-
Hmm, it worked last time I tried it but I also get that error now. I'll look into it.
-
This looks like something that can save a lot of people a lot of money.Β I'll be glad when its a bit more firmed up.Β I bet the certificate mafias out there are crying big alligator tears right now.Β Surprised they haven't tried to kill it.
-
Not sure when it broken (within the last 3-4 months based upon my expiration) β¦ but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:
Actually the key format is correct, both ways should work. And indeed it does still work on most of my systems here. I tried a 2.3.5 box, a 2.4.1 box, and other 2.4.2 snapshots all on the newest ACME code and only one of them failed in this way. It's still not clear exactly what that one failed either. It worked fine with one other cert on the same exact box also using RFC2136. All of the files appear to be correctly formatted so far.
I'm still looking into it, but it does not appear to be a widespread issue (only one failure out of about 15 configurations here thus far)
-
Not sure when it broken (within the last 3-4 months based upon my expiration) β¦ but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:
Actually the key format is correct, both ways should work. And indeed it does still work on most of my systems here. I tried a 2.3.5 box, a 2.4.1 box, and other 2.4.2 snapshots all on the newest ACME code and only one of them failed in this way. It's still not clear exactly what that one failed either. It worked fine with one other cert on the same exact box also using RFC2136. All of the files appear to be correctly formatted so far.
I'm still looking into it, but it does not appear to be a widespread issue (only one failure out of about 15 configurations here thus far)
OK, I found the problem. It's a configuration issue. That was a test entry which did not have a proper key type or key algorithm set, I forgot I broke that one deliberately before when checking the formats.
So it's not a package problem that I can see. Make sure it's set correctly (e.g. set to Host Key, and set to the correct matching algo as the source key)
Unless there is something special about HMAC-SHA512 that requires the different key file format, that I could work around. I don't have any using that algo here.
-
Not sure when it broken (within the last 3-4 months based upon my expiration) β¦ but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:
[Wed Nov 1 18:22:29 EDT 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh [Wed Nov 1 18:22:29 EDT 2017] adding _acme-challenge.mydomain.com. 60 in txt "some-acme-nonce" 01-Nov-2017 18:22:29.933 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:1: unknown option '_acme-challenge.mydomain.com...' 01-Nov-2017 18:22:29.934 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:2: unexpected token near end of file could not read key from /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.{private,key}: unexpected token update failed: REFUSED [Wed Nov 1 18:22:30 EDT 2017] error updating domainI have the same issue here, also with different key formats (HMAC-SHA256). I too think that the file is not formatted correctly.
Using the key file as -k parameter to nsupdate will always fail:
nsupdate -k /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key -v nsupdate.txt 11-Dec-2017 22:14:52.501 /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key:1: unknown option '_acme-challenge.pfsense.domain...' 11-Dec-2017 22:14:52.502 /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key:2: unexpected token near end of file could not read key from /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.{private,key}: unexpected tokenHowever, passing the key differently to nsupdate works as expected:
nsupdate -y 'HMAC-SHA256:_acme-challenge.pfsense.domain:nQ02d88024393209140eIQo37QCM=' -v nsupdate.txtInvestigating further I found out that the .key file format seemed to be wrong. It was
_acme-challenge.pfsense.domain IN KEY 513 3 163 nQ02d88024393209140eIQo37QCM= ```when it should have been``` _acme-challenge.pfsense.domain. IN KEY 513 3 163 nQ02d88024393209140eIQo37QCM= ```instead. Note the missing . after the domain name. I reckon that's the issue here. @jimp could you look into this? -
It does appear as though the '.' should be there, but that doesn't cause any of mine to fail here. I have quite a few using nsupdate and it works perfectly. Though I think they are almost all HMAC_MD5.
Does adding the '.' to the file let it work? You can add it at line 195 of /usr/local/pkg/acme/acme_sh.inc
Change this:
file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", "_acme-challenge.{$nsupdatedomain} IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");to this:
file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", "_acme-challenge.{$nsupdatedomain}. IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");It seems to work either way for me, but if that lets it work for you then I'll go ahead and commit it.
-
Does adding the '.' to the file let it work? You can add it at line 195 of /usr/local/pkg/acme/acme_sh.inc
Unfortunately not. The error messages from nsupdate complaining about the *.key file weren't exactly helpful eitherβ¦
Anyhow, I've figured out what the issue was. Comparing the key pair generated on my DNS server and in pfSense I've noticed a few lines missing. Adding
Bits: AAA=in line 200 finally did the trick for me. Tadaaa:
[Tue Dec 12 18:48:06 CET 2017] Cert success.
I have no idea what the "Bits" line does unfortunately, but in the end it seems that this was what was missing.
I generated a HMAC-SHA512 key pair for comparison. It has the same "Bits" line; the request worked as well.
Cheers
-
Interesting. Every example I can find of the Bits: line is AAA= but I'd like to find some source for how that's calculated before I go hardcoding it or making a separate field.
-
Are there any plans on adding Google Domains to the list?
-
Are there any plans on adding Google Domains to the list?
It must be supported by the acme.sh project first, but it doesn't look like they're into the idea: https://github.com/Neilpang/acme.sh/issues/180
-
Ahh, bummer. Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.