acme when dns provider does not allow dns challenge

tn1rpi3

Hi *

I'm intending to host a bunch of virtual servers in a DMZ using ha-proxy on pfsense.
For the site certificate I use the acme package.

The problem is that my dns provider (world4you.com) does not allow me to

• manually enter TXT records or even
• change the dns server to point to pfsense as a resolver

What are my options apart from changing the provider?

Appreciate your response.

Reinhard

Gertjan

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

manually enter TXT records or even

Domain names are you choice. All registrars do the same basic job - the difference is
what 'other' services they offer. An 'accesible" DNS system is one of them.
Let's say you found a valid reason to move elsewhere ;)

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

change the dns server to point to pfsense as a resolver

No way.
The DNS resolver is NOT a full fledged domain name server - neither slave neither master.
True, you could de-activate the resolver (unbound) not using the Forwarder (dnsmasq) neither, and install a package called bind that can full-fill the local (pfSense and LANs) DNS needs and also being a DNS domain name master or salve.
Normally, these needed DNS domain name servers are being offered by your registrar.
acme will update the master DNS domain name server (and the master will inform / update the slave). If you don't know very well how bind works, I strongly advise you to stay away from it. It's like ... apache2 or postfix : huge programs with huge set up parameters that can't be made easier by using a GUI like pfSense. Just install the bind package and see for yourself.

Btw : you saw https://www.world4you.com/en/webhosting/gratis-ssl-zertifikat.html ?

johnpoz

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

What are my options apart from changing the provider?

manually enter TXT records or even

Pretty much zero - why would you use them as a dns provider? They sound freaking horrible!!!

Its not like your dns can not be hosted for any domain you actually have registered with a registrar... Did you register the domain with them - and they are holding it hostage?

There is a big difference between a registrar and a hosting service... Do you actually own the domain, or did let them register it for you, and they actually own it?

If you own it you can move it to any registrar you want that supports that .tld - and then use their dns, or point to whatever dns provider you want to, or yeah host your own if you want, etc.. Just not via dnsmasq or unbound. Those are not meant to be authoritative NS.. Nor would I suggest you host your dns actually on pfsense, or your own network... But there are plenty of places to host dns for FREE or very low cost that provides you with full access to whatever records you want to create via simple web gui.

tn1rpi3

@Gertjan been there with bind, huge.. Not a choice, but thx.

johnpoz

I wouldn't suggest you host your public dns locally anyway... I have been using bind for something like 30 years... And I wouldn't host my own public dns on my own connection - even if you paid me to do it ;)

Pick a DNS service that is what they DO... They have global dns anycast networks.. It would be impossible for you to provide such connectivity on your connection, provide for the ddos protection, etc. etc..

Host your own local dns locally - anything else.. Get one of the major players to do it... Anything else is just asking for issues and problems and just old PITA..

tn1rpi3

@johnpoz said in acme when dns provider does not allow dns challenge:

Do you actually own the domain, or did let them register it for you

I'm not entirely sure. I registered it with world4you. I pay an annual fee for it.
I always thought I'd own it, since 'whois' used to show my name with it (before it got security conscious).

Gertjan

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

since 'whois' used to show my name with it (before it got security conscious).

That's one proof that you can't really hide yourself on the net.
When you rent - you can't own or buy for life - a domain name, people have the right to know what person or identity is behind it.

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

I'm not entirely sure. I registered it with world4you. I pay an annual fee for it.

Thus they are more like a classic hosting company that throws in domain names into the package.
Nifty stuff like you being able to change DNS related settings by API isn't included. For them : this means one hell of a support issue less to amuse.

johnpoz

Do you have access to where it registered? They can still own it and put in your name for whois.

Do you not have the option with them to move your domain? Ie transfer it to a different registrar..

I have domains on quite a few different registrars - if your domain, they have to let you transfer it to a different one..

Does this company have any info about doing transfer - ask them how you move your domain to a different registrar? Quite often its cheaper to just go with actual registrar then paying your webhost to handle it for you... Many of them don't actually let you own it, but its theirs and they just let you use it.. I would never register a domain with a webhost.

Just ask them, hey I want to move my domainXYZ.com to a different registrar because your dns blows! And you want let me point to my own NS, etc.

tn1rpi3

@Gertjan DNS related settings are restricted to filling in the server names for DNS.

tn1rpi3

@johnpoz I got word from them that I'm actually the owner.
Still waiting for response on the transfer question..
I'm sitting in Austria. Can you possibly recommend a decent provider?

johnpoz

Doesn't matter really where the registrar is.. What is the tld is all that matters since some registrars do no support specific tld's

Can you delegate on their site - who the ns are for your domain? If so don't really need to move to different registrar - you could just point to a dns service..

So you just looking for registrar that has decent dns services - works with acme? I have domains with both namecheap and dynadot.. What is the tld of your domain? .com, .net, .at ?

tn1rpi3

@johnpoz The mgmt interface does allow to point to other dns servers. TLD's a .com

johnpoz

Well if you can just point to different ns, host your domain at any of the fine fully featured dns.. Do you want free? Or do you not mind paying a few bucks... We host some work domains here for dns..

https://dnsmadeeasy.com/

Clouldflare is full featured dns, FREE level.. I have one of my domains there.. also hurricane electric offers full featured FREE dns services. I have domain there as well... And then I do have a play domain that I host off my own vps boxes..

I would prob say you check out cloudflare first..

tn1rpi3

@johnpoz I just got a basic Cloudflare account. DNS settings at my provider now point to cloudflare servers, update is pending. - Acme settings for DNS-Cloudflare require 1. Cloudflare API Key, 2. API Email Address, 3. API Token and 4. API Account ID. --> I don't see any of these in my Cloudflare account though. Could you provide some Cloudflare wisdom, plz?

tn1rpi3

@johnpoz Transfer to Cloudflare nameservers is now completed. It took some five days (‘status pending)’, then I was able to retrieve the necessary API keys for DNS challenge. (btw: It would appear logical that you can't get them right away, my bad..) - I’ll be creating the certificate this weekend and report back if all went well.

tn1rpi3

@johnpoz Meanwhile my registrar has trouble getting the settings for DNSSEC right. I don't know why but I've been waiting for a working config since Nov. 18th. - Needless to say that I can neither update the certificate right now, nor is the site accessible at all.

johnpoz

Yeah its sad state affairs to be honest, since to be accredited its a requirement to support dnssec..

This was made a requirement back in 2013
https://www.icann.org/en/system/files/files/approved-with-specs-27jun13-en.pdf

Page 67

---

Registrar must allow its customers to use DNSSEC upon request by relaying orders to add, remove or change public key material (e.g., DNSKEY or DS resource records) on behalf of customers to the Registries that support DNSSEC. Such requests shall be accepted and processedin a secure manner and according to industry best practices. Registrars shall accept any public key algorithm and digest type that is supported by the TLD of interest and appears in the registries posted at: http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml and http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml. All such requests shall be transmitted to registries using the EPP extensions specified in RFC 5910 or its successors.

---

When I first fired up a dnssec back a few years with dyndot since they listed they supported it on xyz tld... It took a few emails to get them to correct their problems and get it working..

tn1rpi3

@johnpoz I'm glad it's become a matter of compliance by now. - I understand that unspoofable caller IDs add a great deal to the security on the net. According to this source one could even file a complaint with ICANN if a provider is unwilling/unable to provide DNSSEC. - Anyway, still waiting for something to happen..

johnpoz

Yeah the only thing is your tld has to support it.. Not the registrar's problem if the tld does not have it - and there are many out there that do not still.

It has gotten way better
http://stats.research.icann.org/dns/tld_report/
1517 TLDs in the root zone in total
1388 TLDs are signed;
1378 TLDs have trust anchors published as DS records in the root zone;

JeGr

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

I don't see any of these in my Cloudflare account though. Could you provide some Cloudflare wisdom, plz?

Cloudflare doesn't create an API key with your account, you have to do that for yourself. Click on your profile symbol/pic in the upper right corner of your CF Dashboard. Got to "my profile". Then access the API Tokens Tab. There check for or create the Global API Key. That's the one you need for the acme package with dns_cf mode. Works like a charme.

tn1rpi3

@johnpoz valid point. We're talking about a .com address here.

tn1rpi3

@JeGr thanks for the pointer!

johnpoz

Well .com has been dnssec for a long time ;) And every accredited registrar is required to provide the support to do dnssec.. So yeah you should be able to use any registrar - yet that is not the case for sure.. And while some say they support it - you can not get it to work ;)

You shouldn't have any issues with cloudflare..

tn1rpi3

@johnpoz I've requested a DS record at my current registrar and sent them the data Cloudflare has provided me with: It goes like
"example.com. IN DS 62910 7 1 1D6AC75083F3CEC31861993E325E0EEC7E97D1DD"
While my provider says they've done what's necessary, a website check produces the following error: Fatal error: DNSKEY 2371 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Did I overlook something here or is the ball back in the registar's court?

If the latter is the case, I'll initiate a domain transfer and do everything within Cloudflare. - The whole affair is taking way too long..

Gertjan

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

Did I overlook something here or is the ball back in the registar's court?

Looks like that's the case.
Use https://dnsviz.net/d/12bfree.com/dnssec/ - it's far more 'visual'..

Most registrars these days use GUI's so "you can help yourself" - or better : APIed everything.

The registrar will then your domain settings - most often fully automated.

While your at it, check you IPV6 glue.

tn1rpi3

@Gertjan said in acme when dns provider does not allow dns challenge:

• Looks like that's the case.

I'm sorry, I don't understand.
There's no GUI at my registar's page. All I can do is send them the DS record data, which I did.

I'm trying to figure out if the registar made a mistake impementing the DS record, or if somethings missing on my side.

tn1rpi3

@tn1rpi3 To me it looks like the registar made a mistake implementing the DS record:
https://dnssec-analyzer.verisignlabs.com/12bfree.com
says something similar: "None of the 2 DNSKEY records could be validated by any of the 1 DS records"

Gertjan

@tn1rpi3 said in acme when dns provider does not allow dns challenge:

Did I overlook something here or is the ball back in the registar's court?

My answer :

@Gertjan said in acme when dns provider does not allow dns challenge:

Looks like that's the case.

Valid for both answers, because I don't know what you overlooked (to hand over to the registrar) - it it most probably boils down to : it's up to the registrar to put your DS in place ....

Btw : how you hand this over ? By mail ? Seems rather dangerous to me.
If some one impersonates you nu y mail, your domain will disappear from the net.

Btw : DS operation do take time.

tn1rpi3

@Gertjan Thanks. I got it. -
I handed it over while logged in to their website (created a ticket) two days ago.

johnpoz

Ok - I just enabled dnssec on one of my domains I have pointed to cloudflare from namecheap... It took less than 2 minutes to setup.. And is working now and showing valid

tn1rpi3

@johnpoz I realize I've been trying this the hard way, relying on my current registrar. - I think I'll finally transfer the domain to Cloudflare. This limbo situation must end..

johnpoz

I know it sucks - but not all registrars are created equal that is for sure...

Have no issues with dnssec with namecheap or dynadot.. Namecheap was late to the table to even support it, but currently it seems to work real easy with simple to use gui..

I don't have anything with cloudflare as a registrar - but do have some domains pointing there.. And as you can see works real easy.. Now the domain I use for my plex is dnssec signed ;) hehehe

Gertjan

@tn1rpi3 :

Where did this one came from :

root@ns311465:~# whois 12bfree.com | grep 'DNSSEC'
   DNSSEC: signedDelegation
   DNSSEC DS Data: 60191 13 2 307DC191192735F5DF76FE364F6F6C1F18B108C43835315A74E450D64E4106A1

Never ever delete - on your local domain name server - references to this '60191' DS.
Rotating KSK keys is a real sport.

tn1rpi3

@Gertjan My best guess is that this is old data from before I transferred to Cloudflare. When I rechecked today (yes, the registrar was sluggish once again) the grep on whois finall returned the correct DS entry. -- On the other hand the certificate renewal still fails when the process arrives at the subdomain *.12bfree.com returning "invalid domain". Under SERVICES/ACME Certificates I entered *.12bfree.com for 'Domainname' - anything wrong with that, perhaps? BTW: a dig on e.g. lime.12bfree.com is successful and returns an IP from the Cloudflare realm.

tn1rpi3

@johnpoz I was one small step away from transferring to Cloudflare as a registrar when World4You finally came up with a working config today (as usual taking their time to do so). - I fully agree on your impressions on Cloudflare. They've got a clean interface, their online documentation is flawless and their basic subscription is free of charge.

tn1rpi3

@johnpoz DNS SEC is working alright now. Interestingly, ACME Certificate renewal is not. The job finishes with an error saying 'domain not found'.
On a closer look parent-DS with algorithm 13 produces a valid chain of trust, but for 'TXT-entries' the check-up says 'perhaps wrong' for '_acme-challenge.12bfree.com.12bfree.com' and '_acme-challenge.www.12bfree.com.12bfree.com' (see screenshot)

ACME Certificates with Cloudflare does not allow for TXT entries to be used for ownership validation. It uses account ID, key + token.
I'm out of ideas..
BTW: For check-up I used https://check-your-website.server-daten.de/?q=12bfree.com this time.

johnpoz

well that sure doesn't look correct... the _acme-challenge fqdn would be _acme-challenge.domain.tld.. you seem to have _acme-challenge.domain.tld.domain.tld and www.domain.tld.www.domain.tld not sure why you think those would work?

tn1rpi3

@johnpoz I fully agree; My API entries for domainname are 12bfree.com and *.12bfree.com
I don't see how the doubling could take place, unless I can't see the wood for all the trees..

johnpoz

Why not just manually create the TXT records in cloudflare?

I believe I am using acme for a cert via cloudflare - let me check, I know I played with it some time ago when I was doing reverse proxy through them... But might have killed it when I stop doing that..

edit: Yeah still using one, it renewed all not that long ago on its own, I didn't have to do anything..

This offloads the https for my ombi setup in haproxy.

edit2: here is what I have set in the acme client on pfsense

edit3: here it just renewed when I clicked the issue/renew button

tn1rpi3

@johnpoz Curious.
I left Token + Account ID empty, reran the script and wham-bam, success!
Thanks a lot for the screenshot!