Acme DNS-NSupdate / RFC 2136 issue
-
How exactly are you testing from the CLI? You probably need to set the zone parameter, it's blank in your output above.
-
Hi,
Many thanks for the feedback. In the GUI, I have set the Zone section to the correct zone (cnet.sgul.ac.uk).
On the shell on pfSense:

[2.4.4-RELEASE][admin@pfSense.localdomain]/tmp/acme/testing: nsupdate -v -k /tmp/acme/testing/login.cnet.sgul.ac.uknsupdate_acme-challenge.login.cnet.sgul.ac.uk.key
> server 194.82.51.2
> zone cnet.sgul.ac.uk
> update add fiddy.cnet.sgul.ac.uk 3600 a 10.10.10.50
> update add fiddy.cnet.sgul.ac.uk 3600 txt fiddy text
> send
> quit

[2.4.4-RELEASE][admin@pfSense.localdomain]/tmp/acme/testing: dig fiddy.cnet.sgul.ac.uk txt @194.82.51.2

; <<>> DiG 9.12.2-P1 <<>> fiddy.cnet.sgul.ac.uk txt @194.82.51.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56306
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;fiddy.cnet.sgul.ac.uk.        IN      TXT

;; ANSWER SECTION:
fiddy.cnet.sgul.ac.uk.  3484    IN      TXT     "fiddy" "text"

;; Query time: 4 msec
;; SERVER: 194.82.51.2#53(194.82.51.2)
;; WHEN: Tue Aug 06 00:07:39 UTC 2019
;; MSG SIZE  rcvd: 73

Interestingly, if I omit the "-v" from nsupdate it fails:

[2.4.4-RELEASE][admin@pfSense.localdomain]/tmp/acme/testing: nsupdate -k /tmp/acme/testing/login.cnet.sgul.ac.uknsupdate_acme-challenge.login.cnet.sgul.ac.uk.key
> server 194.82.51.2
> zone cnet.sgul.ac.uk
> update add fiddy1.cnet.sgul.ac.uk 3600 a 10.10.10.51
> send
; TSIG error with server: expected a TSIG or SIG(0)
update failed: SERVFAIL
> quit
-
More info on this.
It appears accountconf.conf contains a NULL NSUPDATE_ZONE (and it is overwritten by dns_nsupdate.sh):

ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='xxxxxxxx'
LOG_FILE='/tmp/acme/testing/acme_issuecert.log'
LOG_LEVEL='3'
NSUPDATE_SERVER='login.cnet.sgul.ac.uk'
NSUPDATE_SERVER_PORT=''
NSUPDATE_KEY='/tmp/acme/testing/login.cnet.sgul.ac.uknsupdate_acme-challenge.login.cnet.sgul.ac.uk.key'
NSUPDATE_ZONE=''

If I set THISNSUPDATE_ZONE at the top of /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh, it can issue a cert.
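As an added example (not code from pfSense, acme.sh or any poster in this thread), the script below does by hand what the nsupdate session above and the acme.sh DNS hook are doing: a TSIG-signed RFC 2136 update of one TXT record over TCP (-v), with the zone stated explicitly. It fails up front when the zone is empty, which is the condition the NSUPDATE_ZONE post describes, refuses a TSIG key file that other users can read, and reads the record back from the same server afterwards instead of trusting the client-side status. It assumes BIND's nsupdate and dig on the path, as on pfSense; the server, zone, record name and key path are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not pfSense or acme.sh code. Names, zone and key path below
# are placeholders (example.net), not values taken from the thread.

# Refuse a TSIG key file that group or others can read: anyone who can read it
# can publish whatever records the server's update policy grants that key.
# Columns 5-10 of "ls -l" are the group/other permission bits on BSD and GNU ls.
key_is_private() {
  [ -f "$1" ] || return 1
  ! ls -ld "$1" | cut -c5-10 | grep -q '[rwxst]'
}

# Build the nsupdate batch for one TXT record (add or del). An empty zone is
# rejected here instead of being sent: the thread traces its failed issues to
# an NSUPDATE_ZONE that was still empty when the hook ran.
build_nsupdate_script() {
  action=$1; server=$2; zone=$3; fqdn=${4%.}; txt=$5; ttl=${6:-60}
  if [ -z "$server" ] || [ -z "$zone" ] || [ -z "$fqdn" ] || [ -z "$txt" ]; then
    echo "build_nsupdate_script: server, zone, fqdn and txt are all required" >&2
    return 1
  fi
  case $action in
    add) printf 'server %s\nzone %s\nupdate add %s. %s IN TXT "%s"\nsend\n' \
           "$server" "$zone" "$fqdn" "$ttl" "$txt" ;;
    del) printf 'server %s\nzone %s\nupdate delete %s. IN TXT "%s"\nsend\n' \
           "$server" "$zone" "$fqdn" "$txt" ;;
    *)   echo "build_nsupdate_script: unknown action '$action'" >&2; return 1 ;;
  esac
}

# Send one batch over TCP (-v), signed with the TSIG key. nsupdate's
# "TSIG error with server: ..." means the server's reply did not pass TSIG
# verification, so the client status alone is not proof: query the record
# back from the same server and check it matches what was requested.
nsupdate_txt() {
  action=$1; keyfile=$2; server=$3; zone=$4; fqdn=${5%.}; txt=$6
  key_is_private "$keyfile" || {
    echo "nsupdate_txt: $keyfile is missing or readable by other users; refusing" >&2
    return 1
  }
  batch=$(build_nsupdate_script "$action" "$server" "$zone" "$fqdn" "$txt") || return 1
  printf '%s\n' "$batch" | nsupdate -v -k "$keyfile" || return 1
  answer=$(dig +short TXT "$fqdn." @"$server")
  case $action in
    add) printf '%s\n' "$answer" | grep -qF "\"$txt\"" ;;
    del) ! printf '%s\n' "$answer" | grep -qF "\"$txt\"" ;;
  esac
}

# Usage:
#   sh rfc2136_txt.sh add /path/to/tsig.key ns.example.net example.net \
#       _acme-challenge.www.example.net TOKEN
#   sh rfc2136_txt.sh del ... (same arguments) to clean the challenge up again
case ${1-} in
  add|del) nsupdate_txt "$@" ;;
esac
```

The key file is the whole credential here, which is why the script insists on mode 0600 before using it. The same least-privilege thinking belongs on the BIND side: grant the key only the `_acme-challenge` TXT names it needs through `update-policy` rather than `allow-update` for the entire zone, so a leaked key cannot rewrite A records.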
-
@dansgul said in Acme DNS-NSupdate / RFC 2136 issue:
THISNSUPDATE_ZONE
I've looked for this one before.
It's used before it's initialized, so that explains this:
@dansgul said in Acme DNS-NSupdate / RFC 2136 issue:
It appears accountconf.conf contains a NULL NSUPDATE_ZONE (and is overwritten by dns_nsupdate.sh)
very well.
Better yet: I can't find "THISNSUPDATE_ZONE" here https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_nsupdate.sh
-
Are you on the latest version of the ACME package? There was a bug with that a while back IIRC.
The THISNSUPDATE_<x> stuff is just in pfSense. The stock files from acme.sh don't easily support multiple RFC2136 entries on a single cert the way pfSense uses them.
-
@jimp said in Acme DNS-NSupdate / RFC 2136 issue:
Are you on the latest version of the ACME package? There was a bug with that a while back IIRC.
The THISNSUPDATE_<x> stuff is just in pfSense. The stock files from acme.sh don't easily support multiple RFC2136 entries on a single cert the way pfSense uses them.
Ah, ok.
Have a look at this "THISNSUPDATE_ZONE" in dnsapi/dns_nsupdate.sh - shouldn't it be initialized (= read) before it is used and written?
-
Yeah, I thought it was but I'm not seeing it now, either. I'll look into it.
-
I just pushed a new version of ACME that should fix this. Give it a try when it shows up for you (0.6).
-
Saw it.
Tested!
Worked!
-
Hi there, this still isn't working for me; I've upgraded to 0.6.
I still see "NSUPDATE_ZONE" as empty and the issue fails. (I know our DNS server needs to have the zone sent for this to work.)

[Wed Aug 7 17:23:39 BST 2019] d='login.cnet.sgul.ac.uk'
[Wed Aug 7 17:23:39 BST 2019] _d_alias
[Wed Aug 7 17:23:39 BST 2019] txtdomain='_acme-challenge.login.cnet.sgul.ac.uk'
[Wed Aug 7 17:23:39 BST 2019] base64 single line.
[Wed Aug 7 17:23:39 BST 2019] txt='_WaKP7V9YAEUOHv0Y6MJWEhq7KPImm7n8t6WcSwPqZE'
[Wed Aug 7 17:23:39 BST 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
[Wed Aug 7 17:23:39 BST 2019] dns_entry='login.cnet.sgul.ac.uk,_acme-challenge.login.cnet.sgul.ac.uk,,dns_nsupdate,_WaKP7V9YAEUOHv0Y6MJWEhq7KPImm7n8t6WcSwPqZE,/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
[Wed Aug 7 17:23:39 BST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Wed Aug 7 17:23:39 BST 2019] dns_nsupdate_add exists=0
[Wed Aug 7 17:23:39 BST 2019] Adding txt value: _WaKP7V9YAEUOHv0Y6MJWEhq7KPImm7n8t6WcSwPqZE for domain: _acme-challenge.login.cnet.sgul.ac.uk
[Wed Aug 7 17:23:39 BST 2019] APP
[Wed Aug 7 17:23:39 BST 2019] 5:NSUPDATE_SERVER='ns1.sgul.ac.uk'
[Wed Aug 7 17:23:39 BST 2019] APP
[Wed Aug 7 17:23:39 BST 2019] 6:NSUPDATE_SERVER_PORT=''
[Wed Aug 7 17:23:39 BST 2019] APP
[Wed Aug 7 17:23:39 BST 2019] 7:NSUPDATE_KEY='/tmp/acme/testing/login.cnet.sgul.ac.uknsupdate_acme-challenge.login.cnet.sgul.ac.uk.key'
[Wed Aug 7 17:23:39 BST 2019] APP
[Wed Aug 7 17:23:39 BST 2019] 8:NSUPDATE_ZONE=''
[Wed Aug 7 17:23:39 BST 2019] adding _acme-challenge.login.cnet.sgul.ac.uk. 60 in txt "_WaKP7V9YAEUOHv0Y6MJWEhq7KPImm7n8t6WcSwPqZE"
[Wed Aug 7 17:23:39 BST 2019] error updating domain
[Wed Aug 7 17:23:39 BST 2019] Error add txt for domain:_acme-challenge.login.cnet.sgul.ac.uk
[Wed Aug 7 17:23:39 BST 2019] _on_issue_err
-
OK, I missed a couple of bits. I just pushed ACME pkg v0.6.2, which should work now. I didn't test it completely, but I did confirm at least that the zone makes it into the account config and logs where it was missing before.
-
Working now after upgrade to 0.6.2
Many thanks jimp!
-
The problem is still present in the latest version, 0.8_1.
Failures with "expected a TSIG or SIG(0)" even though it's implemented.
Regards
-
Hmm. I'm using 'nsupdate' = DNS-NSupdate / RFC 2136.
Works just fine. nsupdate hasn't changed for years.
-
@Gertjan are you using BIND9?
-
@Gertjan could you post your config?
-
@VioletDragon said in Acme DNS-NSupdate / RFC 2136 issue:
@Gertjan are you using BIND9?
Yes.
Debian 11.10... no, .11 right now. I can't re-test my acme renewal, as I'm in the grace period: a renewal will work and no DNS checks will be done.
But: I'm also using RFC 2136 for my pfSense WAN-side host name (DynDNS).
Logs on the server (bind9) side:

01-Sep-2024 13:21:27.416 update-security: client @0x7f4884148ed0 82.127.99.108#59810/key update: signer "update" approved
01-Sep-2024 13:21:27.416 update: client @0x7f4884148ed0 82.127.26.108#59810/key update: updating zone 'bhf.tld/IN': deleting rrset at 'home.bhf.tld' A
01-Sep-2024 13:21:27.416 update: client @0x7f4884148ed0 82.127.26.108#59810/key update: updating zone 'bhf.tld/IN': adding an RR at 'home.bhf.tld' A 82.135.26.118
01-Sep-2024 13:21:27.416 update: client @0x7f4884148ed0 82.127.26.108#59810/key update: updating zone 'bhf.tld/IN': deleting rrset at 'home.bhf.tld' AAAA
01-Sep-2024 13:21:27.416 update: client @0x7f4884148ed0 82.127.26.108#59810/key update: updating zone 'bhf.tld/IN': adding an RR at 'home.bhf.tld' AAAA 2a01:cb19:beef:dead:92ec:77ff:fe29:392a
-
@Gertjan how did you set it up? I got it working with Certbot but not with ACME.