ACME and Bind dns Server on pfsense in the same server



  • I have installed ACME and Bind DNS server on the same server. The DNS server works correctly, but when I try to validate a certificate for my own domain that is running on the same server I receive an error.
    Which key should be put in my SAN configuration? It is assumed that for the server itself to update a record dynamically no key is required, and I receive an error.
    Is there a security risk when having acme and bind on the same server?
    Regards


  • Rebel Alliance Developer Netgate

    ACME is still an nsupdate client in that context. There is nothing special about it being on the same server. It is not "the server itself" -- it's still a client updating a server, and thus requires a key like any other client.



  • Fine..
    So I generate the key:
    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST mydomain.cu
    Kmydomain.cu.+157+54710
    cat Kmydomain.cu.+157+54710
    mydomain.cu. IN KEY 512 3 157 blababla-key-string
    Then I put the "blababla-key-string" key in Global settings on the Bind DNS server (on the same pfSense box):
    key mydomain.cu. {
    algorithm hmac-md5;
    secret "blababla-key-string";
    };
    Then I go to the ACME config, and in the Domain SAN list add two entries for multi domain, both with the method DNS-NSupdate / RFC 2136:
    domain name: mydomain.cu
    key: blababla-key-string
    and domain name *.mydomain.cu
    key: blababla-key-string
    The key name is mydomain.cu for both entries.
    Is it right?


  • Rebel Alliance Developer Netgate

    You need keys for _acme-challenge.<hostname> not just <hostname>.

    I'm not that familiar with the BIND package so I can't comment on the particulars there. Assuming the hosts in the domain have the rights to create/update TXT records you should be fine once you have the right key names/keys in place.



  • @jimp thanks
    I have fixed the key name, so now I'm receiving this error:
    On BIND DNS Server
    query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
    and ACME Package
    [Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
    [Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
    [Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
    [Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='*.bicsa.cu'
    [Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
    response to SOA query was unsuccessful
    [Thu Jan 10 14:35:47 CST 2019] error updating domain
    [Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
    [Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log



  • 
    The previous error was related to the DNS server and its journal file; the zone did not load correctly. After fixing it and validating again I receive this error:
    [Thu Jan 10 15:21:03 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
    [Thu Jan 10 15:21:03 CST 2019] Getting domain auth token for each domain
    [Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='bicsa.cu'
    [Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='*.bicsa.cu'
    [Thu Jan 10 15:21:07 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Thu Jan 10 15:21:07 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "LyykPuSPAGwu0iR25uaaqqtiRUCTzIjfRazeVsJ8U1A"
    [Thu Jan 10 15:21:07 CST 2019] Sleep 120 seconds for the txt records to take effect
    [Thu Jan 10 15:23:07 CST 2019] bicsa.cu is already verified, skip dns-01.
    [Thu Jan 10 15:23:07 CST 2019] Verifying:*.bicsa.cu
    [Thu Jan 10 15:23:18 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Thu Jan 10 15:23:18 CST 2019] Skipping nsupdate for TXT on base domain.
    [Thu Jan 10 15:23:18 CST 2019] Removing DNS records.
    [Thu Jan 10 15:23:18 CST 2019] removing _acme-challenge.bicsa.cu. txt
    [Thu Jan 10 15:23:18 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
    [Thu Jan 10 15:23:18 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

    On the BIND DNS server the logs look like the update is fine:
    Jan 10 15:23:18 named 96796 update: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
    Jan 10 15:23:18 named 96796 update-security: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
    Jan 10 15:23:18 named 96796 queries: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)



  • I tried something out myself.

    I have this domain called brit-hotel-fumel.net. I'm running my own master "bind" server which controls this domain.

    This is the zone info for "brit-hotel-fumel.net" on my bind master:

    zone "brit-hotel-fumel.net" {
    	type master;
    	file "/etc/bind/zones/db.brit-hotel-fumel.net";
    	allow-transfer { "ns-internal-net"; };
    	masterfile-format text;
    	allow-update { key "_acme-challenge.brit-hotel-fumel.net."; };
    	notify-source 188.165.53.87;
    	notify explicit; 
    };
    

    I would like to do this: adding this line to my zone "brit-hotel-fumel.net":

    sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
    

    I made a file on pfSense called "update" :

    server 188.165.53.87
    zone brit-hotel-fumel.net
    update add sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
    show
    send
    

    Info: "188.165.53.87" is my master bind server that controls the zone "brit-hotel-fumel.net"

    Another file, called "key", that I copied from /etc/bind/named.conf.local (thus from my bind server settings files):

    key "_acme-challenge.brit-hotel-fumel.net" {
    	algorithm hmac-md5;
    	secret "nFbjaI7mIMoDI0MpoByObC==";
    };
    

    On pfSense, I run this

    nsupdate -k key -v update
    

    and voila (bind logs on server):

    10-Jan-2019 21:23:45.044 update-security: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: signer "_acme-challenge.brit-hotel-fumel.net" approved
    10-Jan-2019 21:23:45.044 update: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at 'sub.brit-hotel-fumel.net' A
    

    Now I run this to check :

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig sub.brit-hotel-fumel.net +short
    1.10.10.10
    

    If you can reproduce all this, you are close to using acme with the nsupdate method.

    edit:
    my real acme settings:

    [image: screenshot of the ACME certificate settings]

    Btw : I asked for a wild card certificate, just because I can ^^
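    The pieces described in the two posts above (jimp's point that the key must be named for _acme-challenge.<hostname>, and the nsupdate batch, key file and zone stanza shown here), as an added example that is not code from the thread or from the pfSense ACME/BIND packages. It generates the texts as plain strings so they can be inspected before anything is sent; zone and host names are the thread's, while the key name, secret and zone file path are constructed placeholders. Two things it does differently from the thread, on purpose: it uses HMAC-SHA256 rather than HMAC-MD5, and it replaces allow-update (which lets the key rewrite every record in the zone) with an update-policy grant restricted to the one TXT name. One grant covers both bicsa.cu and *.bicsa.cu, since both validate against _acme-challenge.bicsa.cu.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense packages: the RFC 2136
# pieces that the ACME package's dns_nsupdate hook needs, built as plain text so
# they can be inspected before anything is sent. Zone/host names are the
# thread's; key name, secret and zone file path are constructed placeholders.

# nsupdate batch that adds the DNS-01 TXT record for one hostname.
# Usage: build_txt_add_batch SERVER ZONE HOST TOKEN
build_txt_add_batch() {
    server=$1; zone=$2; host=$3; token=$4
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    # 60 s TTL so a stale token leaves the caches quickly after renewal.
    printf 'update add _acme-challenge.%s. 60 TXT "%s"\n' "$host" "$token"
    printf 'send\n'
}

# nsupdate batch that deletes the whole _acme-challenge TXT rrset for a host;
# this is the cleanup that was missing when six old tokens piled up in the thread.
# Usage: build_txt_delete_batch SERVER ZONE HOST
build_txt_delete_batch() {
    server=$1; zone=$2; host=$3
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'send\n'
}

# TSIG key file in the format nsupdate -k expects. Generate a real secret with
# tsig-keygen (BIND 9.9+), e.g.: tsig-keygen -a hmac-sha256 acme-update-key
# HMAC-SHA256 is used instead of the thread's HMAC-MD5, which BIND has deprecated.
# Usage: build_key_file KEYNAME SECRET
build_key_file() {
    keyname=$1; secret=$2
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
}

# BIND zone stanza that lets the key change ONLY the _acme-challenge TXT name.
# allow-update { key ...; } (as used in the thread) lets a leaked key rewrite
# every record in the zone; update-policy/grant limits the blast radius.
# Usage: build_zone_stanza ZONE HOST KEYNAME
build_zone_stanza() {
    zone=$1; host=$2; keyname=$3
    cat <<EOF
zone "$zone" {
    type master;
    file "/usr/local/etc/namedb/$zone.db";   // assumed path, adjust to your install
    update-policy {
        grant "$keyname" name _acme-challenge.$host. TXT;
    };
};
EOF
}

# Pipe a batch into nsupdate with the key file; only runs when nsupdate exists.
# Usage: build_txt_add_batch ... | send_batch KEYFILE
send_batch() {
    command -v nsupdate >/dev/null 2>&1 || { echo "nsupdate not installed" >&2; return 1; }
    nsupdate -k "$1"
}

# Demonstration with the thread's names (constructed token and key name).
echo "# batch to add the challenge TXT:"
build_txt_add_batch 127.0.0.1 bicsa.cu bicsa.cu EXAMPLE-TOKEN
echo "# batch to clean up leftover challenge TXT values:"
build_txt_delete_batch 127.0.0.1 bicsa.cu enlinea.bicsa.cu
echo "# zone stanza with least-privilege update policy:"
build_zone_stanza bicsa.cu bicsa.cu acme-update-key
```

    To actually apply a batch, write the key file with build_key_file to a root-only path (mode 600, since the secret is a bearer credential) and run, for instance, build_txt_add_batch 127.0.0.1 bicsa.cu bicsa.cu "$TOKEN" | send_batch /path/to/acme-update.key. With the update-policy stanza in place, the BIND update-security log line still says "signer ... approved", but an attempt to add an A record with the same key is refused.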


  • Rebel Alliance Developer Netgate

    @gertjan said in ACME and Bind dns Server on pfsense in the same server:

    Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):

    key "_acme-challenge.brit-hotel-fumel.net" {
    	algorithm hmac-md5;
    	secret "nFbjaI7mIMoDI0MpoByObC==";
    };
    

    [image: screenshot of the ACME certificate settings]

    You scribbled out the key in the image but left it in plain text when you posted the key file contents :-)



  • @jimp said in ACME and Bind dns Server on pfsense in the same server:

    scribbled

    I was pretty sure I would receive that remark ☺
    "nFbjaI7mIMoDI0MpoByObC==" is a fake ^^
    Thanks anyway ✌



  • Hi! Sorry, me again...
    I have read several times and tried, but I stumble over several errors ...
    I tried from the command line and from the pfSense web config; my DNS is updated and it returns this error ...

    [Tue Jan 15 08:43:56 CST 2019] Single domain='enlinea.bicsa.cu'
    [Tue Jan 15 08:43:56 CST 2019] Getting domain auth token for each domain
    [Tue Jan 15 08:43:59 CST 2019] Getting webroot for domain='enlinea.bicsa.cu'
    [Tue Jan 15 08:43:59 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Jan 15 08:43:59 CST 2019] adding _acme-challenge.enlinea.bicsa.cu. 60 in txt "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
    [Tue Jan 15 08:43:59 CST 2019] Sleep 120 seconds for the txt records to take effect
    [Tue Jan 15 08:46:00 CST 2019] Verifying:enlinea.bicsa.cu
    [Tue Jan 15 08:46:04 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Jan 15 08:46:04 CST 2019] Removing DNS records.
    [Tue Jan 15 08:46:04 CST 2019] enlinea.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu
    [Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
    [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
    [Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
    [Tue Jan 15 08:46:04 CST 2019] Error removing txt for domain:_acme-challenge.enlinea.bicsa.cu
    [Tue Jan 15 08:46:04 CST 2019] Please check log file for more details: /tmp/acme/bicsa/acme_issuecert.log
    After querying my DNS server I see:
    [root@temis ~]# dig _acme-challenge.enlinea.bicsa.cu txt

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> _acme-challenge.enlinea.bicsa.cu txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1699
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;_acme-challenge.enlinea.bicsa.cu. IN TXT

    ;; ANSWER SECTION:
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "-CyGI3mBvSqjfP8F-SWBAGBRVB88k4LXRgM3jTGGu-U"
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "rLgLQa2nh2Wo1COaZ04vouNb5qoMLDJcrrL4_XNoOic"
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "TOzYyEBH-u5u2Lm-Z1ownM2h2Ja45GviqvWMnlxdkuY"
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "fE6plJ7PstkuXhLhbHqNFamLTpSJq6MZn9l2BzbXYCE"
    _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "_BxnR2jrVJFYbRw9JqR8tzVma2JsBVuuU6B7gANh_bg"

    ;; Query time: 2373 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Jan 15 09:44:41 2019
    ;; MSG SIZE rcvd: 386
    After trying several times I notice that the TXT record of each attempt is not eliminated; the key is correctly in the directory and matches the one specified in the config..



  • Here is a capture of my config.
    [image: Screenshot 2019-01-15, ns1.bicsa.cu - Services: Acme Certificate options: Edit]
    and my keys in Global Settings of the BIND config on pfSense.
    [image: Screenshot 2019-01-15, ns1.bicsa.cu - Package: BIND DNS Settings]



  • @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    after trying several times I notice that the txt record of each attempt is not eliminated

    Your TXT records confirm what you saw.

    The logs say the very same thing:

    @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate

    rm (or "remove") means "delete file".
    The Letsencrypt "test server" can't find (== resolve) the record "_acme-challenge.enlinea.bicsa.cu", which means the DNS name server(s!! there should be at least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
    This can happen when synchronisation is functioning well. The TXT subdomain was set on the master DNS server, but wasn't synced within 120 seconds with the slave DNS server.

    Check:
    Your name servers:
    dig bicsa.cu any +short
    ....
    ns2.bicsa.cu.
    ns1.bicsa.cu.
    ....

    root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
    "s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
    "DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
    "F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"

    root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short

    .... nothing = no good;

    Btw: you have serious DNSSEC troubles .....
    DNSSEC should be perfect .... or your site will not be found on the net.
    Use http://dnsviz.net/ to check (you're good for some nights without sleep).
    It is feasible though: http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).

    If the LE test server used the NS1 (your) name server (not synced) it will error out (it says: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
    Like: see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.

    Btw :
    @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    dig _acme-challenge.enlinea.bicsa.cu txt

    When I run

    dig _acme-challenge.enlinea.bicsa.cu TXT +short
    

    from a server I own (somewhere in France) I see .... nothing - no result.
    What I see is what the LE test servers see: nothing (an answer also known as 'NXDOMAIN').
    Check your DNS setup.
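    The per-name-server check done by hand in the post above (dig @ns1 ... and dig @ns2 ...), scripted as an added example that is not part of the thread. It asks the zone's NS set directly, reports which servers are missing the token the ACME client just published, and counts how many TXT values a server still carries, which is how the six leftover tokens from the earlier post would show up. Zone and host names are the thread's; the token in the usage line is a placeholder. The dig wrapper can be swapped for any function with the same (server, name, rrtype) arguments, which is also what makes the logic testable without network access.

```shell
#!/bin/sh
# Added example, not from the thread: script the check that was done by hand
# above. For every authoritative NS of the zone, query that server directly for
# the _acme-challenge TXT record and report which servers are missing the
# token the ACME client just published. Needs dig (bind-tools/dnsutils).
# Zone and host names are the thread's; the token is constructed.

# Thin wrapper around dig. LOOKUP can be pointed at another function with the
# same (server, name, rrtype) arguments, which is how the logic is tested offline.
dig_short() {
    if [ -n "$1" ]; then
        dig "@$1" "$2" "$3" +short
    else
        dig "$2" "$3" +short
    fi
}
LOOKUP=${LOOKUP:-dig_short}

# Name servers of the zone, one per line, as the public NS set reports them.
zone_nameservers() {
    "$LOOKUP" "" "$1" NS
}

# Number of TXT values one server returns for _acme-challenge.HOST. More than
# one or two usually means old tokens were never removed (the thread had six).
# Usage: count_txt_values NS HOST
count_txt_values() {
    "$LOOKUP" "$1" "_acme-challenge.$2" TXT | grep -c .
}

# Prints "ok <ns>" or "MISSING <ns>" per server; returns 0 only when every NS
# carries the expected token. Run this before letting the CA validate: a
# secondary that has not transferred the zone yet is exactly the NXDOMAIN case.
# Usage: check_txt_on_all_ns ZONE HOST EXPECTED_TOKEN
check_txt_on_all_ns() {
    zone=$1; host=$2; expected=$3; status=0
    nslist=$(zone_nameservers "$zone")
    if [ -z "$nslist" ]; then
        echo "no NS records found for $zone" >&2
        return 1
    fi
    for ns in $nslist; do
        # strip the quotes dig prints around TXT data, then look for an exact match
        answer=$("$LOOKUP" "$ns" "_acme-challenge.$host" TXT | tr -d '"')
        if printf '%s\n' "$answer" | grep -Fqx "$expected"; then
            echo "ok $ns"
        else
            echo "MISSING $ns"
            status=1
        fi
    done
    return $status
}

# Usage against a live zone (requires network), token taken from the ACME log:
#   check_txt_on_all_ns bicsa.cu enlinea.bicsa.cu "TOKEN-FROM-ACME-LOG"
```

    A non-zero exit from check_txt_on_all_ns before the CA is asked to validate means the 120-second sleep was not enough for zone transfer to the secondary, or the secondary never got a NOTIFY; a count_txt_values result well above one on any server means the cleanup step is failing, so old tokens keep accumulating.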

