Solved: ACME RFC2136 with DNS alias mode not working
-
Re: Acme DNS-NSupdate / RFC 2136 issue
@jimp While trying to get a Let's Encrypt certificate for my pfSense, pfsense.domain.tld, I need to use intern.domain.tld for validating with RFC 2136, which is on my other BIND server. After inserting the CNAME for _acme-challenge.intern.domain.tld at domain.tld, I used the DNS alias mode field of the pfSense ACME package in the pfSense GUI and entered there: intern.domain.tld.
Issuing the certificate shows in the logs of the BIND server for the zone intern.domain.tld that the TXT record _acme-challenge.intern.domain.tld is inserted correctly into the zone intern.domain.tld. According to the logs, Let's Encrypt then tries to verify the TXT record, but instead of asking for _acme-challenge.intern.domain.tld it asks for _acme-challenge.domain.tld, and obviously there is no TXT record of that name, because it was inserted at intern.domain.tld.
So there is no query for _acme-challenge.intern.domain.tld in the BIND logs. Afterwards it removes the TXT record correctly and stops with the log: pfsense.domain.tld:Verify error:No TXT record found at _acme-challenge.domain.tld.
I tried checking "Enable DNS domain alias mode:", but that one doesn't work at all.
Getting certificates for pfsense.intern.domain.tld with this setup works perfectly, without DNS alias mode.
I tested this on pfSense 2.6 with ACME package 0.7.3.
Is this a problem within the ACME package, or is this something inside the pfSense scripting, or do I misunderstand something?
-
Found the solution:
There must be two CNAME records, according to
https://github.com/acmesh-official/acme.sh/issues/2789: one for _acme-challenge.domain.tld to _acme-challenge.domain.tld
and a second one for _acme-challenge.pfsense.domain.tld to _acme-challenge.domain.tld.
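The failure above comes down to how a DNS-01 validator walks CNAMEs: it queries _acme-challenge.<hostname>, follows whatever CNAME chain it finds, and expects the TXT token at the end of that chain. The script below is an added example, not code from the thread, pfSense or acme.sh. It reproduces that walk over a constructed, in-memory zone so it runs offline; the record layout it assumes as the working one (_acme-challenge.pfsense.domain.tld CNAME _acme-challenge.domain.tld CNAME _acme-challenge.intern.domain.tld, with the TXT at the last name) is an assumption for illustration, as is the token value. It also shows why a CNAME that points at itself can never validate.

```python
"""Walk a _acme-challenge CNAME chain the way a DNS-01 validator does,
then check for the TXT token at the end of the chain.

All zone data here is constructed for this example (not taken from the
thread); the names reuse the thread's placeholders.  Assumed working layout:

  _acme-challenge.pfsense.domain.tld  CNAME  _acme-challenge.domain.tld
  _acme-challenge.domain.tld          CNAME  _acme-challenge.intern.domain.tld
  _acme-challenge.intern.domain.tld   TXT    "<token written by acme.sh>"
"""

MAX_HOPS = 8  # resolvers give up on very long chains; so do we

# Constructed token; a real ACME challenge token is issued by the CA.
TOKEN = "constructed-example-token-not-a-real-challenge"

# Zone as a dict: owner name -> {"CNAME": target} or {"TXT": [values]}
# Broken state: TXT lives at intern.domain.tld, the apex CNAME exists,
# but nothing points _acme-challenge.pfsense.domain.tld into the chain.
ZONE_BROKEN = {
    "_acme-challenge.domain.tld": {"CNAME": "_acme-challenge.intern.domain.tld"},
    "_acme-challenge.intern.domain.tld": {"TXT": [TOKEN]},
}

# Fixed state: the second CNAME, for the host actually being certified.
ZONE_FIXED = dict(
    ZONE_BROKEN,
    **{"_acme-challenge.pfsense.domain.tld": {"CNAME": "_acme-challenge.domain.tld"}},
)

# Degenerate state: a CNAME that points at its own owner name.
ZONE_LOOP = {
    "_acme-challenge.domain.tld": {"CNAME": "_acme-challenge.domain.tld"},
}


def resolve_txt(name, zone, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name`; return (final_name, txt_values, path).

    Raises ValueError on a CNAME loop or a chain longer than max_hops.
    """
    name = name.rstrip(".").lower()
    path = [name]
    seen = {name}
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            target = rrset["CNAME"].rstrip(".").lower()
            if target in seen:
                raise ValueError(f"CNAME loop at {target}: {' -> '.join(path)}")
            seen.add(target)
            path.append(target)
            name = target
            continue
        # No CNAME here: this is where the TXT must be.
        return name, list(rrset.get("TXT", [])), path
    raise ValueError(f"CNAME chain longer than {max_hops} hops: {' -> '.join(path)}")


def validate(host, zone, token):
    """Mimic the validator: query _acme-challenge.<host>, return (ok, message)."""
    qname = f"_acme-challenge.{host}"
    try:
        final, txts, path = resolve_txt(qname, zone)
    except ValueError as exc:
        return False, str(exc)
    if token in txts:
        return True, f"TXT found at {final} via {' -> '.join(path)}"
    return False, f"Verify error: No TXT record found at {final}"


if __name__ == "__main__":
    for label, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        ok, msg = validate("pfsense.domain.tld", zone, TOKEN)
        print(f"{label:6} pfsense.domain.tld: {'OK ' if ok else 'FAIL'} {msg}")
    ok, msg = validate("domain.tld", ZONE_LOOP, TOKEN)
    print(f"loop   domain.tld: {'OK ' if ok else 'FAIL'} {msg}")
```

Against a live zone the same walk is what `dig +short CNAME _acme-challenge.pfsense.domain.tld` followed by `dig +short TXT` on the final name shows you, and it is worth running from a resolver outside your network: the CA follows the chain with its own resolvers, so every link, including the one in intern.domain.tld, has to be publicly resolvable.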