Using ACME with Bind9 package and Cloudflare
-
Maybe this is a bit of a dumb 'question' but I am trying to get my ACME (Letsencrypt) working within my homelab.
What I am trying to accomplish is that I have a private domain called 'lab.nl' which is being hosted by the Bind9 package that has been installed via PFsense.
I am trying to get letsencrypt certificates to certain hosts via PFsense so I have a central certificate manager, but for some reason this does not work. I followed this instruction: https://crepaldi.us/2020/06/25/issuing-lets-encrypt-certificates-on-your-pfsense-using-acme/
And it does add the TXT record to the Cloudflare DNS (Where I also created the lab.nl domain to verify for the letsencrypt certificates).
But for some reason I get this:
Which is strange as the TXT record is being created within the Cloudflare DNS...
The tokens/api keys are all in the right place, but for some reason it does not want to work. Did someone have a similar error? If so, how did you resolve this?
Or if someone has an alternative to this, then please let me know as well :) -
Why use bind locally?
acme uses its API (which one?) to communicate with the "master DNS" of your zone.
That must be one of these 3:
Domain nameservers: ns1.openprovider.nl ns2.openprovider.be ns3.openprovider.eu
Are these Cloudflare DNS servers?
Strange, they are all in the same AS....
@appollonius333 said in Using ACME with Bind9 package and Cloudflare:
Which is strange as the TXT record is being created within the Cloudflare DNS...
The acme script created a record, but got a no-go result.
Look here for more info :
-
Thanks for your reply, I use BIND as local DNS as I might need it in the future as well for DNS handling.
This is the log within acme_issuecert.log:
[Mon Mar 29 12:09:56 CEST 2021] Not valid yet, let's wait 10 seconds and check next one.
[Mon Mar 29 12:09:56 CEST 2021] _p_txtdomain='_acme-challenge.firewall.lab.nl'
[Mon Mar 29 12:09:56 CEST 2021] Cloudflare purge TXT record for domain _acme-challenge.firewall.lab.nl
[Mon Mar 29 12:09:56 CEST 2021] POST
[Mon Mar 29 12:09:56 CEST 2021] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.firewall.lab.nl&type=TXT'
[Mon Mar 29 12:09:56 CEST 2021] body
[Mon Mar 29 12:09:56 CEST 2021] _postContentType
[Mon Mar 29 12:09:56 CEST 2021] Http already initialized.
[Mon Mar 29 12:09:56 CEST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/Firewall//http.header '
[Mon Mar 29 12:09:57 CEST 2021] _ret='0'
[Mon Mar 29 12:09:57 CEST 2021] response='{"msg":"Purge request queued. Please wait a few seconds and verify the request was successful."}'
For some reason it is not able to purge the TXT record from the cloudflare DNS; it can add it successfully but not purge it when it has been validated..
-
I believe the certificates are being created, but the TXT records cannot be removed somehow..
Aha I believe I now see the error which you mentioned above as well:
[Mon Mar 29 13:21:35 CEST 2021] response='{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"_acme-challenge.firewall.lab.nl","type":16}],"Authority":[{"name":"lab.nl","type":6,"TTL":3600,"data":"ns1.openprovider.nl. dns.openprovider.eu. 2020062402 10800 3600 604800 3600"}]}'
[Mon Mar 29 13:21:35 CEST 2021] _answers
[Mon Mar 29 13:21:35 CEST 2021] Not valid yet, let's wait 10 seconds and check next one.
[Mon Mar 29 13:21:35 CEST 2021] _p_txtdomain='_acme-challenge.firewall.lab.nl'
[Mon Mar 29 13:21:35 CEST 2021] Cloudflare purge TXT record for domain _acme-challenge.firewall.lab.nl
[Mon Mar 29 13:21:35 CEST 2021] POST
[Mon Mar 29 13:21:35 CEST 2021] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.firewall.lab.nl&type=TXT'
[Mon Mar 29 13:21:35 CEST 2021] body
[Mon Mar 29 13:21:35 CEST 2021] _postContentType
[Mon Mar 29 13:21:35 CEST 2021] Http already initialized.
[Mon Mar 29 13:21:35 CEST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/Firewall//http.header '
[Mon Mar 29 13:21:36 CEST 2021] _ret='0'
[Mon Mar 29 13:21:36 CEST 2021] response='{"msg":"Purge request queued. Please wait a few seconds and verify the request was successful."}'
It is indeed referring to ns1.openprovider.nl. I think this has to be a Cloudflare name server? But then again, why does it use these DNS providers instead of Cloudflare?
-
@appollonius333 said in Using ACME with Bind9 package and Cloudflare:
It is indeed referring to ns1.openprovider.nl I think this has to be a Cloudflare name server? But then again why does it use these DNS providers instead of cloudflare?
Because it asks the SOA for lab.net.
Like: dig lab.nl SOA +short
The 3 DNS servers are listed by the registrar.
You can and should change them for the Cloudflare DNS servers. Login with the registrar's GUI, there where you have the domain name, and change the DNS servers.
Or: why not use the API that this opendsn.xx is using, if they offer you such access to the DNS subsystem (why do business with Cloudflare anyway).
-
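The point made above, that acme.sh locates the zone by asking for the SOA and then checks the public resolver for the TXT record, can be verified by hand. The log in the earlier post is a DoH JSON answer with Status 3 (NXDOMAIN) whose Authority section carries the SOA of lab.nl served by ns1.openprovider.nl. The script below is an added example, not code from the thread or from acme.sh: it parses such a response, says whether the expected challenge token is visible, and when the answer is negative reports which zone and primary name server actually answered. The NXDOMAIN sample is the JSON from the log above; the success sample, the token value and the helper names are constructed. The live query function uses Cloudflare's public DoH JSON endpoint (https://cloudflare-dns.com/dns-query with accept: application/dns-json) and is not exercised by the embedded samples.

```python
import json
import urllib.request
from urllib.parse import urlencode

# DNS RCODE values as they appear in the "Status" field of a DoH JSON answer.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA = 6
TYPE_TXT = 16


def classify_challenge_response(doh_json, expected_txt):
    """Interpret a DoH JSON answer for an _acme-challenge TXT lookup.

    Returns a dict with the symbolic rcode, the TXT strings seen, whether the
    expected token is among them, and, for a negative answer, the zone apex and
    primary name server (SOA MNAME) that produced it.
    """
    resp = json.loads(doh_json) if isinstance(doh_json, str) else doh_json
    status = resp.get("Status", -1)
    rcode = RCODE_NAMES.get(status, "RCODE%d" % status)

    # DoH JSON returns TXT data wrapped in double quotes; strip them before comparing.
    txt_values = [rr["data"].strip('"')
                  for rr in resp.get("Answer", [])
                  if rr.get("type") == TYPE_TXT]

    # A negative answer carries the zone's SOA in the Authority section. Its owner
    # name is the zone that answered, and the first field of its data is the MNAME.
    zone = primary_ns = None
    for rr in resp.get("Authority", []):
        if rr.get("type") == TYPE_SOA:
            zone = rr["name"].rstrip(".")
            primary_ns = rr["data"].split()[0].rstrip(".")
            break

    validated = expected_txt in txt_values
    if validated:
        diagnosis = "challenge TXT is visible on the public resolver"
    elif rcode == "NXDOMAIN":
        diagnosis = ("name does not exist in zone %r (primary %r); the record was "
                     "created at a DNS provider that public DNS does not delegate to"
                     % (zone, primary_ns))
    elif rcode == "NOERROR":
        diagnosis = "name exists but the expected token is not present (stale cache or wrong record)"
    else:
        diagnosis = "lookup failed with %s" % rcode

    return {"rcode": rcode, "txt_values": txt_values, "validated": validated,
            "zone": zone, "primary_ns": primary_ns, "diagnosis": diagnosis}


def live_query_txt(name, resolver="https://cloudflare-dns.com/dns-query"):
    """Fetch a TXT lookup as DoH JSON (network access required; not used by the samples)."""
    url = "%s?%s" % (resolver, urlencode({"name": name, "type": "TXT"}))
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


# Sample 1: the NXDOMAIN answer quoted in the thread's acme_issuecert.log.
NXDOMAIN_SAMPLE = ('{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,'
                   '"Question":[{"name":"_acme-challenge.firewall.lab.nl","type":16}],'
                   '"Authority":[{"name":"lab.nl","type":6,"TTL":3600,'
                   '"data":"ns1.openprovider.nl. dns.openprovider.eu. 2020062402 10800 3600 604800 3600"}]}')

# Sample 2: a constructed success answer with a made-up challenge token.
EXPECTED_TOKEN = "constructed-token-value"
SUCCESS_SAMPLE = ('{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
                  '"Question":[{"name":"_acme-challenge.firewall.example.net","type":16}],'
                  '"Answer":[{"name":"_acme-challenge.firewall.example.net","type":16,"TTL":120,'
                  '"data":"\\"constructed-token-value\\""}]}')

if __name__ == "__main__":
    for sample in (NXDOMAIN_SAMPLE, SUCCESS_SAMPLE):
        result = classify_challenge_response(sample, EXPECTED_TOKEN)
        print(result["rcode"], "-", result["diagnosis"])
```

Run as-is it only evaluates the two embedded samples; to check a real host, call live_query_txt('_acme-challenge.host.your-domain') and pass the result to classify_challenge_response together with the token acme.sh logged. A NXDOMAIN with a SOA from a name server you did not expect is exactly the situation in this thread: the TXT record went to one provider while the registrar delegates the zone to another.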
@gertjan said in Using ACME with Bind9 package and Cloudflare:
dig lab.nl SOA +short
Well, lab.nl is not a registered domain, it is a domain within my local LAN. I do have another domain which is registered at OVH, but lab.nl is not registered anywhere but my private LAN.
-
@appollonius333 said in Using ACME with Bind9 package and Cloudflare:
Well lab.nl is not a registered domain, it is a domain within my local lan
In that case you can't ask Letsencrypt for a cert.
edit : neither any other cert broker.
See here: https://letsencrypt.org/about/
The very first one, where they say it's "free":
Free: Anyone who owns a domain name can use Let's Encrypt to obtain a trusted certificate at zero cost.
You'll be needing a domain name registered (and these are never free) with a registrar, so they can 'expose' at least two name servers (they could be yours btw).
Btw: acme has an API that can access the OVH API to handle the cert request.
-
@gertjan Ahh well, that's a shame, I think I'll have to use my own domain then for my homelab. You think it will do any harm to use a public domain for my private network? I hear people saying yes because it increases your attack surface, but others also say no because they do not know where the 'domain' is aiming to. Also nobody knows the domain except me.
-
@appollonius333 said in Using ACME with Bind9 package and Cloudflare:
You think it will do any harm to use a public domain for my private network?
As long as you own (= rent) the domain name: you have no choice.
You can only ask for certs for domain names for which you can prove that you control them.
@appollonius333 said in Using ACME with Bind9 package and Cloudflare:
I hear people saying yes because it increases your attack surface but others also say no because they do not know where the 'domain' is aiming to. Also nobody knows the domain exempt me.
Yeah, there are also people that want phones without numbers.
And cars without licence plates.
Etc.
If you want to use a public 'thing', you have to conform to the usage rules of the public thing.
IP addresses and host names can't really be hidden.
Asking a cert from Letsencrypt for a domain name doesn't make that domain name publicly known, although it will figure on yet another (huge!) list ^^
Your domain name doesn't have to point to the IP of your WAN, or something like that.
But that's what I'm doing:
I have this my-domaine.net that I'm actually using just for my LAN, like pfSense, my NASes, printers and such. I'm not really using this domain name on the net. I have acme.sh asking for a wildcard cert, so I can create host names with a cert like
pfsense.my-domaine.net, nas.my-domaine.net, printer1.my-domaine.net, printer2.my-domaine.net, airco.my-domaine.net etc. Now all these devices have https access.
I did create a sub domain like home.my-domaine.net on the name server (my own 'bind' based name servers) on the internet, have this sub domain pointing to my WAN IP (using DDNS if it's not static) so I can access my pfSense from elsewhere, using OpenVPN. This is what I'm doing (and not related to acme).
Btw : lab.nl is a domain that is owned (rented) by some one. You can't use it.
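The wildcard setup described in the post above covers pfsense.my-domaine.net, nas.my-domaine.net and so on, but a wildcard name on a certificate matches exactly one label, so it does not cover the apex or a host two levels down. The snippet below is an added example, not code from the thread: it applies the DNS name matching rules of RFC 6125 section 6.4.3 (kept in RFC 9525) to a list of hostnames and reports which ones a given set of certificate SANs covers. The domain, hostnames and SAN lists are constructed; the function names are the example's own.

```python
def wildcard_covers(san, hostname):
    """Return True if the certificate DNS name `san` covers `hostname`.

    Rules (RFC 6125 sec. 6.4.3): comparison is case-insensitive; a '*' is only
    accepted as the entire left-most label; it matches exactly one label, so it
    covers neither the zone apex nor names with an additional label.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards ("f*.example") and wildcards outside the first label.
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_coverage(san_list, hostnames):
    """Split hostnames into (covered, uncovered) for a certificate with these SANs."""
    covered, uncovered = [], []
    for host in hostnames:
        if any(wildcard_covers(san, host) for san in san_list):
            covered.append(host)
        else:
            uncovered.append(host)
    return covered, uncovered


# Constructed LAN inventory in the style of the post above.
LAN_HOSTS = ["pfsense.my-domaine.net", "nas.my-domaine.net", "printer1.my-domaine.net",
             "home.my-domaine.net", "my-domaine.net", "cam1.home.my-domaine.net"]

if __name__ == "__main__":
    for sans in (["*.my-domaine.net"], ["*.my-domaine.net", "my-domaine.net"]):
        ok, missing = cert_coverage(sans, LAN_HOSTS)
        print("SANs", sans)
        print("  covered:  ", ok)
        print("  uncovered:", missing)
```

If the apex or a deeper level such as home.my-domaine.net's own hosts need https too, add "my-domaine.net" or "*.home.my-domaine.net" to the same acme.sh order; the dns-01 challenge is the only method that permits wildcard names.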