loop error while issuing a cert
-
Hi pfSense masters, I am currently implementing the pfSense BIND + ACME packages, but I am having an issue
while attempting to issue a certificate for a domain located on my pfSense BIND package. Whenever I hit Issue/Renew
the process gets into a loop, which resulted in the following acmeissuecert log:

[Tue Sep 24 13:49:38 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.
[Tue Sep 24 13:49:38 CDT 2019] _p_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:38 CDT 2019] Cloudflare purge TXT record for domain _acme-challenge.poblacionqueretaro.gob.mx
[Tue Sep 24 13:49:38 CDT 2019] POST
[Tue Sep 24 13:49:38 CDT 2019] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
[Tue Sep 24 13:49:38 CDT 2019] body
[Tue Sep 24 13:49:38 CDT 2019] _postContentType
[Tue Sep 24 13:49:38 CDT 2019] Http already initialized.
[Tue Sep 24 13:49:38 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
[Tue Sep 24 13:49:39 CDT 2019] _ret='0'
[Tue Sep 24 13:49:39 CDT 2019] response='Purge request queued. Please wait a few seconds and verify the request was successful.'
[Tue Sep 24 13:49:46 CDT 2019] Let's wait 10 seconds and check again.
[Tue Sep 24 13:49:49 CDT 2019] Let's wait 10 seconds and check again.
[Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] _idn_temp
[Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] _idn_temp
[Tue Sep 24 13:49:56 CDT 2019] d='poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] aliasDomain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
[Tue Sep 24 13:49:56 CDT 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
[Tue Sep 24 13:49:56 CDT 2019] Checking poblacionqueretaro.gob.mx for _acme-challenge.poblacionqueretaro.gob.mx
[Tue Sep 24 13:49:56 CDT 2019] _c_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] _c_aliasdomain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] _c_txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
[Tue Sep 24 13:49:56 CDT 2019] _ns_ep='https://cloudflare-dns.com/dns-query'
[Tue Sep 24 13:49:56 CDT 2019] _ns_domain='_acme-challenge.poblacionqueretaro.gob.mx'
[Tue Sep 24 13:49:56 CDT 2019] _ns_type='TXT'
[Tue Sep 24 13:49:56 CDT 2019] GET
[Tue Sep 24 13:49:56 CDT 2019] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
[Tue Sep 24 13:49:56 CDT 2019] timeout=
[Tue Sep 24 13:49:56 CDT 2019] Http already initialized.
[Tue Sep 24 13:49:56 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
[Tue Sep 24 13:49:56 CDT 2019] ret='0'
[Tue Sep 24 13:49:56 CDT 2019] response='{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16}],"Answer":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""}]}'
[Tue Sep 24 13:49:56 CDT 2019] _answers='"Answer":[
"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""
]'
[Tue Sep 24 13:49:56 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.

I used the DNSSEC option on the zone so I can get my MD5 code for issuing a cert, but I am not sure if my configuration is correct. My zone has the following options selected.
Many thanks in advance; I hope someone could help me figure this out.
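The check that acme.sh is looping on is visible in the log above: the Cloudflare DoH lookup of _acme-challenge.poblacionqueretaro.gob.mx returns a TXT value of "a", while the token acme.sh just asked dns_nsupdate.sh to publish is C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU, so "Not valid yet" repeats until the timeout. The following is an added example written for this thread, not code from the pfSense ACME package or from the original poster. It performs no network lookups: the DoH responses are constructed to match the shape of the one in the log, and the nsupdate batch shows what an RFC 2136 update for the token should look like (the server address 192.0.2.53 is a placeholder; the "update delete" line is this example's own addition, to clear stale values).

```python
import json

# Constructed sample data (not a live query): the token is the one acme.sh
# logged as txt=..., the responses imitate the RFC 8484 JSON that
# https://cloudflare-dns.com/dns-query returns.
EXPECTED_TXT = "C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU"
CHALLENGE_NAME = "_acme-challenge.poblacionqueretaro.gob.mx"


def doh_response(txt_rdata_list):
    """Build a DoH JSON document whose Answer section carries the given TXT rdata."""
    return json.dumps({
        "Status": 0,
        "Question": [{"name": CHALLENGE_NAME + ".", "type": 16}],
        "Answer": [{"name": CHALLENGE_NAME + ".", "type": 16, "TTL": 10, "data": d}
                   for d in txt_rdata_list],
    })


BAD_RESPONSE = doh_response(['"a"'])                    # what the log shows
GOOD_RESPONSE = doh_response(['"' + EXPECTED_TXT + '"'])  # what it should show
EMPTY_RESPONSE = doh_response([])                        # record not present at all


def parse_txt_rdata(rdata):
    """Turn TXT rdata in presentation form ('"part1" "part2"') into one string.

    Adjacent quoted <character-string>s are concatenated, backslash escapes
    inside the quotes are honoured, and an unquoted token is kept as is.
    """
    parts, i, n = [], 0, len(rdata)
    while i < n:
        c = rdata[i]
        if c == '"':
            i += 1
            buf = []
            while i < n and rdata[i] != '"':
                if rdata[i] == "\\" and i + 1 < n:
                    i += 1  # escaped character: take the next char literally
                buf.append(rdata[i])
                i += 1
            i += 1  # skip the closing quote
            parts.append("".join(buf))
        elif c.isspace():
            i += 1
        else:
            j = i
            while j < n and not rdata[j].isspace():
                j += 1
            parts.append(rdata[i:j])
            i = j
    return "".join(parts)


def txt_values(doh_json):
    """All TXT (type 16) values in the Answer section of a DoH JSON response."""
    doc = json.loads(doh_json)
    return [parse_txt_rdata(rr["data"])
            for rr in doc.get("Answer", []) if rr.get("type") == 16]


def check_challenge(doh_json, expected):
    """Same decision acme.sh makes: 'valid' only if the token is among the TXT values."""
    values = txt_values(doh_json)
    if expected in values:
        return "valid"
    return "missing" if not values else "mismatch"


def nsupdate_batch(server, name, token, ttl=60):
    """nsupdate commands that publish the token over RFC 2136 (assumed shape;
    compare with /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh on the firewall).
    The 'update delete' is this example's addition so a stale value like "a"
    cannot linger next to the real token."""
    return "\n".join([
        f"server {server} 53",
        f"update delete {name}. TXT",
        f'update add {name}. {ttl} IN TXT "{token}"',
        "send",
        "",
    ])


if __name__ == "__main__":
    for label, resp in [("log", BAD_RESPONSE), ("expected", GOOD_RESPONSE),
                        ("empty", EMPTY_RESPONSE)]:
        print(f"{label:8s} TXT={txt_values(resp)!r:50s} -> {check_challenge(resp, EXPECTED_TXT)}")
    print(nsupdate_batch("192.0.2.53", CHALLENGE_NAME, EXPECTED_TXT))
```

Run it against a real answer by pasting the JSON from the log's response= line into check_challenge: a result of "mismatch" means the update never reached the zone that Cloudflare is resolving from (wrong server, key rejected, or a different zone file than the one the public NS serves), while "missing" means the name itself is not being published. Feed the nsupdate batch to nsupdate -k with the TSIG key by hand and re-query; if the value still reads "a", the update is being refused before any ACME logic is involved.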
-
@La6er said in loop error while issuing a cert:
poblacionqxxxxxxtaro.gob.mx
DNSSEC is not working for your domain: check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/
Example: http://dnsviz.net/d/papy-team.org/dnssec/
Btw: you are updating against Cloudflare, and using "bind" locally. Why? Is bind a master name server for your zone? Slave name server? I don't understand the relation.
Edit: I looked at your message again.
Your 'bind' is set up as a master for your domain... but you disallow zone transfers. Wtf??
How can a slave sync then? Do you have just one name server for your domain? That can't be true; you break everything then, 2 is the minimum.
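An illustration of the two points raised in this reply, written for this thread and not taken from the poster's configuration or from the pfSense BIND package (which generates named.conf from its GUI fields, so the equivalent settings live in the zone's Allow-transfer and update options there): a primary zone that transfers only to one named secondary, and an ACME TSIG key that is allowed to change nothing except the _acme-challenge TXT record. The zone name, addresses, file path and key names are placeholders.

```conf
// TSIG key used by the ACME nsupdate client (generate with: tsig-keygen acme-update).
// BIND still accepts hmac-md5, but hmac-sha256 is the better choice for a new key.
key "acme-update" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

// Separate key for the secondary's zone transfers; never reuse the ACME key here.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

zone "example.org" IN {
    type master;
    file "/path/to/master/example.org.db";

    // The secondary (198.51.100.2) pulls the zone with a signed AXFR/IXFR;
    // everyone else is refused, which is what "disallow transfers" should mean.
    allow-transfer { key xfer-key; };
    also-notify { 198.51.100.2; };

    // Least privilege for the certificate workflow: the ACME key may add or
    // delete TXT at the challenge name and nothing else in the zone.
    update-policy {
        grant acme-update name _acme-challenge.example.org. TXT;
    };
};
```

With this in place the secondary stays in sync, a validator that reaches either name server sees the same _acme-challenge record, and a leaked ACME key cannot be used to rewrite A or MX records for the domain.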