.com.db:27: ignoring out-of-zone data (example.com)
/var/named/example.com.db:37: ignoring out-of-zone data (example.com)
/var/named/example.com.db:38: ignoring out-of-zone data (example.com)
/var/named/example.com.db:39: ignoring out-of-zone data (example.com)
/var/named/example.com.db:40: ignoring out-of-zone data (example.com)
/var/named/example.com.db:41: ignoring out-of-zone data (example.com)
zone full/IN: has 0 SOA records
zone full/IN: has no NS records
zone full/IN: not loaded due to errors.
Now, I did take a look at the raw zone file after editing it with WHM. I do see the record added and saved properly:
example.com. 3600 IN TYPE257 \# 22 000569737375XXXXXXXXXXXXXXXXXXXX742E6F7267
But after running AutoSSL, that line disappears from the zone file. Before and after, named-checkzone says the same thing. The ONLY weird thing I have in the zone file I could possibly attribute any weirdness to is a text record that contains a JavaScript embed. So something along the lines of this:
example.com. 3600 IN TXT ""
The script just plays some music and other silly stuff for the DNS lookup services that don't properly escape the records. But it shouldn't cause any errors in the zone file as it's properly quoted, so I don't THINK that's a factor but thought I'd mention it. I was able to add other subdomains after that record without issues for months. 0 -
What line is that TXT record on in the zone file? Also, what is on the following lines: 4, 19, 20, 22, 23, 27, 37, 38, 39, 40, 41? The output from named-checkzone indicates there were some issues with the zone file in other spots too:
zone full/IN: has 0 SOA records
zone full/IN: has no NS records
zone full/IN: not loaded due to errors.
Namely that it wasn't loaded because of errors - I'd assume that's when named is rebuilding the configuration and overwriting what you're adding - are SOA and NS records present in the zone? I wonder if this is related to the difference in name for the zone type with CAA records - BIND didn't use to support it (prior to 9.9), and if you're on CentOS 6 it still may not, so using TYPE257 was what you'd enter, but BIND 9.9 and higher recognize the CAA type. 0 -
Here is a sanitized version of my zone file in question. The server is running CentOS 7.7 and WHM 84.0.21 with BIND version 9.11.4.
; cPanel first:11.56.0.24 (update_time):1582397296 Cpanel::ZoneFile::VERSION:1.3 hostname:host.server.com latest:84.0.21
; Zone file for example.com
$TTL 14400
example.com. 3600 IN SOA ns1.server.com. servers.vendor.com. (
 2020022212 ;Serial Number
 3600 ;refresh
 1800 ;retry
 1209600 ;expire
 86400 ;minimum
 )
; example.com. 86400 IN SOA ns1.old-server.com. webmaster.vendor.com. ( ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; 2018090500 ;Serial Number ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; 3600 ;refresh ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; 7200 ;retry ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; 1209600 ;expire ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; 86400 ;minimum ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; ) ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
; example.com. 86400 IN NS ns1.old-server.com. ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
example.com. 3600 IN NS ns2.server.com.
example.com. 3600 IN NS ns1.server.com.
; example.com. 86400 IN NS ns2.old-server.com. ; Previous value removed by cPanel restore auto-merge on 20190412124608 GMT
example.com. 3600 IN A 255.255.255.255
example.com. 3600 IN MX 0 example.com.
mail 3600 IN CNAME example.com.
www 3600 IN CNAME example.com.
ftp 3600 IN A 255.255.255.255
example.com. 3600 IN TXT "v=spf1 ip4:255.255.255.255 ip4:255.255.255.255 +a +mx +ip4:255.255.255.254 -all"
cpanel 3600 IN A 255.255.255.255
webmail 3600 IN A 255.255.255.255
autoconfig 3600 IN A 255.255.255.255
autodiscover 3600 IN A 255.255.255.255
_autodiscover._tcp 3600 IN SRV 0 0 443 cpanelemaildiscovery.cpanel.net.
default._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB...szFrcRRfp0nEVhZZad5PqUnLJGi6Z8uAZcvowIDAQAB\;
minecraft 3600 IN CNAME example2.com.
_7f188...4974b0d.cdn 3600 IN CNAME _2dfb97a...674678.acm-validations.aws.
cdn 3600 IN CNAME d1no...pp9.cloudfront.net.
example.com. 3600 IN TYPE257 \# 19 0005697373...D6F646F63612E636F6D
example.com. 3600 IN TYPE257 \# 17 0005697373...617A6F6E2E636F6D
example.com. 3600 IN TYPE257 \# 12 0009697373...C643B
example.com. 3600 IN TYPE257 \# 30 0005696F646...746F3A646E73406D617269616E692E6C696665
example.com. 3600 IN TXT ""
_5bb0f2c...727e55c.api 14400 IN CNAME _20797b3c34...b1953d24.olprtlswtu.acm-validations.aws.
api 3600 IN CNAME d-o...k.execute-api.us-east-1.amazonaws.com.
gallery 3600 IN CNAME example-gallery.netlify.com.
0 -
The CAA record type you're adding is the old version. To clarify, you're adding the record yourself, right?
I'm adding the record through either cPanel or WHM using the interfaces provided. I'm not adding it to the file directly.
Ok, I just wanted to ensure that it wasn't being automatically created. Can you tell me what you're adding when you add the record? Are you adding the Type as TYPE257? Modern CAA records are input in the following format (BIND 9.9 and later):

sectigo. IN CAA 0 issue "sectigo.com"

The old legacy type looks like the following for the same record:

sectigo. IN TYPE257 \# 18 000569737375657365637469676F2E636F6D

What I'm curious about occurring here is that the TYPE257 type is not being recognized.
I go into cPanel, click Add CAA Record (or select CAA as a type), fill out the record options and hit save. I didn't even realize it was saving it as TYPE257 until I looked at the raw zone file.
Yea, that's really strange, I am pretty confused as to why it's doing that as well. I'm sure that's what is causing the issue. I'm going to do a bit of research to see what I can find out on that, but in the meantime, if you manually edit the zone file to include the record you need included and remove the old type record (ensure you increase the serial on the zone file), does it still get changed?
I just went through cPanel -> Zone Editor -> Manage -> Add CAA Record. Filled in the form for letsencrypt.org and it added this record to the zone file:

example.com. 3600 IN TYPE257 \# 22 00056973....0742E6F7267

I then removed the record using the Zone Editor and added in the record as you formatted it manually to the zone file and incremented the serial number:

example.com. 3600 IN CAA 0 issue "letsencrypt.org"

It shows up correctly in the Zone Editor. I then tried to run AutoSSL again, and it still says it's forbidden, but it did NOT remove the record this time.

5:00:57 PM AutoSSL's configured provider is "Let's Encrypt". Analyzing "example"'s domains …
5:00:57 PM Analyzing "example.com" …
5:00:57 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 2/9/20, 8:26 AM UTC (17.57 days ago)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL's verification (0:10:CERT_HAS_EXPIRED).
5:00:57 PM Attempting to ensure the existence of necessary CAA records …
5:00:57 PM No CAA records were created.
5:00:57 PM Verifying "Let's Encrypt"'s authorization on domains via DNS CAA records …
5:00:57 PM ERROR CA forbidden: "example.com"
ERROR CA forbidden: "www.example.com" (alias of "example.com.")
ERROR CA forbidden: "mail.example.com" (alias of "example.com.")
ERROR CA forbidden: "cpanel.example.com" (via "example.com")
ERROR CA forbidden: "webdisk.example.com" (via "example.com")
ERROR CA forbidden: "webmail.example.com" (via "example.com")
ERROR CA forbidden: "autodiscover.example.com" (via "example.com")
5:00:57 PM AutoSSL cannot increase "example"'s SSL coverage.

I'm not sure if I have to reload any services after editing the file directly; I did not.
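The two spellings compared a few posts up (the legacy `TYPE257 \# <len> <hex>` form from RFC 3597 and the `CAA <flags> <tag> "<value>"` form from RFC 8659) are the same record type 257 on the wire; what differs is how a zone parser writes it out. The "CA forbidden" lines above are the result of applying the issue/issuewild rules to whatever record set the checker decoded. The following Python script is an added example, not code from cPanel, BIND or anyone in this thread: it decodes and re-encodes both forms and then evaluates a record set the way a CA's CAA check does. The zone lines are constructed to mirror the sanitized zone file earlier in the thread; the only hex string taken from the thread itself is the sectigo.com one in the test.

```python
"""Translate CAA records between the two spellings seen in this thread and
evaluate which CAs the record set permits (RFC 8659 section 4).

Added example; not code from cPanel, BIND or the thread's participants.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone lines mirroring the sanitized zone file above: the four
# records cPanel wrote in RFC 3597 generic form, one in native CAA form,
# and one non-CAA record that the loader must skip.
CPANEL_ZONE_LINES = [
    "example.com. 3600 IN TYPE257 \\# 19 00056973737565636F6D6F646F63612E636F6D",
    "example.com. 3600 IN TYPE257 \\# 17 00056973737565616D617A6F6E2E636F6D",
    "example.com. 3600 IN TYPE257 \\# 12 0009697373756577696C643B",
    "example.com. 3600 IN TYPE257 \\# 29 0005696F6465666D61696C746F3A646E73406578616D706C652E636F6D",
    'example.com. 3600 IN CAA 0 issue "letsencrypt.org"',
    "example.com. 3600 IN A 255.255.255.255",
]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag
    tag: str     # issue / issuewild / iodef, compared case-insensitively
    value: str

    def presentation(self) -> str:
        """RFC 8659 text form, as BIND 9.9+ and the Zone Editor display it."""
        return f'CAA {self.flags} {self.tag} "{self.value}"'

    def generic(self) -> str:
        """RFC 3597 form: flags(1) taglen(1) tag value, hex-encoded."""
        tag_b = self.tag.encode("ascii")
        rdata = bytes([self.flags, len(tag_b)]) + tag_b + self.value.encode("utf-8")
        return f"TYPE257 \\# {len(rdata)} {rdata.hex().upper()}"


def decode_generic(length: int, hexdata: str) -> CAA:
    """Parse the hex RDATA of a TYPE257 record, checking the declared length."""
    rdata = bytes.fromhex(hexdata.replace(" ", ""))
    if len(rdata) != length:
        raise ValueError(f"declared length {length} != {len(rdata)} data bytes")
    if len(rdata) < 2:
        raise ValueError("CAA RDATA needs at least flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAA(flags, tag, value)


_GENERIC = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TYPE257\s+\\#\s+"
    r"(?P<len>\d+)\s+(?P<hex>[0-9A-Fa-f ]+)$")
_NATIVE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+"
    r'(?P<tag>[A-Za-z0-9]+)\s+"?(?P<value>[^"]*)"?$')


def parse_zone_line(line: str) -> Optional[Tuple[str, CAA]]:
    """Return (owner, CAA) for a CAA/TYPE257 zone line, None for anything else."""
    line = line.strip()
    m = _GENERIC.match(line)
    if m:
        return m["owner"], decode_generic(int(m["len"]), m["hex"])
    m = _NATIVE.match(line)
    if m:
        return m["owner"], CAA(int(m["flags"]), m["tag"].lower(), m["value"].strip())
    return None


def load_zone(lines: List[str]) -> List[CAA]:
    return [parsed[1] for parsed in map(parse_zone_line, lines) if parsed]


def ca_permitted(records: List[CAA], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 issue/issuewild semantics for one RRset: an unknown critical
    tag forbids issuance; wildcard requests use issuewild when any exists,
    otherwise issue; no property of the relevant tag means any CA may issue;
    a value of ";" names no CA and so forbids every CA."""
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    for r in relevant:
        domain = r.value.split(";", 1)[0].strip().lower()   # drop any parameters
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    records = load_zone(CPANEL_ZONE_LINES)
    for r in records:
        print(f"{r.presentation():40}  <=>  {r.generic()}")
    for ca in ("letsencrypt.org", "comodoca.com", "sectigo.com"):
        print(f"{ca}: issue={ca_permitted(records, ca)} wildcard={ca_permitted(records, ca, True)}")
```

Running it prints each record in both spellings side by side, then shows that letsencrypt.org and comodoca.com are permitted for ordinary certificates while the `issuewild ";"` record blocks every CA for wildcards. Dropping the native letsencrypt.org line from the list reproduces the "CA forbidden" outcome, which is the first thing to confirm when a tool reports it: decode what is actually in the zone rather than trusting the form that was filled in.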
@coursevector out of pure curiosity, you're not running Tomcat, are you?
nope
Ok, good, so can you give me the output of the following on that server?

rpm -qa |grep bind

(and I know it's reporting as 9.11 but I just want to confirm that's what you get when you look at the version)

named -v

ps faux |egrep -i 'named|bind'

Also, we made a bunch of changes for how these records are translated some time ago and I wonder, do you have anything being excluded in /etc/cpanelsync.exclude and anything set in /etc/cpupdate.conf, as well as any custom settings in /var/cpanel/rpm.versions.d/?

Also, if you manually edited the zone file you'd want to update the serial within the zone file; the format is YYYY-MM-DD-CC where C stands for counter (number of times that day you've edited). Once it's updated accordingly you'd then reload the zone. Do you have any custom zone templates? You can view them at WHM >> DNS Functions >> Edit Zone Templates
Here you go

# rpm -qa |grep bind
rpcbind-0.2.0-48.el7.x86_64
bind-lite-devel-9.11.4-9.P2.el7.x86_64
bind-utils-9.11.4-9.P2.el7.x86_64
bind-license-9.11.4-9.P2.el7.noarch
bind-libs-lite-9.11.4-9.P2.el7.x86_64
cpanel-bindp-1.0.0-1.cp1152.x86_64
bind-libs-9.11.4-9.P2.el7.x86_64
bind-devel-9.11.4-9.P2.el7.x86_64
bind-9.11.4-9.P2.el7.x86_64
bind-export-libs-9.11.4-9.P2.el7.x86_64

# named -v
BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version)

# ps faux |egrep -i 'named|bind'
rpc        801  0.0  0.0  69276   1092 ?      Ss   Feb13   0:02 /sbin/rpcbind -w
named     1609  0.0  1.4 317696 115384 ?      Ssl  Feb13   1:38 /usr/sbin/named -u named -c /etc/named.conf
root     24813  0.0  0.0 112712    988 pts/0  S+   14:45   0:00  \_ grep -E --color=auto -i named|bind
@coursevector All good with bind - I added a few things I was requesting to my response previously as well, that were more on the cPanel end of things
@cPanelLauren Here you go:

# cat /etc/cpanelsync.exclude
cat: /etc/cpanelsync.exclude: No such file or directory

# cat /etc/cpupdate.conf
CPANEL=stable
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

# cd /var/cpanel/rpm.versions.d/
# ls -lah
total 16K
drwx------.   2 root root   28 Apr 10  2019 .
drwx--x--x. 115 root root 8.0K Feb 27 19:42 ..
-rw-r--r--.   1 root root   95 Apr 10  2019 local.versions
# cat local.versions
---
file_format:
  version: 2
target_settings:
  analog: uninstalled
  perl526: uninstalled

When I manually edited the zone file, I did increment the counter of the zone file. "Once it's updated accordingly you'd then reload the zone" - How do I do this? As for zone templates, I do not have any custom templates. I have never messed with this feature (never had to). Hope this helps!
@coursevector thanks for that. None of this is customized, which is great but at the same time causing this issue to be more and more perplexing! The DNS zone files have probably been reloaded by now, but you can initiate that at any time by running the following:

rndc reload

or if you have a lot of zones you can specify a specific one:

rndc reload example.com