loop error while issuing a cert



  • Hi pfSense masters, I am currently implementing the pfSense BIND + ACME packages, but I am having an issue
    while attempting to issue a certificate for a domain located on my pfSense BIND package. Whenever I hit Issue/renew
    the process gets into a loop, which results in the following acmeissuecert log:

    [Tue Sep 24 13:49:38 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.
    [Tue Sep 24 13:49:38 CDT 2019] _p_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:38 CDT 2019] Cloudflare purge TXT record for domain _acme-challenge.poblacionqueretaro.gob.mx
    [Tue Sep 24 13:49:38 CDT 2019] POST
    [Tue Sep 24 13:49:38 CDT 2019] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
    [Tue Sep 24 13:49:38 CDT 2019] body
    [Tue Sep 24 13:49:38 CDT 2019] _postContentType
    [Tue Sep 24 13:49:38 CDT 2019] Http already initialized.
    [Tue Sep 24 13:49:38 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
    [Tue Sep 24 13:49:39 CDT 2019] _ret='0'
    [Tue Sep 24 13:49:39 CDT 2019] response='Purge request queued. Please wait a few seconds and verify the request was successful.'
    [Tue Sep 24 13:49:46 CDT 2019] Let's wait 10 seconds and check again.
    [Tue Sep 24 13:49:49 CDT 2019] Let's wait 10 seconds and check again.
    [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
    [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
    [Tue Sep 24 13:49:56 CDT 2019] d='poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] aliasDomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
    [Tue Sep 24 13:49:56 CDT 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
    [Tue Sep 24 13:49:56 CDT 2019] Checking poblacionqueretaro.gob.mx for _acme-challenge.poblacionqueretaro.gob.mx
    [Tue Sep 24 13:49:56 CDT 2019] _c_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _c_aliasdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _c_txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_ep='https://cloudflare-dns.com/dns-query'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_domain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_type='TXT'
    [Tue Sep 24 13:49:56 CDT 2019] GET
    [Tue Sep 24 13:49:56 CDT 2019] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
    [Tue Sep 24 13:49:56 CDT 2019] timeout=
    [Tue Sep 24 13:49:56 CDT 2019] Http already initialized.
    [Tue Sep 24 13:49:56 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
    [Tue Sep 24 13:49:56 CDT 2019] ret='0'
    [Tue Sep 24 13:49:56 CDT 2019] response='{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16}],"Answer":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""}]}'
    [Tue Sep 24 13:49:56 CDT 2019] _answers='"Answer":[
    "name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""
    ]'
    [Tue Sep 24 13:49:56 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.

    I used the DNSSEC option on the zone so I can get my MD5 code for issuing a cert, but I am not sure if my configuration is correct. My zone has the following options selected:

    [four zone-settings screenshots attached to the original post]

    Many thanks in advance; hope someone can help me figure this out.
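The check that keeps failing in the log above, reproduced as an added example (Python, not acme.sh's own code): acme.sh writes the `_acme-challenge` TXT record through dns_nsupdate.sh, then polls a public DNS-over-HTTPS resolver (the `https://cloudflare-dns.com/dns-query` URL in the log) and only proceeds when the answer contains the exact expected value. In the log the resolver answers `"a"` with a 10-second TTL instead of the logged `txt=` value, so the poll never succeeds. The block below runs offline against constructed responses in the same layout as the logged one, so the three outcomes an operator has to tell apart (stale value, missing name, correct record) are explicit. The expected-value derivation follows RFC 8555 section 8.4; `NAME` and `EXPECTED` are taken from the log, every other name and sample is an assumption of this example.

```python
"""Re-check of the DNS-01 TXT record the acme.sh log above keeps looping on.

acme.sh writes _acme-challenge.<domain> TXT through dns_nsupdate.sh, then polls
a public DNS-over-HTTPS resolver (https://cloudflare-dns.com/dns-query) until
the answer carries the exact challenge value. In the log the resolver answers
"a" (TTL 10) instead of the expected value, so the poll never succeeds.

Added example, not acme.sh code. The DoH responses are constructed to match
the shape of the one in the log; nothing here touches the network.
"""
import base64
import hashlib
import json

NAME = "_acme-challenge.poblacionqueretaro.gob.mx"
EXPECTED = "C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU"  # txt= value from the log


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """Value the CA expects in the TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(token "." JWK thumbprint)) with '=' padding removed.
    The 43-character string in the log is one of these."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_values(doh_json: str, name: str) -> list:
    """TXT strings for `name` from a cloudflare-dns.com JSON answer.
    Each TXT rdata arrives wrapped in its own double quotes; one layer of
    quotes is stripped, other record types and other names are ignored."""
    doc = json.loads(doh_json)
    values = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 16:
            continue
        if rr.get("name", "").rstrip(".") != name.rstrip("."):
            continue
        data = rr.get("data", "")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        values.append(data)
    return values


def diagnose(doh_json: str, name: str, expected: str) -> str:
    """Classify one poll result the way an operator would read it."""
    doc = json.loads(doh_json)
    status = doc.get("Status")
    if status == 3:
        return "nxdomain"      # record never created, or zone not served publicly
    if status != 0:
        return f"rcode {status}"
    values = txt_values(doh_json, name)
    if not values:
        return "nodata"        # name exists, but no TXT record at it
    if expected in values:
        return "ok"            # acme.sh would stop waiting here
    return "stale"             # old value cached, or a different server was updated


def doh_response(status: int, answers: list) -> str:
    """Constructed response in the layout cloudflare-dns.com returned in the log."""
    doc = {"Status": status, "TC": False, "RD": True, "RA": True,
           "AD": False, "CD": False,
           "Question": [{"name": NAME + ".", "type": 16}]}
    if answers:
        doc["Answer"] = answers
    return json.dumps(doc)


# Constructed samples: the stale answer seen in the log, the answer acme.sh is
# waiting for, and a resolver that does not know the name at all.
SAMPLE_STALE = doh_response(0, [{"name": NAME + ".", "type": 16, "TTL": 10, "data": '"a"'}])
SAMPLE_OK = doh_response(0, [{"name": NAME + ".", "type": 16, "TTL": 10,
                              "data": '"' + EXPECTED + '"'}])
SAMPLE_NXDOMAIN = doh_response(3, [])


if __name__ == "__main__":
    for label, sample in (("log", SAMPLE_STALE), ("good", SAMPLE_OK), ("missing", SAMPLE_NXDOMAIN)):
        print(label, txt_values(sample, NAME), diagnose(sample, NAME, EXPECTED))
```

Running the block prints `stale` for the logged answer, `ok` for the correct record and `nxdomain` for an unknown name. The useful distinction is between `stale` and `nxdomain`: a stale value means the public resolver does see a TXT record at that name, just not the one the local update wrote, whereas NXDOMAIN means the name the public internet sees does not carry the record at all.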



  • @La6er said in loop error while issuing a cert:

    poblacionqxxxxxxtaro.gob.mx

    DNSSEC is not working for your domain: check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/

    Example: http://dnsviz.net/d/papy-team.org/dnssec/

    Btw: you are updating against Cloudflare, and using "bind" locally. Why? Is bind a master name server for your zone? Slave name server? I don't understand the relation.

    edit: I looked at your message again.
    Your 'bind' is set up as a master for your domain ... but you disallow zone transfers. Wtf??
    How can a slave sync then? Do you have just one name server for your domain? That can't be true; you break everything then, 2 is the minimum.

