Error adding txt (Solved)
-
Why am I getting this on a FQDN?
[Mon Jun 19 00:52:41 CDT 2023] invalid domain
[Mon Jun 19 00:52:41 CDT 2023] Error add txt for domain:_acme-challenge.
pfSense 23.05 and using Cloudflare DNS to validate.
-
The exact setup with the subdomain worked under pfSense 2.5.2 with Acme 0.73 or whatever Acme was...not sure I had it under v2.6...it's possible. I am trying not to expose the subdomain to the public...it seems that it's inevitable...so, here it is, and if the log is needed, let me know...
[Mon Jun 19 01:24:21 CDT 2023] Adding txt value: uQMhURuTG_A9DQYGqzAKHSr0CaxbeIyo1eJmYP28MSs for domain: _acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 01:24:22 CDT 2023] invalid domain
[Mon Jun 19 01:24:22 CDT 2023] Error add txt for domain:_acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 01:24:22 CDT 2023] Please check log file for more details: /tmp/acme/certvoip/acme_issuecert.log -
It seems that Acme is not waiting to add txt...set to 180sec...still same error...
/usr/local/pkg/acme/dnsapi/dns_cf.sh line 67 fails.
So function _get_root fails. That is a private function in the same file. The file https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_cf.sh (that's the source) is identical in pfSense. It hasn't changed for at least a year.
So, as you are not the only one using Cloudflare, it must ;) be 'something' on your side. Inspect the file: /tmp/acme/[domain]/accountconf.conf
And also inspect the file acme_issuecert.log (same folder). If you want to see more debug info: edit /usr/local/pkg/acme/acme.sh, go to lines 107 and 112 and set max debug mode.
Note: this is also possible on the command line, but 'I dunno how to run acme.sh on the command line in pfSense' -
@Gertjan Thanks for responding...this is the only apparent issue I see: the time out of api zone...
[Mon Jun 19 00:38:51 CDT 2023] GET
[Mon Jun 19 00:38:51 CDT 2023] url='https://api.cloudflare.com/client/v4/zones/0ef698e7522287541eab2d915f9f1766'
[Mon Jun 19 00:38:51 CDT 2023] timeout=
[Mon Jun 19 00:38:51 CDT 2023] Http already initialized.
[Mon Jun 19 00:38:51 CDT 2023] _CURL='curl --silent --dump-header /tmp/acme/certvoip/http.header -L -g '
[Mon Jun 19 00:38:51 CDT 2023] ret='0'
[Mon Jun 19 00:38:51 CDT 2023] response='{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],"messages":[],"result":null}'
[Mon Jun 19 00:38:51 CDT 2023] invalid domain
[Mon Jun 19 00:38:51 CDT 2023] Error add txt for domain:_acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 00:38:51 CDT 2023] _on_issue_err
[Mon Jun 19 00:38:51 CDT 2023] Please check log file for more details: /tmp/acme/certvoip/acme_issuecert.log
[Mon Jun 19 00:38:51 CDT 2023] _chk_vlist='nollivoipserver.nollicomm.net#gW86u3cQHgrmuv6bBNn8jKdad2Cxhxu9ztYO9c8gFgg.OHWn5BShhwEb-jmcRPmqcWETmxUHnAvE7nrmm7cd3Hc#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6955516564/i7lunw#dns-01#dns_cf,'
[Mon Jun 19 00:38:51 CDT 2023] start to deactivate authz
[Mon Jun 19 00:38:51 CDT 2023] Trigger domain validation.
[Mon Jun 19 00:38:51 CDT 2023] _t_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6955516564/i7lunw'
[Mon Jun 19 00:38:51 CDT 2023] _t_key_authz='gW86u3cQHgrmuv6bBNn8jKdad2Cxhxu9ztYO9c8gFgg.OHWn5BShhwEb-jmcRPmqcWETmxUHnAvE7nrmm7cd3Hc'
[Mon Jun 19 00:38:51 CDT 2023] _t_vtype
[Mon Jun 19 00:38:51 CDT 2023] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/6955516564/i7lunw'
[Mon Jun 19 00:38:51 CDT 2023] payload='{}'
[Mon Jun 19 00:38:51 CDT 2023] Use cached jwk for file: /tmp/acme/certvoip/ca/acme-staging-v02.api.letsencrypt.org/directory/account.key
[Mon Jun 19 00:38:51 CDT 2023] base64 single line.
[Mon Jun 19 00:38:51 CDT 2023] payload64='e30'
[Mon Jun 19 00:38:51 CDT 2023] _request_retry_times='1'
[Mon Jun 19 00:38:51 CDT 2023] Use _CACHED_NONCE='riQvc_enIcfipcNE7o3E9CF5faFmhv-TFJPKUC
-
@Gertjan said in Error adding txt:
/usr/local/pkg/acme/dnsapi/dns_cf.sh line 67 fails.
  fi

  #save the api key and email to the account conf file.
  _saveaccountconf_mutable CF_Key "$CF_Key"
  _saveaccountconf_mutable CF_Email "$CF_Email"

  _clearaccountconf_mutable CF_Token
  _clearaccountconf_mutable CF_Account_ID
  _clearaccountconf_mutable CF_Zone_ID
  _clearaccountconf CF_Token
  _clearaccountconf CF_Account_ID
  _clearaccountconf CF_Zone_ID
fi

_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
  _err "invalid domain"
  return 1
fi
_debug _domain_id "$_domain_id"
_debug _sub_domain "$_sub_domain"
_debug _domain "$_domain" -
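The "invalid domain" message in the fragment above is printed whenever _get_root returns non-zero, and the debug log earlier in the thread shows that in this case the underlying Cloudflare response was an authentication failure (error 6003 with 6111 "Invalid format for Authorization header" in its error_chain), not a problem with the name. The following is an added example, not code from the thread or from the acme.sh project: a Python port of the zone lookup that dns_cf.sh's _get_root performs, with the HTTP call injected so it runs offline against constructed responses (the AUTH_FAILURE body is the one quoted in the log; the example.com zone and its id are made up). It keeps "credentials rejected" and "no matching zone" apart, which the shell version collapses into one message.

```python
"""Added example, not code from the thread or from acme.sh: a Python port of
the Cloudflare zone lookup that dns_cf.sh's _get_root performs, with the
HTTP call injected so it runs offline against constructed responses."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Codes that mean the request never got past authentication: 6003/6111 are
# the ones in the thread's log; 10000 is Cloudflare's generic
# "Authentication error".
AUTH_ERROR_CODES = {6003, 6111, 10000}
API = "https://api.cloudflare.com/client/v4/"


def cloudflare_get(path: str, token: str) -> Dict:
    """Live requester (not used by the offline test): GET /client/v4/<path>
    with the same Bearer header dns_cf.sh sends when CF_Token is set.
    Cloudflare answers auth failures with HTTP 4xx, so read that body too."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode())


def classify(response: Dict) -> str:
    """'ok', 'auth_error' or 'api_error' for a parsed Cloudflare response.
    Codes nested in error_chain count too: 6111 sits under 6003 in the log."""
    if response.get("success"):
        return "ok"
    codes = set()
    for err in response.get("errors", []):
        codes.add(err.get("code"))
        for chained in err.get("error_chain", []):
            codes.add(chained.get("code"))
    return "auth_error" if codes & AUTH_ERROR_CODES else "api_error"


def get_root(fulldomain: str, get: Callable[[str], Dict],
             zone_id: Optional[str] = None) -> Tuple[Optional[str], str, str, str]:
    """Returns (zone_id, sub_domain, zone_name, reason); zone_id is None on
    failure and reason says why, unlike the shell version's bare return 1.
    With CF_Zone_ID set the shell code fetches zones/<id> and takes the zone
    name from it; otherwise it walks up the name one label at a time,
    starting with the full name, asking zones?name=<candidate>."""
    if zone_id:
        resp = get("zones/" + zone_id)
        status = classify(resp)
        if status != "ok":
            return None, "", "", status
        zone_name = resp["result"]["name"]
        if not fulldomain.endswith("." + zone_name):
            return None, "", "", "zone_mismatch"
        return zone_id, fulldomain[: -len(zone_name) - 1], zone_name, "ok"
    labels = fulldomain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        resp = get("zones?name=" + candidate)
        status = classify(resp)
        if status != "ok":
            return None, "", "", status  # the shell version says "invalid domain" here
        for zone in resp.get("result") or []:
            if zone.get("name") == candidate:  # stricter than the total_count check
                return zone["id"], ".".join(labels[:i]), candidate, "ok"
    return None, "", "", "no_zone"


# Constructed responses for offline use: AUTH_FAILURE is the body quoted in
# the thread's log; ZONE is a made-up zone for example.com.
AUTH_FAILURE = json.loads(
    '{"success":false,"errors":[{"code":6003,"message":"Invalid request headers",'
    '"error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],'
    '"messages":[],"result":null}')
ZONE = {"id": "0123456789abcdef0123456789abcdef", "name": "example.com"}


def fake_api_broken_token(path: str) -> Dict:
    """Every call fails the way the thread's log shows."""
    return AUTH_FAILURE


def fake_api_working(path: str) -> Dict:
    """Only example.com exists, by name or by id; anything else is empty."""
    if path == "zones?name=example.com":
        return {"success": True, "errors": [], "messages": [], "result": [ZONE]}
    if path == "zones/" + ZONE["id"]:
        return {"success": True, "errors": [], "messages": [], "result": ZONE}
    return {"success": True, "errors": [], "messages": [], "result": []}


def explain(fulldomain: str, get: Callable[[str], Dict],
            zone_id: Optional[str] = None) -> str:
    """The verdict dns_cf.sh could have printed instead of 'invalid domain'."""
    zid, sub, zone, reason = get_root(fulldomain, get, zone_id)
    if zid:
        return f"zone {zone} ({zid}); TXT name relative to zone: {sub}"
    return {
        "auth_error": "Cloudflare rejected the credentials (check CF_Token or CF_Key+CF_Email, and the token's zone scope)",
        "api_error": "Cloudflare returned an error unrelated to authentication",
        "zone_mismatch": "CF_Zone_ID is not a parent zone of " + fulldomain,
        "no_zone": "no zone in this account matches any parent of " + fulldomain,
    }[reason]


if __name__ == "__main__":
    print(explain("_acme-challenge.voip.example.com", fake_api_working))
    print(explain("_acme-challenge.voip.example.com", fake_api_broken_token))
```

The practical check this encodes: when dns_cf.sh reports "invalid domain", open acme_issuecert.log and read the response= line of the last Cloudflare call before the error; a success:false body with an authentication code means the credentials, not the name, are the problem. A token can also be checked independently of acme.sh with Cloudflare's verify endpoint, curl -s -H "Authorization: Bearer $CF_Token" https://api.cloudflare.com/client/v4/user/tokens/verify, which returns success:true with the token's status when the header and token are well formed.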
Setting DNS-sleep to 5 mins/300sec has no effect, and it took ONE SECOND, see below...
[Mon Jun 19 11:28:48 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Jun 19 11:28:48 CDT 2023] Registering account: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Jun 19 11:28:49 CDT 2023] Already registered
[Mon Jun 19 11:28:49 CDT 2023] ACCOUNT_THUMBPRINT='OHWn5BShhwEb-jmcRPmqcWETmxUHnAvE7nrmm7cd3Hc'
[Mon Jun 19 11:28:49 CDT 2023] Single domain='nollivoipserver.nollicomm.net'
[Mon Jun 19 11:28:49 CDT 2023] Getting domain auth token for each domain
[Mon Jun 19 11:28:50 CDT 2023] Getting webroot for domain='nollivoipserver.nollicomm.net'
[Mon Jun 19 11:28:50 CDT 2023] Adding txt value: y-ZDUdtCFF4j1KnfuJVqcTOibYCpbCkJJCO6aW1WQH8 for domain: _acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 11:28:50 CDT 2023] invalid domain
[Mon Jun 19 11:28:50 CDT 2023] Error add txt for domain:_acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 11:28:50 CDT 2023] Please check log file for more details: /tmp/acme/certvoip/acme_issuecert.log -
@Gertjan said in Error adding txt:
If you want to see more debug info : edit /usr/local/pkg/acme/acme.sh - goto line 107 and 112 and set max debug mode.
This is what I see...should I change the default to 3?
ECC_SEP="_"
# No need for ECC suffix on pfSense, dual key certs are not supported.
ECC_SUFFIX=""
LOG_LEVEL_1=1
LOG_LEVEL_2=2
LOG_LEVEL_3=3
DEFAULT_LOG_LEVEL="$LOG_LEVEL_1"

DEBUG_LEVEL_1=1
DEBUG_LEVEL_2=2
DEBUG_LEVEL_3=3
DEBUG_LEVEL_DEFAULT=$DEBUG_LEVEL_1
DEBUG_LEVEL_NONE=0

DOH_CLOUDFLARE=1
DOH_GOOGLE=2
DOH_ALI=3
DOH_DP=4

HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
SYSLOG_ERROR="user.error"
SYSLOG_INFO="user.info"
SYSLOG_DEBUG="user.debug" -
So, I saw this in my search: https://www.reddit.com/r/PFSENSE/comments/p1qqk0/cannot_get_acme_certs_working_with_cloudflare_dns/
suggesting to use only global key and email; however, I got the same result...the subdomain resolves just fine as intended...this is just capital BS, indeed, and I am not alone on this issue.
[Mon Jun 19 13:17:19 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Jun 19 13:17:19 CDT 2023] Single domain='nollivoipserver.nollicomm.net'
[Mon Jun 19 13:17:19 CDT 2023] Getting domain auth token for each domain
[Mon Jun 19 13:17:21 CDT 2023] Getting webroot for domain='nollivoipserver.nollicomm.net'
[Mon Jun 19 13:17:21 CDT 2023] Adding txt value: mQCK-LCBCVocDzqqelWFGQhYWmGy53Ydj5qhJhS-Rqs for domain: _acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 13:17:22 CDT 2023] invalid domain
[Mon Jun 19 13:17:22 CDT 2023] Error add txt for domain:_acme-challenge.nollivoipserver.nollicomm.net
[Mon Jun 19 13:17:22 CDT 2023] Please check log file for more details: /tmp/acme/certvoip/acme_issuecert.log -
@Gertjan said in Error adding txt:
it must ;) be 'something' on your side.
You were correct...it's the dang admin frustrating self and this helped: https://forum.netgate.com/topic/147733/acme-dns-challenge-cloudflare/4
all zones instead of specific zone (token). -
@NollipfSense said in Error adding txt (Solved):
Set DNS-sleep to 5 mins/300sec has no effect, and took ONE SECOND see below...
Setting up the zone just before verification doesn't need any delays.
When the account has been verified and all 'add TXT' records have been successfully added to the zone (no errors),
then a "DNS Sleep" is introduced, because you've updated the DNS master, and this one has to signal all the DNS slaves, so they can get back to the master to sync up the zone.
This DNS mechanism is important, and completely out of our control.
A safety delay is needed.
Glad you worked it out.
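The post above explains the "DNS Sleep" as a fixed safety margin for the zone's secondary servers to catch up with the master. The following is an added example, not code from the thread or from the pfSense ACME package, of the check that margin stands in for: poll every authoritative nameserver of the zone for the _acme-challenge TXT record and return only once all of them serve the expected token, or give up when a deadline passes. The resolver call is injected so the logic runs offline with a constructed lookup; dig_txt is the live hook and assumes dig is installed, and the nameserver list is assumed to be the zone's NS set (for a Cloudflare-hosted zone, the two assigned ns.cloudflare.com hosts).

```python
"""Added example, not code from the thread or the pfSense ACME package: poll
the authoritative nameservers for the challenge TXT record instead of
sleeping a fixed number of seconds. Assumes dig is installed for live use."""
import subprocess
import time
from typing import Callable, List, Sequence


def dig_txt(name: str, nameserver: str) -> List[str]:
    """Live lookup against one authoritative server. 'dig +short' prints one
    quoted string per TXT record; ACME tokens are single short strings, so
    stripping the surrounding quotes is enough here."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", "TXT", name, "@" + nameserver],
        capture_output=True, text=True, check=False)
    return [line.strip().strip('"') for line in proc.stdout.splitlines() if line.strip()]


def wait_for_txt(name: str, expected: str, nameservers: Sequence[str],
                 lookup: Callable[[str, str], List[str]] = dig_txt,
                 timeout: float = 300.0, interval: float = 10.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """True once every nameserver returns `expected` for `name`, False if the
    deadline passes first. Ask the authoritative servers directly rather
    than a recursive resolver, so a cached negative answer cannot report
    'not there yet' long after the record has propagated."""
    deadline = clock() + timeout
    while True:
        lagging = [ns for ns in nameservers if expected not in lookup(name, ns)]
        if not lagging:
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def make_delayed_lookup(ready_after: int) -> Callable[[str, str], List[str]]:
    """Constructed resolver for offline use: ns1 has the record immediately,
    ns2 only after `ready_after` queries, mimicking a slow secondary."""
    seen = {"ns2": 0}

    def lookup(name: str, nameserver: str) -> List[str]:
        if nameserver.startswith("ns1."):
            return ["token-value"]
        seen["ns2"] += 1
        return ["token-value"] if seen["ns2"] > ready_after else []

    return lookup


if __name__ == "__main__":
    # Simulated clock so the demo does not actually sleep.
    fake_time = {"now": 0.0}
    ok = wait_for_txt("_acme-challenge.example.com", "token-value",
                      ["ns1.example.net", "ns2.example.net"],
                      lookup=make_delayed_lookup(2), timeout=60, interval=10,
                      clock=lambda: fake_time["now"],
                      sleep=lambda s: fake_time.__setitem__("now", fake_time["now"] + s))
    print("propagated" if ok else "timed out", "after", fake_time["now"], "s")
```

With acme.sh itself, the equivalent of this loop is what the package's fixed "DNS Sleep" value replaces: the sleep is only inserted after every TXT record was added without error, which is why an authentication failure during the add step, as in this thread, never reaches the sleep at all and fails within a second regardless of the value configured.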