4. loop error while issuing a cert

loop error while issuing a cert

  • L

    Hi pfsense masters, I am curretly implementing a pfense BIND + ACME packages, but I am having an issue
    while attempting to issue a certificate for a domain located on my pfSense BIND package, whenever I hit Issue/renew
    the procces gets on a loop which resulted on the following acmeissuecert log

    [Tue Sep 24 13:49:38 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.
    [Tue Sep 24 13:49:38 CDT 2019] _p_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:38 CDT 2019] Cloudflare purge TXT record for domain _acme-challenge.poblacionqueretaro.gob.mx
    [Tue Sep 24 13:49:38 CDT 2019] POST
    [Tue Sep 24 13:49:38 CDT 2019] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
    [Tue Sep 24 13:49:38 CDT 2019] body
    [Tue Sep 24 13:49:38 CDT 2019] _postContentType
    [Tue Sep 24 13:49:38 CDT 2019] Http already initialized.
    [Tue Sep 24 13:49:38 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
    [Tue Sep 24 13:49:39 CDT 2019] _ret='0'
    [Tue Sep 24 13:49:39 CDT 2019] response='Purge request queued. Please wait a few seconds and verify the request was successful.'
    [Tue Sep 24 13:49:46 CDT 2019] Let's wait 10 seconds and check again.
    [Tue Sep 24 13:49:49 CDT 2019] Let's wait 10 seconds and check again.
    [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
    [Tue Sep 24 13:49:56 CDT 2019] _is_idn_d='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _idn_temp
    [Tue Sep 24 13:49:56 CDT 2019] d='poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] aliasDomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
    [Tue Sep 24 13:49:56 CDT 2019] d_api='/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh'
    [Tue Sep 24 13:49:56 CDT 2019] Checking poblacionqueretaro.gob.mx for _acme-challenge.poblacionqueretaro.gob.mx
    [Tue Sep 24 13:49:56 CDT 2019] _c_txtdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _c_aliasdomain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _c_txt='C7S6WZejslzm8SIg9G9GG2ygFjbruZRCofJpyvrE3gU'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_ep='https://cloudflare-dns.com/dns-query'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_domain='_acme-challenge.poblacionqueretaro.gob.mx'
    [Tue Sep 24 13:49:56 CDT 2019] _ns_type='TXT'
    [Tue Sep 24 13:49:56 CDT 2019] GET
    [Tue Sep 24 13:49:56 CDT 2019] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.poblacionqueretaro.gob.mx&type=TXT'
    [Tue Sep 24 13:49:56 CDT 2019] timeout=
    [Tue Sep 24 13:49:56 CDT 2019] Http already initialized.
    [Tue Sep 24 13:49:56 CDT 2019] _CURL='curl -L --silent --dump-header /tmp/acme/pobqueretaro//http.header -g '
    [Tue Sep 24 13:49:56 CDT 2019] ret='0'
    [Tue Sep 24 13:49:56 CDT 2019] response='{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16}],"Answer":[{"name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""}]}'
    [Tue Sep 24 13:49:56 CDT 2019] _answers='"Answer":[
    "name": "_acme-challenge.poblacionqueretaro.gob.mx.", "type": 16, "TTL": 10, "data": ""a""
    ]'
    [Tue Sep 24 13:49:56 CDT 2019] Not valid yet, let's wait 10 seconds and check next one.

    I used the DNSSEC option on the zone so I can get my MD5 code for issuing a cert, but I am not sure if my configuration is correct my zone has the following options selected

    10a5ed9c-bc8d-483b-9f76-e993b718eea4-image.png

    8c0b2dff-7640-4e65-8efe-678ab4fadf9e-image.png

    49f4d09f-34f4-475e-b857-4d53d4aa4b7e-image.png

    5f9266c8-b0d7-4551-b6a4-4437aeed94e9-image.png

    many thanks in advance, Hope someone could help me to figure this out

    0

  • @La6er said in loop error while issuing a cert:

    poblacionqxxxxxxtaro.gob.mx

    DNSSEC is not working for your domain : check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/

    Example http://dnsviz.net/d/papy-team.org/dnssec/

    Btw : you are updating against Cloudfare, and using "bind" locally. Why ? Is bind a master name server for your zone ? Slave name server ? I don't understand the relation.

    edit : I looked at your message again.
    You 'bind' is set up as a master for your domain .... but you disallow zone transfers. Wtf ??
    How can a slave sync then ? Do you have just one name server for your domain ? That can't be true, you break everything then, 2 is the minimum.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy