FreeDNS DNS validation problem
-
When issuing/renewing the certificate, there seems to be a bug that does not wait for certificate creation. This happens when using the freeDNS integration; I have not tried it with other providers.
I have confirmed the acme TXT record gets created correctly in freeDNS and it then gets deleted, as shown in the log below. But it seems to delete the DNS record too soon and it then fails, as if it's not waiting for the CA to return the certificate.
I wanted to post in the forum before opening a bug report (if possible at all). Any help appreciated.
The log has been redacted.
It's a pastebin, since otherwise the forum detects my post as spam:
https://pastebin.com/jLAyhbbi
-
This is probably way too optimistic.
Go for 300 sec, or more.

When acme.sh inserts the TXT records, they are inserted into the master DNS server only.
When done, the master signals the slave DNS servers. Again: it signals the slave(s) to indicate that the zone has been updated. The actual update isn't carried out yet.
These slave servers come back to the master DNS server to sync up the zone "when they want to".
Imagine this: what if the slave DNS servers host many thousands of zones, would you handle them in batches or handle every update individually ;)
And now, you get it: the slave can do this "right away" or "some time later". And that's it: you don't know. But you gave it "20 seconds".

When the DNS sleep time is over, the acme script signals Letsencrypt it's ready .... but ... the underlying DNS system wasn't ready yet.
Letsencrypt starts to do the DNS check for the TXT record, and might hit the master DNS, or a slave DNS. It probably lists all your DNS slaves, and tests them all.
If one of them wasn't updated (synced) yet, you'll have a fail.

So, again: go for 300.
Btw: I'm using afraid.org as they offer free slave DNS services.
What I know, as I can see when a (TXT) record gets created on my DNS master, and when afraid.org syncs: you need the 300 seconds - and sometimes it's even more.
-
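A fixed sleep only guesses when the slaves have synced. As an added illustration (not code from the pfSense ACME package or acme.sh), the check below polls every authoritative nameserver directly for the `_acme-challenge` TXT record and only returns once all of them answer, or a deadline passes; `dig_txt` is a hypothetical helper that shells out to the `dig` binary, and the query function is injectable so the logic can be exercised without network access.

```python
import subprocess
import time
from typing import Callable, List


def dig_txt(nameserver: str, name: str) -> List[str]:
    """Ask one authoritative server (not the local resolver) for a TXT record.

    Hypothetical helper for this example; relies on the system `dig` binary.
    Each TXT value is printed quoted by dig, so the quotes are stripped.
    """
    out = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "@" + nameserver, name, "TXT"],
        capture_output=True, text=True, check=False,
    ).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def wait_for_txt_on_all_ns(
    name: str,
    expected: str,
    nameservers: List[str],
    query_fn: Callable[[str, str], List[str]] = dig_txt,
    timeout: float = 300.0,
    interval: float = 10.0,
    sleep_fn: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> List[str]:
    """Poll each nameserver until it serves `expected` for `name`.

    Returns the servers that still lack the record when the deadline is hit;
    an empty list means master and every slave agree, so it is safe to tell
    the CA to validate. A server is dropped from `pending` as soon as it
    answers correctly, so each one is re-queried only while it lags.
    """
    deadline = clock() + timeout
    pending = list(nameservers)
    while True:
        pending = [ns for ns in pending if expected not in query_fn(ns, name)]
        if not pending or clock() >= deadline:
            return pending
        sleep_fn(interval)


if __name__ == "__main__":
    # Constructed values: replace with the zone's real NS hosts and token.
    lagging = wait_for_txt_on_all_ns(
        "_acme-challenge.example.com", "TOKEN_PLACEHOLDER",
        ["ns1.example.com", "ns2.example.com"], timeout=300, interval=10)
    print("all synced" if not lagging else f"still missing on: {lagging}")
```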
@Gertjan Not only did it work, I had the DNS sleep time as an option in the pfSense ACME GUI, doh! Also, very nice explanation of why it's failing. Checks out.
Thank you so much.
For all of you ADHDs there, this WORKS, hehehe.