Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Cert Renewal Failed using DNS-Godaddy

    ACME
    1
    1
    256
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ahking19
      ahking19 last edited by

      I been using the acme package about a 18 months without any issues.
      2.4.4-RELEASE-p1
      acme 0.3.2_4 using DNS-Godaddy plugin method

      I upgraded to 2.4.4-p1 on 12/5. On 12/7 I received email notification that "3:18:22 ACME, Failed to renew certificate for WebConfigurator". I don't know if this is a bug in 2.4.4-p1 or just a coincidence that my cert was due for renewal 2 days after upgrading.

      I looked at the acme_issuecert.log and it shows that the DNS record was added but it fails verification.

      I logged into GoDaddy admin and saw that I have an existing TXT record for _acme-challenge.xxxx with an empty value. I reran the cert renewal from pfSense and refreshed the DNS manager and saw that a new TXT record had been created with a value. I now suspected why the verification was failing - I have 2 records for _acme-challenge.xxxx.
      I knew from the acme log that it sleeps 120 seconds for the TXT record to go into affect, so I delete the acme_challenge record with empty value. Verification was successful and my cert was renewed.

      My question is this a reproducible bug? And how should the cert renewal process work?

      1. does it create a new DNS entry each time it renews? Cleaning up after itself and removing the record.
      2. should it look for and use an existing DNS record, updating the value? Cleaning up after itself and removing the record value only.

      It seems like it should be #2 and looking at the acme log there is a lookup for existing records.

      Getting existing records
      [Mon Dec 10 09:48:05 PST 2018] domains/gesi.net/records/TXT/_acme-challenge.firewall
      [Mon Dec 10 09:48:05 PST 2018] GET
      [Mon Dec 10 09:48:05 PST 2018] url='https://api.godaddy.com/v1/domains/gesi.net/records/TXT/_acme-challenge.firewall'
      [Mon Dec 10 09:48:05 PST 2018] timeout=
      [Mon Dec 10 09:48:05 PST 2018] curl exists=0
      [Mon Dec 10 09:48:05 PST 2018] wget exists=127
      [Mon Dec 10 09:48:05 PST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/WebConfigurator//http.header -g '
      [Mon Dec 10 09:48:05 PST 2018] ret='0'
      [Mon Dec 10 09:48:05 PST 2018] response='[{"data":"","name":"_acme-challenge.firewall","ttl":600,"type":"TXT"},{"data":"Ez7qNRaHeqSsfRFhn7dKGEoIdwlqwthwgxxxxxxxxxx","name":"_acme-challenge.firewall","ttl":600,"type":"TXT"}]'

      After my cert was renewed I refreshed the DNS manager and I do still have the _acme-challenge record but the value is now empty again.

      Thanks
      -Andrew

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy