Can't get DNS challenge to match as a new one is always being created :)

Hello,

I am quite desperate as I can’t seem to be able to validate my CA with DNS-01 (nsupdate). when I create the certificate I don’t see the TXT key to be configured in my DNS therefore anytime I try to issue the CA a new TXT is trying to be verified and never matches the only ongoing.

At what moment should I be aware of the TXT key so I can set it before it gets verified.

[Sat Mar 14 14:35:51 CET 2020] dvlist=‘xdealmeida.com#ozcWx-gL8CP10Czww6vzXw7up9rxoWwd7pLodg2F4lc.3Twnv7QVFzO1iOy0Oh0bJgFqrqIZjcQw5SMtt9ujjbg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/3354849728/3Hi7cg#dns-01#dns_nsupdate
[Sat Mar 14 14:35:51 CET 2020] d
[Sat Mar 14 14:35:51 CET 2020] vlist=‘xdealmeida.com#ozcWx-gL8CP10Czww6vzXw7up9rxoWwd7pLodg2F4lc.3Twnv7QVFzO1iOy0Oh0bJgFqrqIZjcQw5SMtt9ujjbg#https://acme-v02.api.letsencrypt.org/acme/chall-v3/3354849728/3Hi7cg#dns-01#dns_nsupdate,’
[Sat Mar 14 14:35:51 CET 2020] d=‘xdealmeida.com
[Sat Mar 14 14:35:51 CET 2020] _d_alias
[Sat Mar 14 14:35:51 CET 2020] txtdomain=’_acme-challenge.xdealmeida.com’
[Sat Mar 14 14:35:51 CET 2020] txt=‘kW5xurqNEMILo5PAFbFxpEkBRQPRlTXBGYM5_3xezbI’

when I am creating the certificate I would have assume that I should get the TXT value to be configured before pressing Issue/Renew

Plugin: os-acme-client (installed) 1.29
https://github.com/Neilpang/acme.sh v2.8.5

MERCI
XabiX

1 Like

I tried pressing each button either at the bottom or on the certificate line
image
but can’t seem to just re challenge without re creating a key.

I don’t seem to find the Renew option like well described in https://www.reddit.com/r/PFSENSE/comments/5v6b0a/how_to_acme_lets_encrypt_dns_manual/

well… your verification token is there:

% dig +short _acme-challenge.xdealmeida.com txt
"kW5xurqNEMILo5PAFbFxpEkBRQPRlTXBGYM5_3xezbI"

you should probably add a --debug 2 option to your acme.sh invocation.

1 Like

Yes so I have the right challenge setup. Is there a way to manually (command line) launch a Renew .

I have setup Debug 2

Merci

1 Like

acme.sh --cron --debug 2 should do it.

1 Like

I have done it but not sure what to do now to initiate a Renew and not an Issue command.

acme.sh --cron --debug 2

[Sat Mar 14 16:02:57 CET 2020] Lets find script dir.
[Sat Mar 14 16:02:57 CET 2020] SCRIPT=’/usr/local/sbin/acme.sh’
[Sat Mar 14 16:02:57 CET 2020] _script=’/usr/local/sbin/acme.sh’
[Sat Mar 14 16:02:57 CET 2020] _script_home=’/usr/local/sbin’
[Sat Mar 14 16:02:57 CET 2020] Using default home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] LE_WORKING_DIR=’/home/xabix/.acme.sh’
https://github.com/Neilpang/acme.sh
v2.8.5
[Sat Mar 14 16:02:57 CET 2020] Running cmd: cron
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] ACME_DIRECTORY=‘https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 14 16:02:57 CET 2020] _ACME_SERVER_HOST=‘acme-v02.api.letsencrypt.org
[Sat Mar 14 16:02:57 CET 2020] ===Starting cron===
[Sat Mar 14 16:02:57 CET 2020] Using config home:/home/xabix/.acme.sh
[Sat Mar 14 16:02:57 CET 2020] ACME_DIRECTORY=‘https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 14 16:02:57 CET 2020] _ACME_SERVER_HOST=‘acme-v02.api.letsencrypt.org
[Sat Mar 14 16:02:57 CET 2020] _stopRenewOnError
[Sat Mar 14 16:02:57 CET 2020] _set_level=‘2’
[Sat Mar 14 16:02:57 CET 2020] di=’/home/xabix/.acme.sh/./’
[Sat Mar 14 16:02:57 CET 2020] Not directory, skip: /home/xabix/.acme.sh/./
[Sat Mar 14 16:02:57 CET 2020] _error_level=‘3’
[Sat Mar 14 16:02:57 CET 2020] _set_level=‘2’
[Sat Mar 14 16:02:57 CET 2020] ===End cron===

1 Like

you need to tell acme.sh where its config is, I am not familiar with the way opnsense integrates it.

Ok will do, is there any special command to be run (outside of pointing the right config directory which I can find) ? merci

I don’t know.

I think the problem is somewhere in the plugin you’re using, it believes to have failed (to add txt record) when it hasn’t.

1 Like

Thank you so much 9peppe. I will uninstall and reinstall while looking at the logs to be able to get the challenge before it gets challenged towards my DNS entry.

MERCI

1 Like

FYI Got it working changing the DNS challenge with CloudFlare

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.