Error validating my domain ACME package on PfSense

Hello, this is my first message in this forum, and I feel happy when I start using this wonderful product.
I am using pfsense and the acme package and I manage a DNS zone bicsa.cu on the same pfsense server with the bind package installed.
I am trying to validate my domain to generate a multi domain certificate for bicsa.cu
I generate the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST _acme-challenge.bicsa.cu
K_acme-challenge.bicsa.cu.+157+54710
# dnssec-keygen writes the printed basename with .key and .private suffixes
cat K_acme-challenge.bicsa.cu.+157+54710.key
bicsa.cu. IN KEY 512 3 157 blababla-key-string
Put the "blababla-key-string" key in the Global settings of the BIND DNS server (on the same pfSense box):
key _acme-challenge.bicsa.cu. {
algorithm hmac-md5;
secret "blababla-key-string";
};
Then I go to the ACME config, on the Domain SAN list, and add two entries for the multi-domain certificate, both with the same method DNS-NSupdate / RFC 2136:
domain name: bicsa.cu.cu
key: blababla-key-string
and domain name *.bicsa.cu
key: blababla-key-string

but when I try to validate my domain I get the error:

[Thu Jan 10 15:37:26 CST 2019] Multi domain='DNS:bicsa.cu,DNS:*.bicsa.cu'
[Thu Jan 10 15:37:26 CST 2019] Getting domain auth token for each domain
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain='bicsa.cu'
[Thu Jan 10 15:37:35 CST 2019] Getting webroot for domain='*.bicsa.cu'
[Thu Jan 10 15:37:35 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:37:35 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "cabl0lJ3SbIHQbaMb1d3eDM99Hnas7IhiVoKiI4kRek"
[Thu Jan 10 15:37:35 CST 2019] Sleep 120 seconds for the txt records to take effect
[Thu Jan 10 15:39:35 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 15:39:35 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Thu Jan 10 15:39:44 CST 2019] Skipping nsupdate for TXT on base domain.
[Thu Jan 10 15:39:44 CST 2019] Removing DNS records.
[Thu Jan 10 15:39:44 CST 2019] removing _acme-challenge.bicsa.cu. txt
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Thu Jan 10 15:39:44 CST 2019] Please check log file for more details: /tmp/acme/asterisk.bicsa.cu/acme_issuecert.log

[Thu Jan 10 15:39:44 CST 2019] response='{"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu","status": 400},"url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/6hUz679QKYMCvhrF-YUEQd9tq-7TwTp28VkePvX6PI/220700194","token":"Pe-Su2r7JvEkoCp3oOm6R92iSzskUF1lJewkkEv64no"}'
[Thu Jan 10 15:39:44 CST 2019] error='"error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu","status": 400'
[Thu Jan 10 15:39:44 CST 2019] errordetail='DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu'
[Thu Jan 10 15:39:44 CST 2019] *.bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu

And the trace of the log on the BIND server shows:
6 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122609)
Jan 10 15:39:44 named 96796 update: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': deleting rrset at '_acme-challenge.bicsa.cu' TXT
Jan 10 15:39:44 named 96796 update-security: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 15:39:44 named 96796 queries: info: client @0x802c73200 127.0.0.1#49608/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
Jan 10 15:39:39 named 96796 queries: info: client @0x802c73200 52.29.173.72#9932 (_ACme-cHalLeNge.BICSa.cu): view Global: query: _ACme-cHalLeNge.BICSa.cu IN TXT -E(0)DC (127.0.0.1)

What do the BIND logs show from 15:37?

The part of the log you have included excludes the time interval where the record was actually attempted to be added.

After trying again:

Jan 10 16:39:58 named 27383 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122616)
Jan 10 16:39:58 named 27383 update: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN': adding an RR at '_acme-challenge.bicsa.cu' TXT "UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk"
Jan 10 16:39:58 named 27383 update-security: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu: view Internal-Trusted: signer "_acme-challenge.bicsa.cu" approved
Jan 10 16:39:58 named 27383 queries: info: client @0x802c74600 127.0.0.1#19178/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted: query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.cu/IN/Internal-Trusted: sending notifies (serial 2018122615)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.co.cu/IN/Global: sending notifies (serial 20181226)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.cu/IN/Global: sending notifies (serial 2018122603)
Jan 10 16:39:28 named 27383 notify: info: zone bicsa.co.cu/IN/Internal-Trusted: sending notifies (serial 20181226)

[Thu Jan 10 16:39:58 CST 2019] 4:NSUPDATE_SERVER='127.0.0.1'
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 5:NSUPDATE_SERVER_PORT='53'
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 6:NSUPDATE_KEY='/tmp/acme/asterisk.bicsa.cu/bicsa.cunsupdate_acme-challenge.bicsa.cu.key'
[Thu Jan 10 16:39:58 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk"
[Thu Jan 10 16:39:58 CST 2019] APP
[Thu Jan 10 16:39:58 CST 2019] 10:Le_DNSSleep='30'
[Thu Jan 10 16:39:58 CST 2019] Sleep 30 seconds for the txt records to take effect
[Thu Jan 10 16:40:28 CST 2019] ok, let's start to verify
[Thu Jan 10 16:40:28 CST 2019] bicsa.cu is already verified, skip dns-01.
[Thu Jan 10 16:40:28 CST 2019] Verifying:*.bicsa.cu
[Thu Jan 10 16:40:28 CST 2019] d='*.bicsa.cu'

Maybe it is that I already validated correctly before and then made changes … and now stumble on these errors, since according to the trace it says that my domain has already been validated.
Is that right??
Is there a time limit to validate the domain and try again?
Sorry about my English, thanks Google Translate lol
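One thing the BIND lines quoted in both posts show is that the nsupdate from 127.0.0.1 is logged under view Internal-Trusted, while the TXT query from 52.29.173.72 is logged under view Global. The script below is an added example (not code from this thread, from pfSense or from acme.sh) that parses BIND "update" and "queries" log lines of that shape and summarises, per view, whether the challenge TXT record was added, deleted and queried; the sample log is constructed from the lines posted above. The record and view names are taken from the thread, everything else is assumed for the example.

```python
"""Correlate BIND update and query log lines for an ACME dns-01 challenge name.

Added example; not code from the thread, from pfSense, or from acme.sh.
Per BIND view it counts adds/deletes of the challenge TXT record and the
clients that queried it, so an nsupdate applied in one view while the
validator's TXT query is answered from another view stands out.
"""
import re
from collections import defaultdict

# Line shapes of BIND's "update" and "queries" logging categories, as seen in
# the thread. The "/key NAME" part is optional (unsigned updates/queries).
UPDATE_RE = re.compile(
    r"update: info: client \S+ (?P<client>[\d.]+)#\d+(?:/key \S+)?: "
    r"view (?P<view>[\w-]+): updating zone '(?P<zone>[^']+)': "
    r"(?P<action>adding an RR at|deleting rrset at) '(?P<name>[^']+)' TXT"
)
QUERY_RE = re.compile(
    r"queries: info: client \S+ (?P<client>[\d.]+)#\d+(?:/key \S+)? \([^)]*\): "
    r"view (?P<view>[\w-]+): query: (?P<name>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample, modelled on the lines posted in the thread (same views,
# client addresses and owner names, including the mixed-case 0x20 query name).
SAMPLE_LOG = [
    "Jan 10 15:39:44 named 96796 update: info: client @0x802c73200 127.0.0.1#49608"
    "/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN':"
    " deleting rrset at '_acme-challenge.bicsa.cu' TXT",
    "Jan 10 15:39:44 named 96796 queries: info: client @0x802c73200 127.0.0.1#49608"
    "/key _acme-challenge.bicsa.cu (_acme-challenge.bicsa.cu): view Internal-Trusted:"
    " query: _acme-challenge.bicsa.cu IN SOA -S (127.0.0.1)",
    "Jan 10 15:39:39 named 96796 queries: info: client @0x802c73200 52.29.173.72#9932"
    " (_ACme-cHalLeNge.BICSa.cu): view Global: query: _ACme-cHalLeNge.BICSa.cu IN TXT"
    " -E(0)DC (127.0.0.1)",
    "Jan 10 16:39:58 named 27383 update: info: client @0x802c74600 127.0.0.1#19178"
    "/key _acme-challenge.bicsa.cu: view Internal-Trusted: updating zone 'bicsa.cu/IN':"
    " adding an RR at '_acme-challenge.bicsa.cu' TXT \"UvCdSFAbDbn8Am0VinPjVGASGpzBdVFbBzTXD0ImcYk\"",
]


def canon(name: str) -> str:
    """DNS owner names compare case-insensitively and with or without a trailing dot."""
    return name.rstrip(".").lower()


def analyze(lines, challenge_name):
    """Return {view: {"added": n, "deleted": n, "txt_queries": [client, ...]}}."""
    target = canon(challenge_name)
    state = defaultdict(lambda: {"added": 0, "deleted": 0, "txt_queries": []})
    for line in lines:
        m = UPDATE_RE.search(line)
        if m and canon(m["name"]) == target:
            key = "added" if m["action"].startswith("adding") else "deleted"
            state[m["view"]][key] += 1
            continue
        m = QUERY_RE.search(line)
        if m and m["qtype"] == "TXT" and canon(m["name"]) == target:
            state[m["view"]]["txt_queries"].append(m["client"])
    return dict(state)


def find_view_mismatches(state):
    """Views in which the TXT record was queried but never added."""
    return sorted(v for v, s in state.items() if s["txt_queries"] and s["added"] == 0)


def report(state):
    out = []
    for view in sorted(state):
        s = state[view]
        out.append(f"{view}: added={s['added']} deleted={s['deleted']} "
                   f"TXT queried by {', '.join(s['txt_queries']) or 'nobody'}")
    for view in find_view_mismatches(state):
        out.append(f"WARNING: view {view} answered TXT queries but never received the add")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG, "_acme-challenge.bicsa.cu")))
```

Run as-is it prints one line per view plus a warning for Global; point `analyze()` at a real named log to check that the view which answers the Let's Encrypt validator (selected by the query's source address, not the update's) actually received the TXT add. As a side note on the key shown in the first post, BIND also accepts hmac-sha256 for TSIG, which is the better choice for a new key than hmac-md5.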
