Let's Encrypt Error with nsupdate



  • Hello,

    We installed pfSense 2.3.4 with the latest acme package, 0.1.16. This is our first try with nsupdate and the acme Let's Encrypt script. I guess the package and the script are working fine, as I know that hundreds of correctly working installations are out there.

    First of all, I verified our key by using it manually with nsupdate. I was able to add new TXT records to my domain. So I pasted the key into the GUI and renewed the certificate. This ends with an error "wrong domainkey".

    After hours of testing and troubleshooting I took a look at:

    [Tue May  9 09:23:55 CEST 2017] 5:NSUPDATE_KEY='/tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate_acme-challenge.gw.edu.ksan.de.key'

    I think here is my problem, because the file always shows the wrong bit size "_acme-challenge.gw.edu.ksan.de IN KEY 513 3 157 <key>". It always adds +1 at the end of the bit size. I think the correct output should be _acme-challenge.gw.edu.ksan.de IN KEY 512 3 157 <key>. If you change from HMAC-MD5 host key to HMAC-SHA256, the file generates the line with 257 bits instead of 256. So what is wrong?

    Regards
    Markus

    acme_issuecert.log:

    [Tue May  9 09:23:55 CEST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue May  9 09:23:55 CEST 2017] dns_nsupdate_add exists=0
    [Tue May  9 09:23:55 CEST 2017] APP
    [Tue May  9 09:23:55 CEST 2017] 4:NSUPDATE_SERVER='80.69.207.90'
    [Tue May  9 09:23:55 CEST 2017] APP
    [Tue May  9 09:23:55 CEST 2017] 5:NSUPDATE_KEY='/tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate_acme-challenge.gw.edu.ksan.de.key'
    [Tue May  9 09:23:55 CEST 2017] adding _acme-challenge.gw.edu.ksan.de. 60 in txt "mBZW1-W7oiGV-wSgzUTsB5_yYsgOtlp5pYh69TEgu1k"
    [Tue May  9 09:23:55 CEST 2017] error updating domain
    [Tue May  9 09:23:55 CEST 2017] Error add txt for domain:_acme-challenge.gw.edu.ksan.de
    [Tue May  9 09:23:55 CEST 2017] pid
    [Tue May  9 09:23:55 CEST 2017] No need to restore nginx, skip.
    [Tue May  9 09:23:55 CEST 2017] _clearupdns
    [Tue May  9 09:23:55 CEST 2017] Dns not added, skip.
    [Tue May  9 09:23:55 CEST 2017] _on_issue_err
    [Tue May  9 09:23:55 CEST 2017] Please check log file for more details: /tmp/acme/gw.edu.ksan.de/acme_issuecert.log

    GUI message when renewing the certificate:

    gw.edu.ksan.de
    Renewing certificateaccount: test
    server: letsencrypt-staging

    /usr/local/pkg/acme/acme.sh --issue -d 'gw.edu.ksan.de' --home '/tmp/acme/gw.edu.ksan.de/' --accountconf '/tmp/acme/gw.edu.ksan.de/accountconf.conf' --force --reloadCmd '/tmp/acme/gw.edu.ksan.de/reloadcmd.sh' --dns 'dns_nsupdate' --log-level 3 --log '/tmp/acme/gw.edu.ksan.de/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [NSUPDATE_SERVER] => /tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate
    [NSUPDATE_KEYTYPE] => host
    [NSUPDATE_KEYALGO] => 157
    [NSUPDATE_KEY] => /tmp/acme/gw.edu.ksan.de/gw.edu.ksan.de/nsupdate
    )
    [Thu May 11 07:43:32 CEST 2017] Single domain='gw.edu.ksan.de'
    [Thu May 11 07:43:32 CEST 2017] Getting domain auth token for each domain
    [Thu May 11 07:43:32 CEST 2017] Getting webroot for domain='gw.edu.ksan.de'
    [Thu May 11 07:43:32 CEST 2017] Getting new-authz for domain='gw.edu.ksan.de'
    [Thu May 11 07:44:01 CEST 2017] The new-authz request is ok.
    [Thu May 11 07:44:01 CEST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Thu May 11 07:44:01 CEST 2017] adding _acme-challenge.gw.edu.ksan.de. 60 in txt "tLPosFoRVD_FYUO9KQf5wK0Ht-E2tXNx9HxWIm5reU0"
    ; TSIG error with server: tsig indicates error
    update failed: NOTAUTH(BADKEY)
    [Thu May 11 07:44:01 CEST 2017] error updating domain
    [Thu May 11 07:44:01 CEST 2017] Error add txt for domain:_acme-challenge.gw.edu.ksan.de
    [Thu May 11 07:44:01 CEST 2017] Please check log file for more details: /tmp/acme/gw.edu.ksan.de/acme_issuecert.log


  • Rebel Alliance Developer Netgate

    The bit size is not the problem. I have ~20 systems using nsupdate and they all show that way, and they all work.

    You most likely have a mismatch between your key and the hostname (_acme-challenge.gw.edu.ksan.de). Check the name server logs for more info, make sure it actually has that key defined for _acme-challenge.gw.edu.ksan.de, and that the key is loaded in the name server. It's really simple to add a key and forget to refresh the name server config so it never gets picked up. It's also possible that the key for _acme-challenge.gw.edu.ksan.de isn't set to allow updates for TXT records.



  • Hello Jimp,

    Thanks for your suggestion. DNS is one of the first things I checked, but meanwhile I think that's the problem. I fail to see something. We use the bind package on the pfSense. At the global settings tab, I put this: key "gw.edu.ksan.de" { algorithm hmac-md5; secret "***"; }; and at the zone file (update-policy) I wrote: grant gw.edu.ksan.de zonesub any; . I am wondering whether something is wrong with that, because I checked adding a TXT record manually on the command line.

    bind listens on the WAN interface only. A firewall rule for TCP & UDP :53 is working correctly. An A record for gw.edu.ksan.de is set.

    I'll sit down again, take a big coffee and start over.

    Supplement: I'm stupid… didn't read your post correctly. After my coffee I understood it. The key is now working but...

    [Fri May 12 07:46:16 CEST 2017] original='{
      "type": "urn:acme:error:malformed",
      "detail": "Unable to update challenge :: The challenge is not pending.",
      "status": 400
    }'
    [Fri May 12 07:46:16 CEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Fri, 12 May 2017 05:46:16 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache

    HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 132
    Boulder-Request-Id: Fh8KIJOjRbc8D13FlX6R6Ejq9kwYRjbwQpkMrlIsdf8
    Boulder-Requester: 2213183
    Replay-Nonce: 0zLiCFLC1ifc94TSst6iX_yOw-ZUWazyats7e47spVA
    Expires: Fri, 12 May 2017 05:46:16 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 12 May 2017 05:46:16 GMT
    Connection: close
    ^M'
    [Fri May 12 07:46:16 CEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'

    Now I have to fix this error.



  • Hi jimp,

    After I checked the DNS log file I could solve the problem… I only say internal & external view :-) OMG.

    Thanks
    Markus



    Shifted today from "DNS-Manual" to "DNS-nsupdate".

    However…. I got a lot of these:

    15-May-2017 21:23:40.563 security: client 82.127.34.254#24477: request has invalid signature: TSIG _acme-challenge.brit-hotel-fumel.net: tsig verify failure (BADKEY)
    

    But I already have some kind of "RFC 2136" DDNS running against my bind9 server (a Linux box somewhere on the net that handles all my domain names) from my pfSense box - that works OK.

    This made me think:
    @jimp:

    ….. Check the name server logs for more info, make sure it actually has that key defined for _acme-challenge.gw.edu.ksan.de, and that the key is loaded in the name server. It's really simple to add a key and forget to refresh the name server config so it never gets picked up. It's also possible that the key for _acme-challenge.gw.edu.ksan.de isn't set to allow updates for TXT records.

    The "key" name used in bind should be named like this (all of this is in the file /etc/bind/named.conf.local):

    ....
    key "_acme-challenge.brit-hotel-fumel.net" {
        algorithm hmac-md5;
        secret "nFbjaI7mIMoCxszzcByObA==";
    };

    key "_acme-challenge.pfsense.brit-hotel-fumel.net" {
        algorithm hmac-md5;
        secret "nFbjaI7mIMoCxszzcByObA==";
    };
    etc.
    ....

    ....
    zone "brit-hotel-fumel.net" {
        type master;
        file "/etc/bind/zones/db.brit-hotel-fumel.net";
        allow-transfer { "ns-internal-net"; };
        update-policy {
            grant _acme-challenge.brit-hotel-fumel.net name _acme-challenge.brit-hotel-fumel.net. TXT;
            grant _acme-challenge.diskstation.brit-hotel-fumel.net name _acme-challenge.diskstation.brit-hotel-fumel.net. TXT;
            grant _acme-challenge.pfsense.brit-hotel-fumel.net name _acme-challenge.pfsense.brit-hotel-fumel.net. TXT;
            grant _acme-challenge.oli254.brit-hotel-fumel.net name _acme-challenge.oli254.brit-hotel-fumel.net. TXT;
            grant _acme-challenge.kma98fa5.brit-hotel-fumel.net name _acme-challenge.kma98fa5.brit-hotel-fumel.net. TXT;
            grant _acme-challenge.portal.brit-hotel-fumel.net name _acme-challenge.portal.brit-hotel-fumel.net. TXT;
        };
        notify-source some-IPv4;
        notify-source-v6 some-IPv6;
        notify yes;
    };


    … and now I have this:

    15-May-2017 21:47:31.354 update: client 82.127.34.254#56842/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at '_acme-challenge.brit-hotel-fumel.net' TXT
    ....
    15-May-2017 21:49:52.507 update: client 82.127.34.254#17891/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': deleting rrset at '_acme-challenge.brit-hotel-fumel.net' TXT
    
    

    :)

    No more manual hassling with those challenge codes….!!

    Btw: I have a certificate for my pfSense box, and some devices on my LAN (on those, the new certificates have to be installed manually... OK)
    My action list shows:

    | Enabled | /etc/rc.restart_webgui | shell command |

    My other certificate is for the captive portal.
    Question: how do I restart the Captive Portal for a zone called "cpzone1" as soon as its certificate is renewed? I guess it's a "service".
    Can it be as simple as the command "captiveportal:cpzone1"? (Although running through the scripts like /etc/inc/service-utils.inc proves me wrong - it's more complicated.)

    Edit: after account key creation, a minor issue: Services => Acme => Certificate options: Edit
    The first "Name" field should not contain spaces or the + sign, otherwise you can't see (and edit) the account anymore.
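Both failures in this thread (jimp's point about the key name having to match _acme-challenge.<hostname>, and the per-name TXT grants in the named.conf.local layout above) are pure configuration consistency. The following checker is an added example, not code from the thread or from the acme package: it parses a constructed named.conf.local fragment (placeholder secrets, example.net names) and reports, for each hostname, why an nsupdate signed with the acme key name would be rejected.

```python
import re

# Constructed named.conf.local fragment in the layout quoted above. The secret
# is a placeholder, not a real key; the portal grant deliberately allows only A.
SAMPLE_CONF = """
key "_acme-challenge.example.net" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
key "_acme-challenge.portal.example.net" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };
zone "example.net" {
    type master;
    update-policy {
        grant _acme-challenge.example.net name _acme-challenge.example.net. TXT;
        grant _acme-challenge.pfsense.example.net name _acme-challenge.pfsense.example.net. TXT;
        grant _acme-challenge.portal.example.net name _acme-challenge.portal.example.net. A;
    };
};
"""

KEY_RE = re.compile(r'\bkey\s+"([^"]+)"\s*\{')
GRANT_RE = re.compile(r'\bgrant\s+([^;]+);')

def parse_grants(conf):
    """Return (identity, ruletype, name, types) tuples from update-policy grants."""
    grants = []
    for body in GRANT_RE.findall(conf):
        tok = body.split()
        identity, ruletype = tok[0], tok[1]
        if ruletype == "zonesub":          # zonesub takes no name argument
            name, types = None, tok[2:]
        else:
            name, types = tok[2].rstrip("."), tok[3:]
        grants.append((identity, ruletype, name, [t.upper() for t in types]))
    return grants

def check_acme_policy(conf, hostnames):
    """Explain, per hostname, why an update signed with key
    _acme-challenge.<hostname> (the name the acme package uses) would fail."""
    keys = set(KEY_RE.findall(conf))
    grants = parse_grants(conf)
    problems = []
    for host in hostnames:
        keyname = f"_acme-challenge.{host}"
        if keyname not in keys:          # server cannot verify the TSIG at all
            problems.append(f"{keyname}: no key stanza with that name (BADKEY)")
            continue
        rules = [g for g in grants if g[0] == keyname and (
            g[1] == "zonesub" or g[2] == keyname or
            (g[1] == "subdomain" and keyname.endswith("." + g[2])))]
        if not rules:
            problems.append(f"{keyname}: key exists but no grant covers that name")
        elif not any("TXT" in g[3] or "ANY" in g[3] for g in rules):
            problems.append(f"{keyname}: grant does not allow TXT records (REFUSED)")
    return problems
```

Run it against your real named.conf.local and the list of hostnames acme will validate before turning on DNS-nsupdate; a key stanza that is also only present in one view will still show up as BADKEY in the server log, as the earlier post found.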


  • Rebel Alliance Developer Netgate

    You should change those keys ASAP, unless they are dummies.



  • @jimp:

    You should change those keys ASAP, unless they are dummies.

    The key names are valid - they do exist. I'll see what happens ;)
    The password is, of course, a random string - not the real one.

    The key name can be chosen here: Services => Dynamic DNS => RFC 2136 Clients (the "key name" field) - it would be nice if acme asked for this key name instead of making one up.
    The acme package auto-generates them - and they have to be the same in the config of 'bind' (the remote DNS server). Is it

