Hello, this is my first message in this forum and I feel happy when I start using this wonderful product.
I am using pfsense and the acme package and I manage a DNS zone bicsa.cu on the same pfsense server with the bind package installed.
I am trying to validate my domain to generate a multi domain certificate for bicsa.cu
I generate the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST _acme-challenge.bicsa.cu
K_acme-challenge.bicsa.cu.+157+54710
cat _acme-challenge.bicsa.cu.+157+54710
bicsa.cu. IN KEY 512 3 157 blababla-key-string
Put the “blababla-key-string” key in the Global settings of the Bind DNS server (on the same pfsense box):
key _acme-challenge.bicsa.cu. {
algorithm hmac-md5;
secret "blababla-key-string";
};
Then I go to the ACME config; on the Domain SAN list I add two entries for the multi-domain certificate, both with the method DNS-NSupdate / RFC 2136:
domain name: bicsa.cu.cu
key: blababla-key-string
and domain name: *.bicsa.cu
key: blababla-key-string
but when I try to validate my domain I get the error:
[Thu Jan 10 15:37:26 CST 2019] Multi domain=‘DNS:bicsa.cu,DNS:.bicsa.cu’
[Thu Jan 10 15:37:26 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain=‘bicsa.cu’
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain=’.bicsa.cu’
[Thu Jan 10 15:37:35 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:37:35 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt “cabl0lJ3SbIHQbaMb1d3eDM99Hnas7IhiVoKiI4kRek”
[Thu Jan 10 15:37:35 CST 2019] Sleep 120 seconds for the txt records to take effect
[Thu Jan 10 15:39:35 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 15:39:35 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:39:44 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:39:44 CST 2019] Removing DNS records.
[Thu Jan 10 15:39:44 CST 2019] removing _acme-challenge.bicsa.cu. txt
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log
[Thu Jan 10 15:39:44 CST 2019] response=’{“type”:“dns-01”,“status”:“invalid”,“error”:{“type”:“urn:ietf:params:acme:error:dns”,“detail”:“DNS problem: NXDOMAIN looking up TXT for acme-challenge.bicsa.cu",“status”: 400},“url”:"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/6hUz679QKYMCvhrF-YUEQd9tq-7TwTp28VkePvX6PI/220700194”,“token”:“Pe-Su2r7JvEkoCp3oOm6R92iSzskUF1lJewkkEv64no”}’
[Thu Jan 10 15:39:44 CST 2019] error=’“error”:{“type”:“urn:ietf:params:acme:error:dns”,“detail”:“DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu”,“status”: 400’
[Thu Jan 10 15:39:44 CST 2019] errordetail=‘DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu’
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
and the trace of the log on the bind server shows:
6 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122609)
Jan 10 15:39:44 named 96796 update: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone ‘bicsa.cu/IN’: deleting rrset at ‘_acme-challenge.bicsa.cu’ TXT
Jan 10 15:39:44 named 96796 update-security: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer “_acme-challenge.bicsa.cu” approved
Jan 10 15:39:44 named 96796 queries: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
Jan 10 15:39:39 named 96796 queries: info: client @0x802c73200 52.29.173.72#9932 (_ACme-cHalLeNge.BICSa.cu): view Global: query: _ACme-cHalLeNge.BICSa.cu IN TXT -E(0)DC (127.0.0.1)
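As an added triage helper (not part of the post and not the pfSense ACME package's code), the script below correlates lines shaped like the two logs quoted above: it records which BIND view accepted the TSIG-signed update and which view answered the CA's external TXT query, and notes any domain for which acme.sh reported skipping the nsupdate. A record updated in one view is not visible to queries answered from another view, so a mismatch between the two is worth checking. The log excerpts, domain, token and client addresses are constructed placeholders.

```python
import re

# Constructed excerpts in the shape of the acme.sh and BIND lines quoted in the post
# (domain, token and addresses are placeholders, not the poster's real values).
ACME_LOG = """\
[Thu Jan 10 15:37:35 CST 2019] adding _acme-challenge.example.test. 60 in txt "TOKEN-A"
[Thu Jan 10 15:39:35 CST 2019] example.test is already verified, skip dns-01.
[Thu Jan 10 15:39:35 CST 2019] Verifying:*.example.test
[Thu Jan 10 15:39:44 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:39:44 CST 2019] removing _acme-challenge.example.test. txt
"""
BIND_LOG = """\
Jan 10 15:39:44 named 96796 update: info: client @0x1 127.0.0.1#49608/key _acme-challenge.example.test: view Internal-Trusted: updating zone 'example.test/IN': deleting rrset at '_acme-challenge.example.test' TXT
Jan 10 15:39:39 named 96796 queries: info: client @0x1 192.0.2.10#9932 (_ACme-cHalLeNge.EXAMPLE.test): view Global: query: _ACme-cHalLeNge.EXAMPLE.test IN TXT -E(0)DC (127.0.0.1)
"""

# TSIG-signed dynamic update: capture the signing key name and the view it landed in
UPDATE_RE = re.compile(r"update: info: client \S+ \S+/key (\S+): view (\S+): updating zone")
# TXT query: capture source address, queried name and the view that answered
QUERY_RE = re.compile(r"queries: info: client \S+ (\S+)#\d+ \((\S+)\): view (\S+): query: \S+ IN TXT")
ADD_RE = re.compile(r"\] adding (\S+)\. \d+ in txt")
SKIP_RE = re.compile(r"\] Skipping nsupdate for TXT")
VERIFY_RE = re.compile(r"\] Verifying:(\S+)")

def triage(acme_log: str, bind_log: str) -> dict:
    """Correlate an acme.sh dns-01 run with the BIND log and return the findings."""
    findings = {"update_views": set(), "query_views": set(), "added": [], "skipped_for": []}
    current = None  # domain acme.sh is currently verifying
    for line in acme_log.splitlines():
        if m := VERIFY_RE.search(line):
            current = m.group(1)
        elif m := ADD_RE.search(line):
            findings["added"].append(m.group(1))  # TXT name actually pushed via nsupdate
        elif SKIP_RE.search(line) and current:
            findings["skipped_for"].append(current)  # no TXT was added for this domain
    for line in bind_log.splitlines():
        if m := UPDATE_RE.search(line):
            findings["update_views"].add(m.group(2))
        elif m := QUERY_RE.search(line):
            src, _name, view = m.groups()
            if not src.startswith("127."):  # only the CA's external lookups matter here
                findings["query_views"].add(view)
    # True when an external TXT query was answered from a view that never saw the update
    findings["view_mismatch"] = bool(findings["query_views"] - findings["update_views"])
    return findings
```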