Acme and Dyn

Gil

I still have issues with this.
It fails on adding _acme-challenge.....
error updating domain

The TSIG is correct.
Perhaps a couple of screenshots?

This is so convoluted for a major dyndns provider.

piperspace

I am now having some Acme success with DynDNS on Pfsense 2.4.4-p2 with Acme package 0.5.4_1. I no longer need to engage in script hacking.

Below is a screenshot of my Amce config.

Gil

I reset the script back to the original.

My settings:

Error message:

I probably need to get a better understanding of how this process works, can i use a DynDNS as the Zone?

piperspace

No. DynDns.net is not your zone. The parameter you are using for that looks ok. But you are using additional parameters I don’t know about.

I have DynDns Standard DNS which lacks a proper API thus requiring nsupdate. There is also DynDns Pro which may have an API. It’s confusing. Which service do you have? If you have DynDns Pro you are probably barking up wrong tree here.

Also, you can test parameters by connecting to your router and running nsupdate from the command line.

Gil

The additional parameters auto-filled, so I don't know where they came from and I can't seem to edit them. Perhaps, as you point out, I have a dyndns pro service.

piperspace

You might want to delete your config and start over using the DNS-Manual method.

piperspace

So I upgraded Acme to version 0.5.7_1 and this is busted again.

In /tmp/acme/[mycertname] there is a .key file where my parameters have been stored. Except there is a period mysteriously appends to my key name.
When I edit this key file, remove the period and then feed it to nsupdate it works.

I am vexed that Dyn compatibility seems to come and go. Would be willing to beta test new versions if that would be well taken.

clazarowitz

Just wanted to update things. This is still broken in 0.58!
I suspect this is because the team thinks the dyn support is in the dyn section. Well, I know I for one, cannot get a dynid. So I'm stuck with the nsupdate method. Why can't I get a dynid? NO CLUE! I put in my "old" credentials, which I had just logged in with, and it says invalid. I suspect many of us are in the same boat, so PLEASE people, just because you support the new DynID, doesn't mean you've left a bunch of us high and dry!

So, I basically used the script posted above, but for somereason it didn't pull out the keyname. So I added this right below his awk magic
THISNSUPDATE_KEYNAME=awk '{if (NR == 1){ key=substr($2,2,length($2)-3); print key}}' "${THISNSUPDATE_KEY}"
Then, it also didn't include the zone. I'm not sure of the "right way" to get the zone, so here's what I did: ZONE=echo ${fulldomain} | sed 's/_acme-challenge\.//g'
Then I changed the dnsupdate command to dnsupdate -d and added key $THISNSUPDATE_KEYNAME $THISNSUPDATE_KEY
zone $ZONE
This allowed everything to work.

Posting this to help others and provide "cloud" backup of my work :)

piperspace

Recently I got a notice from Oracle. The DYN Standard service I have is being phased out next spring. My option at that time is to migrate to an alternate Oracle product.

My plan is to use up the remaining time on my DYN Standard subscription and then migrate to CloudFlare.

clazarowitz

I got the notice as well, but I have paid domain registrations as well as dyn pro (though I’m not sure I use it anymore...I had originally obtained it so I could do things like device.mysubdomain.dyndns.org...maybe I should audit that.

Regardless, they said it would be “migrated” to an oracle product line. Do they do dns? Or do they mean “rebranded”. Either way, I expect little to change other than eventually...maybe....they’ll fix their dynid bugs :)

piperspace

Just FYI - I have completed migration to Cloudflare’s free service. It includes a DNS which works with Pfsense to handle IP address changes and ACME certificate renewal. No hacking required.

icepic

This may be OBE in a few months, but I just set this up and wanted to pull everything together for Dyn.com ACME updates as I just got it working with info from a number of posts in this thread.

I'm using Version 0.6.5 of the ACME client on 2.4.4-RELEASE-p3 of PFSense.

Dyn.com has 3 products https://help.dyn.com/dyn-dns-products-compared/

Managed DNS - you log in at https://portal.dynect.net/
** "Professional DNS Solution"
Standard DNS - you log in at https://account.dyn.com/
** mange domains, the domain registration recently was migrated to name.com
DynDNS Pro, now just called Dynamic DNS - also at https://account.dyn.com/
** get up to 30 hostnames in prepopulated domains.
The new Oracle Cloud DNS service is completely different.

The "Dyn.com" method only works with Managed DNS.

The nsupdate method works with Standard DNS

server = update.dyndns.com
keyname = see below
Key Algorithm = HMAC-MD5
Key = see below
Zone = your zone to use

You have to get a TSIG key for the keyname and key. The directions are at https://dyn.com/updater/tsig/ and the key itself can be created or updated at https://account.dyn.com/profile/tsig.html

I suspect this will not work for DynDNS Pro as there seems to be no way to create a TXT entry.

Fenil

Hello I am using the pfsense version 2.6.0. I am having still having issue in renewing my dyndns certificate. I am trying to use nsupdate but this what I am having the issue with acme error.PNG acme error1.PNG
I have try all the method that have been post earlier but no luck
I am using dyndns pro service.
Can anyone can write the full script of nsupdate that would be really help full ?

Gertjan

@fenil said in Acme and Dyn:

I am using dyndns pro service.
Can anyone can write the full script of nsupdate that would be really help full ?

dyndns.org pro did : https://help.dyn.com/tsig/

Instead of
update add $HOST.$ZONE 60 A 10.0.0.1
the acme API plugin dns_nsupdate.sh uses :
update add ${fulldomain}. 60 in txt "${txtvalue}"

to add this :

Fenil

@gertjan
Hey man I have contact dyndns pro tech people also and they are saying they cannot accept TXT or API method but they gave me is TSIG key. They only use is nsupdate and I am not able to understand where to make changes property in order to make it work with pfsense.

can we bypass TXT method in pfsense acme ?

Gertjan

@fenil said in Acme and Dyn:

can we bypass TXT method in pfsense acme ?

The method used has been chosen by you.
Because you chose to use "dyndns pro" so you have to the "dyndns pro" method.
As said : see https://help.dyn.com/tsig/ which is a very close approach to the old nsupdate method.

Example : I use my own domain name server (bind), not the ones offered by by registrar (they do offer an API, and an interface has be written, and is present for acme.sh - see many examples here).

when I replace $ZONE, $KEY_NAME $KEY_HMAC with my info, I could add a txt record named "myzone.mydomain.tld" that contains "hello".

[22.05-RELEASE][admin@pfSense.xxxxx-hotel-fumel.net]/root: nsupdate -d
> server ns1.xxxx-hotel-fumel.net
> zone xxxxx-hotel-fumel.net
> key hmac-sha512:update eYQiVAutEEAxxxxxxxxxxxxxxxVoCxOQ/jwBeA10EPeE7vwEdFT11QYs1YhO9zDCaJwzkuZp0w==
> update add myzone.xxxxx-hotel-fumel.net 60 TXT "hello"
> send
Sending update to 2001:41d0:2:927b::3#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46154
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;xxxxx-hotel-fumel.net.          IN      SOA

;; UPDATE SECTION:
myzone.xxxxxxx-hotel-fumel.net. 60 IN      TXT     "hello"

;; TSIG PSEUDOSECTION:
update.                 0       ANY     TSIG    hmac-sha512. 1664436399 300 64 6+N5xxxxxxxxxxxxhRMphgp69wR 2+t+aFdoPsF8plurhcN0Xo4GpMuQsg== 46154 NOERROR 0


Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46154
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;xxxx-hotel-fumel.net.          IN      SOA

;; TSIG PSEUDOSECTION:
update.                 0       ANY     TSIG    hmac-sha512. 1664436399 300 64 IoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLsQunveQ5o hwTwviKjz79jiO8Bdre57PF4zzSlZA== 46154 NOERROR 0

> quit

On my master domain dns server (bind) , I saw :

29-Sep-2022 09:26:39.225 update-security: client @0x7f842439cb60 2001:470:1f12:5c0::2#50387/key update: signer "update" approved
29-Sep-2022 09:26:39.225 update: client @0x7f842439cb60 2001:470:1f12:xxx:2#50387/key update: updating zone 'xxxx-hotel-fumel.net/IN': adding an RR at 'myzone.xxxx-hotel-fumel.net' TXT "hello"

Now, lets dig :

[22.05-RELEASE][admin@pfSense.xxxx-hotel-fumel.net]/root: dig myzone.xxxx-hotel-fumel.net TXT +short
"hello"

The acme.sh dnsapi look like pure rocket science, but the concept is actually simple.
You have to prove to Letsencrypt that you own (== rent) your domain name.
There are several ways to do this, and one is : if you can prove that you can access and modify your domain "zone", Letsencrypt accepts that as a proof. It's this domain name that will get stored in your certificate after all.
And if you also can access the place were, for example, the web server files are placed, you can have that web server use the certificate, so the entire https (TLS) scheme start to work.

Fenil

@gertjan I try the way you explain with the shell command but still it is showing this error

Gertjan

@fenil

Without knowing what dyndns.org uses as a 'TSIG', I suspect it isn't the old and insecure :

are you sure it isn't something like :

like the one I used against my own bind based name server ?

Fenil

@gertjan I have try with both setting and it is still the same.

Fenil

@gertjan Don't Worry I bought different domain name from NO-IP and the certificate started working with it.
Thank you for your help.