ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script



  • Trying to use RFC 2136 to issue an ACMEv2 certificate via pfSense. I can manually add the TXT entry with nsupdate with the settings that I got from the dyndns.com website. However, the pfSense script fails. It seems that the zone is not being properly set (as per the log below). Any clue on what I have been doing wrong?

    (PS: domain changed to example.com and hashes omitted on purpose)
    (PS2: pfsense v. 2.4.4-RELEASE-p2 (amd64) / acme v. 0.5.1)

    Domain SAN list settings:

    • Mode: enabled
    • Domainname: example.com
    • Method: DNS-NSupdate / RFC 2136
    • Server: update.dyndns.com
    • Key Name: (empty) (tried also _acme-challenge.example.com)
    • Key Algorithm: HMAC-MD5
    • Key: (TSIG key name) (TSIG key hmac)
    • Enable DNS alias mode: (empty)

    acme_cert.log

    [Tue Jan 15 10:59:17 -02 2019] d='example.com'
    [Tue Jan 15 10:59:17 -02 2019] _d_alias
    [Tue Jan 15 10:59:17 -02 2019] txtdomain='_acme-challenge.example.com'
    [Tue Jan 15 10:59:17 -02 2019] base64 single line.
    [Tue Jan 15 10:59:17 -02 2019] txt='[omitted]'
    [Tue Jan 15 10:59:17 -02 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
    [Tue Jan 15 10:59:17 -02 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Jan 15 10:59:17 -02 2019] dns_nsupdate_add exists=0
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 6:NSUPDATE_SERVER_PORT=''
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 7:NSUPDATE_KEY='/tmp/acme/test_wildcard_example.com/example.comnsupdate_acme-challenge.example.com.key'
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 8:NSUPDATE_ZONE=''
    [Tue Jan 15 10:59:17 -02 2019] adding _acme-challenge.example.com. 60 in txt "(omitted)"
    [Tue Jan 15 10:59:17 -02 2019] error updating domain
    [Tue Jan 15 10:59:17 -02 2019] Error add txt for domain:_acme-challenge.example.com
    [Tue Jan 15 10:59:17 -02 2019] pid
    [Tue Jan 15 10:59:17 -02 2019] No need to restore nginx, skip.
    
    
    $ nsupdate -d
    > server update.dyndns.com
    > zone example.com
    > key (TSIG key name) (TSIG key hmac)
    > update add _test.example.com. 60 IN TXT "something"
    > send
    Sending update to 162.88.175.16#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;example.com.		IN	SOA
    
    ;; UPDATE SECTION:
    _test.example.com.	60	IN	TXT	"something"
    
    ;; TSIG PSEUDOSECTION:
    (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0
    
    
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
    ;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;example.com.		IN	SOA
    
    ;; TSIG PSEUDOSECTION:
    (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0 
    
    $
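    The difference between the working manual session above and the failing package run is the zone directive (NSUPDATE_ZONE=''). As an added example, not the pfSense ACME package's own dns_nsupdate.sh and not the poster's session, here is a small POSIX shell helper that builds the command stream nsupdate reads on stdin, always emitting the zone line when a zone is given and refusing to send when no zone covering the record name is present. Server, zone, record name and key-file path are placeholders.

```shell
#!/bin/sh
# Added example, not the pfSense ACME package's own dns_nsupdate.sh: build the
# command stream nsupdate reads on stdin for an RFC 2136 TXT update, with the
# "zone" directive that the failing package log shows empty (NSUPDATE_ZONE='').

# Print the nsupdate commands for one TXT record. The zone line is written only
# when a zone is supplied; the manual session in the thread includes it, the
# package run does not.
build_nsupdate_script() {
  server=$1; port=$2; zone=$3; name=$4; value=$5; ttl=${6:-60}
  printf 'server %s%s\n' "$server" "${port:+ $port}"
  if [ -n "$zone" ]; then
    printf 'zone %s.\n' "${zone%.}"
  fi
  printf 'update add %s. %s IN TXT "%s"\n' "${name%.}" "$ttl" "$value"
  printf 'send\n'
}

# Pre-send check: a zone directive must be present and must be a parent of the
# record name; otherwise nsupdate has to discover the zone itself, which is the
# path the failing package run took. Returns 0 when the script is acceptable.
nsupdate_script_ok() {
  zone=$(printf '%s\n' "$1" | sed -n 's/^zone \(.*\)\.$/\1/p')
  name=$(printf '%s\n' "$1" | sed -n 's/^update add \([^ ]*\)\. .*/\1/p')
  [ -n "$zone" ] || return 1
  case "$name" in
    *."$zone") return 0 ;;
    *) return 1 ;;
  esac
}

# Send the update signed with the TSIG key file (-k), as the package does.
# Assumes BIND's nsupdate is installed; the key file path is a placeholder.
send_txt_update() {
  keyfile=$1; shift
  script=$(build_nsupdate_script "$@")
  if ! nsupdate_script_ok "$script"; then
    echo "refusing to send: no zone directive covering the record" >&2
    return 2
  fi
  printf '%s\n' "$script" | nsupdate -k "$keyfile"
}

# Example invocation with constructed values; uncomment to run against a server:
# send_txt_update /path/to/tsig.key update.dyndns.com "" example.com \
#   _acme-challenge.example.com "challenge-token-here"
```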
    


  • @gstos said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

    _test.example.com.

    Right after your manual update test, does a

    dig _test.example.com TXT

    confirm the zone is updated? Is the TXT record updated?

    Also : get your NS (name servers) with

    dig example.com NS
    

    and query them all, like

    dig @ns1.example.com _test.example.com TXT
    dig @ns2.example.com _test.example.com TXT

    If they are not the same, DNS syncing wasn't done yet.
    Use a bigger DNS-Sleep delay if needed.
    Check your general zone with (for example) https://zonemaster.iis.se/


  • Rebel Alliance Developer Netgate

    That NSUPDATE_ZONE field is not supported in the ACME package GUI yet, and it might be that you need to set that for the update to work.



  • @jimp
    Thanks a lot! Since I am trying to obtain a wildcard certificate, I need to figure another way out to validate my DNS. I haven't tried to validate via API access yet, but this is probably the way to go for now!

    Also thanks to @Gertjan. Duly noted! The script is not touching the DNS. I forgot to include that relevant piece of information in my original post, though. It looks like the zone is required for dyndns, as the TSIG key is unique per user and a user can manage more than one zone under their account. It is speculation, I know, but there is some logic behind it...



  • @jimp I've run into this issue as well, and when testing manually, the "ZONE" directive is required in my case as well [using DYN Standard DNS].

    Do you have any clue as to when NSUPDATE_ZONE could be added? Would adding a ticket speed that along?


  • Rebel Alliance Developer Netgate

    @forbinscolossus said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

    Would adding a ticket speed that along?

    Upgrading your acme package will do ^^



  • Odd... now the LOG doesn't match the error traceback for data. [Anonymized]

    acme_issuecert.log:

    [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Feb 19 21:14:53 EST 2019] dns_nsupdate_add exists=0
    [Tue Feb 19 21:14:53 EST 2019] APP
    [Tue Feb 19 21:14:53 EST 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
    [Tue Feb 19 21:14:53 EST 2019] APP
    [Tue Feb 19 21:14:53 EST 2019] 6:NSUPDATE_SERVER_PORT=''
    [Tue Feb 19 21:14:53 EST 2019] APP
    [Tue Feb 19 21:14:53 EST 2019] 7:NSUPDATE_KEY='/tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate_acme-challenge.extern1.[domain].org.key'
    [Tue Feb 19 21:14:53 EST 2019] APP
    [Tue Feb 19 21:14:53 EST 2019] 8:NSUPDATE_ZONE=''
    [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
    [Tue Feb 19 21:14:53 EST 2019] error updating domain
    [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
    

    Onscreen error:

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [NSUPDATE_SERVER] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
    [NSUPDATE_KEYNAME] => [tsig_key]
    [NSUPDATE_KEYALGO] => 157
    [NSUPDATE_KEY] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
    [NSUPDATE_ZONE] => [domain].org
    )
    [Tue Feb 19 21:14:50 EST 2019] Registering account
    [Tue Feb 19 21:14:51 EST 2019] Already registered
    [Tue Feb 19 21:14:51 EST 2019] ACCOUNT_THUMBPRINT='[thumbprint]'
    [Tue Feb 19 21:14:51 EST 2019] Single domain='extern1.[domain].org'
    [Tue Feb 19 21:14:51 EST 2019] Getting domain auth token for each domain
    [Tue Feb 19 21:14:53 EST 2019] Getting webroot for domain='extern1.[domain].org'
    [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
    [Tue Feb 19 21:14:54 EST 2019] Removing DNS records.
    dns_request_getresponse: expected a TSIG or SIG(0)
    [Tue Feb 19 21:14:53 EST 2019] error updating domain
    [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
    [Tue Feb 19 21:14:53 EST 2019] Please check log file for more details: /tmp/acme/[domain].org-copy/acme_issuecert.log
    [Tue Feb 19 21:14:54 EST 2019] key /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate.key is unreadable
    [Tue Feb 19 21:14:54 EST 2019] Error removing txt for domain:_acme-challenge.extern1.[domain].org
    


  • (attached screenshot: acme Config.png)

