Netgate Discussion Forum

DoH Verification Method

Category: ACME. 7 Posts, 4 Posters, 1.2k Views
    jb09, Mar 2, 2020, 2:19 PM (last edited 2:42 PM)

    Hi, my firewall was attempting to auto-renew my certificate but produced this error. Running 0.6.5 with Cloudflare; any ideas?

    System Logs:
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:32 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] check dns error.
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] Please check log file for more details: /tmp/acme/xxxxxxx.com/acme_issuecert.log
    Mar 2 03:36:56 php ACME, Failed to renew certificate for xxxxxxxxx

    ACME Log:

    [Mon Mar  2 03:16:18 EST 2020] Let's check each dns records now. Sleep 20 seconds first.
    [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _idn_temp
    [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _idn_temp
    [Mon Mar  2 03:16:38 EST 2020] d='xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] txtdomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] aliasDomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] txt='xxxx'
    [Mon Mar  2 03:16:38 EST 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_cf.sh'
    [Mon Mar  2 03:16:38 EST 2020] Checking Xxxxx.com for _acme-challenge.xxxxxx.com
    [Mon Mar  2 03:16:38 EST 2020] _c_txtdomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _c_aliasdomain='_acme-challenge.Xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _c_txt='Xxxxxx'
    [Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
    [Mon Mar  2 03:16:38 EST 2020] GET
    [Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
    [Mon Mar  2 03:16:38 EST 2020] timeout=
    [Mon Mar  2 03:16:38 EST 2020] Http already initialized.
    [Mon Mar  2 03:16:38 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/xxxxxx.com//http.header  -g '
    [Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
    
      jb09 @jb09, Mar 2, 2020, 2:40 PM

      Resolved, pfBlockerNG was blocking DNS over HTTPS requests (DoH). I don’t recall this being an issue before though, was there a change made in the last 2 months to verify using this method?

        Gertjan, Mar 2, 2020, 3:01 PM

        cloudflare-dns.com was on a list that you selected to be used by pfBlockerNG?

        Edit: and where are the logs??

        No "help me" PMs please. Use the forum; the community will thank you.

          jb09 @Gertjan, Mar 2, 2020, 3:04 PM (last edited 3:07 PM)

          @Gertjan I have a custom list of known DoH servers in an attempt to prevent DoH requests bypassing my other rules.

          Feed found here: https://heuristicsecurity.com/dohservers.txt

            jimp (Rebel Alliance Developer, Netgate), Mar 2, 2020, 4:20 PM

            It can't block DoH, so it blocks either the hostname from being resolved or the IP address that it resolves to (depending on how you set it up).

            So you basically told it to block Cloudflare DNS while you also need to use Cloudflare DNS. You can't have it both ways through the same resolver.

            You could tell pfSense not to use localhost for DNS (Under System > General) but you'd lose some of the benefits of allowing the firewall to use the resolver.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              Risfold, Mar 31, 2020, 2:19 PM

              I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above-referenced DoT/DoH blocking list. I block the domains and IPs via pfBlocker for LAN clients to stop any circumvention of DNS or hard-coded DNS in clients. I alternatively use DoT from unbound in pfSense.

              The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option.

              I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off acme.sh's use of DoH and return to using the firewall for DNS? I could temporarily disable my blocking of DoH, but that would defeat the purpose of automated certificates.

                Risfold @Risfold, Apr 2, 2020, 5:43 PM

                @Risfold said in DoH Verification Method:

                I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above-referenced DoT/DoH blocking list. I block the domains and IPs via pfBlocker for LAN clients to stop any circumvention of DNS or hard-coded DNS in clients. I alternatively use DoT from unbound in pfSense.

                The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option.

                I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off acme.sh's use of DoH and return to using the firewall for DNS? I could temporarily disable my blocking of DoH, but that would defeat the purpose of automated certificates.

                Workaround noted here.

                Add a dnssleep time of 180.

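The conflict jimp describes (the firewall's own resolver blocking the DoH server that acme.sh contacts before it checks the `_acme-challenge` TXT record) and Risfold's dnssleep workaround both come down to one question: is the host acme.sh probes on the DNSBL feed you loaded? The script below is an added example, not code from this thread, from acme.sh or from pfBlockerNG. It pulls the probed DoH URL and the curl exit code out of an acme.sh log, looks the host up in a feed file, and reports whether the renewal failed because of a self-inflicted block. It assumes the feed is one domain per line with `#` comments (my assumption; the real dohservers.txt format is not shown on this page) and that a listed domain also covers its subdomains. The curl code meanings are curl's own documented exit codes (60 is a failed peer certificate verification). The sample feed and log are constructed, with the log lines redacted the same way as in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread, acme.sh, or pfBlockerNG.
# Triage helper for the failure discussed above: acme.sh probes
# https://cloudflare-dns.com over DoH ("Detect dns server first.") before it
# looks for the _acme-challenge TXT record, and a DNSBL feed of DoH servers
# makes the firewall's own resolver block that probe.
#
# Assumptions (mine, not the page's): the feed is one domain per line with
# '#' comments, and a listed domain also covers its subdomains.

# Meaning of the curl exit codes acme.sh reports (from curl's documented list).
curl_error_meaning() {
    case "$1" in
        6)  echo "could not resolve host" ;;
        7)  echo "could not connect to host" ;;
        28) echo "operation timed out" ;;
        60) echo "peer certificate could not be verified" ;;
        *)  echo "curl error $1" ;;
    esac
}

# First curl error code in an acme.sh log read from stdin (empty if none).
acme_log_curl_code() {
    sed -n 's/.*libcurl-errors\.html for error code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# URL of the DoH server acme.sh probed, read from stdin (empty if none).
acme_log_doh_url() {
    sed -n "s/.*[[:space:]]url='\([^']*\)'.*/\1/p" | head -n 1
}

# Exit 0 if HOST ($2) is covered by the DNSBL feed in FILE ($1), 1 otherwise.
feed_blocks_host() {
    awk -v host="$2" '
        { sub(/\r$/, "") }
        /^[[:space:]]*(#|$)/ { next }
        {
            entry = $1
            tail = substr(host, length(host) - length(entry))
            if (host == entry || tail == "." entry) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Read an acme.sh log on stdin and print a verdict. Exit 2 when the DoH probe
# target is on the feed (the self-inflicted block jimp describes), 1 when the
# probe failed for another reason, 0 when the log shows no curl error at all.
diagnose_acme_log() {
    feed=$1
    log=$(cat)
    code=$(printf '%s\n' "$log" | acme_log_curl_code)
    [ -n "$code" ] || { echo "no curl error in log"; return 0; }
    url=$(printf '%s\n' "$log" | acme_log_doh_url)
    host=${url#*://}; host=${host%%/*}
    reason=$(curl_error_meaning "$code")
    if [ -n "$host" ] && feed_blocks_host "$feed" "$host"; then
        echo "DoH probe to $host failed ($reason) and $host is on the DNSBL feed:" \
             "the firewall's resolver is blocking acme.sh's own DNS check"
        return 2
    fi
    echo "curl failed ($reason); DoH target '$host' is not on the feed"
    return 1
}

# --- constructed sample data (redacted like the post's log) -----------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_FEED=$SAMPLE_DIR/dohservers.txt
SAMPLE_LOG=$SAMPLE_DIR/acme_issuecert.log

cat > "$SAMPLE_FEED" <<'EOF'
# constructed sample feed, not the real dohservers.txt
cloudflare-dns.com
dns.google
dns.quad9.net
EOF

cat > "$SAMPLE_LOG" <<'EOF'
[Mon Mar  2 03:16:38 EST 2020] Checking xxxxxx.com for _acme-challenge.xxxxxx.com
[Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
[Mon Mar  2 03:16:38 EST 2020] GET
[Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
[Mon Mar  2 03:16:38 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/xxxxxx.com//http.header  -g '
[Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
EOF

diagnose_acme_log "$SAMPLE_FEED" < "$SAMPLE_LOG" || :
```

Run it against a real log by replacing the sample paths with `/tmp/acme/<domain>/acme_issuecert.log` and the feed file pfBlockerNG downloaded. A curl code of 60 rather than 6 is what you would expect when DNSBL answers the blocked name with its local sinkhole address: curl does reach a web server, just not one holding a certificate for cloudflare-dns.com. The dnssleep workaround helps because acme.sh only runs the DoH-based record check when no dnssleep value is set; with one set it simply waits that long and proceeds. The alternative is a DNSBL whitelist entry for the DoH host, which removes the conflict but also reopens that server for every LAN client, so the fixed sleep is the option that keeps the block intact.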
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.