Netgate Discussion Forum
    Certificate with multiple SAN from two different DNS accounts result in failure

    • apundir

      I have two different domains, both hosted on GoDaddy but under different accounts (thus having their own independent API keys). When I tried to generate a wildcard certificate for domain "A" (by providing a.com and *.a.com) it works fine and generates the certificate. However, if I add domain "B" (by providing b.com and *.b.com) to the same certificate, issuing of the certificate fails due to a DNS verification failure. I dug into the logs and found the DNS update script is using the API key/secret for domain "B" for both domains. On further digging, it turns out that the domain key is stored in accountconf.conf under the SAVED_GD_Key and SAVED_GD_Secret dictionary keys. Although different keys and secrets are provided in the UI, on save the last entry wins, and that's what is causing this problem, since even the domain "A" DNS update is being attempted using the domain "B" account keys, which of course will not work.
      If it helps, I am using 2.4.4-RELEASE-p1 and acme package 0.3.2_4 on my system. I was trying the complete setup using letsencrypt-staging-2 (Let's Encrypt Staging V2) so as to ascertain it is working before moving to letsencrypt-production-2 issuance.
      Seems like a bug to me, and it will be impacting everyone who has a similar scenario. Does anyone have a workaround for this issue?
      Please suggest whether I should raise a bug for this issue.

      • JeGr (LAYER 8 Moderator)

        Did you try updating your ACME package first? Current version is 0.5.1 so it could perhaps be already fixed.

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • apundir

          There's no option in the pfSense UI to upgrade the acme package to 0.5.1. "System->Package Manager->Installed Packages" shows it to be the latest. Is there any way I can install the updated package from the CLI? I am comfortable with the CLI, so I just need a pointer/instructions, and I'll attempt it with 0.5.1 and post the results back here.

          • JeGr (LAYER 8 Moderator)

            You are sure you're on 2.4.4-p1 (or p2)? Somehow it sounds like you're on old firmware, or your DNS/updates aren't being refreshed properly.

            You could try to SSH into your box, run a pkg update, and check the output to see whether the pkg sources could be refreshed.

            Edit: The team has acknowledged problems with the update URLs at the moment, so if they have it covered, you should see the updates again after refreshing.

            • jimp (Rebel Alliance Developer Netgate)

              The update server issues today are likely why the newer version didn't show. Check again and update now.

              That said, it wouldn't surprise me if this was an upstream bug in the acme.sh dnsapi script for that provider. The nsupdate script didn't handle multiple keys until we made some significant changes to it and fed it info slightly differently.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              • apundir

                I did update packages using the pkg update command line, and after that I was able to upgrade acme to 0.5.2 from the UI. After the upgrade, I created the same configuration again, and it's the same issue this time as well: the wrong secret/key is used for the first domain.

                • apundir

                  Can I contribute a patch to the nsupdate script? I do understand we'll have to store the different keys/secrets under different keys and use them contextually in every DNS operation. I did look into the Submitting a Pull Request via GitHub page and browsed pfSense/FreeBSD-ports on GitHub but couldn't find acme there. Looks like I am looking in the wrong place. Can you please point me in the right direction so that I am able to contribute back in case I am able to fix it?

                  • jimp (Rebel Alliance Developer Netgate) @apundir

                    @apundir said in Certificate with multiple SAN from two different DNS accounts result in failure:

                    Can I contribute a patch to the nsupdate script? I do understand we'll have to store the different keys/secrets under different keys and use them contextually in every DNS operation. I did look into the Submitting a Pull Request via GitHub page and browsed pfSense/FreeBSD-ports on GitHub but couldn't find acme there. Looks like I am looking in the wrong place. Can you please point me in the right direction so that I am able to contribute back in case I am able to fix it?

                    Not sure I follow what you are saying about nsupdate. The changes to nsupdate work fine, but they are specific to how the pfSense ACME package calls nsupdate and thus aren't a good candidate to submit upstream back into acme.sh.

                    If you are talking about changing the GoDaddy script in a similar way, then you can submit a PR to us for that. The files are under https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-acme and the GoDaddy script specifically is at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_gd.sh.

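An added example (not code from the pfSense ACME package or acme.sh's dns_gd.sh) illustrating the failure from the first post, a single global SAVED_GD_Key/SAVED_GD_Secret pair where the last save wins, next to the per-domain keying that jimp suggests for the GoDaddy script. The config path, the key-naming scheme (key name suffixed with the domain, dots replaced by underscores) and the credential values are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the package's own code: a flat credential store versus a
# per-domain one for two GoDaddy accounts. Path, key layout and values are assumed.

ACCOUNT_CONF="${ACCOUNT_CONF:-/tmp/demo_accountconf.conf}"

# Constructed sample of the per-domain layout; credential values are placeholders.
cat > "$ACCOUNT_CONF" <<'EOF'
SAVED_GD_Key_a_com='key-for-account-A'
SAVED_GD_Secret_a_com='secret-for-account-A'
SAVED_GD_Key_b_com='key-for-account-B'
SAVED_GD_Secret_b_com='secret-for-account-B'
EOF

# flat_save DOMAIN KEY SECRET: the behaviour reported in the thread. The domain is
# ignored and one global pair is kept, so the last account saved wins for every domain.
flat_save() {
  GD_Key="$2"; GD_Secret="$3"
}

# gd_key_suffix DOMAIN: strip a leading "*." and turn dots into underscores.
gd_key_suffix() {
  printf '%s' "$1" | sed -e 's/^\*\.//' -e 's/\./_/g'
}

# gd_lookup NAME DOMAIN: read NAME_<suffix> from $ACCOUNT_CONF (empty if absent).
gd_lookup() {
  sed -n "s/^$1_$(gd_key_suffix "$2")='\([^']*\)'\$/\1/p" "$ACCOUNT_CONF"
}

# gd_select NAME: walk from the record name up to the registered domain until a stored
# key matches, so _acme-challenge.www.a.com still resolves to account A's credentials.
gd_select() {
  d="${1#\*.}"
  while [ -n "$d" ]; do
    key=$(gd_lookup SAVED_GD_Key "$d")
    if [ -n "$key" ]; then
      GD_Key="$key"; GD_Secret=$(gd_lookup SAVED_GD_Secret "$d")
      return 0
    fi
    case "$d" in *.*) d="${d#*.}" ;; *) break ;; esac
  done
  echo "no GoDaddy credentials stored for $1" >&2
  return 1
}

# Demo: select credentials for the name given on the command line (default *.a.com).
gd_select "${1:-*.a.com}" && printf 'using key %s for %s\n' "$GD_Key" "${1:-*.a.com}"
```

Unset credentials make gd_select fail loudly instead of silently reusing another account's key, which is the condition a DNS-01 challenge for the wrong account would otherwise only reveal as a verification failure.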
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.