Netgate Discussion Forum

    ACME and Bind dns Server on pfsense in the same server

    12 Posts 3 Posters 2.8k Views
    • luisenrique

      I have installed ACME and the BIND DNS server on the same server. The DNS server works correctly, but when I try to validate a certificate for my own domain, which is served on the same server, I receive an error.
      Which key should be put in my SAN configuration? I assumed that for the server itself to update a record dynamically no key is required, and I receive an error.
      Is there a security risk in having ACME and BIND on the same server?
      Regards

      • jimp (Rebel Alliance Developer, Netgate)

        ACME is still an nsupdate client in that context. There is nothing special about it being on the same server. It is not "the server itself" -- it's still a client updating a server, and thus requires a key like any other client.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • luisenrique @jimp

          Fine..
          So I generate the key:

          dnssec-keygen -a HMAC-MD5 -b 512 -n HOST mydomain.cu
          Kmydomain.cu.+157+54710
          cat Kmydomain.cu.+157+54710
          mydomain.cu. IN KEY 512 3 157 blababla-key-string

          Then I put the "blababla-key-string" key in the Global settings of the BIND DNS server (on the same pfSense box):

          key mydomain.cu. {
          	algorithm hmac-md5;
          	secret "blababla-key-string";
          };

          Then I go to the ACME config and in the Domain SAN list add two entries for multi domain, both with the same method, DNS-NSupdate / RFC 2136:
          domain name: mydomain.cu
          key: blababla-key-string
          and domain name: *.mydomain.cu
          key: blababla-key-string
          The key name is mydomain.cu for both entries.
          Is it right?

          • jimp (Rebel Alliance Developer, Netgate)

            You need keys for _acme-challenge.<hostname> not just <hostname>.

            I'm not that familiar with the BIND package so I can't comment on the particulars there. Assuming the hosts in the domain have the rights to create/update TXT records you should be fine once you have the right key names/keys in place.


            • luisenrique @jimp

              @jimp thanks
              I have fixed the key name, so now I am receiving this error:
              On the BIND DNS server:
              query-errors: info: client @0x802c74600 127.0.0.1#2069/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query failed (SERVFAIL) for _acme-challenge.bicsa.cu/IN/SOA at query.c:7149
              and in the ACME package:
              [Thu Jan 10 14:35:38 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
              [Thu Jan 10 14:35:38 CST 2019] Getting domain auth token for each domain
              [Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='bicsa.cu'
              [Thu Jan 10 14:35:47 CST 2019] Getting webroot for domain='*.bicsa.cu'
              [Thu Jan 10 14:35:47 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
              [Thu Jan 10 14:35:47 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "eeRIORae2UzcuTV1Ha8ySkhLSb3v536aqxmtoTq4C1w"
              response to SOA query was unsuccessful
              [Thu Jan 10 14:35:47 CST 2019] error updating domain
              [Thu Jan 10 14:35:47 CST 2019] Error add txt for domain:_acme-challenge.bicsa.cu
              [Thu Jan 10 14:35:47 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

              • luisenrique @luisenrique

                The previous error was related to the DNS server and its journal file; the zone did not load correctly. After fixing it and validating again, I receive this error:
                [Thu Jan 10 15:21:03 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
                [Thu Jan 10 15:21:03 CST 2019] Getting domain auth token for each domain
                [Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='bicsa.cu'
                [Thu Jan 10 15:21:07 CST 2019] Getting webroot for domain='*.bicsa.cu'
                [Thu Jan 10 15:21:07 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                [Thu Jan 10 15:21:07 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "LyykPuSPAGwu0iR25uaaqqtiRUCTzIjfRazeVsJ8U1A"
                [Thu Jan 10 15:21:07 CST 2019] Sleep 120 seconds for the txt records to take effect
                [Thu Jan 10 15:23:07 CST 2019] bicsa.cu is already verified, skip dns-01.
                [Thu Jan 10 15:23:07 CST 2019] Verifying:*.bicsa.cu
                [Thu Jan 10 15:23:18 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                [Thu Jan 10 15:23:18 CST 2019] Skipping nsupdate for TXT on base domain.
                [Thu Jan 10 15:23:18 CST 2019] Removing DNS records.
                [Thu Jan 10 15:23:18 CST 2019] removing _acme-challenge.bicsa.cu. txt
                [Thu Jan 10 15:23:18 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
                [Thu Jan 10 15:23:18 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

                On the BIND DNS server the logs look like the update is fine...........
                Jan 10 15:23:18 named 96796 update: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
                Jan 10 15:23:18 named 96796 update-security: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
                Jan 10 15:23:18 named 96796 queries: info: client @0x802c73c00 127.0.0.1#22872/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)

                • Gertjan (last edited by Gertjan)

                  I tried something out myself.

                  I have this domain called brit-hotel-fumel.net - I'm running my own master "bind" server which controls this domain.

                  This is the zone info for "brit-hotel-fumel.net" on my bind master :

                  zone "brit-hotel-fumel.net" {
                  	type master;
                  	file "/etc/bind/zones/db.brit-hotel-fumel.net";
                  	allow-transfer { "ns-internal-net"; };
                  	masterfile-format text;
                  	allow-update { key "_acme-challenge.brit-hotel-fumel.net."; };
                  	notify-source 188.165.53.87;
                  	notify explicit; 
                  };
                  

                  I would like to do this: adding this line to my zone "brit-hotel-fumel.net":

                  sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
                  

                  I made a file on pfSense called "update" :

                  server 188.165.53.87
                  zone brit-hotel-fumel.net
                  update add sub.brit-hotel-fumel.net. 86400 A 1.10.10.10
                  show
                  send
                  

                  Info : "188.165.53.87" is my master bind server that controls the zone " brit-hotel-fumel.net"

                  Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):

                  key "_acme-challenge.brit-hotel-fumel.net" {
                  	algorithm hmac-md5;
                  	secret "nFbjaI7mIMoDI0MpoByObC==";
                  };
                  

                  On pfSense, I run this

                  nsupdate -k key -v update
                  

                  and voila : (bind logs on server ) :

                  10-Jan-2019 21:23:45.044 update-security: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: signer "_acme-challenge.brit-hotel-fumel.net" approved
                  10-Jan-2019 21:23:45.044 update: client 82.127.34.254#42504/key _acme-challenge.brit-hotel-fumel.net: updating zone 'brit-hotel-fumel.net/IN': adding an RR at 'sub.brit-hotel-fumel.net' A
                  

                  Now I run this to check :

                  [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig sub.brit-hotel-fumel.net +short
                  1.10.10.10
                  

                  If you can reproduce all this, you come close to using acme with the nsupdate method.

                  edit :
                  my real acme settings :

                  (image: screenshot of the ACME domain settings)

                  Btw : I asked for a wild card certificate, just because I can ^^

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  • jimp (Rebel Alliance Developer, Netgate) @Gertjan

                    @gertjan said in ACME and Bind dns Server on pfsense in the same server:

                    Another file, called "key" that I copied from /etc/bind/named.conf.local (thus from my bind server settings files ):

                    key "_acme-challenge.brit-hotel-fumel.net" {
                    	algorithm hmac-md5;
                    	secret "nFbjaI7mIMoDI0MpoByObC==";
                    };
                    

                    (image: screenshot of the ACME domain settings)

                    You scribbled out the key in the image but left it in plain text when you posted the key file contents :-)


                    • Gertjan @jimp

                      @jimp said in ACME and Bind dns Server on pfsense in the same server:

                      scribbled

                      I was pretty sure I would receive that remark ☺
                      "nFbjaI7mIMoDI0MpoByObC==" is a fake ^^
                      Thanks anyway ✌


                      • luisenrique @Gertjan

                        Hi! Sorry, me again...
                        I have read it several times and tried, but I stumble over several errors...
                        I tried from the command line and from the pfSense web config; my DNS is updated and it returns this error...

                        [Tue Jan 15 08:43:56 CST 2019] Single domain='enlinea.bicsa.cu'
                        [Tue Jan 15 08:43:56 CST 2019] Getting domain auth token for each domain
                        [Tue Jan 15 08:43:59 CST 2019] Getting webroot for domain='enlinea.bicsa.cu'
                        [Tue Jan 15 08:43:59 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                        [Tue Jan 15 08:43:59 CST 2019] adding _acme-challenge.enlinea.bicsa.cu. 60 in txt "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
                        [Tue Jan 15 08:43:59 CST 2019] Sleep 120 seconds for the txt records to take effect
                        [Tue Jan 15 08:46:00 CST 2019] Verifying:enlinea.bicsa.cu
                        [Tue Jan 15 08:46:04 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                        [Tue Jan 15 08:46:04 CST 2019] Removing DNS records.
                        [Tue Jan 15 08:46:04 CST 2019] enlinea.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu
                        [Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
                        [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
                        [Tue Jan 15 08:46:04 CST 2019] key /tmp/acme/bicsa/enlinea.bicsa.cunsupdate.key is unreadable
                        [Tue Jan 15 08:46:04 CST 2019] Error removing txt for domain:_acme-challenge.enlinea.bicsa.cu
                        [Tue Jan 15 08:46:04 CST 2019] Please check log file for more details: /tmp/acme/bicsa/acme_issuecert.log
                        After querying my DNS server I see:
                        [root@temis ~]# dig _acme-challenge.enlinea.bicsa.cu txt

                        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> _acme-challenge.enlinea.bicsa.cu txt
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1699
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

                        ;; QUESTION SECTION:
                        ;_acme-challenge.enlinea.bicsa.cu. IN TXT

                        ;; ANSWER SECTION:
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "-CyGI3mBvSqjfP8F-SWBAGBRVB88k4LXRgM3jTGGu-U"
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "rLgLQa2nh2Wo1COaZ04vouNb5qoMLDJcrrL4_XNoOic"
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "TOzYyEBH-u5u2Lm-Z1ownM2h2Ja45GviqvWMnlxdkuY"
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "6QQT6KeWz_Cpe1tKBU0tcoR6a_FL6EGPZqHJXvAN5bk"
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "fE6plJ7PstkuXhLhbHqNFamLTpSJq6MZn9l2BzbXYCE"
                        _acme-challenge.enlinea.bicsa.cu. 60 IN TXT "_BxnR2jrVJFYbRw9JqR8tzVma2JsBVuuU6B7gANh_bg"

                        ;; Query time: 2373 msec
                        ;; SERVER: 127.0.0.1#53(127.0.0.1)
                        ;; WHEN: Tue Jan 15 09:44:41 2019
                        ;; MSG SIZE rcvd: 386
                        After trying several times I notice that the TXT record of each attempt is not eliminated; the key is correctly in the directory and matches the one specified in the config..

                        • luisenrique @luisenrique

                          Here is a capture of my config.
                          (image: screenshot of the ACME certificate options)
                          And my keys in the Global Settings of the BIND config on pfSense.
                          (image: screenshot of the BIND DNS Settings page)

                          • Gertjan @luisenrique (last edited by Gertjan)

                            @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

                            after trying several times I notice that the txt record of each attempt is not eliminated

                            Your TXT records confirm what you saw.

                            The logs say the very same thing :

                            @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

                            [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate

                            rm (or "remove") means "delete file".
                            The Letsencrypt "test server" can't find (== resolve) the record "_acme-challenge.enlinea.bicsa.cu", which means the DNS name server(s) (!! there should be at least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
                            This can happen when synchronisation is functioning well. (The TXT subdomain was set on the master DNS server, but wasn't synced within 120 seconds to the slave DNS server.)

                            Check :
                            Your name servers :
                            dig bicsa.cu any +short
                            ....
                            ns2.bicsa.cu.
                            ns1.bicsa.cu.
                            ....

                            root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
                            "s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
                            "DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
                            "F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"

                            root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short

                            .... nothing = no good;

                            Btw : you have serious DNSSEC troubles .....
                            DNSSEC should be perfect .... or your site will not be found on the net.
                            Use http://dnsviz.net/ to check (you're good for some nights without sleep).
                            It is feasible though: http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).

                            If the LE test server used the NS1 (your) name server (not synced) it will error out (it says : NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
                            Like : see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.

                            Btw :
                            @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

                            dig _acme-challenge.enlinea.bicsa.cu txt

                            When I run

                            dig _acme-challenge.enlinea.bicsa.cu TXT +short
                            

                            from a server I own (somewhere in France) I see .... nothing - no result.
                            What I see is what the LE test servers see : nothing (answer also known as 'NXDOMAIN').
                            Check your DNS setup.

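As an added example (not code from the thread, the pfSense ACME package or BIND itself), this script puts Gertjan's nsupdate/dig procedure and his per-name-server check into one place: it builds the nsupdate batch for the _acme-challenge TXT record, emits a BIND key and update-policy fragment that confines the key to that single TXT name (hmac-sha256 and update-policy are choices made here; the thread uses hmac-md5 and a zone-wide allow-update), and then asks every authoritative NS of the zone whether it serves the token. All hosts, tokens, secrets and the script name are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread or the pfSense packages: build the nsupdate
# batch and a BIND fragment for a dns-01 _acme-challenge TXT record, then check
# every authoritative name server for it. Hosts, tokens and secrets are placeholders.

# nsupdate batch in the same shape as Gertjan's "update" file, for the TXT record
# that dns-01 validation looks up.
# $1 = master server   $2 = zone   $3 = host FQDN   $4 = token   $5 = add|delete
acme_nsupdate_batch() {
    rr="_acme-challenge.$3."
    printf 'server %s\nzone %s\n' "$1" "$2"
    case "$5" in
        add)    printf 'update add %s 60 TXT "%s"\n' "$rr" "$4" ;;
        delete) printf 'update delete %s TXT\n' "$rr" ;;
        *)      echo "mode must be add or delete" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# named.conf fragment: the key may only change the one TXT name it needs
# (update-policy grant ... name ... TXT) instead of allow-update on the whole
# zone, and uses hmac-sha256 instead of the hmac-md5 seen in the thread.
# $1 = key name   $2 = base64 secret (e.g. from tsig-keygen)   $3 = host FQDN
acme_key_fragment() {
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$2"
    printf 'update-policy { grant "%s" name _acme-challenge.%s. TXT; };\n' "$1" "$3"
}

# Ask every authoritative NS of the zone for the record: the ns1/ns2 comparison
# Gertjan did by hand. Returns 1 if any server does not serve the token, which
# is the case where validation can land on that server and see NXDOMAIN.
# $1 = zone   $2 = host FQDN   $3 = expected token
check_all_ns() {
    bad=0
    for ns in $(dig +short NS "$1"); do
        if dig +short @"$ns" "_acme-challenge.$2" TXT | grep -qF "\"$3\""; then
            echo "$ns: has record"
        else
            echo "$ns: MISSING"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh acme-dns01-check.sh <master> <zone> <host> <token> <keyfile>
# Adds the record with the TSIG key file (nsupdate -k, as in the thread), waits
# for secondaries to pick up the change, then verifies on all name servers.
main() {
    acme_nsupdate_batch "$1" "$2" "$3" "$4" add | nsupdate -k "$5" -v
    sleep 10
    check_all_ns "$2" "$3" "$4"
}
if [ "$#" -eq 5 ]; then main "$@"; fi
```

Run the delete mode of acme_nsupdate_batch through nsupdate afterwards to clean up, since the thread shows what happens when stale TXT records from earlier attempts are left behind.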

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.