Netgate Discussion Forum
    SOLVED: ACME script is broken for mail-in-a-box DNS and how to contribute to fix it?

    • lifeboy
      last edited by lifeboy

      I use the acme package to create certificates for my pfSense instances, but recently switched the domain I use from namecheap to my own in-house power-mail-in-a-box service, which I have been running for the last year or more.

      There's an error in the way in which acme.sh tries to add a TXT verification record, which I reported here.

      I have since taken it upon myself to fix the error, but the process is new to me. I forked acmesh-official, made the changes and issued a pull request.

      I then discovered that there is a FreeBSD version (fork?) of acme.sh here, or is that simply a contribution to the project from PiBa-NL?

      What should I do to get this fix into the version that the acme.sh package uses?

      • lifeboy @lifeboy
        last edited by

        I submitted the fix for dns_miab.sh to the acme project and it was merged successfully a few weeks ago. @jimp, or someone else, will you please update the package to pull in this change so that our certificates can be updated again?

        • lifeboy @lifeboy
          last edited by

          Anyone?

          • mcury @lifeboy
            last edited by

            @lifeboy you can fix it yourself: just ssh into pfSense
            and go to

            /usr/local/pkg/acme/dnsapi
            
            cp dns_miab.sh dns_miab.sh.backup
            vi dns_miab.sh
            

            Copy the new code there (remember to copy from the GitHub RAW format) and save the file.

            then:

            chmod +555 dns_miab.sh
            

            dead on arrival, nowhere to be found.

            • Gertjan @lifeboy
              last edited by
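            Before dropping the downloaded file over the installed hook, a quick sanity check saves a wasted renewal run. This is an added example, not mcury's commands or acme.sh code; it assumes POSIX sh and uses the directory and hook name given in the thread (HOOK_DIR can be overridden).

```shell
#!/bin/sh
# Added example, not mcury's or the acme.sh project's code: sanity-check a
# replacement dnsapi hook before it replaces the one under HOOK_DIR.
# Assumptions: POSIX sh; HOOK_DIR defaults to the path given in the thread.
HOOK_DIR=${HOOK_DIR:-/usr/local/pkg/acme/dnsapi}

# check_hook FILE HOOKNAME -> 0 if FILE looks like a usable acme.sh dnsapi
# hook named HOOKNAME (e.g. dns_miab), 1 otherwise (reason on stderr).
check_hook() {
  file=$1
  name=$2
  if [ ! -s "$file" ]; then
    echo "check_hook: $file is missing or empty" >&2; return 1
  fi
  # A copy taken from the rendered GitHub page instead of the RAW view is HTML.
  if head -c 512 "$file" | grep -Eqi '<!doctype html|<html'; then
    echo "check_hook: $file is HTML, not a shell script (use the RAW view)" >&2; return 1
  fi
  # Syntax check only; nothing in the file is executed.
  if ! sh -n "$file" 2>/dev/null; then
    echo "check_hook: $file has shell syntax errors" >&2; return 1
  fi
  # acme.sh calls <hook>_add and <hook>_rm; both must be defined.
  for fn in "${name}_add" "${name}_rm"; do
    if ! grep -Eq "^[[:space:]]*${fn}[[:space:]]*\(\)" "$file"; then
      echo "check_hook: $file does not define $fn" >&2; return 1
    fi
  done
  return 0
}

# install_hook FILE HOOKNAME: keep a .backup of the installed hook (as the
# thread does), then put FILE in place read-only and executable (mode 555).
install_hook() {
  file=$1
  name=$2
  check_hook "$file" "$name" || return 1
  dest="$HOOK_DIR/$name.sh"
  if [ -f "$dest" ]; then
    cp "$dest" "$dest.backup" || return 1
  fi
  cp "$file" "$dest" && chmod 555 "$dest"
}
```

            Run it as `install_hook /path/to/downloaded/dns_miab.sh dns_miab`; a file saved from the rendered GitHub page (HTML) or a truncated download is refused before anything is overwritten.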

              @lifeboy

              Why wait ?
              AFAIK, the pfSense acme.sh is synced with 'the source', so, in your case, get this file : https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_miab.sh and then replace the existing dns_miab.sh on your pfSense.

              Btw : just to be sure ; rename the existing "dns_miab.sh" to something like "dns_miab.sh.old", and then put the new file in place.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • lifeboy @Gertjan
                last edited by lifeboy

                Thanks @Gertjan & @mcury for your input.

                I have now done this, but I'm running into an error.

                The change in the script is one line to fix dns_miab.sh. The code block is below.

                The line:
                txtvalue="value=$2&ttl=300"
                used to be only
                txtvalue=$2

                The API to add a txt record using MIAB was changed a while ago and it now needs the value= and ttl= components in the call.

                dns_miab_add() {
                  fulldomain=$1
                  # Added "value=" and "&ttl=300" to accommodate the new TXT record format used by the MIAB/PMIAB API
                  txtvalue="value=$2&ttl=300"
                  _info "Using miab challenge add"
                  _debug fulldomain "$fulldomain"
                  _debug txtvalue "$txtvalue"
                  # ... remainder of the function is unchanged
                }

                [Wed Oct  2 15:05:43 SAST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
                [Wed Oct  2 15:05:43 SAST 2024] Using pre generated key: /tmp/acme/Primary/fw.fast.za.net/fw.fast.za.net.key.next
                [Wed Oct  2 15:05:43 SAST 2024] Generate next pre-generate key.
                [Wed Oct  2 15:05:43 SAST 2024] Multi domain='DNS:fw.fast.za.net,DNS:fw-1a.fast.za.net'
                [Wed Oct  2 15:05:47 SAST 2024] Getting webroot for domain='fw.fast.za.net'
                [Wed Oct  2 15:05:47 SAST 2024] Getting webroot for domain='fw-1a.fast.za.net'
                [Wed Oct  2 15:05:47 SAST 2024] Adding txt value: V_657EVZYLt_WrKcrVK2c9gGICph4_ZTuN3XVTugpUo for domain:  _acme-challenge.fw.fast.za.net
                [Wed Oct  2 15:05:47 SAST 2024] Using miab challenge add
                [Wed Oct  2 15:05:48 SAST 2024] Error encountered during record add
                [Wed Oct  2 15:05:48 SAST 2024] <!doctype html>
                <html lang=en>
                <title>500 Internal Server Error</title>
                <h1>Internal Server Error</h1>
                <p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>
                [Wed Oct  2 15:05:48 SAST 2024] Error add txt for domain:_acme-challenge.fw.fast.za.net
                [Wed Oct  2 15:05:48 SAST 2024] Please check log file for more details: /tmp/acme/Primary/acme_issuecert.log
                

                In the tests the change works fine on Ubuntu, but on FreeBSD I get an HTTP error 500.


                The snippet above is from acme_issuecert.log

                Does that change line look like a problem in FreeBSD?

                BTW, when I check the server, the DNS record has been added. So it seems it's the checking if it has been added that's causing the problem, not the adding itself.

                • mcury @lifeboy
                  last edited by mcury

                  @lifeboy said in ACME script is broken for mail-in-a-box DNS and how to contribute to fix it?:

                  BTW, when I check the server, the DNS record has been added. So it seems it's the checking if it has been added that's causing the problem, not the adding itself.

                  Give me a moment, I'll compare both dns_miab.sh versions, the one from github and the one in pfSense.


                  I thought it would be easier to understand that code; unfortunately the only part that is easy to understand, for me at least, is the typo correction in blocks 3 and 4.

                  Checked https://letsencrypt.status.io/pages/55957a99e800baa4470002da and everything shows up as operational.

                  So, at this time, I don't know what the problem is.
                  Check if you can find something about dns_miab.sh, acme and error 500 on Google; I did a quick search and didn't find anything, but I'm stuck here with something else to do.

                  dead on arrival, nowhere to be found.

                  • lifeboy @mcury
                    last edited by

                    @mcury Thank you for that. I tested with the old code, but it never gets past the point where the TXT record is added, so I assume that if it actually did, it would run into the same error.

                    • Gertjan @lifeboy
                      last edited by

                      @lifeboy said in ACME script is broken for mail-in-a-box DNS and how to contribute to fix it?:

                      so I assume that if it actually did

                      Why assuming ?

                      This : _acme-challenge.fw.fast.za.net ... I don't know if this is a DNS record, some web root file or something (dunno what miab is).
                      But, if Letsencrypt can check it - and it will check it == it will access this file (?),
                      So can you.
                      The 'secret' content should be : also shown in the logs.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • lifeboy @Gertjan
                        last edited by

                        @Gertjan If I run the old (current official pfSense acme.sh code), then the DNS TXT record is not added to the MIAB (mail-in-a-box) DNS via the MIAB DNS API because the TXT record is constructed incorrectly. I can see the secret and check the DNS for the TXT record, so I can see that it doesn't happen with the official pfSense acme code.

                        With my changed code (the current official acme.sh code), the record is created in the DNS, but the returned response is this:

                        response='<!doctype html>
                        <html lang=en>
                        <title>500 Internal Server Error</title>
                        <h1>Internal Server Error</h1>
                        <p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>'

                        I have traced this to the _post function in acme.sh, which I will share in my next response.

                        • lifeboy @lifeboy
                          last edited by

                          I have opened a ticket with the acme.sh project #5314 to see what they know about this.

                          • lifeboy @lifeboy
                            last edited by

                            It turns out that when I did manual API calls to the MIAB DNS server I also got error 500s. So I reran the MIAB setup and let it update and voila! The problem was solved.

                            I have learned a lot about how to debug a shell script in the process though!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.