Trouble with DNS NSUPDATE (Enable DNS alias mode )
-
Hi.
Since the package update I have this error:

HA_sub.domain.com
Renewing certificate
account: ACME_V2_STAGING
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue --domain 'sub.domain.com' --challenge-alias 'myotherdomain.com' --dns 'dns_nsupdate' --home '/tmp/acme/HA_sub.domain.com/' --accountconf '/tmp/acme/HA_sub.domain.com/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/HA_sub.domain.com/reloadcmd.sh' --dnssleep '60' --log-level 3 --log '/tmp/acme/HA_sub.domain.com/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [SSL_CERT_DIR] => /etc/ssl/certs/
    [NSUPDATE_SERVER] => /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate
    [NSUPDATE_KEYNAME] => le-key
    [NSUPDATE_KEYALGO] => 165
    [NSUPDATE_KEY] => /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate
    [NSUPDATE_ZONE] =>
)
[Mon May 13 10:40:02 CEST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon May 13 10:40:02 CEST 2024] Using pre generated key: /tmp/acme/HA_sub.domain.com/sub.domain.com/sub.domain.com.key.next
[Mon May 13 10:40:02 CEST 2024] Generate next pre-generate key.
[Mon May 13 10:40:02 CEST 2024] Single domain='sub.domain.com'
[Mon May 13 10:40:05 CEST 2024] Getting webroot for domain='sub.domain.com'
[Mon May 13 10:40:05 CEST 2024] Adding txt value: kYIRLUuPWkUqoUmMaBi-ZM5bANqzPvrv4kpeKzd-RFM for domain: _acme-challenge.myotherdomain.com
[Mon May 13 10:40:05 CEST 2024] key /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key is unreadable
[Mon May 13 10:40:05 CEST 2024] Error add txt for domain:_acme-challenge.myotherdomain.com
[Mon May 13 10:40:05 CEST 2024] Please check log file for more details: /tmp/acme/HA_sub.domain.com/acme_issuecert.log
Is there a bug in the package?
-
[Mon May 13 10:40:05 CEST 2024] key /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key is unreadable
is the error.
-
Actual filename: sub.domain.comnsupdatemyotherdomain.com.key
Script is looking for: sub.domain.comnsupdate_acme-challenge.myotherdomain.com.key

Soooo.... I will have my 300 certificates nicely expired if this doesn't get fixed really quick.
And BTW, this was working for years!!!
-
And I saw this:
https://redmine.pfsense.org/issues/15061

As you see on the screenshot, this was working for 5 years.
-
I have a file :
brit-hotel-fumel.netnsupdate_acme-challenge.MY-DOMAIN.TLD.key
and also a
brit-hotel-fumel.netnsupdate_acme-challenge.MY-DOMAIN.TLD.server

Not sure why your "_acme-challenge." part is missing.
I just hit 'Renewal' a couple of minutes ago for my certificate set up with acme.sh
The /tmp/acme/ folder didn't even exist before I updated (the /tmp/ folder gets cleaned out during a pfSense reboot) and it renewed just fine.
That is: as my cert was only a week old, I got the fast way out method:

....
[Mon May 13 11:10:01 CEST 2024] Using pre generated key: /tmp/acme/V2_MY-DOMAIN.TLD/MY-DOMAIN.TLD/MY-DOMAIN.TLD.key.next
[Mon May 13 11:10:01 CEST 2024] Generate next pre-generate key.
[Mon May 13 11:10:01 CEST 2024] Multi domain='DNS:MY-DOMAIN.TLD,DNS:*.MY-DOMAIN.TLD'
[Mon May 13 11:10:04 CEST 2024] Getting webroot for domain='MY-DOMAIN.TLD'
[Mon May 13 11:10:04 CEST 2024] Getting webroot for domain='*.MY-DOMAIN.TLD'
[Mon May 13 11:10:04 CEST 2024] MY-DOMAIN.TLD is already verified, skip dns-01.
[Mon May 13 11:10:04 CEST 2024] *.MY-DOMAIN.TLD is already verified, skip dns-01.
[Mon May 13 11:10:04 CEST 2024] Verify finished, start to sign.
[Mon May 13 11:10:04 CEST 2024] Lets finalize the order.
....

which means no DNS checking, so this test is not conclusive.
I use
and this version is about 2 weeks old. I did renew my cert last week.
on pfSense 24.03.
And I use the "nsupdate" method against my own domain name server.
@maverick_slo said in Trouble with DNS NSUPDATE (Enable DNS alias mode ):
Soooo.... I will have my 300 certificates nicely expired if this doesn't get fixed really quick.
Not useful for you right now, but set the auto renewal to "60" days or even less.
If something fails, that gives you "30" days to sort things out.
-
I tried renew, some of my certs are renewing OK, some not (because of the above error).
But then I tried to add BRAND NEW subdomain cert and it failed.
If I revert commit made by some 3rd party guy all starts to work again just fine.
https://github.com/pfsense/FreeBSD-ports/pull/1330/commits/bdd9ddf709119c51cd67719213d9ab15dafaa3abc

Tried on ACME PKG 0.8 on:
2.7.2
24.03

This is such a mess....
-
And people will start to complain when they try to issue new cert with this method.
See below for renewal and why it is working:
When I renewed just now it added 2 wrongly named files but it did work, because in that folder there were still old files WHICH HAVE THE SAME CONTENT as the new files.
So this explains why renew could work, and a new cert will not work at all.
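The two file names compared earlier in the thread (the one the package wrote versus the one the script looked for) and the point just made about stale, correctly named files, rebuilt as a constructed shell diagnostic. This is added here and is not code from the pfSense ACME package or from acme.sh; it assumes the "is unreadable" message comes from a plain readability test on the computed path, that NSUPDATE_KEY is the prefix shown in the log, and that the domain passed in is the alias domain. The scratch directory and the placeholder key file contents are constructed.

```shell
#!/bin/sh
# Constructed diagnostic, not code from the pfSense ACME package or acme.sh.
# It rebuilds the two key-file names seen in this thread from the NSUPDATE_KEY
# prefix and the alias domain, and reports which one is readable.
# Assumption: the "is unreadable" message corresponds to a plain -r test.

# TXT record name acme.sh publishes for a domain. In DNS alias mode the
# alias domain ends up here, not the certificate domain.
challenge_fqdn() {
    printf '_acme-challenge.%s\n' "$1"
}

# File name the package wrote, per the thread: <prefix><aliasdomain>.key
written_key_file() {
    printf '%s%s.key\n' "$1" "$2"
}

# File name the hook tried to open: <prefix>_acme-challenge.<aliasdomain>.key
expected_key_file() {
    printf '%s%s.key\n' "$1" "$(challenge_fqdn "$2")"
}

# Print one word describing the key file for prefix $1 and alias domain $2:
#   ok        the file the hook wants is readable
#   mismatch  only the differently named file exists (the bug in this thread)
#   missing   neither exists (fresh directory, e.g. after a reboot clears /tmp)
resolve_key_file() {
    want=$(expected_key_file "$1" "$2")
    have=$(written_key_file "$1" "$2")
    if [ -r "$want" ]; then
        echo ok
    elif [ -r "$have" ]; then
        echo mismatch
    else
        echo missing
    fi
}

# Reproduce the two situations from the thread in a scratch directory.
# $1 = "new"   only the wrongly named file exists, as for a brand-new cert
# $1 = "renew" a correctly named file from an earlier run is still present too
simulate() {
    dir=$(mktemp -d) || return 1
    prefix="$dir/sub.domain.comnsupdate"
    domain=myotherdomain.com
    # constructed placeholder standing in for the TSIG key file
    echo 'constructed placeholder, not a real TSIG key' > "$(written_key_file "$prefix" "$domain")"
    if [ "$1" = renew ]; then
        cp "$(written_key_file "$prefix" "$domain")" "$(expected_key_file "$prefix" "$domain")"
    fi
    result=$(resolve_key_file "$prefix" "$domain")
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run:
simulate new      # prints: mismatch
simulate renew    # prints: ok
```

Running `resolve_key_file /tmp/acme/HA_sub.domain.com/sub.domain.comnsupdate myotherdomain.com` on an affected box would print `mismatch` for a new certificate and `ok` for a renewal whose earlier run left the correctly named file behind, which is exactly why renewals kept working while new issuance failed.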
-
I just got off the phone, my fellow sysadmin from another company has exactly the same issue on his pfSense install, he is trying to create a new cert and he spent like 3 hours trying :)
-
Do you use any of these two:
-
@Gertjan I use ENABLE DNS ALIAS MODE, see my above screenshot...
-
Reverted this:
And voila, all is fine again.
-
I reverted that particular change, new version is building now and should be available in a while.
-
@jimp Thanks, will try tomorrow!
-
Yeah, now it's working just fine again.
Thanks!
-
I think I had the same issue with ACME - LE and DA dns check. See this topic
This one was also solved with the update/reverted code.
Thank you for the quick fix release @jimp