Netgate Discussion Forum

Let´s Encrypt Error with nsupdate

Category: ACME. 7 posts, 3 posters, 5.7k views.
  ms-kassel (May 11, 2017, 5:41 AM; last edited May 11, 2017, 5:44 AM)

    Hello,

    We installed pfSense 2.3.4 with the latest ACME package, 0.1.16. This is our first try with nsupdate and the ACME Let's Encrypt script. I guess the package and the script are working fine, as I know that hundreds of correctly working installations are out there.

    First of all, I verified our key by using it manually with nsupdate. I was able to add new TXT records to my domain. So I pasted the key into the GUI and renewed the certificate. This ends with the error "wrong domainkey".

    After hours of testing and troubleshooting I took a look at:

    [Tue May  9 09:23:55 CEST 2017] 5:NSUPDATE_KEY='/tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate_acme-challenge.gw.edu.ksan.de.key'

    I think this is my problem, because the file always shows the wrong bit size: "_acme-challenge.gw.edu.ksan.de IN KEY 513 3 157 <key>". It always adds +1 at the end of the bit size. I think the correct output should be "_acme-challenge.gw.edu.ksan.de IN KEY 512 3 157 <key>". If you change from an HMAC-MD5 host key to HMAC-SHA256, the file generates the line with 257 bits instead of 256. So what is wrong?

    Regards
    Markus

    acme_issuecert.log:

    [Tue May  9 09:23:55 CEST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue May  9 09:23:55 CEST 2017] dns_nsupdate_add exists=0
    [Tue May  9 09:23:55 CEST 2017] APP
    [Tue May  9 09:23:55 CEST 2017] 4:NSUPDATE_SERVER='80.69.207.90'
    [Tue May  9 09:23:55 CEST 2017] APP
    [Tue May  9 09:23:55 CEST 2017] 5:NSUPDATE_KEY='/tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate_acme-challenge.gw.edu.ksan.de.key'
    [Tue May  9 09:23:55 CEST 2017] adding _acme-challenge.gw.edu.ksan.de. 60 in txt "mBZW1-W7oiGV-wSgzUTsB5_yYsgOtlp5pYh69TEgu1k"
    [Tue May  9 09:23:55 CEST 2017] error updating domain
    [Tue May  9 09:23:55 CEST 2017] Error add txt for domain:_acme-challenge.gw.edu.ksan.de
    [Tue May  9 09:23:55 CEST 2017] pid
    [Tue May  9 09:23:55 CEST 2017] No need to restore nginx, skip.
    [Tue May  9 09:23:55 CEST 2017] _clearupdns
    [Tue May  9 09:23:55 CEST 2017] Dns not added, skip.
    [Tue May  9 09:23:55 CEST 2017] _on_issue_err
    [Tue May  9 09:23:55 CEST 2017] Please check log file for more details: /tmp/acme/gw.edu.ksan.de/acme_issuecert.log

    GUI message when renewing the certificate:

    gw.edu.ksan.de
    Renewing certificate
    account: test
    server: letsencrypt-staging

    /usr/local/pkg/acme/acme.sh --issue -d 'gw.edu.ksan.de' --home '/tmp/acme/gw.edu.ksan.de/' --accountconf '/tmp/acme/gw.edu.ksan.de/accountconf.conf' --force --reloadCmd '/tmp/acme/gw.edu.ksan.de/reloadcmd.sh' --dns 'dns_nsupdate' --log-level 3 --log '/tmp/acme/gw.edu.ksan.de/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [NSUPDATE_SERVER] => /tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate
    [NSUPDATE_KEYTYPE] => host
    [NSUPDATE_KEYALGO] => 157
    [NSUPDATE_KEY] => /tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate
    )
    [Thu May 11 07:43:32 CEST 2017] Single domain='gw.edu.ksan.de'
    [Thu May 11 07:43:32 CEST 2017] Getting domain auth token for each domain
    [Thu May 11 07:43:32 CEST 2017] Getting webroot for domain='gw.edu.ksan.de'
    [Thu May 11 07:43:32 CEST 2017] Getting new-authz for domain='gw.edu.ksan.de'
    [Thu May 11 07:44:01 CEST 2017] The new-authz request is ok.
    [Thu May 11 07:44:01 CEST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Thu May 11 07:44:01 CEST 2017] adding _acme-challenge.gw.edu.ksan.de. 60 in txt "tLPosFoRVD_FYUO9KQf5wK0Ht-E2tXNx9HxWIm5reU0"
    ; TSIG error with server: tsig indicates error
    update failed: NOTAUTH(BADKEY)
    [Thu May 11 07:44:01 CEST 2017] error updating domain
    [Thu May 11 07:44:01 CEST 2017] Error add txt for domain:_acme-challenge.gw.edu.ksan.de
    [Thu May 11 07:44:01 CEST 2017] Please check log file for more details: /tmp/acme/gw.edu.ksan.de/acme_issuecert.log

    jimp (Rebel Alliance, Developer, Netgate), May 11, 2017, 2:43 PM

      The bit size is not the problem. I have ~20 systems using nsupdate and they all show that way, and they all work.

      You most likely have a mismatch between your key and the hostname (_acme-challenge.gw.edu.ksan.de). Check the name server logs for more info, make sure it actually has that key defined for _acme-challenge.gw.edu.ksan.de, and that the key is loaded in the name server. It's really simple to add a key and forget to refresh the name server config so it never gets picked up. It's also possible that the key for _acme-challenge.gw.edu.ksan.de isn't set to allow updates for TXT records.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

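jimp's diagnosis above separates two failures that look alike from the client side: a key name the server does not know, and a key it knows but whose secret does not match. The following is an added example, written for this thread and not code from the pfSense ACME package or from BIND: a small Python model of the TSIG check a name server performs on an RFC 2136 update, with a constructed key store and placeholder secrets. In RFC 8945 order, an unknown key name or algorithm yields BADKEY (the NOTAUTH(BADKEY) in the log above), a known key with a bad MAC yields BADSIG, and a timestamp outside the fudge window yields BADTIME. The digest input is simplified; real TSIG hashes the whole DNS message plus the TSIG variables. As an aside on the original question, the 513 in the generated key file is the KEY record flags field as written for a host key, not a key length, which is why it is the same on every working installation.

```python
import hashlib
import hmac
import time

ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}

# Constructed server-side key store, as BIND would build it from its key {} blocks.
# The secret is a placeholder, not real TSIG material.
SERVER_KEYS = {
    "_acme-challenge.example.test": ("hmac-sha256", b"placeholder-secret-not-real"),
}


def _mac(algorithm, secret, message, key_name, signed_time):
    # Simplified digest input. Real TSIG (RFC 8945) hashes the whole DNS message plus
    # the TSIG variables; the key name and time are folded in here so that, as in the
    # real protocol, changing either invalidates the MAC.
    data = b"%s|%d|%s" % (key_name.encode(), signed_time, message)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def sign_update(key_name, algorithm, secret, message, signed_time=None):
    """Client side (what nsupdate -k does): build the TSIG-like record to attach."""
    if signed_time is None:
        signed_time = int(time.time())
    return {
        "key_name": key_name,
        "algorithm": algorithm,
        "time": signed_time,
        "mac": _mac(algorithm, secret, message, key_name, signed_time),
    }


def verify_update(message, tsig, keys=SERVER_KEYS, now=None, fudge=300):
    """Server side: return the TSIG error name BIND would log, checked in RFC order."""
    if now is None:
        now = int(time.time())
    entry = keys.get(tsig["key_name"])
    if entry is None or entry[0] != tsig["algorithm"]:
        return "BADKEY"  # unknown key name or algorithm: the name-mismatch case
    algorithm, secret = entry
    expected = _mac(algorithm, secret, message, tsig["key_name"], tsig["time"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"  # key is known, but the secret (or the message) differs
    if abs(now - tsig["time"]) > fudge:
        return "BADTIME"  # clock skew beyond the fudge window
    return "NOERROR"


def demo():
    """Run the outcomes against the constructed key store; returns label -> rcode."""
    name, secret = "_acme-challenge.example.test", b"placeholder-secret-not-real"
    msg = b"update add _acme-challenge.example.test. 60 TXT token"  # constructed update
    t = 1_700_000_000
    cases = {
        "correct key": sign_update(name, "hmac-sha256", secret, msg, t),
        "wrong key name": sign_update("example.test", "hmac-sha256", secret, msg, t),
        "wrong algorithm": sign_update(name, "hmac-md5", secret, msg, t),
        "wrong secret": sign_update(name, "hmac-sha256", b"some-other-secret", msg, t),
    }
    results = {label: verify_update(msg, rec, now=t) for label, rec in cases.items()}
    results["stale timestamp"] = verify_update(msg, cases["correct key"], now=t + 3600)
    return results


if __name__ == "__main__":
    for label, rcode in demo().items():
        print(f"{label:>16}: {rcode}")
```

The practical reading of a BIND log line is therefore: BADKEY means look at the key name (and algorithm) the client sent versus the key {} blocks the server actually loaded, while BADSIG means the name matched and the secret is what differs.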
      ms-kassel (May 12, 2017, 5:02 AM; last edited May 12, 2017, 6:00 AM)

        Hello Jimp,

        thanks for your suggestion. DNS is one of the first things I checked, but meanwhile I think that's the problem. I fail to see something. We use the bind package on pfSense. In the global settings tab I put this: key "gw.edu.ksan.de" { algorithm hmac-md5; secret "***"; }; and in the zone file (update-policy) I wrote: grant gw.edu.ksan.de zonesub any; . I am wondering whether something is wrong with that, because I checked by adding a TXT record manually on the command line.

        Bind listens on the WAN interface only. A firewall rule for TCP & UDP :53 is working correctly. An A record for gw.edu.ksan.de is set.

        I'll sit down again, get a big coffee and start over.

        Supplement: I'm stupid… I didn't read your post correctly. After my coffee I understood it. The key is now working, but...

        [Fri May 12 07:46:16 CEST 2017] original='{
          "type": "urn:acme:error:malformed",
          "detail": "Unable to update challenge :: The challenge is not pending.",
          "status": 400
        }'
        [Fri May 12 07:46:16 CEST 2017] responseHeaders='HTTP/1.1 100 Continue
        Expires: Fri, 12 May 2017 05:46:16 GMT
        Cache-Control: max-age=0, no-cache, no-store
        Pragma: no-cache

        HTTP/1.1 400 Bad Request
        Server: nginx
        Content-Type: application/problem+json
        Content-Length: 132
        Boulder-Request-Id: Fh8KIJOjRbc8D13FlX6R6Ejq9kwYRjbwQpkMrlIsdf8
        Boulder-Requester: 2213183
        Replay-Nonce: 0zLiCFLC1ifc94TSst6iX_yOw-ZUWazyats7e47spVA
        Expires: Fri, 12 May 2017 05:46:16 GMT
        Cache-Control: max-age=0, no-cache, no-store
        Pragma: no-cache
        Date: Fri, 12 May 2017 05:46:16 GMT
        Connection: close
        ^M'
        [Fri May 12 07:46:16 CEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'

        Now I have to fix this error.

        ms-kassel, May 12, 2017, 7:28 AM

          Hi jimp,

          after I checked the DNS log file I could solve the problem…. I'll only say: internal & external view :-) OMG.

          Thanks
          Markus

          Gertjan (May 15, 2017, 8:35 PM; last edited May 16, 2017, 8:38 AM)

            Shifted today from "DNS-Manual" to "DNS-nsupdate".

            However ….
            I had a lot of:

            15-May-2017 21:23:40.563 security: client 82.127.34.254#24477: request has invalid signature: TSIG _acme-challenge.brit-hotel-fumel.net: tsig verify failure (BADKEY)

            But I already have some kind of "RFC 2136" DDNS running against my bind9 server (a Linux box somewhere on the net that handles all my domain names) from my pfSense box, and that works OK.

            This made me think:
            @jimp:

            ….. Check the name server logs for more info, make sure it actually has that key defined for _acme-challenge.gw.edu.ksan.de, and that the key is loaded in the name server. It's really simple to add a key and forget to refresh the name server config so it never gets picked up. It's also possible that the key for _acme-challenge.gw.edu.ksan.de isn't set to allow updates for TXT records.

            The "key" name used in bind should be named like this (all of this is in the file /etc/bind/named.conf.local):

            ....
            key "_acme-challenge.brit-hotel-fumel.net" {
                algorithm hmac-md5;
                secret "nFbjaI7mIMoCxszzcByObA==";
            };

            key "_acme-challenge.pfsense.brit-hotel-fumel.net" {
                algorithm hmac-md5;
                secret "nFbjaI7mIMoCxszzcByObA==";
            };
            etc.
            ....

            ....
            zone "brit-hotel-fumel.net" {
                type master;
                file "/etc/bind/zones/db.brit-hotel-fumel.net";
                allow-transfer { "ns-internal-net"; };
                update-policy {
                    grant _acme-challenge.brit-hotel-fumel.net name _acme-challenge.brit-hotel-fumel.net. TXT;
                    grant _acme-challenge.diskstation.brit-hotel-fumel.net name _acme-challenge.diskstation.brit-hotel-fumel.net. TXT;
                    grant _acme-challenge.pfsense.brit-hotel-fumel.net name _acme-challenge.pfsense.brit-hotel-fumel.net. TXT;
                    grant _acme-challenge.oli254.brit-hotel-fumel.net name _acme-challenge.oli254.brit-hotel-fumel.net. TXT;
                    grant _acme-challenge.kma98fa5.brit-hotel-fumel.net name _acme-challenge.kma98fa5.brit-hotel-fumel.net. TXT;
                    grant _acme-challenge.portal.brit-hotel-fumel.net name _acme-challenge.portal.brit-hotel-fumel.net. TXT;
                };
                notify-source some-IPv4;
                notify-source-v6 some-IPv6;
                notify yes;
            };


            … and now I have this:

            15-May-2017 21:47:31.354 update: client 82.127.34.254#56842/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at '_acme-challenge.brit-hotel-fumel.net' TXT
            ....
            15-May-2017 21:49:52.507 update: client 82.127.34.254#17891/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': deleting rrset at '_acme-challenge.brit-hotel-fumel.net' TXT


            :)

            No more manual hassling with those challenge codes ….. !!

            Btw: I have a certificate for my pfSense box, and for some devices on my LAN (on those, the new certificates have to be installed manually ... ok).
            My action list shows:

            Enabled | /etc/rc.restart_webgui | shell command

            My other certificate is for the captive portal.
            Question: how do I restart the Captive Portal for a zone called "cpzone1" as soon as its certificate is renewed? I guess it's a "service".
            Can it be as simple as the command "captiveportal:cpzone1"? (Although running through scripts like /etc/inc/service-utils.inc proves me wrong; it's more complicated.)

            Edit: after account key creation, a minor issue: Services => Acme => Certificate options: Edit
            The first "Name" field should not contain spaces or the + sign, otherwise you can't see (and edit) the account anymore.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

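Gertjan's working configuration above pairs each key block with an update-policy grant of the same name, restricted to TXT at that one name; ms-kassel's earlier attempt, a key named after the bare domain plus a zonesub grant for that name, would never match the _acme-challenge.<host> key name the ACME package sends. The following is an added example written for this thread, not code from the pfSense ACME package or from BIND: a minimal Python consistency check over a constructed named.conf fragment for a fictitious zone with placeholder secrets. For each certificate hostname it verifies that a key named _acme-challenge.<host> exists and that a grant for that identity permits TXT at that name, reporting the mismatch that would otherwise surface as NOTAUTH(BADKEY) in the ACME log or as a refused update. The regex parser handles only the name, subdomain and zonesub rule forms and is no substitute for named-checkconf; in a split-horizon setup the check must be run against the zone definition in the view that actually receives the update.

```python
import re

# Constructed named.conf fragment for a fictitious zone; placeholder secrets, not real
# TSIG material. It mirrors the key {} + update-policy pairing discussed in the thread,
# with two deliberate mistakes: portal's grant allows A instead of TXT, and vpn has a
# grant but no key {} block.
NAMED_CONF = """
key "ops-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SECRET-0";
};
key "_acme-challenge.example.test" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SECRET-1";
};
key "_acme-challenge.portal.example.test" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-SECRET-2";
};
zone "example.test" {
    type master;
    file "/etc/bind/zones/db.example.test";
    update-policy {
        grant ops-key zonesub ANY;
        grant _acme-challenge.example.test name _acme-challenge.example.test. TXT;
        grant _acme-challenge.portal.example.test name _acme-challenge.portal.example.test. A;
        grant _acme-challenge.vpn.example.test name _acme-challenge.vpn.example.test. TXT;
    };
};
"""

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
POLICY_RE = re.compile(r"update-policy\s*\{(.*?)\};", re.S)
GRANT_RE = re.compile(r"grant\s+([^;]+);")


def parse_keys(conf):
    """Map key name -> algorithm for every key {} block."""
    keys = {}
    for name, body in KEY_RE.findall(conf):
        algo = re.search(r"algorithm\s+([\w-]+)\s*;", body)
        keys[name] = algo.group(1).lower() if algo else None
    return keys


def parse_grants(conf):
    """Return (identity, rule, target, types) per grant; target is None for zonesub."""
    grants = []
    for body in POLICY_RE.findall(conf):
        for clause in GRANT_RE.findall(body):
            tokens = clause.split()
            identity, rule = tokens[0].rstrip("."), tokens[1].lower()
            if rule == "zonesub":
                target, types = None, tokens[2:]
            else:
                target, types = tokens[2].rstrip("."), tokens[3:]
            grants.append((identity, rule, target, [t.upper() for t in types]))
    return grants


def grant_allows_txt(grant, name):
    """Does this grant let its identity write TXT at `name`? (name, subdomain, zonesub)"""
    identity, rule, target, types = grant
    if identity != name:
        return False
    if types and not ({"TXT", "ANY"} & set(types)):
        return False
    if rule == "name":
        return target == name
    if rule == "subdomain":
        return name == target or name.endswith("." + target)
    return rule == "zonesub"


def check_acme_hosts(conf, hosts):
    """For each certificate hostname, list what would make the acme.sh nsupdate fail.
    Returns {host: [problem, ...]}; an empty list means the pairing looks right."""
    keys, grants = parse_keys(conf), parse_grants(conf)
    report = {}
    for host in hosts:
        name = f"_acme-challenge.{host}"
        problems = []
        if name not in keys:
            problems.append(f"no key block named {name}: server would answer NOTAUTH(BADKEY)")
        own = [g for g in grants if g[0] == name]
        if not own:
            problems.append(f"no update-policy grant for identity {name}")
        elif not any(grant_allows_txt(g, name) for g in own):
            problems.append(f"grants for {name} do not permit TXT at {name}")
        report[host] = problems
    return report


if __name__ == "__main__":
    hosts = ["example.test", "portal.example.test", "vpn.example.test"]
    for host, problems in check_acme_hosts(NAMED_CONF, hosts).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

Run it with python3 after editing the hostname list; the grant-per-name pattern it checks for is the least-privilege one, since each challenge key can then only ever write a TXT record at its own _acme-challenge name and nothing else in the zone.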
            jimp (Rebel Alliance, Developer, Netgate), May 16, 2017, 7:16 PM

              You should change those keys ASAP, unless they are dummies.

              Gertjan, May 17, 2017, 11:23 AM

                @jimp:

                You should change those keys ASAP, unless they are dummies.

                The key names are valid - they do exist. I'll see what happens ;)
                The password is, of course, a random string - not the real one.

                The key name can be chosen here: Services => Dynamic DNS => RFC 2136 Clients (the "key name" field) - it would be nice if the ACME package asked for this key name instead of making one up.
                The ACME package auto-generates them, and they have to be the same in the config of 'bind' (the remote DNS server). Is it


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.