Netgate Discussion Forum

    nsupdate: key ? is unreadable

    ACME
    • Sprinterfreak

      Hi there,

      I wanted to use my existing DNS challenge infrastructure, which is running fine using acertmgr.

      Basically there is a dedicated bind instance running at challenge.domain.net, serving acme.challenge.domain.net.
      On every domain I'd like to validate, I add (in this case)

      _acme-challenge.owa IN CNAME acme.challenge.domain.net.

      I have TSIG keys configured at challenge.domain.net, which allow updating TXT on acme.challenge.domain.net. Tested, working in production with acertmgr on a lot of Debian machines. So up to here there is no fault.

      Now pfSense's ACME comes in.

      • I created a new ACME account "LE Testing" using the le-staging-2 CA
      • I created a certificate config for owa.domain.net as follows:

      Name: owa.domain.net
      Acme Account: LE Testing
      Domain SAN list DNS-Nsupdate /RFC2136

      • Server challenge.domain.net
      • Key Name: pfsense.
      • Key Algorithm: HMAC-SHA512
      • Key: VLvHm4IeTM8gzIx3SteM7ISjz+oReIklXYciB0P6GFMPFBnw1pTu/BS4adDStWvP1gRAzhCBv1MFFb5xja05uA==
      • Enable DNS alias mode: acme.challenge.domain.net
      • Enable DNS domain alias mode: [x]

      When I save and hit renew, the following is presented in a green box: (Why green? It failed...)

      owa.domain.net
      Renewing certificate 
      account: LE Testing 
      server: letsencrypt-staging-2 
      
       getCertificatePSK updating key
      /usr/local/pkg/acme/acme.sh  --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --create-domain-key --domain 'owa.domain.net' --keylength '4096' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_createdomainkey.log'
      Array
      (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      )
      [Sat Jun 10 16:22:16 CEST 2023] Creating domain key
      [Sat Jun 10 16:22:17 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
      
      /usr/local/pkg/acme/acme.sh  --issue  --domain 'owa.domain.net' --domain-alias 'acme.challenge.domain.net' --dns 'dns_nsupdate'  --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --force --reloadCmd '/tmp/acme/owa.domain.net/reloadcmd.sh' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_issuecert.log'
      Array
      (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [NSUPDATE_SERVER] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate
          [NSUPDATE_KEYNAME] => pfsense.
          [NSUPDATE_KEYALGO] => 165
          [NSUPDATE_KEY] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate
          [NSUPDATE_ZONE] => challenge.domain.net
      )
      [Sat Jun 10 16:22:18 CEST 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
      [Sat Jun 10 16:22:18 CEST 2023] Creating domain key
      [Sat Jun 10 16:22:18 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
      [Sat Jun 10 16:22:18 CEST 2023] Single domain='owa.domain.net'
      [Sat Jun 10 16:22:18 CEST 2023] Getting domain auth token for each domain
      [Sat Jun 10 16:22:20 CEST 2023] Getting webroot for domain='owa.domain.net'
      [Sat Jun 10 16:22:20 CEST 2023] Adding txt value: iNxhsmIl2uBmS88ekq9xrRHq5OzL2gNyStpu9yFGVcU for domain:  acme.challenge.domain.net
      [Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable
      [Sat Jun 10 16:22:20 CEST 2023] Error add txt for domain:acme.challenge.domain.net
      [Sat Jun 10 16:22:20 CEST 2023] Please check log file for more details: /tmp/acme/owa.domain.net/acme_issuecert.log
      

      So the line in question is this:

      [Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable

      By the looks of it, the path already looks broken. The file does not exist; pfSense has failed to create it, I guess.

      So now I fiddled around a lot.
      I managed to fix the missing files by

      cd /tmp/acme/owa.domain.net
      ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.server owa.domain.netnsupdateacme.challenge.domain.net.server
      ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.key owa.domain.netnsupdateacme.challenge.domain.net.key
      

      Sorry for finding a hack before posting, but there is definitely something wrong with the filenames created by the UI.

      Hopefully this is useful enough for our devs to find a permanent solution to this.

      Best regards,
      Jan

      • Sprinterfreak @Sprinterfreak

        The issue may just be pfSense prepending _acme-challenge. to the challenge FQDN in the filename when "Enable DNS domain alias mode" is ticked.

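
An added example, not code from the post or from the pfSense ACME package: a small POSIX shell script that models the filename mismatch the log above implies and applies Jan's symlink workaround to every affected key/server pair in a certificate directory, rather than to one pair by hand. It assumes, from the log lines alone and not from package source, that acme.sh builds the lookup path as the NSUPDATE_KEY prefix followed by the fulldomain it hands the DNS hook plus ".key" (the log shows ...nsupdate + acme.challenge.domain.net + .key), that pfSense wrote the files with an "_acme-challenge." prefix in front of the alias, and that in domain alias mode the UI passes "=<alias>" and acme.sh strips the "=" without prepending "_acme-challenge.", which is why the names differ only in that mode. The function names and the example paths are the example's own.

```sh
#!/bin/sh
# Added example, not from the forum post or the pfSense ACME package.
# Models the filename mismatch reported in the thread and applies the
# poster's symlink workaround to every affected file in a cert directory.
#
# Assumptions (read off the log in the post, not taken from package source):
#  * pfSense writes   <prefix>_acme-challenge.<alias>.key   and   .server
#  * acme.sh opens    <prefix><fulldomain>.key   where <prefix> is
#    $NSUPDATE_KEY and <fulldomain> is the name handed to the DNS hook
#  * in "DNS domain alias" mode the UI passes "=<alias>", acme.sh strips the
#    "=" and does not prepend "_acme-challenge.", so the names differ

# Name acme.sh hands the DNS hook for a configured alias value.
#   $1  alias as configured; a leading "=" selects domain alias mode
acme_fulldomain() {
  case $1 in
    =*) printf '%s\n' "${1#=}" ;;               # domain alias: bare name
    *)  printf '_acme-challenge.%s\n' "$1" ;;   # challenge alias: prefixed
  esac
}

# Path acme.sh will try to read for the TSIG key: <prefix><fulldomain>.key
#   $1  NSUPDATE_KEY prefix, e.g. /tmp/acme/owa.domain.net/owa.domain.netnsupdate
#   $2  alias as configured
expected_keyfile() {
  printf '%s%s.key\n' "$1" "$(acme_fulldomain "$2")"
}

# Distinguish the two conditions behind a "key ... is unreadable" message:
# prints "missing", "unreadable" (exists, but no read permission) or "ok".
check_keyfile() {
  if [ ! -e "$1" ]; then
    echo missing
  elif [ ! -r "$1" ]; then
    echo unreadable
  else
    echo ok
  fi
}

# For every <cert>nsupdate_acme-challenge.<alias>.key/.server pfSense wrote,
# create the un-prefixed name acme.sh looks for as a relative symlink.
# Skips names that already exist, so it is safe to re-run after each renewal.
#   $1  certificate working directory, e.g. /tmp/acme/owa.domain.net
link_alias_keyfiles() {
  dir=$1
  for f in "$dir"/*nsupdate_acme-challenge.*.key \
           "$dir"/*nsupdate_acme-challenge.*.server; do
    [ -e "$f" ] || continue                      # glob matched nothing
    base=${f##*/}
    # owa.domain.netnsupdate_acme-challenge.X  ->  owa.domain.netnsupdateX
    link=${base%%nsupdate_acme-challenge.*}nsupdate${base#*nsupdate_acme-challenge.}
    [ -e "$dir/$link" ] && continue              # already present
    ln -s "$base" "$dir/$link" || return 1
    printf '%s -> %s\n' "$link" "$base"
  done
  return 0
}

# Usage: sh fix-nsupdate-names.sh /tmp/acme/owa.domain.net
if [ "$#" -gt 0 ]; then
  link_alias_keyfiles "$1"
fi
```

Run it with the certificate's working directory as the argument, or source it and call link_alias_keyfiles and expected_keyfile interactively to see which name acme.sh will open for a given alias setting. The log message does not say whether the file is absent or merely unreadable; check_keyfile separates the two, since a key file with the wrong mode or owner produces the same words. The links live under /tmp and may not survive a reboot, so this remains a stopgap until the package writes the names consistently. Separately, the HMAC-SHA512 TSIG secret pasted in the post is now public and should be treated as compromised: generate a fresh key on the BIND side and replace it both in the server's update policy and in the pfSense certificate entry.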
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.