Netgate Discussion Forum

    Acme and Dyn

    Category: ACME
      clazarowitz

      I got the notice as well, but I have paid domain registrations as well as Dyn Pro (though I'm not sure I use it anymore... I had originally obtained it so I could do things like device.mysubdomain.dyndns.org... maybe I should audit that).

      Regardless, they said it would be "migrated" to an Oracle product line. Do they do DNS? Or do they mean "rebranded"? Either way, I expect little to change other than eventually... maybe... they'll fix their dynid bugs :)

        piperspace

        Just FYI - I have completed migration to Cloudflare's free service. It includes a DNS which works with pfSense to handle IP address changes and ACME certificate renewal. No hacking required.

          icepic

          This may be OBE in a few months, but I just set this up and wanted to pull everything together for Dyn.com ACME updates, as I just got it working with info from a number of posts in this thread.

          I'm using version 0.6.5 of the ACME client on pfSense 2.4.4-RELEASE-p3.

          Dyn.com has 3 products (https://help.dyn.com/dyn-dns-products-compared/):

          • Managed DNS - you log in at https://portal.dynect.net/
            "Professional DNS Solution"
          • Standard DNS - you log in at https://account.dyn.com/
            Manage domains; the domain registration was recently migrated to name.com
          • DynDNS Pro, now just called Dynamic DNS - also at https://account.dyn.com/
            Get up to 30 hostnames in pre-populated domains.

          The new Oracle Cloud DNS service is completely different.

          The "Dyn.com" method only works with Managed DNS.

          The nsupdate method works with Standard DNS:

          • server = update.dyndns.com
          • keyname = see below
          • Key Algorithm = HMAC-MD5
          • Key = see below
          • Zone = your zone to use

          You have to get a TSIG key for the keyname and key. The directions are at https://dyn.com/updater/tsig/ and the key itself can be created or updated at https://account.dyn.com/profile/tsig.html

          I suspect this will not work for DynDNS Pro as there seems to be no way to create a TXT entry.

            Fenil
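          The settings above describe what the ACME package's nsupdate method does for a DNS-01 challenge. The script below is an added example, written for this page, not code from the pfSense ACME package, acme.sh or Dyn: it writes the TSIG key in the key-file syntax nsupdate reads, composes the same "update add" stanza acme.sh sends for `_acme-challenge.<host>`, runs nsupdate, and checks the record on the zone's own name servers. Only the server name update.dyndns.com comes from the post; the zone, host, key name, secret and the file path are assumed placeholders.

```python
"""Added example: DNS-01 TXT record via nsupdate with a TSIG key.
Not from the thread, the pfSense ACME package or acme.sh."""
import os
import subprocess
import tempfile

DNS_SERVER = "update.dyndns.com"   # from the post above
TTL = 60                           # the TTL acme.sh's dns_nsupdate.sh uses


def key_file_text(key_name, algorithm, secret_b64):
    """BIND key-file syntax, the format `nsupdate -k` reads."""
    return f'key "{key_name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret_b64}";\n}};\n'


def write_key_file(path, key_name, algorithm, secret_b64):
    """Whoever holds the secret can rewrite the zone, so the file is created
    with mode 0600 from the start instead of being chmod'ed afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)            # in case the file already existed with a wider mode
    with os.fdopen(fd, "w") as f:
        f.write(key_file_text(key_name, algorithm, secret_b64))
    return path


def key_file_mode(path):
    return os.stat(path).st_mode & 0o777


def challenge_name(fqdn):
    """The owner name Let's Encrypt queries for DNS-01."""
    return f"_acme-challenge.{fqdn.rstrip('.')}."


def add_stanza(zone, fqdn, txt_value):
    """nsupdate input equivalent to acme.sh's
    `update add ${fulldomain}. 60 in txt "${txtvalue}"`."""
    return (f"server {DNS_SERVER}\nzone {zone.rstrip('.')}.\n"
            f'update add {challenge_name(fqdn)} {TTL} IN TXT "{txt_value}"\nsend\n')


def del_stanza(zone, fqdn):
    """Clean-up stanza run after validation, so stale tokens do not accumulate."""
    return (f"server {DNS_SERVER}\nzone {zone.rstrip('.')}.\n"
            f"update delete {challenge_name(fqdn)} IN TXT\nsend\n")


def run_nsupdate(key_path, stanza):
    """-d prints the signed query and the reply, which is what to post when asking for help."""
    return subprocess.run(["nsupdate", "-d", "-k", key_path], input=stanza,
                          text=True, capture_output=True)


def record_visible(zone, fqdn, txt_value):
    """Ask every authoritative server for the zone rather than the local
    resolver: a cached (negative) answer at the resolver says nothing about
    what Let's Encrypt's validator will see."""
    ns = subprocess.run(["dig", "+short", "NS", zone], capture_output=True, text=True).stdout.split()
    for server in ns:
        out = subprocess.run(["dig", f"@{server}", "+short", "TXT", challenge_name(fqdn)],
                             capture_output=True, text=True).stdout
        if f'"{txt_value}"' not in out:
            return False
    return bool(ns)


if __name__ == "__main__":
    # Assumed placeholders: replace with your zone, host and the key created at
    # https://account.dyn.com/profile/tsig.html. Algorithm hmac-md5 matches the
    # post above; use a SHA-2 algorithm if your provider can issue one.
    key = write_key_file(os.path.join(tempfile.gettempdir(), "dyn-acme.key"),
                         "myupdatekey", "hmac-md5", "c2VjcmV0")
    print(run_nsupdate(key, add_stanza("example.net", "host.example.net", "constructed-token")).stdout)
    print(record_visible("example.net", "host.example.net", "constructed-token"))
```

          The validation record is added for the name the certificate will cover, never for the zone apex, and the delete stanza is what acme.sh runs once the challenge has been answered.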

            Hello, I am using pfSense version 2.6.0. I am still having an issue renewing my DynDNS certificate. I am trying to use nsupdate, but this is the ACME error I am getting: [screenshots: acme error.PNG, acme error1.PNG]
            I have tried all the methods that have been posted earlier but no luck.
            I am using the DynDNS Pro service.
            Can anyone write the full nsupdate script? That would be really helpful.

              Gertjan @Fenil

              @fenil said in Acme and Dyn:

              I am using dyndns pro service.
              Can anyone can write the full script of nsupdate that would be really help full ?

              DynDNS Pro did: https://help.dyn.com/tsig/

              Instead of
              update add $HOST.$ZONE 60 A 10.0.0.1
              the acme API plugin dns_nsupdate.sh uses:
              update add ${fulldomain}. 60 in txt "${txtvalue}"

              to add this:
              [screenshot]

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                Fenil

                @gertjan
                Hey man, I have contacted the DynDNS Pro tech people as well, and they are saying they cannot accept the TXT or API method, but what they gave me is a TSIG key. They only use nsupdate, and I am not able to understand where to make the changes properly in order to make it work with pfSense.

                Can we bypass the TXT method in pfSense ACME?

                  Gertjan @Fenil

                  @fenil said in Acme and Dyn:

                  can we bypass TXT method in pfsense acme ?

                  The method used has been chosen by you.
                  Because you chose to use "dyndns pro", you have to use the "dyndns pro" method.
                  As said: see https://help.dyn.com/tsig/, which is a very close approach to the old nsupdate method.

                  Example: I use my own domain name server (bind), not the ones offered by my registrar (they do offer an API, and an interface has been written and is present for acme.sh - see many examples here).

                  When I replace $ZONE, $KEY_NAME and $KEY_HMAC with my info, I can add a TXT record named "myzone.mydomain.tld" that contains "hello":

                  [22.05-RELEASE][admin@pfSense.xxxxx-hotel-fumel.net]/root: nsupdate -d
                  > server ns1.xxxx-hotel-fumel.net
                  > zone xxxxx-hotel-fumel.net
                  > key hmac-sha512:update eYQiVAutEEAxxxxxxxxxxxxxxxVoCxOQ/jwBeA10EPeE7vwEdFT11QYs1YhO9zDCaJwzkuZp0w==
                  > update add myzone.xxxxx-hotel-fumel.net 60 TXT "hello"
                  > send
                  Sending update to 2001:41d0:2:927b::3#53
                  Outgoing update query:
                  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46154
                  ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
                  ;; ZONE SECTION:
                  ;xxxxx-hotel-fumel.net.          IN      SOA
                  
                  ;; UPDATE SECTION:
                  myzone.xxxxxxx-hotel-fumel.net. 60 IN      TXT     "hello"
                  
                  ;; TSIG PSEUDOSECTION:
                  update.                 0       ANY     TSIG    hmac-sha512. 1664436399 300 64 6+N5xxxxxxxxxxxxhRMphgp69wR 2+t+aFdoPsF8plurhcN0Xo4GpMuQsg== 46154 NOERROR 0
                  
                  
                  Reply from update query:
                  ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46154
                  ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
                  ;; ZONE SECTION:
                  ;xxxx-hotel-fumel.net.          IN      SOA
                  
                  ;; TSIG PSEUDOSECTION:
                  update.                 0       ANY     TSIG    hmac-sha512. 1664436399 300 64 IoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLsQunveQ5o hwTwviKjz79jiO8Bdre57PF4zzSlZA== 46154 NOERROR 0
                  
                  > quit
                  

                  On my master domain DNS server (bind), I saw:

                  29-Sep-2022 09:26:39.225 update-security: client @0x7f842439cb60 2001:470:1f12:5c0::2#50387/key update: signer "update" approved
                  29-Sep-2022 09:26:39.225 update: client @0x7f842439cb60 2001:470:1f12:xxx:2#50387/key update: updating zone 'xxxx-hotel-fumel.net/IN': adding an RR at 'myzone.xxxx-hotel-fumel.net' TXT "hello"
                  

                  Now, let's dig:

                  [22.05-RELEASE][admin@pfSense.xxxx-hotel-fumel.net]/root: dig myzone.xxxx-hotel-fumel.net TXT +short
                  "hello"
                  

                  The acme.sh dnsapi looks like pure rocket science, but the concept is actually simple.
                  You have to prove to Let's Encrypt that you own (== rent) your domain name.
                  There are several ways to do this, and one is: if you can prove that you can access and modify your domain "zone", Let's Encrypt accepts that as a proof. It's this domain name that will get stored in your certificate after all.
                  And if you also can access the place where, for example, the web server files are placed, you can have that web server use the certificate, so the entire https (TLS) scheme starts to work.
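                  What `nsupdate -d` printed above is a DNS UPDATE (RFC 2136) with a TSIG resource record (RFC 8945) appended: the pseudosection line `hmac-sha512. 1664436399 300 64 ...` is the algorithm name, the time-signed value, the 300-second fudge window and the 64-byte MAC. The module below is an added example for this page, not code from nsupdate, BIND or acme.sh: it builds the same message from scratch, signs it, and performs the server-side check (BADKEY, BADSIG, BADTIME) that decides whether a zone change is accepted. The zone, key name and secret are constructed placeholders; the message ID and timestamp are the ones from the session above.

```python
"""Added example: TSIG-signed DNS UPDATE, built and verified by hand.
Not from the thread, nsupdate, BIND or acme.sh."""
import base64
import hashlib
import hmac
import struct

# TSIG algorithm names (RFC 8945 section 6) to hash functions. The session above
# used hmac-sha512; the Dyn instructions earlier in the thread use HMAC-MD5.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}


def wire_name(name):
    """Uncompressed, lowercased wire-format name ("a.b." -> b"\\x01a\\x01b\\x00")."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(buf, off):
    """Inverse of wire_name for the uncompressed names this module produces."""
    labels = []
    while buf[off] != 0:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels), off + 1


def build_update(msg_id, zone, name, txt, ttl=60):
    """RFC 2136 UPDATE adding one TXT RR: ZONE=1, PREREQ=0, UPDATE=1, ADDITIONAL=0."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # opcode 5 = UPDATE
    zone_sec = wire_name(zone) + struct.pack("!HH", 6, 1)         # SOA, IN
    rdata = bytes([len(txt)]) + txt.encode("ascii")               # one <character-string>
    return header + zone_sec + wire_name(name) + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata


def _tsig_mac(message, key_name, alg, secret_b64, time_signed, fudge):
    """HMAC over the unsigned message plus the TSIG variables (RFC 8945 4.3.3):
    key name, class ANY, TTL 0, algorithm name, time signed, fudge, error 0, other-len 0."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0) + wire_name(alg)
                 + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(base64.b64decode(secret_b64), message + variables, ALGORITHMS[alg]).digest()


def tsig_sign(message, key_name, alg, secret_b64, time_signed, fudge=300):
    """Append the TSIG RR (type 250, class ANY, TTL 0) and increment ARCOUNT.
    `fudge` is the replay window in seconds; 300 is what the session above shows."""
    mac = _tsig_mac(message, key_name, alg, secret_b64, time_signed, fudge)
    rdata = (wire_name(alg) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + message[:2] + struct.pack("!HH", 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def split_tsig(signed):
    """Return (message with the TSIG RR removed and ARCOUNT decremented, TSIG RR bytes)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    return signed[:10] + struct.pack("!H", ar - 1) + signed[12:off], signed[off:]


def tsig_verify(signed, secrets, now):
    """What the name server does: find the key by the RR's name, recompute the
    MAC, then enforce the time window. Returns NOERROR, BADKEY, BADSIG or BADTIME."""
    body, rr = split_tsig(signed)
    key_name, off = read_name(rr, 0)
    alg, off = read_name(rr, off + 10)                  # skip type, class, TTL, RDLENGTH
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", rr[off:off + 10])
    time_signed = (hi << 32) | lo
    mac = rr[off + 10:off + 10 + mac_len]
    if key_name not in secrets or alg not in ALGORITHMS:
        return "BADKEY"
    if not hmac.compare_digest(mac, _tsig_mac(body, key_name, alg, secrets[key_name], time_signed, fudge)):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    # Constructed values: placeholder zone and key; the secret is base64("secret").
    msg = build_update(46154, "example.net", "myzone.example.net", "hello")
    signed = tsig_sign(msg, "update", "hmac-sha512", "c2VjcmV0", 1664436399)
    print(signed.hex())
    print(tsig_verify(signed, {"update": "c2VjcmV0"}, 1664436399 + 60))
```

                  Two things follow from the MAC covering both the message and the variables: flipping a single byte of the TXT rdata or of the timestamp invalidates the signature, and a captured update can only be replayed within the fudge window, which is why the client and server clocks have to agree to within a few minutes for nsupdate to work at all.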
                    Fenil

                    @gertjan I tried the way you explained with the shell command, but it is still showing this error: [screenshots: acmeerror.PNG, nsupdateerror.PNG]

                      Gertjan @Fenil

                      @fenil

                      Without knowing what dyndns.org uses as a 'TSIG', I suspect it isn't the old and insecure:

                      [screenshot]

                      Are you sure it isn't something like:

                      [screenshot]

                      like the one I used against my own bind-based name server?

                        Fenil @Gertjan

                        @gertjan I have tried with both settings and it is still the same.

                          Fenil @Gertjan

                          @gertjan Don't worry, I bought a different domain name from No-IP and the certificate started working with it.
                          Thank you for your help.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.