ACME with bind: Invalid Signature

hbauer · Jun 10, 2019, 9:44 AM

I tried to follow the pfsense hangout for configuring pfsense with letsencrypt. But despite verifying my configuration numerous time I dont find my error.

This is my configuration (names and keys are dummy but correct):

On my BIND Server I have run

dnssec-keygen -a HMAC-MD5 -b 512 -n HOST internal-net

My Bind Konfiguration is small and like this.

key "internal-net" {
 algorithm HMAC-MD5;
 secret "longscretekey........";
};

zone "internal.net." {
   type master;
   file "/etc/bind/zones/db.internal.net";
   update-policy           {
            grant internal-net  name _acme-challenge.pfsense.internal.net. txt;
    };
};

On my pfsense I create an account and then a certificate

This is the error I see in the bind server

request has invalid signature: TSIG _acme-challenge.pfsense.internal.net: tsig verify failure (BADKEY)

Any ideas?

dennysmatthew1 · Jun 10, 2019, 10:06 AM

@hbauer you should try sslforfree.com, cuz they are use lets encrypt and you can download the certificate and upload to your pfsense router...

sorry for my bad english :)

hbauer · Jun 10, 2019, 10:22 AM

I found my error. With this configuration you have to add "internal-net" to the optional "key name"

dennysmatthew1 · Jun 10, 2019, 10:25 AM

i think you must enable your port forwarding before doing it

hbauer · Jun 10, 2019, 10:31 AM

@dennysmatthew1 said in ACME with bind: Invalid Signature:

i think you must enable your port forwarding before doing it

no. not needed

dennysmatthew1 · Jun 10, 2019, 10:36 AM

but i did it not in pfsense its in mikrotik...

dennysmatthew1 · Jun 10, 2019, 10:38 AM

i expose my localhost, use ngrok localhost exposer and i have a web site and then use the sslforfree.com solution

Gertjan · Jun 10, 2019, 10:43 AM

@hbauer said in ACME with bind: Invalid Signature:

dont find my error

I did.
It's here :

So is your key name (used by bind) :
_acme-challenge.pfsense.internal.net.
?
If so, nothing to do ...
If not, well, error.

@dennysmatthew1 said in ACME with bind: Invalid Signature:

@hbauer you should try sslforfree.com, cuz they are use lets encrypt and you can download the certificate and upload to your pfsense router...
sorry for my bad english :)

Why ?
@hbauer has a domain name (although not internal.net ;) ) - and pfSense with the acme package. Thus a "real set it and forget it" situation.

@dennysmatthew1 said in ACME with bind: Invalid Signature:

i think you must enable your port forwarding before doing it

Why ?
The bind server @hbauer is using is probably somewhere on the Internet, not behind its pfSense server.

dennysmatthew1 · Jun 10, 2019, 10:49 AM

i'm sorry i still newbie, i can tell what i can do...

maybe another people can answer the @hbauer question...

Gertjan · Jun 10, 2019, 10:51 AM

@dennysmatthew1 said in ACME with bind: Invalid Signature:

i'm sorry i still newbie, i can tell what i can do...
maybe another people can answer the @hbauer question...

Don't tell : start reading first and you will find out that he already found the solution.

dennysmatthew1 · Jun 10, 2019, 10:52 AM

@Gertjan i think you right...

dennysmatthew1 · Jun 10, 2019, 11:04 AM

i have a question, how to make a captive portal in a newer pfsense os? plz someone answer...

Gertjan · Jun 10, 2019, 11:30 AM

That's not a Home > pfSense Packages > ACME related question.
Check here for question and many (more !) answers.

And the manual.

And the movies.

dennysmatthew1 · Jun 10, 2019, 12:06 PM

@Gertjan thanks, very appriciated...