    ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script

    • G
      gstos
      last edited by

      Trying to use RFC 2136 to issue an ACMEv2 certificate via pfSense. I can manually add the TXT entry with nsupdate with the settings that I got from the dyndns.com website. However, the pfSense script fails. It seems that the zone is not being properly set (as per the log below). Any clue on what I have been doing wrong?

      (PS: domain changed to example.com and hashes omitted on purpose)
      (PS2: pfsense v. 2.4.4-RELEASE-p2 (amd64) / acme v. 0.5.1)

      Domain SAN list settings:

      • Mode: enabled
      • Domainname: example.com
      • Method: DNS-NSupdate / RFC 2136
      • Server: update.dyndns.com
      • Key Name: (empty) (tried also _acme-challenge.example.com)
      • Key Algorithm: HMAC-MD5
      • Key: (TSIG key name) (TSIG key hmac)
      • Enable DNS alias mode: (empty)

      acme_cert.log

      [Tue Jan 15 10:59:17 -02 2019] d='example.com'
      [Tue Jan 15 10:59:17 -02 2019] _d_alias
      [Tue Jan 15 10:59:17 -02 2019] txtdomain='_acme-challenge.example.com'
      [Tue Jan 15 10:59:17 -02 2019] base64 single line.
      [Tue Jan 15 10:59:17 -02 2019] txt='[omitted]'
      [Tue Jan 15 10:59:17 -02 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
      [Tue Jan 15 10:59:17 -02 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
      [Tue Jan 15 10:59:17 -02 2019] dns_nsupdate_add exists=0
      [Tue Jan 15 10:59:17 -02 2019] APP
      [Tue Jan 15 10:59:17 -02 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
      [Tue Jan 15 10:59:17 -02 2019] APP
      [Tue Jan 15 10:59:17 -02 2019] 6:NSUPDATE_SERVER_PORT=''
      [Tue Jan 15 10:59:17 -02 2019] APP
      [Tue Jan 15 10:59:17 -02 2019] 7:NSUPDATE_KEY='/tmp/acme/test_wildcard_example.com/example.comnsupdate_acme-challenge.example.com.key'
      [Tue Jan 15 10:59:17 -02 2019] APP
      [Tue Jan 15 10:59:17 -02 2019] 8:NSUPDATE_ZONE=''
      [Tue Jan 15 10:59:17 -02 2019] adding _acme-challenge.example.com. 60 in txt "(omitted)"
      [Tue Jan 15 10:59:17 -02 2019] error updating domain
      [Tue Jan 15 10:59:17 -02 2019] Error add txt for domain:_acme-challenge.example.com
      [Tue Jan 15 10:59:17 -02 2019] pid
      [Tue Jan 15 10:59:17 -02 2019] No need to restore nginx, skip.
      
      
      $ nsupdate -d
      > server update.dyndns.com
      > zone example.com
      > key (TSIG key name) (TSIG key hmac)
      > update add _test.example.com. 60 IN TXT "something"
      > send
      Sending update to 162.88.175.16#53
      Outgoing update query:
      ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
      ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
      ;; ZONE SECTION:
      ;example.com.		IN	SOA
      
      ;; UPDATE SECTION:
      _test.example.com.	60	IN	TXT	"something"
      
      ;; TSIG PSEUDOSECTION:
      (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0
      
      
      Reply from update query:
      ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
      ;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
      ;; ZONE SECTION:
      ;example.com.		IN	SOA
      
      ;; TSIG PSEUDOSECTION:
      (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0 
      
      $
      
      • GertjanG
        Gertjan
        last edited by Gertjan

        @gstos said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

        _test.example.com.

        Right after your manual update test, a

        dig _test.example.com TXT
        

        confirms the zone is updated? The TXT record is updated?

        Also : get your NS (name servers) with

        dig example.com NS
        

        and query them all, like
        dig @ns1.example.com _test.example.com TXT
        dig @ns2.example.com _test.example.com TXT

        if they are not the same, DNS syncing wasn't done yet.
        Use a bigger delay DNS-Sleep if needed.
        Check your general zone with (for example) https://zonemaster.iis.se/

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          That NSUPDATE_ZONE field is not supported in the ACME package GUI yet, and it might be that you need to set that for the update to work.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

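The two practical points of this thread, the missing `zone` directive that the ACME package GUI did not yet expose (jimp's reply) and the per-nameserver TXT check (Gertjan's reply), as an added shell example that is not pfSense or acme.sh code. `build_nsupdate_batch` prints the batch the thread's manual test used, refusing an empty zone; `check_propagation` queries every NS of the zone, as suggested above, and needs network access. The server name, zone and TXT value are constructed sample inputs.

```shell
#!/bin/sh
# Added example, not from the pfSense ACME package or acme.sh.

# build_nsupdate_batch SERVER ZONE FQDN TXT [TTL]
# Print an nsupdate batch that pins the zone explicitly. The log in the
# thread shows NSUPDATE_ZONE='' and a failing update; pipe this into
#   nsupdate -k /path/to/tsig.key
# so the TSIG key stays in a file rather than on the command line.
build_nsupdate_batch() {
    server=$1; zone=$2; name=$3; txt=$4; ttl=${5:-60}
    if [ -z "$zone" ]; then
        echo "build_nsupdate_batch: zone must not be empty" >&2
        return 1
    fi
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'update add %s. %s IN TXT "%s"\n' "$name" "$ttl" "$txt"
    printf 'send\n'
}

# all_same: read one dig +short answer per line and succeed only when
# every line is non-empty and identical (i.e. all NS agree).
all_same() {
    first=""
    while IFS= read -r line; do
        [ -n "$line" ] || return 1
        if [ -z "$first" ]; then
            first=$line
        elif [ "$line" != "$first" ]; then
            return 1
        fi
    done
    [ -n "$first" ]
}

# check_propagation ZONE FQDN: ask each authoritative NS of ZONE for the
# TXT record and report whether they all return the same value. A failure
# here means the DNS sleep before validation should be increased.
check_propagation() {
    zone=$1; name=$2
    for ns in $(dig +short "$zone" NS); do
        dig +short "@$ns" "$name" TXT
    done | all_same
}

# Sample usage with constructed values (network not required for this part):
build_nsupdate_batch update.dyndns.com example.com _acme-challenge.example.com "sample-token" 60
```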
          • G
            gstos @jimp
            last edited by

            @jimp
            Thanks a lot! Since I am trying to obtain a wildcard certificate, I need to figure another way out to validate my DNS. I haven't tried to validate via API access yet, but this is probably the way to go for now!

            Also thanks to @Gertjan. Duly noted! The script is not touching the DNS. I forgot to include that relevant piece of information in my original post, though. It looks like the zone is required for dyndns, as the TSIG key is unique per user and a user can manage more than one zone under its account. It is speculation, I know, but there is some logic behind it...

            • F
              forbinscolossus
              last edited by

              @jimp I've run into this issue as well, and when manually testing the "ZONE" directive is required in my case as well [Using DYN Standard DNS]

              Do you have any clue as to when NSUPDATE_ZONE could be added? Would adding a ticket speed that along?

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                https://forum.netgate.com/topic/139845/acme-0-5-2-update
                • GertjanG
                  Gertjan @forbinscolossus
                  last edited by

                  @forbinscolossus said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

                  Would adding a ticket speed that along?

                  Upgrading your acme package will do ^^
                  • F
                    forbinscolossus
                    last edited by forbinscolossus

                    Odd... now the LOG doesn't match the error traceback for data. [Anonymized]

                    acme_issuecert.log:

                    [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                    [Tue Feb 19 21:14:53 EST 2019] dns_nsupdate_add exists=0
                    [Tue Feb 19 21:14:53 EST 2019] APP
                    [Tue Feb 19 21:14:53 EST 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
                    [Tue Feb 19 21:14:53 EST 2019] APP
                    [Tue Feb 19 21:14:53 EST 2019] 6:NSUPDATE_SERVER_PORT=''
                    [Tue Feb 19 21:14:53 EST 2019] APP
                    [Tue Feb 19 21:14:53 EST 2019] 7:NSUPDATE_KEY='/tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate_acme-challenge.extern1.[domain].org.key'
                    [Tue Feb 19 21:14:53 EST 2019] APP
                    [Tue Feb 19 21:14:53 EST 2019] 8:NSUPDATE_ZONE=''
                    [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
                    [Tue Feb 19 21:14:53 EST 2019] error updating domain
                    [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
                    

                    Onscreen error:

                    Array
                    (
                    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                    [NSUPDATE_SERVER] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
                    [NSUPDATE_KEYNAME] => [tsig_key]
                    [NSUPDATE_KEYALGO] => 157
                    [NSUPDATE_KEY] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
                    [NSUPDATE_ZONE] => [domain].org
                    )
                    [Tue Feb 19 21:14:50 EST 2019] Registering account
                    [Tue Feb 19 21:14:51 EST 2019] Already registered
                    [Tue Feb 19 21:14:51 EST 2019] ACCOUNT_THUMBPRINT='[thumbprint]'
                    [Tue Feb 19 21:14:51 EST 2019] Single domain='extern1.[domain].org'
                    [Tue Feb 19 21:14:51 EST 2019] Getting domain auth token for each domain
                    [Tue Feb 19 21:14:53 EST 2019] Getting webroot for domain='extern1.[domain].org'
                    [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                    [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
                    [Tue Feb 19 21:14:54 EST 2019] Removing DNS records.
                    dns_request_getresponse: expected a TSIG or SIG(0)
                    [Tue Feb 19 21:14:53 EST 2019] error updating domain
                    [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
                    [Tue Feb 19 21:14:53 EST 2019] Please check log file for more details: /tmp/acme/[domain].org-copy/acme_issuecert.log
                    [Tue Feb 19 21:14:54 EST 2019] key /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate.key is unreadable
                    [Tue Feb 19 21:14:54 EST 2019] Error removing txt for domain:_acme-challenge.extern1.[domain].org
                    
                    • F
                      forbinscolossus
                      last edited by

                      [image attachment: acme Config.png]
