-
ACME is still an nsupdate client in that context. There is nothing special about it being on the same server. It is not "the server itself" -- it's still a client updating a server, and thus requires a key like any other client.
-
Fine... so I generate the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST mydomain.cu
Kmydomain.cu.+157+54710
cat Kmydomain.cu.+157+54710.key
mydomain.cu. IN KEY 512 3 157 blababla-key-string
Then I put the "blababla-key-string" key in Global settings on the BIND DNS server (on pfSense, same box):
key mydomain.cu. {
    algorithm hmac-md5;
    secret "blababla-key-string";
};
Then I go to the ACME config and on the Domain SAN list add two entries for multi-domain, both with method DNS-NSupdate / RFC 2136:
domain name: mydomain.cu
key: blababla-key-string
and domain name: *.mydomain.cu
key: blababla-key-string
The key name is mydomain.cu for both entries.
Is that right? -
You need keys for
_acme-challenge.<hostname>
not just <hostname>.
I'm not that familiar with the BIND package so I can't comment on the particulars there. Assuming the hosts in the domain have the rights to create/update TXT records you should be fine once you have the right key names/keys in place.
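To make the key-naming rule from this reply concrete, here is an added example (my code, not from the pfSense ACME package, acme.sh or BIND). It derives the key name `_acme-challenge.<hostname>` that the update client signs with, shows that a wildcard entry such as `*.mydomain.cu` collapses onto the base name's challenge record (which is why the earlier log skipped a second TXT for the wildcard), and emits the named.conf key stanza together with an `update-policy` grant limited to TXT at the challenge name instead of the zone-wide `allow-update` used elsewhere in this thread. Using hmac-sha256 rather than the thread's hmac-md5 is my choice; the hostnames and secrets are constructed.

```python
"""Generate a TSIG key stanza and a scoped update policy for the ACME nsupdate method.

Added example, not part of the pfSense ACME package, acme.sh or BIND. It assumes
the naming rule stated in the thread: updates are signed with a key named
_acme-challenge.<hostname>, and a wildcard name shares the base name's
challenge record. Hostnames and secrets below are constructed.
"""
import base64
import secrets

CHALLENGE_PREFIX = "_acme-challenge."


def tsig_key_name(hostname: str) -> str:
    """Return the key name the BIND key stanza and the nsupdate client must share."""
    host = hostname.strip().lower()
    if host.startswith("*."):
        host = host[2:]                      # *.example and example use one challenge record
    host = host.rstrip(".")
    if host.startswith(CHALLENGE_PREFIX):
        host = host[len(CHALLENGE_PREFIX):]   # tolerate an already-prefixed input
    return CHALLENGE_PREFIX + host + "."


def diagnose_key_name(configured_name: str, hostname: str) -> str:
    """Explain whether a configured key name will be accepted for challenge updates."""
    expected = tsig_key_name(hostname)
    got = configured_name.strip().lower().rstrip(".") + "."
    if got == expected:
        return "ok: key name matches the challenge label"
    return f"mismatch: configured {got!r}, expected {expected!r}"


def new_secret(nbytes: int = 32) -> str:
    """Fresh random secret, base64 as named.conf expects (32 bytes = 256-bit key)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_strength_bits(secret: str) -> int:
    """Decoded key length in bits; rejects secrets that are not valid base64."""
    return len(base64.b64decode(secret, validate=True)) * 8


def key_stanza(hostname: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """named.conf key stanza; the same text is what nsupdate -k reads."""
    name = tsig_key_name(hostname)
    return (
        f'key "{name}" {{\n'
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def update_policy(hostname: str) -> str:
    """Zone-level grant restricted to TXT at the challenge name.

    allow-update { key ...; } lets the key change any record in the zone;
    update-policy limits what a leaked ACME key could do to the challenge TXT.
    """
    name = tsig_key_name(hostname)
    return f'update-policy {{\n    grant "{name}" name {name} TXT;\n}};\n'


if __name__ == "__main__":
    secret = new_secret()
    # The thread's original setup named the key after the zone, not the challenge label.
    for host in ("mydomain.cu", "*.mydomain.cu"):
        print(host, "->", diagnose_key_name("mydomain.cu.", host))
    print(key_stanza("mydomain.cu", secret))
    print(update_policy("mydomain.cu"))
```

The stanza uses the trailing-dot form of the key name, as the zone stanza later in this thread does; BIND treats both spellings as the same name. Drop the `key_stanza` output into named.conf and into the file passed to `nsupdate -k`, and put the `update_policy` block inside the zone statement in place of `allow-update`.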
-
@jimp thanks
I fixed the key name, so now I'm receiving this error:
On the BIND DNS server:
query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
and in the ACME package:
[Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
response to SOA query was unsuccessful
[Thu Jan 10 14:35:47 CST 2019] error updating domain
[Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
[Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log -
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:
@jimp thanks
I fixed the key name, so now I'm receiving this error:
On the BIND DNS server:
query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
and in the ACME package:
[Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
response to SOA query was unsuccessful
[Thu Jan 10 14:35:47 CST 2019] error updating domain
[Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
[Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log
The previous error was related to the DNS server and its journal file; the zone did not load correctly. After fixing it and validating again I receive this error:
[Thu Jan 10 15:21:03 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 15:21:03 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 15:21:07 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:21:07 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "LyykPuSPAGwu0iR25uaaqqtiRUCTzIjfRazeVsJ8U1A"
[Thu Jan 10 15:21:07 CST 2019] Sleep 120 seconds for the txt records to take effect
[Thu Jan 10 15:23:07 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 15:23:07 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 15:23:18 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:23:18 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:23:18 CST 2019] Removing DNS records.
[Thu Jan 10 15:23:18 CST 2019] removing _acme-challenge.bicsa.cu. txt
[Thu Jan 10 15:23:18 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Thu Jan 10 15:23:18 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log
On the BIND DNS server the logs look like the update is fine...........
Jan 10 15:23:18 named 96796 update: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
Jan 10 15:23:18 named 96796 update-security: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 15:23:18 named 96796 queries: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1) -
I tried something out myself.
I have this domain called brit-hotel-fumel.net. I'm running my own master "bind" server which controls this domain.
This is the zone info for "brit-hotel-fumel.net" on my bind master:
zone "brit-hotel-fumel.net" {
    type master;
    file "/etc/bind/zones/db.brit-hotel-fumel.net";
    allow-transfer { "ns-internal-net"; };
    masterfile-format text;
    allow-update { key "_acme-challenge.brit-hotel-fumel.net."; };
    notify-source 188.165.53.87;
    notify explicit;
};
I would like to do this: add this line to my zone "brit-hotel-fumel.net":
sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
I made a file on pfSense called "update":
server 188.165.53.87
zone brit-hotel-fumel.net
update add sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
show
send
Info: "188.165.53.87" is my master bind server that controls the zone "brit-hotel-fumel.net".
Another file, called "key", that I copied from /etc/bind/named.conf.local (thus from my bind server settings files):
key "_acme-challenge.brit-hotel-fumel.net" {
    algorithm hmac-md5;
    secret "nFbjaI7mIMoDI0MpoByObC==";
};
On pfSense, I run this:
nsupdate -k key -v update
and voila (bind logs on the server):
10-Jan-2019 21:23:45.044 update-security: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: signer "_acme-challenge.brit-hotel-fumel.net" approved
10-Jan-2019 21:23:45.044 update: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at 'sub.brit-hotel-fumel.net' A
Now I run this to check:
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig sub.brit-hotel-fumel.net +short
1.10.10.10
If you can reproduce all this, you come close to using acme with the nsupdate method.
edit:
my real acme settings:
Btw: I asked for a wildcard certificate, just because I can ^^
-
@gertjan said in ACME and Bind dns Server on pfsense in the same server:
Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):
key "_acme-challenge.brit-hotel-fumel.net" { algorithm hmac-md5; secret "nFbjaI7mIMoDI0MpoByObC=="; };
You scribbled out the key in the image but left it in plain text when you posted the key file contents :-)
-
@jimp said in ACME and Bind dns Server on pfsense in the same server:
scribbled
I was pretty sure I would receive that remark.
"nFbjaI7mIMoDI0MpoByObC==" is a fake ^^
Thanks anyway -
Hi! Sorry, me again...
I have read several times and tried, but I stumble over several errors...
I tried from the command line and from the web config of pfSense; my DNS is updated and it returns this error:
[Tue Jan 15 08:43:56 CST 2019] Single domain='enlinea.bicsa.cu'
[Tue Jan 15 08:43:56 CST 2019] Getting domain auth token for each domain
[Tue Jan 15 08:43:59 CST 2019] Getting webroot for domain='enlinea.bicsa.cu'
[Tue Jan 15 08:43:59 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 08:43:59 CST 2019] adding _acme-challenge.enlinea.bicsa.cu. 60 in txt "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
[Tue Jan 15 08:43:59 CST 2019] Sleep 120 seconds for the txt records to take effect
[Tue Jan 15 08:46:00 CST 2019] Verifying:enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 08:46:04 CST 2019] Removing DNS records.
[Tue Jan 15 08:46:04 CST 2019] enlinea.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
[Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
[Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
[Tue Jan 15 08:46:04 CST 2019] Error removing txt for domain:_acme-challenge.enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] Please check log file for more details: /tmp/acme/bicsa/acme_issuecert.log
After querying my DNS server I see:
[root@temis ~]# dig _acme-challenge.enlinea.bicsa.cu txt

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> _acme-challenge.enlinea.bicsa.cu txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1699
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.enlinea.bicsa.cu. IN TXT

;; ANSWER SECTION:
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "-CyGI3mBvSqjfP8F-SWBAGBRVB88k4LXRgM3jTGGu-U"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "rLgLQa2nh2Wo1COaZ04vouNb5qoMLDJcrrL4_XNoOic"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "TOzYyEBH-u5u2Lm-Z1ownM2h2Ja45GviqvWMnlxdkuY"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "fE6plJ7PstkuXhLhbHqNFamLTpSJq6MZn9l2BzbXYCE"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "_BxnR2jrVJFYbRw9JqR8tzVma2JsBVuuU6B7gANh_bg"

;; Query time: 2373 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 15 09:44:41 2019
;; MSG SIZE rcvd: 386
After trying several times I notice that the TXT record of each attempt is not removed. The key is correctly in the directory and matches the one specified in the config.. -
Here is a capture of my config,
and my keys in Global Settings of the BIND config on pfSense.
-
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:
after trying several times I notice that the txt record of each attempt is not eliminated
Your TXT records confirm what you saw.
The logs say the very same thing:
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:
[Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
rm (or "remove") means "delete file".
The Let's Encrypt "test server" can't find (== resolve) the record "_acme-challenge.enlinea.bicsa.cu", which means the DNS name server(s!! - there should be at least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
This can happen when synchronisation is functioning well. (The TXT subdomain was set on the master DNS server, but wasn't synced within 120 seconds to the slave DNS server.)
Check:
Your name servers:
dig bicsa.cu any +short
....
ns2.bicsa.cu.
ns1.bicsa.cu.
....
root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
"s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
"DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
"F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"
root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
.... nothing = no good;
Btw: you have serious DNSSEC troubles .....
DNSSEC should be perfect .... or your site will not be found on the net.
Use http://dnsviz.net/ to check. (You're good for some nights without sleep.)
It is feasible though: http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).
If the LE test server used the NS1 (your) name server (not synced) it will error out (it says: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
Like: see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.
Btw:
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:
dig _acme-challenge.enlinea.bicsa.cu txt
When I run
dig _acme-challenge.enlinea.bicsa.cu TXT +short
from a server I own (somewhere in France) I see .... nothing - no result.
What I see is what the LE test servers see: nothing (answer also known as 'NXDOMAIN').
Check your DNS setup.
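The per-nameserver check described in the reply above, as an added example that is not part of this thread or of acme.sh, BIND or the pfSense package: it sends a TXT query straight to each authoritative server (no recursion, so a cached NXDOMAIN on a resolver cannot mask the result) and reports which servers actually serve the expected challenge token. It uses only the Python standard library; the sample packets, names, tokens and server list in the block are constructed, and `check_challenge` is the only function that touches the network.

```python
"""Check every authoritative server for the ACME challenge TXT record.

Added example (not from acme.sh, BIND or the pfSense ACME package). DNS
messages are built and parsed with the standard library only; the names,
tokens and packets below are constructed for demonstration.
"""
import secrets
import socket
import struct

TYPE_TXT, CLASS_IN = 16, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_txt_query(name, txid):
    """Standard query for <name> TXT IN; RD set, no EDNS needed for short answers."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)


def parse_txt_answers(msg):
    """Return (rcode name, list of TXT strings) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                 # QTYPE + QCLASS
    txts = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT:
            pos, parts = 0, []
            while pos < len(rdata):                 # TXT rdata: sequence of <len><chars>
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            txts.append("".join(parts))
    return RCODES.get(flags & 0x0F, str(flags & 0x0F)), txts


def query_txt(server, name, timeout=3.0):
    """One UDP query directly to an authoritative server, matched on transaction id."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_txt_query(name, txid), (server, 53))
        while True:
            data, _ = sock.recvfrom(4096)
            if struct.unpack(">H", data[:2])[0] == txid:   # ignore stray datagrams
                return parse_txt_answers(data)


def check_challenge(servers, name, token):
    """Map each server to True when it serves the expected token, else False."""
    report = {}
    for server in servers:
        try:
            rcode, txts = query_txt(server, name)
            report[server] = rcode == "NOERROR" and token in txts
        except OSError:                             # timeout or unreachable server
            report[server] = False
    return report


def sample_response(txid, name, tokens, rcode=0):
    """Constructed response; answer owner names are pointers to the question at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(tokens), 0, 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for t in tokens:
        rdata = bytes([len(t)]) + t.encode("ascii")
        answers += b"\xC0\x0C" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    # Offline demonstration on constructed packets; for a live check call
    # check_challenge(["<ns1 ip>", "<ns2 ip>"], "_acme-challenge.<hostname>.", "<token>").
    name = "_acme-challenge.example.test."
    print(parse_txt_answers(sample_response(1, name, ["tok-a", "tok-b"])))
    print(parse_txt_answers(sample_response(2, name, [], rcode=3)))
```

Run it against the IPs of every NS record for the zone (not against a resolver) before the ACME client's wait expires; a server reporting `False` while another reports `True` is the unsynced-secondary situation described above, and an `NXDOMAIN` from all of them means the update never reached the zone the public sees.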