Certificate with multiple SAN from two different DNS accounts result in failure



  • I have two different domains, both hosted on GoDaddy but under different accounts (thus having their own independent API keys). When I tried to generate a wildcard certificate for domain "A" (by providing a.com and *.a.com) it works fine and generates the certificate. However, if I add domain "B" (by providing b.com and *.b.com) to the same certificate, issuing of the certificate fails due to a DNS verification failure. I dug into the logs and found the DNS update script is using the API key/secret for domain "B" for both domains. On further digging it turns out that the domain key is stored in accountconf.conf under the SAVED_GD_Key and SAVED_GD_Secret dictionary keys. Although different keys and secrets are provided in the UI, on save the last entry wins, and that's what is causing this problem, since even the domain "A" DNS update is being attempted using domain "B" account keys, which of course will not work.
    If it helps, I am using 2.4.4-RELEASE-p1 and acme package 0.3.2_4 on my system. I was trying the complete setup using letsencrypt-staging-2 (Let's Encrypt Staging V2) so as to ascertain it works before moving to letsencrypt-production-2 issuance.
    Seems like a bug to me and it will be impacting everyone who has a similar scenario. Does anyone have a workaround for this issue?
    Please suggest whether I should raise a bug for this issue.
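    To make the failure mode described above concrete, here is an added illustration (not code from the pfSense ACME package, acme.sh or the GoDaddy dnsapi script) of why a single flat SAVED_GD_Key/SAVED_GD_Secret pair cannot serve two accounts, and of the per-domain lookup the poster proposes. The config file contents, the `_a_com`/`_b_com` suffix scheme and all function names are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example; constructed account config in the flat NAME='value' style the thread describes.
# The flat names are written once per domain, so a naive reader only ever sees the last line.
CONF="${TMPDIR:-/tmp}/accountconf.example.$$"
cat > "$CONF" <<'EOF'
SAVED_GD_Key='key-for-a-com'
SAVED_GD_Secret='secret-for-a-com'
SAVED_GD_Key='key-for-b-com'
SAVED_GD_Secret='secret-for-b-com'
SAVED_GD_Key_a_com='key-for-a-com'
SAVED_GD_Secret_a_com='secret-for-a-com'
SAVED_GD_Key_b_com='key-for-b-com'
SAVED_GD_Secret_b_com='secret-for-b-com'
EOF

# Return the last value stored under a variable name: the "last entry wins" behaviour.
read_last() {
  grep "^$1=" "$CONF" | tail -n 1 | cut -d "'" -f 2
}

# Count distinct values saved under one name; anything above 1 means a later save overwrote an earlier one.
distinct_values() {
  grep "^$1=" "$CONF" | cut -d "'" -f 2 | sort -u | wc -l | tr -d ' '
}

# Map a domain to a suffix usable in a shell variable name (dots are not allowed there).
# A leading "*." from a wildcard SAN is stripped first, so *.a.com and a.com share credentials.
domain_suffix() {
  printf '%s' "${1#\*.}" | tr '.' '_'
}

# Credential the flat scheme hands to a DNS update: the domain argument is ignored entirely.
key_flat() {
  read_last SAVED_GD_Key
}

# Credential the per-domain scheme hands to a DNS update for the given domain.
key_scoped() {
  read_last "SAVED_GD_Key_$(domain_suffix "$1")"
}

# Stand-alone demonstration output.
for d in a.com '*.a.com' b.com; do
  printf '%-8s flat=%s scoped=%s\n' "$d" "$(key_flat "$d")" "$(key_scoped "$d")"
done
printf 'distinct SAVED_GD_Key values: %s\n' "$(distinct_values SAVED_GD_Key)"
```

    The `distinct_values` check is the quick way to confirm the overwrite from a saved config: if more than one value has ever been written under the same flat name, any consumer that reads that name will be using the wrong credential for all but one account.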


  • Rebel Alliance Moderator

    Did you try updating your ACME package first? Current version is 0.5.1 so it could perhaps be already fixed.



  • There's no option in the pfSense UI to upgrade the acme package to 0.5.1. "System->Package Manager->Installed Packages" shows it to be the latest. Is there any way I can install the updated package from the CLI? I am comfortable with the CLI so I just need a pointer/instructions and I'll attempt 0.5.1 and post back the results here.


  • Rebel Alliance Moderator

    Are you sure you're on 2.4.4-p1 (or p2)? Somehow it sounds like you're on old firmware or your DNS/updates aren't refreshed properly.

    You could try to SSH into your box and run a pkg update and check the output if the pkg sources could be refreshed.

    Edit: The team has acknowledged problems with the update URLs at the moment, so if they have it covered, you should see the updates again after refreshing.


  • Rebel Alliance Developer Netgate

    The update server issues today are likely why the newer version didn't show. Check again and update now.

    That said, it wouldn't surprise me if this was an upstream bug in the acme.sh dnsapi script for that provider. The nsupdate script didn't handle multiple keys until we made some significant changes to it and fed it info slightly differently.



  • I did update packages using the pkg update command line and after that I was able to upgrade acme to 0.5.2 from the UI. Post upgrade, I created the same configuration again and it's the same issue this time as well. Wrong secret/key used for the first domain.



  • Can I contribute to the nsupdate script as a patch? I do understand we'll have to store different keys/secrets under different names and use them contextually in every DNS operation. I did look into the Submitting a Pull Request via Github page and did browse pfSense/FreeBSD-ports on github but couldn't find acme there. Looks like I am looking in the wrong place. Can you please point me in the right direction so that I am able to contribute back in case I am able to fix it?


  • Rebel Alliance Developer Netgate

    @apundir said in Certificate with multiple SAN from two different DNS accounts result in failure:

    Can I contribute to the nsupdate script as a patch? I do understand we'll have to store different keys/secrets under different names and use them contextually in every DNS operation. I did look into the Submitting a Pull Request via Github page and did browse pfSense/FreeBSD-ports on github but couldn't find acme there. Looks like I am looking in the wrong place. Can you please point me in the right direction so that I am able to contribute back in case I am able to fix it?

    Not sure I follow what you are saying about nsupdate. The changes to nsupdate work fine, but they are specific to how the pfSense ACME package calls nsupdate and thus aren't a good candidate to submit upstream back into acme.sh.

    If you are talking about changing the GoDaddy script in a similar way, then you can submit a PR to us for that. The files are under https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-acme and the GoDaddy script specifically is at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_gd.sh

