Netgate Discussion Forum

    Acme, Haproxy and DNSMadeEasy not working

    • cjbujold

      Trying to get acme, haproxy and DNSMadeEasy working together and cannot find any documentation or guide.  If somebody can point me in the right direction it would be appreciated.

      1. Created my test account key.

      2. Created my certificate using DNSMadeEasy for verification, but this is where it seems to break.  The error I get is:

      [Wed Feb 22 15:31:45 AST 2017] The new-authz request is ok.
      [Wed Feb 22 15:31:45 AST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
      [Wed Feb 22 15:31:47 AST 2017] invalid domain
      [Wed Feb 22 15:31:47 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca

      I have entered my API Key and API Secret Password.  I presume that I'm missing something additional in my DNS settings but I do not know what.  What do I need to add to my DNS settings to get this to work? Do I need to forward some additional port over the HAProxy port settings?

      Is there any documentation or guide that can help?

      Thanks

      • thedaveCA

        I'm seeing similar. Check the debug logs: do you see an extra } symbol in the debug log like I am seeing?

        https://forum.pfsense.org/index.php?topic=125946.0

        In the meantime, you can get acme working today by using HTTP validation mode: put this on a non-standard port (82?), then set haproxy to forward requests for URLs starting with /.well-known/acme-challenge/ to a custom backend which ultimately points to 127.0.0.1:82. Be aware that you need to turn off monitoring for this backend, as the HTTP validation server only runs for a few seconds when it's needed.

        I'd still rather get DNSMadeEasy integration working, but for hostnames which point to your pfSense and have haproxy on port 80, this may work.

          • cjbujold

          Not seeing the same issue as you.  My log is below.  The error seems to be that it is not finding the API Key (Dynamic DNS ID) when connecting to DNSMadeEasy.  I have verified both the ID and Password and they are valid.

          [Thu Feb 23 09:01:23 AST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
          [Thu Feb 23 09:01:23 AST 2017] dns_me_add exists=0
          [Thu Feb 23 09:01:23 AST 2017] APP
          [Thu Feb 23 09:01:23 AST 2017] 4:ME_Key='231XXXX'
          [Thu Feb 23 09:01:23 AST 2017] APP
          [Thu Feb 23 09:01:23 AST 2017] 5:ME_Secret='testforSecureXXXXX'
          [Thu Feb 23 09:01:23 AST 2017] First detect the root zone
          [Thu Feb 23 09:01:23 AST 2017] name?domainname=secure.accra.ca
          [Thu Feb 23 09:01:23 AST 2017] GET
          [Thu Feb 23 09:01:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=secure.accra.ca'
          [Thu Feb 23 09:01:23 AST 2017] timeout
          [Thu Feb 23 09:01:23 AST 2017] curl exists=0
          [Thu Feb 23 09:01:23 AST 2017] wget exists=127
          [Thu Feb 23 09:01:23 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
          [Thu Feb 23 09:01:24 AST 2017] ret='0'
          [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
          [Thu Feb 23 09:01:24 AST 2017] name?domainname=accra.ca
          [Thu Feb 23 09:01:24 AST 2017] GET
          [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
          [Thu Feb 23 09:01:24 AST 2017] timeout
          [Thu Feb 23 09:01:24 AST 2017] curl exists=0
          [Thu Feb 23 09:01:24 AST 2017] wget exists=127
          [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
          [Thu Feb 23 09:01:24 AST 2017] ret='0'
          [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
          [Thu Feb 23 09:01:24 AST 2017] name?domainname=ca
          [Thu Feb 23 09:01:24 AST 2017] GET
          [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ca'
          [Thu Feb 23 09:01:24 AST 2017] timeout
          [Thu Feb 23 09:01:24 AST 2017] curl exists=0
          [Thu Feb 23 09:01:24 AST 2017] wget exists=127
          [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
          [Thu Feb 23 09:01:25 AST 2017] ret='0'
          [Thu Feb 23 09:01:25 AST 2017] response='{error: ["API key not found"]}'
          [Thu Feb 23 09:01:25 AST 2017] invalid domain
          [Thu Feb 23 09:01:25 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca
          [Thu Feb 23 09:01:25 AST 2017] pid
          [Thu Feb 23 09:01:25 AST 2017] _clearupdns
          [Thu Feb 23 09:01:25 AST 2017] Dns not added, skip.
          [Thu Feb 23 09:01:25 AST 2017] _on_issue_err
          [Thu Feb 23 09:01:25 AST 2017] Please check log file for more details: /tmp/acme/accra.ca/acme_issuecert.log
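
One way to read the debug log above, as an added example that is not part of the original post or of acme.sh: every root-zone lookup came back with an API error, so the closing "invalid domain" follows from rejected credentials rather than from a missing zone. The function names, verdict strings and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, verdict strings and the sample log are
# constructed for illustration (placeholder domain and credentials).

# Mask the credential values that acme.sh prints at debug level.
redact_acme_log() {
  sed -E "s/(ME_(Key|Secret)=')[^']*'/\1[REDACTED]'/"
}

# Classify why the TXT record was not added:
#   auth-rejected  - every root-zone lookup came back with an API error
#   zone-not-found - lookups were answered, but no managed zone matched
#   no-dns-failure - the log has no "invalid domain" line
triage_acme_dns_log() {
  awk '
    /url=.*\/dns\/managed\/name\?domainname=/ { lookups++ }
    /response=.[{]error:/                     { errors++ }
    /\] invalid domain *$/                    { invalid = 1 }
    END {
      if (!invalid)
        print "no-dns-failure"
      else if (lookups > 0 && errors == lookups)
        print "auth-rejected lookups=" lookups " errors=" errors
      else
        print "zone-not-found lookups=" (lookups + 0) " errors=" (errors + 0)
    }'
}

# Constructed sample in the same line shapes as the posted log.
sample_log() {
  cat <<'EOF'
[Thu Feb 23 09:01:23 AST 2017] 4:ME_Key='CONSTRUCTED-KEY'
[Thu Feb 23 09:01:23 AST 2017] 5:ME_Secret='CONSTRUCTED-SECRET'
[Thu Feb 23 09:01:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=www.example.com'
[Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
[Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=example.com'
[Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
[Thu Feb 23 09:01:25 AST 2017] invalid domain
[Thu Feb 23 09:01:25 AST 2017] Error add txt for domain:_acme-challenge.www.example.com
EOF
}

sample_log | redact_acme_log | triage_acme_dns_log
```

Piping a debug log through `redact_acme_log` before sharing it keeps the ME_Key and ME_Secret values out of the posted copy without changing the verdict.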
