Error validating my domain ACME package on PfSense


#1

Hello, this is my first message in this forum, and I feel happy when I start using this wonderful product.
I am using pfSense and the ACME package, and I manage a DNS zone, bicsa.cu, on the same pfSense server with the BIND package installed.
I am trying to validate my domain to generate a multi-domain certificate for bicsa.cu.
I generate the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST _acme-challenge.bicsa.cu
K_acme-challenge.bicsa.cu.+157+54710
cat K_acme-challenge.bicsa.cu.+157+54710.key
bicsa.cu. IN KEY 512 3 157 blababla-key-string
I put the "blababla-key-string" key in the Global settings of the BIND DNS server (on the same pfSense box):
key _acme-challenge.bicsa.cu. {
    algorithm hmac-md5;
    secret "blababla-key-string";
};
Then I go to the ACME config and, in the Domain SAN list, add two entries for the multi-domain certificate, both with the method DNS-NSupdate / RFC 2136:
domain name: bicsa.cu.cu
key: blababla-key-string
and domain name *.bicsa.cu
key: blababla-key-string

But when I try to validate my domain I get the error:

[Thu Jan 10 15:37:26 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
[Thu Jan 10 15:37:26 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain='*.bicsa.cu'
[Thu Jan 10 15:37:35 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:37:35 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "cabl0lJ3SbIHQbaMb1d3eDM99Hnas7IhiVoKiI4kRek"
[Thu Jan 10 15:37:35 CST 2019] Sleep 120 seconds for the txt records to take effect
[Thu Jan 10 15:39:35 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 15:39:35 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:39:44 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:39:44 CST 2019] Removing DNS records.
[Thu Jan 10 15:39:44 CST 2019] removing _acme-challenge.bicsa.cu. txt
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

[Thu Jan 10 15:39:44 CST 2019] response='{"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu","status": 400},"url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/6hUz679QKYMCvhrF-YUEQd9tq-7TwTp28VkePvX6PI/220700194","token":"Pe-Su2r7JvEkoCp3oOm6R92iSzskUF1lJewkkEv64no"}'
[Thu Jan 10 15:39:44 CST 2019] error='"error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu","status": 400'
[Thu Jan 10 15:39:44 CST 2019] errordetail='DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu'
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu

And the trace of the log on the BIND server shows:
6 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122609)
Jan 10 15:39:44 named 96796 update: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
Jan 10 15:39:44 named 96796 update-security: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 15:39:44 named 96796 queries: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
Jan 10 15:39:39 named 96796 queries: info: client @0x802c73200 52.29.173.72#9932 (_ACme-cHalLeNge.BICSa.cu): view Global: query: _ACme-cHalLeNge.BICSa.cu IN TXT -E(0)DC (127.0.0.1)


#2

What do the BIND logs show from 15:37?

The part of the log you have included excludes the time interval where the record was actually attempted to be added.


#3

After trying again:

an 10 16:39:58 named 27383 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122616)
Jan 10 16:39:58 named 27383 update: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': adding an RR at '_acme-challenge.bicsa.cu' TXT "UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk"
Jan 10 16:39:58 named 27383 update-security: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 16:39:58 named 27383 queries: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122615)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.co.cu/IN/Global: sending notifies (serial 20181226)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.cu/IN/Global: sending notifies (serial 2018122603)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.co.cu/IN/Internal-Trusted: sending notifies (serial 20181226)

[Thu Jan 10 16:39:58 CST 2019] 4:NSUPDATE_SERVER='127.0.0.1'
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 5:NSUPDATE_SERVER_PORT='53'
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 6:NSUPDATE_KEY='/tmp/acme/asterisk.bicsa.cu/bicsa.cunsupdate_acme-challenge.bicsa.cu.key'
[Thu Jan 10 16:39:58 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk"
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 10:Le_DNSSleep='30'
[Thu Jan 10 16:39:58 CST 2019] Sleep 30 seconds for the txt records to take effect
[Thu Jan 10 16:40:28 CST 2019] ok, let's start to verify
[Thu Jan 10 16:40:28 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 16:40:28 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 16:40:28 CST 2019] d='*.bicsa.cu'

Maybe it is that I already validated correctly before and then made changes ... and stumble into these errors, since according to the trace it says that my domain has already been validated.
Is that right??
Is there a time limit to validate the domain and try again?
Sorry about my English, thanks Google Translator lol
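An added example, not code from this thread or from the pfSense ACME/BIND packages: it parses BIND `update` and `queries` log lines in the format pasted in posts #1 and #3 and reports any TXT query from an outside client that was answered from a view in which no TXT record had been added (each view serves its own copy of the zone, so a dynamic update accepted in one view is not visible to clients BIND matches to another view). The sample log lines are constructed, modelled on the lines in those posts.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the named log lines in this thread: the ACME client
# updates the zone from 127.0.0.1 (view Internal-Trusted) while the CA's validator
# queries from the Internet (view Global). Newest-first order, as pasted above.
SAMPLE_LOG = """\
Jan 10 16:40:39 named 27383 queries: info: client @0x802c73200 52.29.173.72#9932 (_ACme-cHalLeNge.BICSa.cu): view Global: query: _ACme-cHalLeNge.BICSa.cu IN TXT -E(0)DC (127.0.0.1)
Jan 10 16:39:58 named 27383 update: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': adding an RR at '_acme-challenge.bicsa.cu' TXT "UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk"
Jan 10 16:39:58 named 27383 queries: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
"""

# One "client ..." line: category, client IP, optional TSIG key, optional query name, view, message.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) named \d+ (?P<cat>[\w-]+): info: "
    r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#\d+"
    r"(?:/key (?P<key>\S+?))?(?: \((?P<qname>[^)]+)\))?: "
    r"view (?P<view>[\w-]+): (?P<msg>.*)$"
)
ADD_RE = re.compile(r"adding an RR at '(?P<name>[^']+)' TXT")  # BIND uses straight quotes
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<rtype>\S+)")


def parse(line):
    """Return the fields of one BIND client log line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_views(lines):
    """Flag every external TXT query whose name got no TXT update in the same view."""
    events = [e for e in map(parse, lines) if e]
    txt_updates = {}  # owner name -> set of views in which a TXT RR was added
    for e in events:  # two passes, so line order (newest first or oldest first) does not matter
        if e["cat"] == "update" and (a := ADD_RE.search(e["msg"])):
            txt_updates.setdefault(a["name"].lower().rstrip("."), set()).add(e["view"])
    findings = []
    for e in events:
        q = QUERY_RE.search(e["msg"]) if e["cat"] == "queries" else None
        if not q or q["rtype"] != "TXT" or ip_address(e["ip"]).is_loopback:
            continue
        name = q["name"].lower().rstrip(".")  # validators may send 0x20 mixed-case names
        seen = txt_updates.get(name, set())
        if e["view"] not in seen:
            findings.append({"name": name, "client": e["ip"],
                             "query_view": e["view"], "updated_in": sorted(seen)})
    return findings
```

Run `check_views(SAMPLE_LOG.splitlines())` on the sample: the external TXT query for `_acme-challenge.bicsa.cu` is answered from view Global while the record was only added in Internal-Trusted, which is exactly the condition that yields NXDOMAIN for the validator.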

