Netgate Discussion Forum

ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script

    gstos, last edited Jan 15, 2019, 1:53 PM:

    Trying to use RFC 2136 to issue an ACMEv2 certificate via pfSense. I can manually add the TXT entry with nsupdate with the settings that I got from the dyndns.com website. However, the pfSense script fails. It seems that the zone is not being properly set (as per the log below). Any clue on what I have been doing wrong?

    (PS: domain changed to example.com and hashes omitted on purpose)
    (PS2: pfsense v. 2.4.4-RELEASE-p2 (amd64) / acme v. 0.5.1)

    Domain SAN list settings:

    • Mode: enabled
    • Domainname: example.com
    • Method: DNS-NSupdate / RFC 2136
    • Server: update.dyndns.com
    • Key Name: (empty) (tried also _acme-challenge.example.com)
    • Key Algorithm: HMAC-MD5
    • Key: (TSIG key name) (TSIG key hmac)
    • Enable DNS alias mode: (empty)

    acme_cert.log

    [Tue Jan 15 10:59:17 -02 2019] d='example.com'
    [Tue Jan 15 10:59:17 -02 2019] _d_alias
    [Tue Jan 15 10:59:17 -02 2019] txtdomain='_acme-challenge.example.com'
    [Tue Jan 15 10:59:17 -02 2019] base64 single line.
    [Tue Jan 15 10:59:17 -02 2019] txt='[omitted]'
    [Tue Jan 15 10:59:17 -02 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
    [Tue Jan 15 10:59:17 -02 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
    [Tue Jan 15 10:59:17 -02 2019] dns_nsupdate_add exists=0
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 6:NSUPDATE_SERVER_PORT=''
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 7:NSUPDATE_KEY='/tmp/acme/test_wildcard_example.com/example.comnsupdate_acme-challenge.example.com.key'
    [Tue Jan 15 10:59:17 -02 2019] APP
    [Tue Jan 15 10:59:17 -02 2019] 8:NSUPDATE_ZONE=''
    [Tue Jan 15 10:59:17 -02 2019] adding _acme-challenge.example.com. 60 in txt "(omitted)"
    [Tue Jan 15 10:59:17 -02 2019] error updating domain
    [Tue Jan 15 10:59:17 -02 2019] Error add txt for domain:_acme-challenge.example.com
    [Tue Jan 15 10:59:17 -02 2019] pid
    [Tue Jan 15 10:59:17 -02 2019] No need to restore nginx, skip.
    
    
    $ nsupdate -d
    > server update.dyndns.com
    > zone example.com
    > key (TSIG key name) (TSIG key hmac)
    > update add _test.example.com. 60 IN TXT "something"
    > send
    Sending update to 162.88.175.16#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;example.com.		IN	SOA
    
    ;; UPDATE SECTION:
    _test.example.com.	60	IN	TXT	"something"
    
    ;; TSIG PSEUDOSECTION:
    (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0
    
    
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   7826
    ;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;example.com.		IN	SOA
    
    ;; TSIG PSEUDOSECTION:
    (omitted)		0	ANY	TSIG	hmac-md5.sig-alg.reg.int. 1547556691 300 16 (omitted) 7826 NOERROR 0 
    
    $
    
      Gertjan, posted Jan 18, 2019, 8:44 AM (edited 8:45 AM):

      @gstos said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

      _test.example.com.

      Right after your manual update test, does a

      dig _test.example.com TXT

      confirm the zone is updated? The text record is updated?

      Also: get your NS (name servers) with

      dig example.com NS

      and query them all, like

      dig @ns1.example.com _test.example.com TXT
      dig @ns2.example.com _test.example.com TXT

      If they are not the same, DNS syncing wasn't done yet.
      Use a bigger DNS-Sleep delay if needed.
      Check your general zone with (for example) https://zonemaster.iis.se/

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

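Gertjan's propagation check, written out as a script that can be run before the ACME server is asked to validate. This is an added example, not code from the thread or from the ACME package: it assumes `dig` (BIND tools) is installed for the live query, and the comparison helper is plain sh that runs on a constructed sample embedded below. It generalises the two-server check in the post to the whole NS set of the zone.

```shell
#!/bin/sh
# Added example, not from the thread: check that every authoritative name
# server of the zone returns the same _acme-challenge TXT record before the
# ACME server is asked to validate. Assumes `dig` (BIND tools) for the live
# query; the comparison helper is plain sh and runs on a constructed sample.

# txt_answers_consistent: read "<nameserver> <answer>" lines on stdin; return 0
# when all answers are identical, 1 when they differ or no line was read.
# A server with no record is recorded as the literal token NODATA so that a
# server that has not received the update yet counts as a mismatch.
txt_answers_consistent() {
    first=
    count=0
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ns=${line%% *}
        ans=${line#* }
        count=$((count + 1))
        if [ "$count" -eq 1 ]; then
            first=$ans
        elif [ "$ans" != "$first" ]; then
            printf 'mismatch: %s answered %s, expected %s\n' "$ns" "$ans" "$first" >&2
            rc=1
        fi
    done
    [ "$count" -gt 0 ] || rc=1
    return $rc
}

# check_txt_on_all_ns ZONE NAME: find the zone's NS set, query each server
# directly (bypassing any caching resolver) and compare the answers.
check_txt_on_all_ns() {
    zone=$1
    name=$2
    for ns in $(dig +short "$zone" NS); do
        ans=$(dig +short "@$ns" "$name" TXT | sort | tr '\n' ' ' | sed 's/ $//')
        printf '%s %s\n' "$ns" "${ans:-NODATA}"
    done | txt_answers_consistent
}

# Constructed sample: ns2 has not received the update yet.
sample='ns1.example.com. "constructed-token"
ns2.example.com. NODATA
ns3.example.com. "constructed-token"'

if printf '%s\n' "$sample" | txt_answers_consistent; then
    echo "all name servers agree; the ACME server can validate now"
else
    echo "name servers disagree; wait (raise DNS-Sleep) and re-check"
fi

# Live check, only when dig is available and a zone and name are given:
#   sh check_txt.sh example.com _acme-challenge.example.com
if [ $# -eq 2 ] && command -v dig >/dev/null 2>&1; then
    check_txt_on_all_ns "$1" "$2"
fi
```

Querying each NS with `@server` is the important part: a plain `dig` goes through the local resolver and its cache, so it can report the record as present while one of the authoritative servers still lacks it.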
        jimp (Rebel Alliance, Developer, Netgate), last edited Jan 18, 2019, 2:13 PM:

        That NSUPDATE_ZONE field is not supported in the ACME package GUI yet, and it might be that you need to set that for the update to work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          gstos, replying to @jimp, Jan 18, 2019, 6:39 PM:

          @jimp
          Thanks a lot! Since I am trying to obtain a wildcard certificate, I need to figure another way out to validate my DNS. I haven't tried to validate via API access yet, but this is probably the way to go for now!

          Also thanks to @Gertjan. Duly noted! The script is not touching the DNS. I forgot to include that relevant piece of information in my original post, though. It looks like the zone is required for dyndns, as the TSIG key is unique per user and a user can manage more than one zone under their account. It is speculation, I know, but there is some logic behind it...

            forbinscolossus, Feb 19, 2019, 3:24 AM:

            @jimp I've run into this issue as well, and when manually testing the "ZONE" directive is required in my case as well [Using DYN Standard DNS]

            Do you have any clue as to when NSUPDATE_ZONE could be added? Would adding a ticket speed that along?

              jimp (Rebel Alliance, Developer, Netgate), Feb 19, 2019, 4:08 AM:

              https://forum.netgate.com/topic/139845/acme-0-5-2-update


                Gertjan, replying to @forbinscolossus, Feb 19, 2019, 4:25 PM:

                @forbinscolossus said in ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script:

                Would adding a ticket speed that along?

                Upgrading your acme package will do ^^


                  forbinscolossus, posted Feb 20, 2019, 2:24 AM (edited 2:33 AM):

                  Odd... now the log doesn't match the error traceback for data. [Anonymized]

                  acme_issuecert.log:

                  [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                  [Tue Feb 19 21:14:53 EST 2019] dns_nsupdate_add exists=0
                  [Tue Feb 19 21:14:53 EST 2019] APP
                  [Tue Feb 19 21:14:53 EST 2019] 5:NSUPDATE_SERVER='update.dyndns.com'
                  [Tue Feb 19 21:14:53 EST 2019] APP
                  [Tue Feb 19 21:14:53 EST 2019] 6:NSUPDATE_SERVER_PORT=''
                  [Tue Feb 19 21:14:53 EST 2019] APP
                  [Tue Feb 19 21:14:53 EST 2019] 7:NSUPDATE_KEY='/tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate_acme-challenge.extern1.[domain].org.key'
                  [Tue Feb 19 21:14:53 EST 2019] APP
                  [Tue Feb 19 21:14:53 EST 2019] 8:NSUPDATE_ZONE=''
                  [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
                  [Tue Feb 19 21:14:53 EST 2019] error updating domain
                  [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
                  

                  Onscreen error:

                  Array
                  (
                  [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                  [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                  [NSUPDATE_SERVER] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
                  [NSUPDATE_KEYNAME] => [tsig_key]
                  [NSUPDATE_KEYALGO] => 157
                  [NSUPDATE_KEY] => /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate
                  [NSUPDATE_ZONE] => [domain].org
                  )
                  [Tue Feb 19 21:14:50 EST 2019] Registering account
                  [Tue Feb 19 21:14:51 EST 2019] Already registered
                  [Tue Feb 19 21:14:51 EST 2019] ACCOUNT_THUMBPRINT='[thumbprint]'
                  [Tue Feb 19 21:14:51 EST 2019] Single domain='extern1.[domain].org'
                  [Tue Feb 19 21:14:51 EST 2019] Getting domain auth token for each domain
                  [Tue Feb 19 21:14:53 EST 2019] Getting webroot for domain='extern1.[domain].org'
                  [Tue Feb 19 21:14:53 EST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
                  [Tue Feb 19 21:14:53 EST 2019] adding _acme-challenge.extern1.[domain].org. 60 in txt "[data]"
                  [Tue Feb 19 21:14:54 EST 2019] Removing DNS records.
                  dns_request_getresponse: expected a TSIG or SIG(0)
                  [Tue Feb 19 21:14:53 EST 2019] error updating domain
                  [Tue Feb 19 21:14:53 EST 2019] Error add txt for domain:_acme-challenge.extern1.[domain].org
                  [Tue Feb 19 21:14:53 EST 2019] Please check log file for more details: /tmp/acme/[domain].org-copy/acme_issuecert.log
                  [Tue Feb 19 21:14:54 EST 2019] key /tmp/acme/[domain].org-copy/extern1.[domain].orgnsupdate.key is unreadable
                  [Tue Feb 19 21:14:54 EST 2019] Error removing txt for domain:_acme-challenge.extern1.[domain].org
                  
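Two failure modes appear in this thread: jimp's point that the update fails while `NSUPDATE_ZONE` is empty (the `8:NSUPDATE_ZONE=''` line in both logs), and the `key ... is unreadable` line in the log above. The script below, an added example and not the ACME package's or acme.sh's own code, preflights those settings before anything is sent to the DNS server and then prints the nsupdate input with an explicit `zone` line. Function names and the demo values are mine; the only assumption about the environment is that the key file uses BIND's `key "name" { algorithm ...; secret "..."; };` stanza, which is the format `nsupdate -k` reads.

```shell
#!/bin/sh
# Added example, not the ACME package's or acme.sh's own code. Preflights the
# RFC 2136 settings that the thread's logs show (NSUPDATE_SERVER, NSUPDATE_KEY,
# NSUPDATE_ZONE) and prints the nsupdate input with an explicit "zone" line.
# Assumes the key file uses BIND's `key "name" { algorithm ...; secret "..."; };`
# stanza, which is the format `nsupdate -k` reads.

# tsig_key_usable KEYFILE: 0 when the file is readable by us, not readable by
# group/others, and carries an algorithm and a secret; 1 (with a reason on
# stderr) otherwise. The permission check matters because the TSIG secret
# authorises updates to every zone the account controls.
tsig_key_usable() {
    keyfile=$1
    if [ ! -r "$keyfile" ]; then
        echo "key $keyfile is unreadable" >&2
        return 1
    fi
    # GNU stat first, BSD stat (FreeBSD/pfSense) as the fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case $mode in
        600|400) ;;
        *) echo "key $keyfile has mode $mode; use chmod 600" >&2; return 1 ;;
    esac
    algo=$(sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;]*\);.*/\1/p' "$keyfile")
    secret=$(sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$keyfile")
    if [ -z "$algo" ] || [ -z "$secret" ]; then
        echo "key $keyfile has no algorithm/secret stanza; nsupdate cannot sign with it" >&2
        return 1
    fi
    return 0
}

# nsupdate_input SERVER PORT ZONE FQDN VALUE: print the commands to feed to
# `nsupdate -k KEYFILE`. Refuses an empty zone, because the thread shows the
# dyn update failing whenever NSUPDATE_ZONE is empty.
nsupdate_input() {
    server=$1
    port=${2:-53}
    zone=$3
    fqdn=$4
    value=$5
    if [ -z "$zone" ]; then
        echo "NSUPDATE_ZONE is empty: set it to the zone that contains $fqdn" >&2
        return 1
    fi
    printf 'server %s %s\n' "$server" "$port"
    printf 'zone %s.\n' "${zone%.}"
    printf 'update add %s. 60 IN TXT "%s"\n' "${fqdn%.}" "$value"
    printf 'send\n'
}

# Constructed demonstration: a throwaway key file (the secret is a placeholder,
# not a real TSIG secret) with the thread's settings and the zone filled in.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/acme-challenge.key" <<'EOF'
key "placeholder-tsig-key" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";
};
EOF
    chmod 600 "$tmp/acme-challenge.key"
    if tsig_key_usable "$tmp/acme-challenge.key"; then
        nsupdate_input update.dyndns.com "" example.com _acme-challenge.example.com "constructed-token"
        # To apply for real: nsupdate_input ... | nsupdate -k "$tmp/acme-challenge.key"
    fi
    rm -rf "$tmp"
}
demo
```

The printed commands are the same four lines gstos typed into `nsupdate -d` by hand, which is why the manual test succeeded: the interactive session had a `zone` line and the package's generated script did not.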
                    forbinscolossus, Feb 20, 2019, 2:33 AM:

                    (attached image: acme Config.png)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.