Mail server with DANE - adding TLSA record with acme pkg
Hello, I have the following question:
I have a mail server with Postfix and Dovecot behind pfSense, using the acme package in order to generate a new Let's Encrypt certificate every 3 months. Currently I am using an API from my DNS hosting provider, which is built into pfSense, in order to update the TXT record over DNS, i.e. using "HOSTINGDE_APIKEY" and "HOSTINGDE_ENDPOINT", and thus reissue a new wildcard Let's Encrypt certificate. This process is already stable and working quite well. By the process I mean adding the new TXT record received from Let's Encrypt to the domain for 120 seconds and then, immediately after the certificate has been downloaded, removing that DNS record.
Now I would like to use DANE to validate the DNS records. In order to do that I have to create a TLSA record, which is basically a hash of the received certificate. To me it would make sense to add this TLSA record at the same moment the certificate is downloaded and installed, with the same process. My question is: is there a standard way to do that with pfSense? I.e. currently all the settings required to update the TXT DNS record are under
Services → Acme Certificates → Certificates → Domain SAN list →
Example below:
I would not like to reinvent the wheel here; instead I would like to reuse something if such exists. The current process goes like this:
/usr/local/pkg/acme/acme.sh --issue --domain '*.mydomain.org' --dns 'dns_hostingde' --home '/tmp/acme/ProductionMydomainOrgWildCard2021/' --accountconf '/tmp/acme/ProductionMydomainOrgWildCard2021/accountconf.conf' --force --reloadCmd '/tmp/acme/ProductionMydomainOrgWildCard2021/reloadcmd.sh' --log-level 3 --log '/tmp/acme/ProductionMydomainOrgWildCard2021/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [HOSTINGDE_APIKEY] => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    [HOSTINGDE_ENDPOINT] => https://secure.hosting.de
)
[Thu Nov 4 12:04:15 CET 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Nov 4 12:04:16 CET 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Thu Nov 4 12:04:17 CET 2021] Already registered
[Thu Nov 4 12:04:17 CET 2021] ACCOUNT_THUMBPRINT='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
[Thu Nov 4 12:04:17 CET 2021] Single domain='*.mydomain.org'
[Thu Nov 4 12:04:17 CET 2021] Getting domain auth token for each domain
[Thu Nov 4 12:04:19 CET 2021] Getting webroot for domain='*.mydomain.org'
[Thu Nov 4 12:04:19 CET 2021] Adding txt value: ksu57hfm39X19Qcffdcx4-vMdRMn8NXqDJcORGs4Bz4 for domain: _acme-challenge.mydomain.org
[Thu Nov 4 12:04:19 CET 2021] Getting ZoneConfig
[Thu Nov 4 12:04:19 CET 2021] Retrieved zone data.
[Thu Nov 4 12:04:19 CET 2021] Adding record to zone
[Thu Nov 4 12:04:19 CET 2021] The txt record is added: Success.
[Thu Nov 4 12:04:19 CET 2021] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Nov 4 12:04:39 CET 2021] Checking mydomain.org for _acme-challenge.mydomain.org
[Thu Nov 4 12:04:40 CET 2021] Domain mydomain.org '_acme-challenge.mydomain.org' success.
[Thu Nov 4 12:04:40 CET 2021] All success, let's return
[Thu Nov 4 12:04:40 CET 2021] Verifying: *.mydomain.org
[Thu Nov 4 12:04:43 CET 2021] Success
[Thu Nov 4 12:04:43 CET 2021] Removing DNS records.
[Thu Nov 4 12:04:43 CET 2021] Removing txt: ksu57hfm39X19Qcffdcx4-vMdRMn8NXqDJcORGs4Bz4 for domain: _acme-challenge.mydomain.org
[Thu Nov 4 12:04:43 CET 2021] Getting ZoneConfig
[Thu Nov 4 12:04:43 CET 2021] Retrieved zone data.
[Thu Nov 4 12:04:43 CET 2021] Removing record from zone
[Thu Nov 4 12:04:43 CET 2021] Removed: Success
[Thu Nov 4 12:04:43 CET 2021] Verify finished, start to sign.
[Thu Nov 4 12:04:43 CET 2021] Lets finalize the order.
[Thu Nov 4 12:04:43 CET 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/267546560/37051479500'
[Thu Nov 4 12:04:45 CET 2021] Downloading cert.
[Thu Nov 4 12:04:45 CET 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0440597cf674dacc109a26f38745b937cfbb'
[Thu Nov 4 12:04:46 CET 2021] Cert success.
What would be the right way to add the TLSA record here? I am trying to avoid manually editing the /usr/local/pkg/acme/dnsapi/ folder.
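Not part of the original post: an added example of the computation such a reloadCmd hook would need, the "3 1 1" TLSA value (DANE-EE, SubjectPublicKeyInfo, SHA-256) derived from the new certificate, plus a check of what DNS currently serves. It assumes openssl and dig are on the PATH and uses hypothetical paths and names; the hosting.de API call that publishes the record is not shown.

```shell
#!/bin/sh
# Added example, not pfSense or acme.sh code: derive the DANE TLSA "3 1 1" RDATA
# (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256)
# from a freshly issued PEM certificate, the value a reloadcmd hook would publish.
# Assumes openssl(1) and dig(1) are on the PATH. Paths and names are hypothetical.
set -e

# SHA-256 hex digest of the certificate's DER-encoded SubjectPublicKeyInfo.
# The sed strips the "SHA256(stdin)= " or "(stdin)= " prefix that openssl dgst prints.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -hex \
      | sed 's/^.*= *//'
}

# Full RDATA as it appears in the zone, e.g. at _25._tcp.mail.mydomain.org.
tlsa_rdata() {
    printf '3 1 1 %s\n' "$(spki_sha256 "$1")"
}

# Compare the record currently served in DNS with the one the new cert needs.
# Returns 0 when they match (no update needed), 1 otherwise. Because "3 1 1"
# hashes only the public key, the value changes only when the key changes.
tlsa_dns_is_current() {
    want=$(tlsa_rdata "$2" | tr -d ' ')
    dig +short TLSA "$1" | tr 'A-F' 'a-f' | tr -d ' ' | grep -qx "$want"
}

# Hook-style entry point: ./tlsa.sh <cert.pem> [owner-name]
# Prints the record; with an owner name it also reports whether DNS is current.
if [ "$#" -ge 1 ]; then
    tlsa_rdata "$1"
    if [ "$#" -ge 2 ]; then
        if tlsa_dns_is_current "$2" "$1"; then
            echo "TLSA for $2 already matches; nothing to publish"
        else
            echo "TLSA for $2 differs or is missing; publish the record above"
        fi
    fi
fi
```

When the renewal produces a new key, publish the new record first and let the old record's TTL expire before Postfix starts serving the new certificate, otherwise DANE-validating senders will see a mismatch in between.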