DoH Verification Method



  • Hi, my firewall was attempting to auto-renew my certificate but produced this error. Running 0.6.5 with Cloudflare, any ideas?

    System Logs:
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:32 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] check dns error.
    Mar 2 03:36:56 ACME [Mon Mar 2 03:36:53 EST 2020] Please check log file for more details: /tmp/acme/xxxxxxx.com/acme_issuecert.log
    Mar 2 03:36:56 php ACME, Failed to renew certificate for xxxxxxxxx

    ACME Log:

    [Mon Mar  2 03:16:18 EST 2020] Let's check each dns records now. Sleep 20 seconds first.
    [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _idn_temp
    [Mon Mar  2 03:16:38 EST 2020] _is_idn_d='_acme-challenge.xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _idn_temp
    [Mon Mar  2 03:16:38 EST 2020] d='xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] txtdomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] aliasDomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] txt='xxxx'
    [Mon Mar  2 03:16:38 EST 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_cf.sh'
    [Mon Mar  2 03:16:38 EST 2020] Checking Xxxxx.com for _acme-challenge.xxxxxx.com
    [Mon Mar  2 03:16:38 EST 2020] _c_txtdomain='_acme-challenge.xxxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _c_aliasdomain='_acme-challenge.Xxxxx.com'
    [Mon Mar  2 03:16:38 EST 2020] _c_txt='Xxxxxx'
    [Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
    [Mon Mar  2 03:16:38 EST 2020] GET
    [Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
    [Mon Mar  2 03:16:38 EST 2020] timeout=
    [Mon Mar  2 03:16:38 EST 2020] Http already initialized.
    [Mon Mar  2 03:16:38 EST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/xxxxxx.com//http.header  -g '
    [Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
    


  • Resolved: pfBlockerNG was blocking DNS over HTTPS (DoH) requests. I don't recall this being an issue before, though; was there a change made in the last 2 months to verify using this method?



  • cloudflare-dns.com was on a list that you selected as being used by pfBlockerNG?



  • @Gertjan I have a custom list of known DoH servers in an attempt to prevent DoH requests bypassing my other rules.

    Feed found here: https://heuristicsecurity.com/dohservers.txt


  • Rebel Alliance Developer Netgate

    It can't block DoH, so it blocks either the hostname from being resolved or the IP address that it resolves to (depending on how you set it up).

    So you basically told it to block Cloudflare DNS while you also need to use Cloudflare DNS. You can't have it both ways through the same resolver.

    You could tell pfSense not to use localhost for DNS (Under System > General) but you'd lose some of the benefits of allowing the firewall to use the resolver.



  • I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above referenced DoT/DoH blocking list. I block the domains and IPs via pfBlocker for LAN clients to stop any circumvention of DNS or hard-coded DNS in clients. I alternatively use DoT from Unbound in pfSense.

    The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option.

    I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off acme.sh's use of DoH and return to using the firewall for DNS? I could temporarily disable my blocking of DoH, but that would defeat the purpose of automated certificates.



  • @Risfold said in DoH Verification Method:

    I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above referenced DoT/DoH blocking list. I block the domains and IPs via pfBlocker for LAN clients to stop any circumvention of DNS or hard-coded DNS in clients. I alternatively use DoT from Unbound in pfSense.

    The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option.

    I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off acme.sh's use of DoH and return to using the firewall for DNS? I could temporarily disable my blocking of DoH, but that would defeat the purpose of automated certificates.

    Workaround noted here.

    add dnssleep time of 180
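The failure pattern discussed across this thread (acme.sh's pre-validation DNS check going to a DoH endpoint that the firewall's own DNSBL sinkholes, surfacing as a curl error) is easy to spot mechanically in the acme_issuecert.log. The script below is an added example and not code from the thread, from acme.sh or from pfSense: it parses the `[timestamp] message` log lines in the format shown in the first post, looks for the `Detect dns server first.` / `url='...'` / `for error code: N` sequence, and maps the libcurl exit code to what it usually means in a filtering environment. The sample log is constructed to mirror the one posted above; the curl code meanings come from the libcurl-errors page the log links to, and `--dnssleep` is acme.sh's own flag for skipping that check.

```python
import re
from typing import Optional

# Subset of libcurl exit codes that show up when an HTTPS endpoint is filtered
# (meanings from https://curl.haxx.se/libcurl/c/libcurl-errors.html).
CURL_ERRORS = {
    6: "CURLE_COULDNT_RESOLVE_HOST: hostname did not resolve (DNSBL returned NXDOMAIN/refused)",
    7: "CURLE_COULDNT_CONNECT: TCP connect failed (IP blocked or sinkholed)",
    28: "CURLE_OPERATION_TIMEDOUT: no answer (traffic silently dropped)",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake failed",
    60: "CURLE_PEER_FAILED_VERIFICATION: certificate did not match the hostname "
        "(typical when the name resolves to a DNSBL/sinkhole web server)",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
URL_RE = re.compile(r"^url='(?P<url>[^']+)'")
ERR_RE = re.compile(r"for error code:\s*(?P<code>\d+)")

# Constructed sample modelled on the acme_issuecert.log excerpt in the first post.
SAMPLE_LOG = """\
[Mon Mar  2 03:16:18 EST 2020] Let's check each dns records now. Sleep 20 seconds first.
[Mon Mar  2 03:16:38 EST 2020] txtdomain='_acme-challenge.example.com'
[Mon Mar  2 03:16:38 EST 2020] d_api='/usr/local/pkg/acme/dnsapi/dns_cf.sh'
[Mon Mar  2 03:16:38 EST 2020] Detect dns server first.
[Mon Mar  2 03:16:38 EST 2020] GET
[Mon Mar  2 03:16:38 EST 2020] url='https://cloudflare-dns.com'
[Mon Mar  2 03:16:38 EST 2020] _CURL='curl -L --silent -g '
[Mon Mar  2 03:16:39 EST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
"""


def diagnose_doh_check(log_text: str) -> Optional[dict]:
    """Scan an acme.sh issue log for a failed DoH-based DNS pre-check.

    Returns a dict describing the first failure found after a
    'Detect dns server first.' marker, or None if the check did not fail.
    """
    in_dns_detect = False
    url = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Detect dns server first"):
            in_dns_detect = True   # acme.sh is about to query its DoH resolver
            url = None
            continue
        if not in_dns_detect:
            continue
        um = URL_RE.match(msg)
        if um:
            url = um.group("url")  # the DoH endpoint acme.sh chose
            continue
        em = ERR_RE.search(msg)
        if em:
            code = int(em.group("code"))
            return {
                "url": url,
                "curl_code": code,
                "meaning": CURL_ERRORS.get(code, "see libcurl-errors.html"),
                # Only treat it as a DoH reachability problem when the error
                # belongs to the curl request made right after the marker.
                "doh_blocked": url is not None and code in CURL_ERRORS,
            }
    return None


def suggest(diag: Optional[dict]) -> str:
    """Turn a diagnosis into the operator-facing explanation."""
    if diag is None:
        return "DNS pre-check completed normally; the renewal failure lies elsewhere."
    if diag["doh_blocked"]:
        return (
            f"acme.sh could not reach its DoH resolver {diag['url']} "
            f"(curl {diag['curl_code']}: {diag['meaning']}). The firewall's own DNSBL "
            "is filtering the endpoint the ACME client depends on: exempt that hostname "
            "on the firewall's resolver path, or set a DNS sleep (acme.sh --dnssleep) so "
            "the DoH check is skipped and the client just waits for propagation."
        )
    return f"curl exited with code {diag['curl_code']}: {diag['meaning']}"


if __name__ == "__main__":
    print(suggest(diagnose_doh_check(SAMPLE_LOG)))
```

Running it against the constructed log reports curl 60 against https://cloudflare-dns.com and points at the DNSBL as the cause, which is exactly the situation the thread resolves by either exempting the resolver's hostname or setting the DNS sleep.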

