acme + plesk DNS + wildcard pfsense 2.5.2
-
Hi guys and girls,
I have certificate renewal working using DNS-Manual but I'm attempting to get the DNS-plesk method working for the LetsEncrypt / Acme plugin and seem to be having a problem.
The error message returned by pfSense is:
(real domain name, username, password, etc. replaced)
domain.co.uk_wildcard_v4
Renewing certificate
account: STAGING-pfSense.subdomain.domain.co.uk
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue --domain '*.domain.co.uk' --dns 'dns_pleskxml' --home '/tmp/acme/domain.co.uk_wildcard_v4/' --accountconf '/tmp/acme/domain.co.uk_wildcard_v4/accountconf.conf' --force --reloadCmd '/tmp/acme/domain.co.uk_wildcard_v4/reloadcmd.sh' --log-level 3 --log '/tmp/acme/domain.co.uk_wildcard_v4/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [pleskxml_user] => <USERNAME> [pleskxml_pass] => <PASSWORD> [pleskxml_uri] => hostname.domain.co.uk )
[Sun Oct 31 09:42:45 GMT 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sun Oct 31 09:42:45 GMT 2021] Single domain='*.domain.co.uk'
[Sun Oct 31 09:42:45 GMT 2021] Getting domain auth token for each domain
[Sun Oct 31 09:42:48 GMT 2021] Getting webroot for domain='*.domain.co.uk'
[Sun Oct 31 09:42:48 GMT 2021] Adding txt value: Wrh5SDYa8bDnyBZcEpMJ74BrTwHEVNXcVGJNLzjJlk0 for domain: _acme-challenge.domain.co.uk
[Sun Oct 31 09:42:48 GMT 2021] Entering dns_pleskxml_add() to add TXT record 'Wrh5SDYa8bDnyBZcEpMJ74BrTwHEVNXcVGJNLzjJlk0' to domain '_acme-challenge.domain.co.uk'...
[Sun Oct 31 09:42:49 GMT 2021] Cannot find '_acme-challenge.domain.co.uk' or any parent domain of it, in Plesk.
[Sun Oct 31 09:42:49 GMT 2021] Are you sure that this domain is managed by this Plesk server?
[Sun Oct 31 09:42:49 GMT 2021] Error add txt for domain:_acme-challenge.domain.co.uk
[Sun Oct 31 09:42:49 GMT 2021] Please check log file for more details: /tmp/acme/domain.co.uk_wildcard_v4/acme_issuecert.log
The bit of the log that I think is relevant is:
[Sun Oct 31 09:42:48 GMT 2021] Leaving _call_api(). Successful call.
[Sun Oct 31 09:42:48 GMT 2021] Domains managed by Plesk server are (ignore the hacked output):
[Sun Oct 31 09:42:48 GMT 2021]
[Sun Oct 31 09:42:48 GMT 2021] Checking if '_acme-challenge.domain.co.uk' is managed by the Plesk server...
[Sun Oct 31 09:42:48 GMT 2021] No match, trying next parent up...
[Sun Oct 31 09:42:48 GMT 2021] Checking if 'domain.co.uk' is managed by the Plesk server...
[Sun Oct 31 09:42:49 GMT 2021] No match, trying next parent up...
[Sun Oct 31 09:42:49 GMT 2021] Checking if 'co.uk' is managed by the Plesk server...
[Sun Oct 31 09:42:49 GMT 2021] No match, and next parent would be a TLD...
[Sun Oct 31 09:42:49 GMT 2021] Cannot find '_acme-challenge.domain.co.uk' or any parent domain of it, in Plesk.
[Sun Oct 31 09:42:49 GMT 2021] Are you sure that this domain is managed by this Plesk server?
[Sun Oct 31 09:42:49 GMT 2021] Error add txt for domain:_acme-challenge.domain.co.uk
[Sun Oct 31 09:42:49 GMT 2021] _on_issue_err
[Sun Oct 31 09:42:49 GMT 2021] Please check log file for more details: /tmp/acme/domain.co.uk_wildcard_v4/acme_issuecert.log
Can anyone suggest where I might be going wrong?
-
IMHO, this is the relevant part - in the first block:
Sun Oct 31 09:42:49 GMT 2021] Cannot find '_acme-challenge.domain.co.uk' or any parent domain of it, in Plesk.
[Sun Oct 31 09:42:49 GMT 2021] Are you sure that this domain is managed by this Plesk server?
[Sun Oct 31 09:42:49 GMT 2021] Error add txt for domain:_acme-challenge.domain.co.uk
If acme.sh can't add the TXT record with the 'secret' value, the show stops.
See this file /usr/local/pkg/acme/dnsapi/dns_pleskxml.sh for all the details needed.
pfSense (acme) needs to be able to contact your plesk device so it can put a TXT file in place.
Check on the Plesk side (it has logs, right?) why it doesn't work.
-
@gertjan thanks for your reply. I agree that the part you highlight is the problem.
The way I read this, it looked like the third line of the log (the second bit), which apart from the timestamp is blank, should have enumerated all of the domains that the server manages. I don't have a working implementation to check that my assumption is valid, though.
I have no idea which logs I should be looking at on the plesk side. I'll have a look through the script you indicated and see what I can see.
-
@qctech said in acme + plesk DNS + wildcard pfsense 2.5.2:
I have no idea which logs I should be looking at on the plesk side.
When I look at /usr/local/pkg/acme/dnsapi/dns_pleskxml.sh, I see a remote scripted access to Plesk. Such access has to be set up correctly first, and this is a "security thing". Pretty sure that these accesses are logged.
-
@gertjan, ah, OK. I was working on the assumption that entering the URL, username and password for the Plesk server when configuring it in pfSense would be all that was required.
Do you happen to know if this is documented somewhere? My googling didn't turn anything up, but my google-fu could be off.
-
@qctech said in acme + plesk DNS + wildcard pfsense 2.5.2:
Do you happen to know if this is documented somewhere?
Yep. The 'how-to' is one click away.
As said: look at this file /usr/local/pkg/acme/dnsapi/dns_pleskxml.sh (you have it) or this (the same) file FreeBSD-ports/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_pleskxml.sh
-
@gertjan again, thanks for your ongoing help. I think I have worked out the issue.
Further reading of the log file shows that the API call being made is:
[Mon Nov 1 15:20:35 GMT 2021] body='<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>'
And that this call returns:
[Mon Nov 1 15:05:39 GMT 2021] The responses from the Plesk XML server were:
[Mon Nov 1 15:05:39 GMT 2021] retcode=0. Literal response:
[Mon Nov 1 15:05:39 GMT 2021] '<?xml version="1.0" encoding="UTF-8"?> <packet version="1.6.9.1"> <customer> <get-domain-list> <result> <status>ok</status> </result> </get-domain-list> </customer> </packet>'
Again, I am making an assumption here that this should have returned a list of domains in the result section, but it isn't, and that's a problem.
I then spotted that the API that's being called is a customer-related API, asking for a list of domains that a customer owns... So, I tried creating a customer (I don't use customers on this server), moved the required subscription over, changed the username and password in pfSense to the "customer" ones, and we are in business.
So, to summarise: when pfSense asks for a username and password, it needs to be the details for a Plesk customer, and the customer needs to own the subscription containing the domain you want to work with. Using an Admin account or a reseller account does not work.
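The following is an added example, not code from this thread, from pfSense or from acme.sh's dns_pleskxml.sh. It reproduces the parent-walk that the log shows ("Checking if ... is managed by the Plesk server... No match, trying next parent up... next parent would be a TLD") against two constructed get-domain-list responses: the empty one quoted above, and one with <name> entries as a customer account that owns the subscription is expected to return (that <domains>/<domain>/<name> nesting is an assumption of this example, as is the agent.php:8443 endpoint in the request helper, which the demo never calls). Running it offline shows exactly why the empty list makes acme.sh give up, and gives a quick check to run on a captured response before changing anything in pfSense.

```shell
#!/bin/sh
# Added example: simulate dns_pleskxml.sh's "is this domain managed by Plesk?"
# lookup against constructed Plesk XML API responses. Not the package's own code.

# Request body exactly as it appears in the thread's acme_issuecert.log.
PLESK_GET_DOMAIN_LIST='<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>'

# Constructed response 1: the empty list the thread shows (admin/reseller credentials).
RESP_EMPTY='<?xml version="1.0" encoding="UTF-8"?> <packet version="1.6.9.1"> <customer> <get-domain-list> <result> <status>ok</status> </result> </get-domain-list> </customer> </packet>'

# Constructed response 2: what a customer that owns the subscription is expected to
# return. The <domains>/<domain>/<name> nesting is an ASSUMPTION for this example;
# only the <name> elements matter to the parser below.
RESP_CUSTOMER='<?xml version="1.0" encoding="UTF-8"?> <packet version="1.6.9.1"> <customer> <get-domain-list> <result> <status>ok</status> <domains> <domain> <id>7</id> <name>domain.co.uk</name> </domain> <domain> <id>9</id> <name>other.example</name> </domain> </domains> </result> </get-domain-list> </customer> </packet>'

# Send a request to a Plesk server (ASSUMED endpoint: agent.php on port 8443 with the
# HTTP_AUTH_LOGIN / HTTP_AUTH_PASSWD headers; verify against your own server and the
# pleskxml_uri you configured). Never called by the demo, so nothing leaves this host.
plesk_xml_request() {
  # $1 = hostname, $2 = login, $3 = password, $4 = XML body
  curl -sS -X POST "https://$1:8443/enterprise/control/agent.php" \
    -H "HTTP_AUTH_LOGIN: $2" -H "HTTP_AUTH_PASSWD: $3" \
    -H 'Content-Type: text/xml' --data "$4"
}

# Print every <name>...</name> value in a response, one per line (empty if none).
plesk_domain_names() {
  printf '%s' "$1" | grep -o '<name>[^<]*</name>' | sed 's/<\/\{0,1\}name>//g'
}

# Walk from the challenge name up through its parents and print the first one the
# server manages; return 1 when the next parent would be a bare TLD, as the log does.
plesk_find_managed_parent() {
  names=$(plesk_domain_names "$2")
  candidate=$1
  while :; do
    case "$candidate" in
      *.*) ;;          # still has a parent, keep checking
      *) return 1 ;;   # next parent would be a TLD: give up
    esac
    if printf '%s\n' "$names" | grep -qxF "$candidate"; then
      printf '%s\n' "$candidate"
      return 0
    fi
    candidate=${candidate#*.}   # strip the leftmost label: x.y.z -> y.z
  done
}

# Explain a response the way the thread's final post does: status ok with no <name>
# entries means the login is not a customer that owns the subscription.
plesk_diagnose() {
  if plesk_find_managed_parent "$1" "$2" >/dev/null; then
    echo "ok: Plesk manages a parent of $1"
  elif [ -z "$(plesk_domain_names "$2")" ]; then
    echo "empty domain list: use a Plesk customer login that owns the subscription"
  else
    echo "domain list returned, but no parent of $1 is in it"
  fi
}

plesk_diagnose _acme-challenge.domain.co.uk "$RESP_EMPTY"
plesk_diagnose _acme-challenge.domain.co.uk "$RESP_CUSTOMER"
```

To check a real server, capture the body returned for PLESK_GET_DOMAIN_LIST (the "Literal response" line in acme_issuecert.log already contains it) and pass it as the second argument to plesk_diagnose; if the list is empty, the credentials, not DNS, are the thing to fix.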