Netgate Discussion Forum

nsupdate: key ? is unreadable

  • Sprinterfreak
    last edited by Jun 10, 2023, 4:06 PM

    Hi there,

    I wanted to use my existing DNS challenge infrastructure, which is running fine using acertmgr.

    Basically there is a dedicated bind instance running at challenge.domain.net, serving acme.challenge.domain.net.
    On every domain I like to validate, I add (in this case)

    _acme-challenge.owa IN CNAME acme.challenge.domain.net.

    I have TSIG keys configured at challenge.domain.net, which allow update txt on acme.challenge.domain.net. Tested, working in production with acertmgr on a lot of Debian machines. So up to here there is no fault.

    Now pfsense's Acme comes in.

    • I created new Acme account "LE Testing" using le-staging-2 CA
    • I created a certificate config for owa.domain.net as follows:

    Name: owa.domain.net
    Acme Account: LE Testing
    Domain SAN list DNS-Nsupdate /RFC2136

    • Server challenge.domain.net
    • Key Name: pfsense.
    • Key Algorithm: HMAC-SHA512
    • Key: VLvHm4IeTM8gzIx3SteM7ISjz+oReIklXYciB0P6GFMPFBnw1pTu/BS4adDStWvP1gRAzhCBv1MFFb5xja05uA==
    • Enable DNS alias mode: acme.challenge.domain.net
    • Enable DNS domain alias mode: [x]

    When I save and hit renew, the following is presented in a green box: (Why green? It failed...)

    owa.domain.net
    Renewing certificate 
    account: LE Testing 
    server: letsencrypt-staging-2 
    
     getCertificatePSK updating key
    /usr/local/pkg/acme/acme.sh  --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --create-domain-key --domain 'owa.domain.net' --keylength '4096' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_createdomainkey.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    )
    [Sat Jun 10 16:22:16 CEST 2023] Creating domain key
    [Sat Jun 10 16:22:17 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
    
    /usr/local/pkg/acme/acme.sh  --issue  --domain 'owa.domain.net' --domain-alias 'acme.challenge.domain.net' --dns 'dns_nsupdate'  --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --force --reloadCmd '/tmp/acme/owa.domain.net/reloadcmd.sh' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [NSUPDATE_SERVER] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate
        [NSUPDATE_KEYNAME] => pfsense.
        [NSUPDATE_KEYALGO] => 165
        [NSUPDATE_KEY] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate
        [NSUPDATE_ZONE] => challenge.domain.net
    )
    [Sat Jun 10 16:22:18 CEST 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
    [Sat Jun 10 16:22:18 CEST 2023] Creating domain key
    [Sat Jun 10 16:22:18 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
    [Sat Jun 10 16:22:18 CEST 2023] Single domain='owa.domain.net'
    [Sat Jun 10 16:22:18 CEST 2023] Getting domain auth token for each domain
    [Sat Jun 10 16:22:20 CEST 2023] Getting webroot for domain='owa.domain.net'
    [Sat Jun 10 16:22:20 CEST 2023] Adding txt value: iNxhsmIl2uBmS88ekq9xrRHq5OzL2gNyStpu9yFGVcU for domain:  acme.challenge.domain.net
    [Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable
    [Sat Jun 10 16:22:20 CEST 2023] Error add txt for domain:acme.challenge.domain.net
    [Sat Jun 10 16:22:20 CEST 2023] Please check log file for more details: /tmp/acme/owa.domain.net/acme_issuecert.log
    

    So the line in question is this:

    [Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable

    By the looks of it, the path already looks broken. The file does not exist; pfSense has failed to create it, I guess.

    So now I fiddled around a lot.
    I managed to fix the missing files by

    cd /tmp/acme/owa.domain.net
    ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.server owa.domain.netnsupdateacme.challenge.domain.net.server
    ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.key owa.domain.netnsupdateacme.challenge.domain.net.key
    

    Sorry for finding a hack before posting, but there is definitely something wrong with filenames created by the UI.

    Hopefully this is useful enough for our devs to find a permanent solution to this.

    Best regards,
    Jan

    • Sprinterfreak @Sprinterfreak
      last edited by Jun 10, 2023, 4:13 PM

      The issue may be just pfSense prepending _acme-challenge. to the challenge FQDN in the filename when "Enable DNS domain alias mode" is ticked.

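The log line `key ... is unreadable` in the first post and the `_acme-challenge.` prefix hypothesis in the follow-up can both be checked before a renewal is attempted. The script below is an added example, not code from pfSense, the ACME package or acme.sh. It assumes, from the log line in the post, that the package reads the TSIG key from `${NSUPDATE_KEY}${fulldomain}.key` (where `fulldomain` is the alias name acme.sh reports in "Adding txt value ... for domain"), and that the UI wrote `${NSUPDATE_KEY}_acme-challenge.${fulldomain}.key` instead. `check_nsupdate_key` reports whether the expected file, only the UI-named file, or neither exists; `link_ui_key` reproduces the poster's symlink workaround for the `.key` and `.server` files. The demo runs on a constructed temporary directory, not on a real pfSense path.

```shell
#!/bin/sh
# Added example (not pfSense/acme.sh code): preflight check for the nsupdate
# key-file naming mismatch described in the thread.
# Assumption from the log line: acme.sh reads "${NSUPDATE_KEY}${fulldomain}.key";
# the UI wrote "${NSUPDATE_KEY}_acme-challenge.${fulldomain}.key" in alias mode.

# expected_key_path PREFIX FULLDOMAIN -> path acme.sh tries to read
expected_key_path() {
    printf '%s%s.key\n' "$1" "$2"
}

# ui_key_path PREFIX FULLDOMAIN -> path the UI wrote according to the post
ui_key_path() {
    printf '%s_acme-challenge.%s.key\n' "$1" "$2"
}

# check_nsupdate_key PREFIX FULLDOMAIN
# Prints one word on stdout: "ok" (expected file readable), "mismatch" (only the
# UI-named file exists) or "missing" (neither). Exit status 0 only for "ok".
check_nsupdate_key() {
    want=$(expected_key_path "$1" "$2")
    alt=$(ui_key_path "$1" "$2")
    if [ -r "$want" ]; then
        echo ok
        return 0
    fi
    if [ -r "$alt" ]; then
        echo "acme.sh wants $want but the UI wrote $alt" >&2
        echo mismatch
        return 1
    fi
    echo missing
    return 2
}

# link_ui_key PREFIX FULLDOMAIN
# Mirrors the workaround from the post: symlink the UI-named .key and .server
# files to the names acme.sh expects. Only creates links that are missing.
link_ui_key() {
    for ext in key server; do
        src="$1_acme-challenge.$2.$ext"
        dst="$1$2.$ext"
        if [ -e "$src" ] && [ ! -e "$dst" ]; then
            # relative link target; src and dst live in the same directory
            ln -s "$(basename "$src")" "$dst" || return 1
        fi
    done
    return 0
}

# Demonstration on a constructed temporary directory (not a real pfSense path).
demo() {
    tmp=$(mktemp -d) || return 1
    prefix="$tmp/owa.domain.netnsupdate"
    fulldomain="acme.challenge.domain.net"
    # Simulate the two files the UI wrote, carrying the "_acme-challenge." prefix.
    : > "$(ui_key_path "$prefix" "$fulldomain")"
    : > "${prefix}_acme-challenge.${fulldomain}.server"
    before=$(check_nsupdate_key "$prefix" "$fulldomain" 2>/dev/null) || :
    link_ui_key "$prefix" "$fulldomain"
    after=$(check_nsupdate_key "$prefix" "$fulldomain" 2>/dev/null) || :
    echo "before fix: $before, after fix: $after"
    rm -rf "$tmp"
}

demo
```

Running it prints `before fix: mismatch, after fix: ok`. On a real box you would call `check_nsupdate_key` with the `NSUPDATE_KEY` value from the renewal log and the alias domain; a `mismatch` result confirms the naming bug rather than a TSIG or permissions problem, and `missing` points at the UI not having written the file at all.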
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.