Netgate Discussion Forum

    Using ACME with Bind9 package and Cloudflare

    ACME, 9 posts, 2 posters

    appollonius333:

      Maybe this is a bit of a dumb 'question', but I am trying to get my ACME (Let's Encrypt) working within my homelab.
      What I am trying to accomplish is that I have a private domain called 'lab.nl' which is being hosted by the Bind9 package that has been installed via pfSense.
      I am trying to get Let's Encrypt certificates to certain hosts via pfSense so I have a central certificate manager, but for some reason this does not work.

      I followed this instruction https://crepaldi.us/2020/06/25/issuing-lets-encrypt-certificates-on-your-pfsense-using-acme/
      And it does add the TXT record to the Cloudflare DNS (where I also created the lab.nl domain to verify for the Let's Encrypt certificates).
      But for some reason I get this:
      [screenshot]

      Which is strange, as the TXT record is being created within the Cloudflare DNS...
      The tokens/API keys are all in the right place, but for some reason it does not want to work.

      Did someone have a similar error? If so, how did you resolve this?
      Or if someone has an alternative to this, then please let me know as well :)

      Gertjan (replying to appollonius333):

        Why use bind locally?

        acme uses its API (which one?) to communicate with the "master DNS" of your zone.
        That must be one of these 3:

        Domain nameservers:
           ns1.openprovider.nl
           ns2.openprovider.be
           ns3.openprovider.eu

        Are these Cloudflare DNSs?
        Strange, they are all in the same AS....

        @appollonius333 said in Using ACME with Bind9 package and Cloudflare:

        Which is strange, as the TXT record is being created within the Cloudflare DNS...

        [screenshot]

        The acme script created a record, but got a no-go result.

        Look here for more info:

        [screenshot]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        appollonius333 (replying to Gertjan):

          @gertjan

          Thanks for your reply, I use BIND as local DNS as I might need it in the future as well for DNS handling.

          This is the log within acme_issuecert.log:

          [Mon Mar 29 12:09:56 CEST 2021] Not valid yet, let's wait 10 seconds and check next one.
          [Mon Mar 29 12:09:56 CEST 2021] _p_txtdomain='_acme-challenge.firewall.lab.nl'
          [Mon Mar 29 12:09:56 CEST 2021] Cloudflare purge TXT record for domain _acme-challenge.firewall.lab.nl
          [Mon Mar 29 12:09:56 CEST 2021] POST
          [Mon Mar 29 12:09:56 CEST 2021] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.firewall.lab.nl&type=TXT'
          [Mon Mar 29 12:09:56 CEST 2021] body
          [Mon Mar 29 12:09:56 CEST 2021] _postContentType
          [Mon Mar 29 12:09:56 CEST 2021] Http already initialized.
          [Mon Mar 29 12:09:56 CEST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/Firewall//http.header '
          [Mon Mar 29 12:09:57 CEST 2021] _ret='0'
          [Mon Mar 29 12:09:57 CEST 2021] response='{"msg":"Purge request queued. Please wait a few seconds and verify the request was successful."}'
          For some reason it is not able to purge the TXT record from the Cloudflare DNS; it can add it successfully but not purge it when it has been validated..

          appollonius333:

            I believe the certificates are being created, but the TXT records cannot be removed somehow..
            [screenshot]

            Aha, I believe I now see the error which you mentioned above as well:

            [Mon Mar 29 13:21:35 CEST 2021] response='{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"_acme-challenge.firewall.lab.nl","type":16}],"Authority":[{"name":"lab.nl","type":6,"TTL":3600,"data":"ns1.openprovider.nl. dns.openprovider.eu. 2020062402 10800 3600 604800 3600"}]}'
            [Mon Mar 29 13:21:35 CEST 2021] _answers
            [Mon Mar 29 13:21:35 CEST 2021] Not valid yet, let's wait 10 seconds and check next one.
            [Mon Mar 29 13:21:35 CEST 2021] _p_txtdomain='_acme-challenge.firewall.lab.nl'
            [Mon Mar 29 13:21:35 CEST 2021] Cloudflare purge TXT record for domain _acme-challenge.firewall.lab.nl
            [Mon Mar 29 13:21:35 CEST 2021] POST
            [Mon Mar 29 13:21:35 CEST 2021] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.firewall.lab.nl&type=TXT'
            [Mon Mar 29 13:21:35 CEST 2021] body
            [Mon Mar 29 13:21:35 CEST 2021] _postContentType
            [Mon Mar 29 13:21:35 CEST 2021] Http already initialized.
            [Mon Mar 29 13:21:35 CEST 2021] _CURL='curl -L --silent --dump-header /tmp/acme/Firewall//http.header '
            [Mon Mar 29 13:21:36 CEST 2021] _ret='0'
            [Mon Mar 29 13:21:36 CEST 2021] response='{"msg":"Purge request queued. Please wait a few seconds and verify the request was successful."}'

            It is indeed referring to ns1.openprovider.nl. I think this has to be a Cloudflare name server? But then again, why does it use these DNS providers instead of Cloudflare?

            Gertjan (replying to appollonius333):

              @appollonius333 said in Using ACME with Bind9 package and Cloudflare:

              It is indeed referring to ns1.openprovider.nl. I think this has to be a Cloudflare name server? But then again, why does it use these DNS providers instead of Cloudflare?

              Because it asks the SOA for lab.net.
              Like

              dig lab.nl SOA +short

              The 3 DNS servers are listed by the registrar.
              You can and should change them to the Cloudflare DNS servers. Log in with the registrar's GUI, where you have the domain name, and change the DNS servers.

              Or: why not use the API that this opendsn.xx is using, if they offer you such access to the DNS subsystem (why do business with Cloudflare anyway).

              appollonius333 (replying to Gertjan):
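An added diagnostic, not code from this thread or from acme.sh, that reads the cloudflare-dns.com JSON answer quoted in the log above and says why the TXT check fails: when the Authority section carries an SOA whose primary server is outside the provider the record was written to, the public zone is simply not the one being edited (here openprovider versus Cloudflare). The two responses are constructed samples, and the assumption that Cloudflare-hosted zones answer from servers under cloudflare.com is mine.

```python
import json

# Constructed sample, matching in shape the cloudflare-dns.com JSON answer acme.sh logged in
# this thread: RCODE 3 (NXDOMAIN) and an SOA in Authority naming openprovider, not Cloudflare.
SAMPLE_DOH_NXDOMAIN = json.dumps({
    "Status": 3, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "_acme-challenge.firewall.lab.nl", "type": 16}],
    "Authority": [{"name": "lab.nl", "type": 6, "TTL": 3600,
                   "data": "ns1.openprovider.nl. dns.openprovider.eu. 2020062402 10800 3600 604800 3600"}],
})

# Constructed sample of the answer you want to see: the challenge TXT is visible on the public zone.
SAMPLE_DOH_OK = json.dumps({
    "Status": 0,
    "Question": [{"name": "_acme-challenge.firewall.lab.nl", "type": 16}],
    "Answer": [{"name": "_acme-challenge.firewall.lab.nl", "type": 16, "TTL": 120,
                "data": "\"constructed-challenge-token\""}],
})

# Assumption: authoritative servers of a Cloudflare-hosted zone have names under cloudflare.com.
EXPECTED_NS_SUFFIX = ".cloudflare.com"

def diagnose_dns01_lookup(doh_json_text, expected_ns_suffix=EXPECTED_NS_SUFFIX):
    """Classify a DoH JSON answer for an _acme-challenge TXT query.

    verdict is 'ok' when a TXT answer is present, 'wrong_zone' when the SOA in the
    Authority section names a primary server outside the provider the record was
    written to, and 'not_yet' when the SOA matches (ordinary propagation delay).
    """
    resp = json.loads(doh_json_text)
    txt_answers = [rr for rr in resp.get("Answer", []) if rr.get("type") == 16]
    soa = next((rr for rr in resp.get("Authority", []) if rr.get("type") == 6), None)
    result = {"rcode": resp.get("Status"), "txt_answers": len(txt_answers),
              "zone": None, "primary_ns": None, "verdict": "not_yet"}
    if txt_answers:
        result["verdict"] = "ok"
    elif soa is not None:
        # SOA RDATA is "MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM"; MNAME is the primary.
        mname = soa["data"].split()[0].rstrip(".").lower()
        result["zone"] = soa["name"].rstrip(".").lower()
        result["primary_ns"] = mname
        if not mname.endswith(expected_ns_suffix):
            result["verdict"] = "wrong_zone"
    return result

if __name__ == "__main__":
    for sample in (SAMPLE_DOH_NXDOMAIN, SAMPLE_DOH_OK):
        print(diagnose_dns01_lookup(sample))
```

A 'wrong_zone' verdict means fixing API keys will not help; the delegation at the registrar (the `dig lab.nl SOA +short` check above) is what has to change.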

                @gertjan said in Using ACME with Bind9 package and Cloudflare:

                dig lab.nl SOA +short

                Well, lab.nl is not a registered domain; it is a domain within my local LAN. I do have another domain which is registered at OVH, but lab.nl is not registered anywhere but my private LAN.

                Gertjan (replying to appollonius333):

                  @appollonius333 said in Using ACME with Bind9 package and Cloudflare:

                  Well, lab.nl is not a registered domain; it is a domain within my local LAN

                  In that case you can't ask Let's Encrypt for a cert.
                  Edit: nor any other cert broker.
                  See here https://letsencrypt.org/about/

                  The very first one, where they say it's "free":

                  Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.

                  You'll be needing a domain name registered (and these are never free) with a registrar, so they can 'expose' at least two name servers (they could be yours, btw).

                  Btw: acme has an API that can access the OVH API to handle the cert request.

                  appollonius333 (replying to Gertjan):

                    @gertjan Ahh well, that's a shame. I think I'll have to use my own domain then for my homelab. Do you think it will do any harm to use a public domain for my private network? I hear people saying yes because it increases your attack surface, but others also say no because they do not know where the 'domain' is aiming to. Also, nobody knows the domain except me.

                    Gertjan (replying to appollonius333):

                      @appollonius333 said in Using ACME with Bind9 package and Cloudflare:

                      Do you think it will do any harm to use a public domain for my private network?

                      As long as you own (= rented) the domain name: you have no choice.
                      You can only ask for certs for domain names that you can prove you control.

                      @appollonius333 said in Using ACME with Bind9 package and Cloudflare:

                      I hear people saying yes because it increases your attack surface, but others also say no because they do not know where the 'domain' is aiming to. Also, nobody knows the domain except me.

                      Yeah, there are also people that want phones without numbers.
                      And cars without licence plates.
                      Etc.
                      If you want to use a public 'thing', you have to conform to the usage rules of the public thing.
                      IP addresses and host names can't really be hidden.

                      Asking for a cert from Let's Encrypt for a domain name doesn't make that domain name publicly known, although it will figure on yet another (huge!) list ^^

                      Your domain name doesn't have to point to the IP of your WAN, or something like that.
                      But that's what I'm doing:
                      I have this my-domaine.net that I'm actually using just for my LAN, like pfSense, my NASes, printers and such. I'm not really using this domain name on the net. I have acme.sh asking for a wildcard cert, so I can create host names with a cert like
                      pfsense.my-domaine.net, nas.my-domaine.net, printer1.my-domaine.net, printer2.my-domaine.net, airco.my-domaine.net etc. Now all these devices have https access.

                      I did create a sub domain like home.my-domaine.net on the name server (my own 'bind' based name servers) on the internet, and have this sub domain pointing to my WAN IP (using DDNS if it's not static) so I can access my pfSense from elsewhere, using OpenVPN. This is what I'm doing (and not related to acme).

                      Btw: lab.nl is a domain that is owned (rented) by someone. You can't use it.
