Netgate Discussion Forum

    loop error while issuing a cert

    ACME
    2 Posts 2 Posters 909 Views
    • La6er
      last edited by

      Hi pfSense masters, I am currently implementing the pfSense BIND + ACME packages, but I am having an issue
      while attempting to issue a certificate for a domain located on my pfSense BIND package. Whenever I hit Issue/renew
      the process gets into a loop, which resulted in the following acmeissuecert log:

      [Tue Sep 24 13:49:38 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.
      [Tue Sep 24 13:49:38 CDT 2019] _p_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:38 CDT 2019] Cloudflare purge TXT record for domain _acme-challenge.poblacionqueretaro.gob.mx
      [Tue Sep 24 13:49:38 CDT 2019] POST
      [Tue Sep 24 13:49:38 CDT 2019] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
      [Tue Sep 24 13:49:38 CDT 2019] body
      [Tue Sep 24 13:49:38 CDT 2019] _postContentType
      [Tue Sep 24 13:49:38 CDT 2019] Http already initialized.
      [Tue Sep 24 13:49:38 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
      [Tue Sep 24 13:49:39 CDT 2019] _ret='0'
      [Tue Sep 24 13:49:39 CDT 2019] response='Purge request queued. Please wait a few seconds and verify the request was successful.'
      [Tue Sep 24 13:49:46 CDT 2019] Let's wait 10 seconds and check again.
      [Tue Sep 24 13:49:49 CDT 2019] Let's wait 10 seconds and check again.
      [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
      [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
      [Tue Sep 24 13:49:56 CDT 2019] d='poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] aliasDomain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
      [Tue Sep 24 13:49:56 CDT 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
      [Tue Sep 24 13:49:56 CDT 2019] Checking poblacionqueretaro.gob.mx for _acme-challenge.poblacionqueretaro.gob.mx
      [Tue Sep 24 13:49:56 CDT 2019] _c_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] _c_aliasdomain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] _c_txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
      [Tue Sep 24 13:49:56 CDT 2019] _ns_ep='https://cloudflare-dns.com/dns-query'
      [Tue Sep 24 13:49:56 CDT 2019] _ns_domain='_acme-challenge.poblacionqueretaro.gob.mx'
      [Tue Sep 24 13:49:56 CDT 2019] _ns_type='TXT'
      [Tue Sep 24 13:49:56 CDT 2019] GET
      [Tue Sep 24 13:49:56 CDT 2019] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
      [Tue Sep 24 13:49:56 CDT 2019] timeout=
      [Tue Sep 24 13:49:56 CDT 2019] Http already initialized.
      [Tue Sep 24 13:49:56 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
      [Tue Sep 24 13:49:56 CDT 2019] ret='0'
      [Tue Sep 24 13:49:56 CDT 2019] response='{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16}],"Answer":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""}]}'
      [Tue Sep 24 13:49:56 CDT 2019] _answers='"Answer":[
      "name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""
      ]'
      [Tue Sep 24 13:49:56 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.

      I used the DNSSEC option on the zone so I can get my MD5 code for issuing a cert, but I am not sure if my configuration is correct. My zone has the following options selected:

      (four screenshots of the BIND zone settings; images not included)

      Many thanks in advance. Hope someone could help me figure this out.

      • Gertjan
        last edited by Gertjan

        @La6er said in loop error while issuing a cert:

        poblacionqxxxxxxtaro.gob.mx

        DNSSEC is not working for your domain: check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/

        Example: http://dnsviz.net/d/papy-team.org/dnssec/

        Btw: you are updating against Cloudflare, and using "bind" locally. Why? Is bind a master name server for your zone? Slave name server? I don't understand the relation.

        Edit: I looked at your message again.
        Your 'bind' is set up as a master for your domain .... but you disallow zone transfers. Wtf??
        How can a slave sync then? Do you have just one name server for your domain? That can't be true, you break everything then; 2 is the minimum.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

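The log in the first post shows the check acme.sh repeats on every pass of the loop: it asks Cloudflare's DNS-over-HTTPS JSON endpoint (the `url=` line) for the `_acme-challenge` TXT record and compares the answer with the challenge token (`txt=`). In the logged response the record exists but its RDATA is the literal string "a", so the comparison never succeeds and the script keeps waiting. The same response also carries the `AD` flag, which is what Gertjan's DNSSEC remark is about: `AD` is set only when the resolver validated the answer, so `false` is consistent with an unsigned or broken chain (the dnsviz links he gives are the way to tell which). The script below is an added example, not part of either post and not acme.sh's own code; it parses a DoH JSON answer of the shape seen in the log and reports whether the expected token is present and whether the answer was validated. The JSON samples are constructed from the logged response; the "good" sample is what the same query would look like once the zone serves the right token.

```python
import json
import re
from urllib.parse import urlencode

TYPE_TXT = 16
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
CHALLENGE_NAME = "_acme-challenge.poblacionqueretaro.gob.mx"
EXPECTED_TOKEN = "C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU"

# Constructed sample: the DoH answer as it appears in the acme.sh log above.
# The TXT RDATA is "a", not the challenge token, and AD is false.
LOGGED_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": CHALLENGE_NAME + ".", "type": TYPE_TXT}],
    "Answer": [{"name": CHALLENGE_NAME + ".", "type": TYPE_TXT, "TTL": 10, "data": "\"a\""}],
})

# Constructed sample: what a passing check would look like (token published, chain validated).
GOOD_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": CHALLENGE_NAME + ".", "type": TYPE_TXT}],
    "Answer": [{"name": CHALLENGE_NAME + ".", "type": TYPE_TXT, "TTL": 10,
                "data": "\"%s\"" % EXPECTED_TOKEN}],
})


def doh_query_url(name, rtype="TXT"):
    """Build the JSON-API query URL seen in the log (the live request also needs an
    'accept: application/dns-json' header, which this offline example never sends)."""
    return DOH_ENDPOINT + "?" + urlencode({"name": name, "type": rtype})


def txt_rdata_to_string(rdata):
    """DoH renders TXT RDATA as one or more quoted <character-string>s, e.g. "abc" "def".
    Join them the way a client would, honouring backslash escapes inside the quotes."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def check_dns01(response_json, name, expected_token):
    """Evaluate one DoH JSON answer for an ACME DNS-01 challenge.

    Returns a dict with the RCODE, whether the resolver set AD (DNSSEC-validated),
    every TXT value found at `name`, and whether the expected token is among them."""
    msg = json.loads(response_json)
    result = {
        "rcode": msg.get("Status"),
        "dnssec_validated": bool(msg.get("AD", False)),
        "txt_values": [],
        "token_present": False,
    }
    if result["rcode"] != 0:          # NXDOMAIN, SERVFAIL, ...: nothing to compare
        return result
    wanted = name.rstrip(".").lower()
    for rr in msg.get("Answer", []):
        if rr.get("type") != TYPE_TXT or rr.get("name", "").rstrip(".").lower() != wanted:
            continue                  # ignore CNAMEs and records for other owner names
        result["txt_values"].append(txt_rdata_to_string(rr.get("data", "")))
    result["token_present"] = expected_token in result["txt_values"]
    return result


if __name__ == "__main__":
    for label, sample in (("logged", LOGGED_RESPONSE), ("good", GOOD_RESPONSE)):
        r = check_dns01(sample, CHALLENGE_NAME, EXPECTED_TOKEN)
        verdict = "valid" if r["token_present"] else "not valid yet"
        print(f"{label}: {verdict}; txt={r['txt_values']}; AD={r['dnssec_validated']}")
```

Run against the logged sample the function returns `txt_values == ["a"]` and `token_present == False`, which is exactly the "Not valid yet" branch in the log. A practical first step when the loop shows a wrong value rather than no record is to query the authoritative BIND server directly (for example `dig @<your-bind-ip> _acme-challenge.<zone> TXT`) and confirm that the nsupdate step actually wrote the token there; only once the master serves it does it make sense to wait for public resolvers.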
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.