Netgate Discussion Forum

Trouble with DNS NSUPDATE (Enable DNS alias mode )

Category: ACME
maverick_slo (May 13, 2024, 8:48 AM):

Hi.
Since the package update I have this error:

    HA_sub.domain.com
    Renewing certificate
    account: ACME_V2_STAGING
    server: letsencrypt-staging-2

    /usr/local/pkg/acme/acme.sh  --issue  --domain 'sub.domain.com' --challenge-alias 'myotherdomain.com' --dns 'dns_nsupdate'  --home '/tmp/acme/HA_sub.domain.com/' --accountconf '/tmp/acme/HA_sub.domain.com/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/HA_sub.domain.com/reloadcmd.sh' --dnssleep '60' --log-level 3 --log '/tmp/acme/HA_sub.domain.com/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [SSL_CERT_DIR] => /etc/ssl/certs/
        [NSUPDATE_SERVER] => /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate
        [NSUPDATE_KEYNAME] => le-key
        [NSUPDATE_KEYALGO] => 165
        [NSUPDATE_KEY] => /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate
        [NSUPDATE_ZONE] => 
    )
    [Mon May 13 10:40:02 CEST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
    [Mon May 13 10:40:02 CEST 2024] Using pre generated key: /tmp/acme/HA_sub.domain.com/sub.domain.com/sub.domain.com.key.next
    [Mon May 13 10:40:02 CEST 2024] Generate next pre-generate key.
    [Mon May 13 10:40:02 CEST 2024] Single domain='sub.domain.com'
    [Mon May 13 10:40:05 CEST 2024] Getting webroot for domain='sub.domain.com'
    [Mon May 13 10:40:05 CEST 2024] Adding txt value: kYIRLUuPWkUqoUmMaBi-ZM5bANqzPvrv4kpeKzd-RFM for domain:  _acme-challenge.myotherdomain.com
    [Mon May 13 10:40:05 CEST 2024] key /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key is unreadable
    [Mon May 13 10:40:05 CEST 2024] Error add txt for domain:_acme-challenge.myotherdomain.com
    [Mon May 13 10:40:05 CEST 2024] Please check log file for more details: /tmp/acme/HA_sub.domain.com/acme_issuecert.log

Is there a bug in the package?
maverick_slo (May 13, 2024, 8:50 AM):

    [Mon May 13 10:40:05 CEST 2024] key /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key is unreadable

is the error.
maverick_slo (May 13, 2024, 9:04 AM):

Actual filename: sub.domain.comnsupdatemyotherdomain.com.key
Script is looking for: sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key

Soooo.... I will have my 300 certificates nicely expired if this doesn't get fixed really quick.

And BTW, this was working for years!!!
maverick_slo, replying to @maverick_slo (May 13, 2024, 9:26 AM, last edited 9:36 AM):

And I saw this:
https://redmine.pfsense.org/issues/15061

(screenshot: f70aff0f-0499-4e1b-a946-c8dd5e20be74-image.png)

As you can see on the screenshot, this was working for 5 years.
Gertjan, replying to @maverick_slo (May 13, 2024, 9:40 AM):

@maverick_slo

I have a file:
brit-hotel-fumel.netnsupdate_acme-challenge.MY-DOMAIN.TLD.key
and also a
brit-hotel-fumel.netnsupdate_acme-challenge.MY-DOMAIN.TLD.server

Not sure why your "_acme-challenge." part is missing.

I just hit 'Renewal' a couple of minutes ago for my certificate set up with acme.sh.
The /tmp/acme/ folder didn't even exist before I updated (the /tmp/ folder gets cleaned out during a pfSense reboot) and it renewed just fine.
That is: as my cert was only a week old, I got the fast way out method:

    ....
    [Mon May 13 11:10:01 CEST 2024] Using pre generated key: /tmp/acme/V2_MY-DOMAIN.TLD/MY-DOMAIN.TLD/MY-DOMAIN.TLD.key.next
    [Mon May 13 11:10:01 CEST 2024] Generate next pre-generate key.
    [Mon May 13 11:10:01 CEST 2024] Multi domain='DNS:MY-DOMAIN.TLD,DNS:*.MY-DOMAIN.TLD'
    [Mon May 13 11:10:04 CEST 2024] Getting webroot for domain='MY-DOMAIN.TLD'
    [Mon May 13 11:10:04 CEST 2024] Getting webroot for domain='*.MY-DOMAIN.TLD'
    [Mon May 13 11:10:04 CEST 2024] MY-DOMAIN.TLD is already verified, skip dns-01.
    [Mon May 13 11:10:04 CEST 2024] *.MY-DOMAIN.TLD is already verified, skip dns-01.
    [Mon May 13 11:10:04 CEST 2024] Verify finished, start to sign.
    [Mon May 13 11:10:04 CEST 2024] Lets finalize the order.
    ....

which means no DNS checking, so this test is not conclusive.

I use

(screenshot: 16da28fc-770b-4ce2-9bbc-0aae8b9b38a6-image.png)

and this version is about 2 weeks old. I did renew my cert last week.

on pfSense 24.03.

And I use the "nsupdate" method against my own domain name server.

@maverick_slo said in Trouble with DNS NSUPDATE (Enable DNS alias mode ):

    Soooo.... I will have my 300 certificates nicely expired if this doesn't get fixed really quick.

Not useful for you right now, but set the auto renewal to "60" days or even less.
If something fails, that gives you "30" days to sort things out.

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
maverick_slo, replying to @Gertjan (May 13, 2024, 9:44 AM):

@Gertjan

I tried renew, some of my certs are renewing OK, some not (because of the above error).

But then I tried to add a BRAND NEW subdomain cert and it failed.

If I revert the commit made by some 3rd party guy, all starts to work again just fine.
https://github.com/pfsense/FreeBSD-ports/pull/1330/commits/bdd9ddf709119c51cd67719213d9ab15dafaa3ab

Tried on ACME PKG 0.8 on:
2.7.2
24.03

This is such a mess....
maverick_slo, replying to @maverick_slo (May 13, 2024, 9:59 AM):

And people will start to complain when they try to issue a new cert with this method.

See below for renewal and why it is working:

(screenshot: d59df2bd-f236-4629-9ed1-0c6ca9c23cf7-image.png)

When I renewed just now it added 2 wrongly named files but it did work, because in that folder there were still old files WHICH HAVE THE SAME CONTENT as the new files.

So this explains why renew could work, and a new cert will not work at all.
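An added example, not from this thread or from the pfSense ACME package: a Python audit that tells the three situations described above apart on disk (the file the hook wants is present; only the mis-named file is present; or renewal succeeds only because a stale, correctly named file from an earlier run is still there). The naming pattern it checks is an assumption read off the log line and filenames quoted in this thread (hook opens `<NSUPDATE_KEY prefix><_acme-challenge.alias>.key`, the broken build wrote `<prefix><alias>.key`), the `.server` sibling is not checked, and the directory it scans in the demo is constructed.

```python
"""Audit the per-certificate nsupdate key files under /tmp/acme/<cert>/.

Naming is taken from the log lines quoted in the thread (assumption: the hook
opens "<NSUPDATE_KEY prefix><_acme-challenge.alias>.key"; the broken build wrote
"<prefix><alias>.key"). The sample directory below is constructed for the demo.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

CHALLENGE_LABEL = "_acme-challenge."


def challenge_fqdn(domain: str, alias: Optional[str] = None) -> str:
    """Name the dns-01 TXT record is published under: with a challenge alias
    ("Enable DNS alias mode") acme.sh validates _acme-challenge.<alias>,
    otherwise _acme-challenge.<domain>."""
    return CHALLENGE_LABEL + (alias or domain)


def hook_key_path(prefix: str, fqdn: str) -> str:
    """File the nsupdate hook opens, per the thread's log line:
    '<prefix><fqdn>.key' (prefix is the NSUPDATE_KEY value, no separator)."""
    return f"{prefix}{fqdn}.key"


def misnamed_key_path(prefix: str, alias: str) -> str:
    """File the broken package build wrote: the alias without the
    _acme-challenge. label (thread: 'sub.domain.comnsupdatemyotherdomain.com.key')."""
    return f"{prefix}{alias}.key"


def audit(prefix: str, domains: List[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Return {challenge fqdn: status} for every domain of one certificate.

    ok        the file the hook will open exists and is readable
    masked    readable, but a newer mis-named sibling exists: this renewal is
              consuming a leftover from an earlier package version
    misnamed  the hook's file is absent, only the alias-named one exists
              (what the thread's 'key ... is unreadable' error looks like on disk)
    missing   neither file exists (or the hook's file is not readable)
    """
    report: Dict[str, str] = {}
    for domain, alias in domains:
        fqdn = challenge_fqdn(domain, alias)
        wanted = hook_key_path(prefix, fqdn)
        wrong = misnamed_key_path(prefix, alias or domain)
        wanted_ok = os.access(wanted, os.R_OK)
        wrong_exists = os.path.exists(wrong)
        if wanted_ok and wrong_exists and os.path.getmtime(wrong) > os.path.getmtime(wanted):
            report[fqdn] = "masked"
        elif wanted_ok:
            report[fqdn] = "ok"
        elif wrong_exists:
            report[fqdn] = "misnamed"
        else:
            report[fqdn] = "missing"
    return report


# Constructed sample: four alias names, one per outcome above. Not real hosts or keys.
SAMPLE_DOMAINS: List[Tuple[str, Optional[str]]] = [
    ("sub.example.com", "ok-alias.example"),
    ("sub.example.com", "masked-alias.example"),
    ("sub.example.com", "misnamed-alias.example"),
    ("sub.example.com", "missing-alias.example"),
]


def build_sample_dir() -> str:
    """Create a throwaway /tmp/acme/<cert>/-style directory and return the
    NSUPDATE_KEY prefix to audit. File contents are placeholders, not TSIG keys."""
    cert_dir = tempfile.mkdtemp(prefix="acme-audit-")
    prefix = os.path.join(cert_dir, "sub.example.comnsupdate")

    def write(path: str, mtime: int) -> None:
        with open(path, "w") as fh:
            fh.write('key "le-key" { placeholder };\n')
        os.utime(path, (mtime, mtime))  # pin mtime so older-vs-newer is deterministic

    write(hook_key_path(prefix, challenge_fqdn("sub.example.com", "ok-alias.example")), 2000)
    # masked: correct file is old, the mis-named one was written by the newer build
    write(hook_key_path(prefix, challenge_fqdn("sub.example.com", "masked-alias.example")), 1000)
    write(misnamed_key_path(prefix, "masked-alias.example"), 2000)
    # misnamed: a fresh certificate, so no leftover with the correct name exists
    write(misnamed_key_path(prefix, "misnamed-alias.example"), 2000)
    return prefix


def run_sample() -> Dict[str, str]:
    return audit(build_sample_dir(), SAMPLE_DOMAINS)


if __name__ == "__main__":
    for fqdn, status in run_sample().items():
        print(f"{status:9s} {fqdn}")
```

Running the audit against a real certificate directory means passing the `NSUPDATE_KEY` value from the package's environment dump as `prefix` and the certificate's domain/alias pairs as `domains`; a `masked` result is the case the thread describes, where renewals keep working until the leftover files are cleaned out (for example by the /tmp wipe on reboot).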
maverick_slo (May 13, 2024, 10:01 AM):

I just got off the phone, my fellow sysadmin from another company has exactly the same issue on his pfSense install, he is trying to create a new cert and he spent like 3 hours trying :)
Gertjan, replying to @maverick_slo (May 13, 2024, 10:02 AM):

@maverick_slo

Do you use any of these two:

(screenshot: 9f340e8b-338b-4c23-94f1-a2be580cc739-image.png)
maverick_slo, replying to @Gertjan (May 13, 2024, 10:06 AM):

@Gertjan I use ENABLE DNS ALIAS MODE, see my above screenshot...
maverick_slo (May 13, 2024, 10:52 AM):

Reverted this:
(screenshot: 6c55d362-6bdd-45ef-93e8-eb7e344fe07c-image.png)

And voila, all is fine again.
jimp (Rebel Alliance, Developer, Netgate) (May 13, 2024, 6:55 PM):

I reverted that particular change, new version is building now and should be available in a while.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
maverick_slo, replying to @jimp (May 13, 2024, 7:59 PM):

@jimp Thanks, will try tomorrow!
maverick_slo, replying to @maverick_slo (May 14, 2024, 11:43 AM):

Yeah, now it's working just fine again.
Thanks!
HeMaN (May 14, 2024, 6:00 PM):

I think I had the same issue with ACME - LE and DA dns check. See this topic.
This one was also solved with the update/reverted code.
Thank you for the quick fix release @jimp
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.