ACME and Bind dns Server on pfsense in the same server

luisenrique

I have installed ACME and Bind DNS server on the same server, the DNS server works correctly, when I try to validate a certificate for my own domain that is running on the same server I receive an error.
Which key would be put in my SAN configuration, it is assumed that for the server itself to update a record dynamically no key is required and I receive an error.
Is there a security risk when having acme and bind on the same server?
Regards

jimp

ACME is still an nsupdate client in that context. There is nothing special about it being on the same server. It is not "the server itself" -- it's still a client updating a server, and thus requires a key like any other client.

luisenrique

Fine..
so
i generate the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST mydomain.cu
Kmydomain.cu.+157+54710
cat Kmydomain.cu.+157+54710
mydomain.cu. IN KEY 512 3 157 blababla-key-string
put the "blababla-key-string" key in Global setting on Bind DNS server(on pfsense same box):
key mydomain.cu. {
algorithm hmac-md5;
secret "blababla-key-string";
};
then i go to ACME config on Domain SAN list add two entries for multi domain and same method DNS-NSupdate / RFC 2136:
domain name: mydomain.cu
key: blababla-key-string
and domain name *.mydomain.cu
key: blababla-key-string
the key name is mydomain.cu for both entries
it is right?

jimp

You need keys for _acme-challenge.<hostname> not just <hostname>.

I'm not that familiar with the BIND package so I can't comment on the particulars there. Assuming the hosts in the domain have the rights to create/update TXT records you should be fine once you have the right key names/keys in place.

luisenrique

@jimp thanks
i had fix key name so i receiving error:
On BIND DNS Server
query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
and ACME Package
[Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
response to SOA query was unsuccessful
[Thu Jan 10 14:35:47 CST 2019] error updating domain
[Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
[Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

luisenrique

@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

@jimp thanks
i had fix key name so i receiving error:
On BIND DNS Server
query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
and ACME Package
[Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
response to SOA query was unsuccessful
[Thu Jan 10 14:35:47 CST 2019] error updating domain
[Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
[Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

the previous error was related to the dns server and it journal file and the zone did not loaded correctly.. afther fix it and validate again i receive this error:
Thu Jan 10 15:21:03 CST 2019] Multi domain='DNS:bicsa.cu,DNS:.bicsa.cu'
[Thu Jan 10 15:21:03 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='.bicsa.cu'
[Thu Jan 10 15:21:07 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:21:07 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "LyykPuSPAGwu0iR25uaaqqtiRUCTzIjfRazeVsJ8U1A"
[Thu Jan 10 15:21:07 CST 2019] Sleep 120 seconds for the txt records to take effect
[Thu Jan 10 15:23:07 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 15:23:07 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 15:23:18 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:23:18 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:23:18 CST 2019] Removing DNS records.
[Thu Jan 10 15:23:18 CST 2019] removing _acme-challenge.bicsa.cu. txt
[Thu Jan 10 15:23:18 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Thu Jan 10 15:23:18 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

on the bind dns server logs looks like updating is fine...........
Jan 10 15:23:18 named 96796 update: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
Jan 10 15:23:18 named 96796 update-security: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 15:23:18 named 96796 queries: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)

Gertjan

I tried something out myself.

I have this domain called brit-hotel-fumel.net - I'm running my own master "bind" server which control this domain.

This is the zone info for "brit-hotel-fumel.net" on my bind master :

zone "brit-hotel-fumel.net" {
	type master;
	file "/etc/bind/zones/db.brit-hotel-fumel.net";
	allow-transfer { "ns-internal-net"; };
	masterfile-format text;
	allow-update { key "_acme-challenge.brit-hotel-fumel.net."; };
	notify-source 188.165.53.87;
	notify explicit; 
};

I would like to do this : adding this line to my zone 'brit-hotel-fumel.net" :

sub.brit-hotel-fumel.net. 86400 A 1.10.10.10

I made a file on pfSense called "update" :

server 188.165.53.87
zone brit-hotel-fumel.net
update add sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
show
send

Info : "188.165.53.87" is my master bind server that controls the zone " brit-hotel-fumel.net"

Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):

key "_acme-challenge.brit-hotel-fumel.net" {
	algorithm hmac-md5;
 	secret "nFbjaI7mIMoDI0MpoByObC==";
};

On pfSense, I run this

nsupdate -k key -v update

and voila : (bind logs on server ) :

10-Jan-2019 21:23:45.044 update-security: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: signer "_acme-challenge.brit-hotel-fumel.net" approved
10-Jan-2019 21:23:45.044 update: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at 'sub.brit-hotel-fumel.net' A

Now I run this to check :

[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig sub.brit-hotel-fumel.net +short
1.10.10.10

If you can reproduce all this, you come close to use acme using the nsupdate method.

edit :
my real acme settings :

Btw : I asked for a wild card certificate, just because I can ^^

jimp

@gertjan said in ACME and Bind dns Server on pfsense in the same server:

Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):

key "_acme-challenge.brit-hotel-fumel.net" {
	algorithm hmac-md5;
 	secret "nFbjaI7mIMoDI0MpoByObC==";
};

You scribbled out the key in the image but left it in plain text when you posted the key file contents :-)

Gertjan

@jimp said in ACME and Bind dns Server on pfsense in the same server:

scribbled

I was pretty sure I would receive that remark
"nFbjaI7mIMoDI0MpoByObC==" is a fake ^^
Thanks anyway

luisenrique

hi! soory me again...
I have read several times and tried but I stumble with several errors ...
try from the command line and from the web config of the pfsense, my dns is updated and it returns this error ...

[Tue Jan 15 08:43:56 CST 2019] Single domain='enlinea.bicsa.cu'
[Tue Jan 15 08:43:56 CST 2019] Getting domain auth token for each domain
[Tue Jan 15 08:43:59 CST 2019] Getting webroot for domain='enlinea.bicsa.cu'
[Tue Jan 15 08:43:59 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 08:43:59 CST 2019] adding _acme-challenge.enlinea.bicsa.cu. 60 in txt "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
[Tue Jan 15 08:43:59 CST 2019] Sleep 120 seconds for the txt records to take effect
[Tue Jan 15 08:46:00 CST 2019] Verifying:enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 08:46:04 CST 2019] Removing DNS records.
[Tue Jan 15 08:46:04 CST 2019] enlinea.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
[Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
[Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
[Tue Jan 15 08:46:04 CST 2019] Error removing txt for domain:_acme-challenge.enlinea.bicsa.cu
[Tue Jan 15 08:46:04 CST 2019] Please check log file for more details: /tmp/acme/bicsa/acme_issuecert.log
after query my dns server i see:
[root@temis ~]# dig _acme-challenge.enlinea.bicsa.cu txt

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> _acme-challenge.enlinea.bicsa.cu txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1699
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.enlinea.bicsa.cu. IN TXT

;; ANSWER SECTION:
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "-CyGI3mBvSqjfP8F-SWBAGBRVB88k4LXRgM3jTGGu-U"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "rLgLQa2nh2Wo1COaZ04vouNb5qoMLDJcrrL4_XNoOic"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "TOzYyEBH-u5u2Lm-Z1ownM2h2Ja45GviqvWMnlxdkuY"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "fE6plJ7PstkuXhLhbHqNFamLTpSJq6MZn9l2BzbXYCE"
_acme-challenge.enlinea.bicsa.cu. 60 IN TXT "_BxnR2jrVJFYbRw9JqR8tzVma2JsBVuuU6B7gANh_bg"

;; Query time: 2373 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 15 09:44:41 2019
;; MSG SIZE rcvd: 386
after trying several times I notice that the txt record of each attempt is not eliminated, the key is correctly in the direcotio and matches the one specified in the config..

luisenrique

here capture of my config.

and my keys on Global Setting of the bind config on pfsense.

Gertjan

@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

after trying several times I notice that the txt record of each attempt is not eliminated

Your TXT records confirm what you saw.

The logs say the very same thing :

@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

[Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate

rm (or "remove") means "delete file".
The Letencrypt "test server" can't find (==resolve) the record " _acme-challenge.enlinea.bicsa.cu" which means the DNS name server (s !! - there should be least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
This can happens when synchronisation is functioning well.The TXT subdomain was set on the master DNS server, but wasn't synced in 120 seconds with the slave dns server).

Check :
Your name servers :
dig bicsa.cu any +short
....
ns2.bicsa.cu.
ns1.bicsa.cu.
....

root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
"s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
"DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
"F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"

root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short

.... nothing = no good;

Btw : you have serious DNSSEC troubles .....
DNSSEC should be perfect .... or your site will not be found on the net.
Use http://dnsviz.net/ to check .(you"re good for some nights without sleep).
It is feasible thought : http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).

If the LE test server used the NS1 (your) name server (not synced) it will error out (it says : NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
Like : see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.

Btw :
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

dig _acme-challenge.enlinea.bicsa.cu txt

When I run

dig _acme-challenge.enlinea.bicsa.cu TXT +short

from a server server I own (some where in France) I see .... nothing - no result.
What I see is what the LE test servers see : nothing (answer also known as 'NXDOMAIN').
Check your DNS setup.