Let's Encrypt & ACME



  • Hi,

    I have letsencrypt setup as CA within "Account Keys"

    I can successfully acquire a certificate when setting :

    • Domainname to "domain.com" and
    • Method to "DNS-NSupdate / RFC 2136"

    Yet, when logging into pfsense, the certificate warning "NET::ERR_CERT_COMMON_NAME_INVALID" is raised.

    However, setting the Domainname to the FQDN of the appliance, i.e. pfsense.domain.com, an Issue/Renew of the certificate results in:

    [@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "YOyoIfeZKqvNzBTVPI"
    ; TSIG error with server: tsig indicates error
    update failed: NOTAUTH(BADKEY)
    [@time] error updating domain
    [@time] Error add txt for domain:_acme-challenge.pfsense.domain.com

    Simply changing the Domainname from "pfsense.domain.com" to "domain.com" and the certificate is once again issued successfully, yet with an invalid CN.

    Is "_acme-challenge.pfsense" seen as a subdomain of "domain.com" whereby BIND 9.10.3 then doesn't allow updating of the domain.com zone regardless of the correct key being specified for the domain?...

    I'm a bit lost on this one. Any help will be greatly appreciated.

    Thanks





  • Setting

    "Key Name" to "pfsense" and
    "Zone" to "domain.com"

    still tries to create TXT record
    _acme-challenge.pfsense.domain.com
    rather than
    pfsense.domain.com

    [@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "VTTcvhklvFWaDrbJc"
    ; TSIG error with server: tsig indicates error
    update failed: NOTAUTH(BADKEY)
    [@time] error updating domain
    [@time] Error add txt for domain:_acme-challenge.pfsense.domain.com
    


  • And then found it!

    Take note of the difference between the key-file and key-name within the key-file.
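    As an added illustration (not code from this thread or from the pfSense ACME package), a small Python checker that reads a BIND key file and flags the two mismatches discussed above: a configured Key Name that differs from the name inside the key file, which the server rejects with NOTAUTH(BADKEY), and a challenge record that does not fall inside the configured zone. The key file contents, key name and secret are constructed placeholders.

```python
import base64
import re

# Constructed sample of a BIND "key" statement as found in a TSIG key file;
# the secret is a made-up placeholder, not a real key.
PLACEHOLDER_SECRET = base64.b64encode(b"placeholder-not-a-real-key").decode()
SAMPLE_KEY_FILE = (
    'key "acme-update" {\n'
    '    algorithm hmac-sha256;\n'
    f'    secret "{PLACEHOLDER_SECRET}";\n'
    '};\n'
)

KEY_STMT = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,
)

def parse_key_file(text):
    """Return the key name, algorithm and secret from a BIND key file."""
    m = KEY_STMT.search(text)
    if m is None:
        raise ValueError("no key statement found in key file")
    base64.b64decode(m.group("secret"), validate=True)  # reject a mangled secret
    return {"name": m.group("name").rstrip("."),
            "algorithm": m.group("alg").lower(),
            "secret": m.group("secret")}

def challenge_name(domain):
    """DNS-01 validates _acme-challenge.<domain>, whatever zone holds it."""
    return "_acme-challenge." + domain.strip().rstrip(".")

def check_nsupdate_settings(key_file_text, key_name, zone, domain):
    """Flag settings that would make the RFC 2136 update fail."""
    key = parse_key_file(key_file_text)
    zone = zone.rstrip(".").lower()
    problems = []
    if key["name"].lower() != key_name.rstrip(".").lower():
        problems.append(f'Key Name "{key_name}" is not the name inside the key file '
                        f'("{key["name"]}"); the server will answer NOTAUTH(BADKEY)')
    rr = challenge_name(domain).lower()
    if not (rr == zone or rr.endswith("." + zone)):
        problems.append(f"{rr} is not inside zone {zone}; the update targets the wrong zone")
    return problems

if __name__ == "__main__":
    for issue in check_nsupdate_settings(SAMPLE_KEY_FILE, "pfsense", "domain.com", "pfsense.domain.com"):
        print("problem:", issue)
```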



  • @Peek said in Let's Encrypt & ACME:

    _acme-challenge.pfsense.domain.com

    What about asking for a wildcard cert for root "domain.com"?
    Using
    domain.com
    and
    *.domain.com
    (twice) as "Domainname".

    You can use pfsense.domain.com, another.domain.com and something-else.domain.com, they will all 'work'.

    edit: btw:
    _acme-challenge.pfsense.domain.com
    is a subdomain so shouldn't exist already. It's just a 'random' placeholder, so the acme check server can test for a TXT field in "_acme-challenge.pfsense.domain.com" - which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.

