Acme certificate with DNS-Manual
-
Hello,
I am trying to generate certificate with Dns-manual.
i am able to get the txt value when i hit issue in certificate tab and i got this outputThe new-authz request is ok.
[Wed Jan 31 18:14:31 IST 2018] Add the following TXT record:
[Wed Jan 31 18:14:31 IST 2018] Domain: '_acme-challenge.fdmoon.co'
[Wed Jan 31 18:14:31 IST 2018] TXT value: 'a7JQ-PpmOc77pTVqo8zHB6mHxiMhqC9pjRfYAVKhYPA'
[Wed Jan 31 18:14:31 IST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Wed Jan 31 18:14:31 IST 2018] so the resulting subdomain will be: _acme-challenge.fdmoon.co
[Wed Jan 31 18:14:31 IST 2018] Please add the TXT records to the domains, and retry again.but i don't know exactly where should i add the txt record please help me.
i added in DNS resolver custom option in the following way
server:
local-data: '_acme-challenge.fdmoon.co IN TXT a7JQ-PpmOc77pTVqo8zHB6mHxiMhqC9pjRfYAVKhYPA'
once i hit renew the certificate is not generating
i don't know whether it is correct or not please help me, i am trying this for many days
thank you. -
Hi,
First of all : you're in the wrong forum section. "acme" is a package, so your post should be here : pfSense Forum » pfSense English Support » Packages
Ask yourself this question : how is the Letsenscrypt going to check this TXT record ???
First of all, as you should know, the server that checks this TXT record from Letsenscrypt lives somewhere on the Internet, so it is going to resolve "fdmoon.co" first.
Guess what ? :host fdmoon.co Host fdmoon.co not found: 3(NXDOMAIN)Domain does not exist. You're out of business.
Next : if you really want this to work, you should "own" (== rent) the domain name "fdmoon.co", and you should put at least on of the two name servers for this domain on pfSense, open port "53" so it can answer to requests from anywone who wants to lookup your domain name, etc.
This doc https://doc.pfsense.org/index.php/ACME_package and the fact you use Letsenscrypt implies one thing to start with : you need a registered domain name. (good news : fdmoon.co is available - if "co" as a tld exists)
You should have access to at least one name server of this domain name so you can put in manually the TXT record :_acme-challenge.fdmoon.co IN TXT 'a7JQ-PpmOc77pTVqo8zHB6mHxiMhqC9pjRfYAVKhYPA'Then you wait a bit, so the other (or others) name server(s) synced, and only then you ask Letsenscrypt to validate.
This is the method : https://doc.pfsense.org/index.php/ACME_package => DNS-Manual : it works, but you renew your certificate manually every 90 days or less, because the TXT record changes all the time.This one : "nsupdate" is better because the TXT record is put in place automatically , but you have to have access to a real DNS server that hosts your domain name, like unbound or (also known as "named") running on a dedicated server, a VPS, or why not, some DNS server running on pfSense. This method works great - I'm using it - but you really need to know what a DNS server is, and how to set up this rather particular procedure.
The "FTP Webroot" method is useful if you have a web server running on your LAN or other internal network. acme will use FTP to put in place a file in the webroot of the web server. This procedure will also allow you to renew automatically afterwards.
The "Webroot Local Folder" and "Standalone" methods are possible, but remain manual (but with some very good scripting things could be done automatically).
-
or why not, some DNS server running on pfSense. This method works great - I'm using it - but you really need to know what a DNS server is, and how to set up this rather particular procedure.
Gertjan, can you elaborate on how you set this up?
-
Thanks for your explination.
Now can you help me setting up this certificate without buying any thing, is that possible.and once the let's encrypt certificate is generated, can i use that certificate to filter the HTTPS proxy, instead of manually installing the certificates in all the systems.
-
Now can you help me setting up this certificate without buying any thing, is that possible.
Read here https://letsencrypt.org/getting-started/ first paragraph :
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain.
Using other words : you have to rent (== own) a domain name.and once the let's encrypt certificate is generated, can i use that certificate to filter the HTTPS proxy, instead of manually installing the certificates in all the systems.
As asked already several times ;)
You could ask to include all this in your certificate :
domain-name.tld
pfsense.domain-name.tld
printer.domain-name.tld
nas.domain-name.tld
server.domain-name.tld
doorbell.domain-name.tld
etc.
but it will by YOU importing manually all the certs into
printer.domain-name.tld
nas.domain-name.tld
server.domain-name.tld
doorbell.domain-name.tldOf course, it can be done with scripts, but knowing that there are billions of types of equipment possible, you'll be writing the script.
-
Gertjan, can you elaborate on how you set this up?
Never did so myself.
"DNS-Manual" means that you have to go through the same procedure every 90 days or less.You need a domain name, and you need to have access to "zone information" of this domain name. I guess every registrar gives you this kind of access when you rent a domain name.
So, it's rather easy to set a TXT record with the key info letsencrypt gave you when asking for a certificate or renewing a certificate.
When you add this key, probably using the GUI used by the registrar to administer your domain name, know that you have to wait several minutes or even more, because the zone info has to be synced among at least one other name server that 'hosts' you domain name.
Only when that has been done, you can proceed with the acme interface (pfSense) to ask for a (re) new certificate.I'm using my own dedicated server, and I'm using my own DNS master server that hosts my domain name (actually more then 10).
acme used by pfSEnse has been set up to "talk" to my DNS server, so it can add these TXT records itself in the zone file (the file with all the info related to a domain name).
This is the so called "nsupdate" method, and is fully automated.
