Netgate Discussion Forum

    DoH Verification Method

      jb09
      last edited by jb09

      Hi, my firewall was attempting to auto-renew my certificate but produced this error. Running 0.6.5 with Cloudflare, any ideas?

      System Logs:
      Mar 2 03:36:56 ACME [Mon Mar 2 03:36:32 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
      Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] check dns error.
      Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] Please check log file for more details: /tmp/acme/xxxxxxx.com/acme_issuecert.log
      Mar 2 03:36:56 php ACME, Failed to renew certificate for xxxxxxxxx

      ACME Log:

      [Mon Mar  2 03:16:18 EST 2020] Let's check each dns records now. Sleep 20 seconds first.
      [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] _idn_temp
      [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] _idn_temp
      [Mon Mar  2 03:16:38 EST 2020] d='xxxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] txtdomain='_acme-challenge.xxxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] aliasDomain='_acme-challenge.xxxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] txt='xxxx'
      [Mon Mar  2 03:16:38 EST 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_cf.sh'
      [Mon Mar  2 03:16:38 EST 2020] Checking Xxxxx.com for _acme-challenge.xxxxxx.com
      [Mon Mar  2 03:16:38 EST 2020] _c_txtdomain='_acme-challenge.xxxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] _c_aliasdomain='_acme-challenge.Xxxxx.com'
      [Mon Mar  2 03:16:38 EST 2020] _c_txt='Xxxxxx'
      [Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
      [Mon Mar  2 03:16:38 EST 2020] GET
      [Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
      [Mon Mar  2 03:16:38 EST 2020] timeout=
      [Mon Mar  2 03:16:38 EST 2020] Http already initialized.
      [Mon Mar  2 03:16:38 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/xxxxxx.com//http.header  -g '
      [Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
      
        jb09 @jb09
        last edited by

        Resolved, pfBlockerNG was blocking DNS over HTTPS requests (DoH). I don’t recall this being an issue before though, was there a change made in the last 2 months to verify using this method?

          Gertjan
          last edited by

           cloudflare-dns.com was on a list that you selected to be used by pfBlockerNG?

           Edit: and where are the logs??

            jb09 @Gertjan
            last edited by jb09

            @Gertjan I have a custom list of known DoH servers in an attempt to prevent DoH requests bypassing my other rules.

            Feed found here: https://heuristicsecurity.com/dohservers.txt

              jimp Rebel Alliance Developer Netgate
              last edited by

               It can't block DoH, so it blocks either the hostname from being resolved or the IP address that it resolves to (depending on how you set it up).

              So you basically told it to block Cloudflare DNS while you also need to use Cloudflare DNS. You can't have it both ways through the same resolver.

              You could tell pfSense not to use localhost for DNS (Under System > General) but you'd lose some of the benefits of allowing the firewall to use the resolver.

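As an added example (not code from this thread, acme.sh or pfBlockerNG), a small POSIX shell triage that reads an acme_issuecert.log in the shape posted above, pulls out the DNS-over-HTTPS host acme.sh contacted together with the libcurl error code, and checks that host against a pfBlockerNG-style DoH block list, which is exactly the self-inflicted conflict jimp describes. The log lines and the block list are constructed sample data; all file paths are assumptions.

```shell
#!/bin/sh
# Triage helper for the acme.sh / pfBlockerNG DoH conflict from the thread.
# Added example, not acme.sh or pfSense code. Sample inputs are constructed.
set -eu

# Translate the libcurl exit code acme.sh logs into a short reason.
curl_reason() {
  case "$1" in
    6)  echo "could not resolve host" ;;
    7)  echo "could not connect to host" ;;
    28) echo "operation timed out" ;;
    60) echo "TLS peer certificate could not be verified" ;;
    *)  echo "libcurl error $1" ;;
  esac
}

# Print "<host> <code>" for the last URL acme.sh requested before a libcurl
# error line. No output means the log holds no such failure.
acme_last_failure() {
  awk '
    /url=.https?:\/\// { sub(/.*url=.https?:\/\//, ""); sub(/[^A-Za-z0-9.-].*/, ""); host = $0 }
    /for error code: [0-9]+$/ { if (host != "") last = host " " $NF }
    END { if (last != "") print last }
  ' "$1"
}

# Verdict: did acme.sh fail against a host that the DoH block list denies?
# Returns 0 (and prints CONFLICT) when so, 1 otherwise.
acme_doh_conflict() {
  log=$1 blocklist=$2
  set -- $(acme_last_failure "$log")
  [ $# -eq 2 ] || { echo "no libcurl failure found in $log"; return 1; }
  if grep -qix "$1" "$blocklist"; then
    echo "CONFLICT: $1 is on $blocklist; acme.sh failed there with: $(curl_reason "$2")"
    return 0
  fi
  echo "$1 failed with: $(curl_reason "$2"); host is not on $blocklist"
  return 1
}

# Constructed sample data modelled on the thread (not a real log or feed).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/acme_issuecert.log" <<'EOF'
[Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
[Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
[Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
EOF
printf '%s\n' doh.example.net cloudflare-dns.com >"$tmp/dohservers.txt"
acme_doh_conflict "$tmp/acme_issuecert.log" "$tmp/dohservers.txt"
```

Point it at the real /tmp/acme/<domain>/acme_issuecert.log and the feed file pfBlockerNG downloads to confirm the conflict before touching the block list or the resolver settings.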
                Risfold
                last edited by

                 I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above referenced DoT/DoH blocking list. I block the domains and IPs via pfBlockerNG for LAN clients to stop any circumvention of DNS or hard-coded DNS in clients. I alternatively use DoT from unbound in pfSense.

                The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option.

                I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off the use of acme.sh's use of DoH, and return to using the firewall for DNS? I could temporarily disable my blocking of DoH but that would defeat the purpose of automated certificates.

                  Risfold @Risfold
                  last edited by


                   Workaround noted here.

                  add dnssleep time of 180

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.