Nsupdate.key is unreadable


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bicsa.cu

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): pfSense latest version and ACME package latest version

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I’m using the pfSense web config

bicsa
Renewing certificate
account: bicsa.cu
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue -d 'bicsa.cu' --dns 'dns_nsupdate' -d 'enlinea.bicsa.cu' --dns 'dns_nsupdate' --home '/tmp/acme/bicsa/' --accountconf '/tmp/acme/bicsa/accountconf.conf' --force --reloadCmd '/tmp/acme/bicsa/reloadcmd.sh' --ocsp-must-staple --log-level 3 --log '/tmp/acme/bicsa/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[NSUPDATE_SERVER] => /tmp/acme/bicsa/bicsa.cunsupdate
[NSUPDATE_KEYNAME] => _acme-challenge.enlinea.bicsa.cu.
[NSUPDATE_KEYALGO] => 157
[NSUPDATE_KEY] => /tmp/acme/bicsa/bicsa.cunsupdate
)
[Tue Jan 15 10:00:56 CST 2019] Registering account
[Tue Jan 15 10:00:57 CST 2019] Already registered
[Tue Jan 15 10:00:57 CST 2019] ACCOUNT_THUMBPRINT='AESyrvfputt7O_lv0G_zZdlmpgSIey1gvQPZHA7Q-TA'
[Tue Jan 15 10:00:57 CST 2019] Multi domain='DNS:bicsa.cu,DNS:enlinea.bicsa.cu'
[Tue Jan 15 10:00:57 CST 2019] Getting domain auth token for each domain
[Tue Jan 15 10:00:59 CST 2019] Getting webroot for domain='bicsa.cu'
[Tue Jan 15 10:01:00 CST 2019] Getting webroot for domain='enlinea.bicsa.cu'
[Tue Jan 15 10:01:00 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 10:01:00 CST 2019] adding _acme-challenge.bicsa.cu. 60 in txt "sZms3kSk51yfbgbozF7IH0sDjlZtqIa1lgXaK1yo1eg"
[Tue Jan 15 10:01:00 CST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 10:01:00 CST 2019] adding _acme-challenge.enlinea.bicsa.cu. 60 in txt "Kf3DE1oCpTOdyoMjW9Y_76vfgLzqfsfhpLBf758UCsU"
[Tue Jan 15 10:01:00 CST 2019] Sleep 120 seconds for the txt records to take effect
[Tue Jan 15 10:03:00 CST 2019] Verifying:bicsa.cu
[Tue Jan 15 10:03:05 CST 2019] Found domain http api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Tue Jan 15 10:03:05 CST 2019] Removing DNS records.
[Tue Jan 15 10:03:05 CST 2019] bicsa.cu:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.bicsa.cu
[Tue Jan 15 10:03:05 CST 2019] key /tmp/acme/bicsa/bicsa.cunsupdate.key is unreadable
[Tue Jan 15 10:03:05 CST 2019] Error rm webroot api for domain:dns_nsupdate
[Tue Jan 15 10:03:05 CST 2019] key /tmp/acme/bicsa/bicsa.cunsupdate.key is unreadable
[Tue Jan 15 10:03:05 CST 2019] Error removing txt for domain:_acme-challenge.bicsa.cu
[Tue Jan 15 10:03:05 CST 2019] key /tmp/acme/bicsa/bicsa.cunsupdate.key is unreadable
[Tue Jan 15 10:03:05 CST 2019] Error removing txt for domain:_acme-challenge.enlinea.bicsa.cu
[Tue Jan 15 10:03:05 CST 2019] Please check log file for more details: /tmp/acme/bicsa/acme_issuecert.log

I had made a post on the pfSense community forums here: https://forum.netgate.com/topic/139484/acme-and-bind-dns-server-on-pfsense-in-the-same-server/10
with some captures of my config…


#2

Hi @enriluis

The “nsupdate.key is unreadable” isn’t the main problem.

This

may be the problem. Checking your server ( https://check-your-website.server-daten.de/?q=bicsa.cu ) your second nameserver is critical:

X Fatal error: Nameserver doesn’t support TCP connection: ns2.bicsa.cu
X Nameserver Timeout checking Echo Capitalization: ns2.bicsa.cu
X Nameserver Timeout checking EDNS512: ns2.bicsa.cu

PS: Another user had problems with pfsense:


#3

Interesting… so it is not sufficient for one NS server to respond? Now some stupid question… I need certificates for some websites under the bicsa.cu domain, e.g. enlinea.bicsa.cu, servicios.bicsa.cu or .bicsa.cu. Does the key refer to the subdomain or the host?? Or are they the same thing?
Why does the test show:

_acme-challenge.bicsa.cu.bicsa.cu Name Error - The domain name does not exist 1 0
_acme-challenge.www.bicsa.cu.www.bicsa.cu Name Error - The domain name does not exist 1 0

exist
Both NS servers are running now… so why does it show _acme-challenge.bicsa.cu.bicsa.cu? Right, that does not exist… I’ll go take a look at my config…

Sorry about my English, and thanks.


#4

These entries are green,

so it’s good they don’t exist.

These entries are typical wrong entries, so the tool checks if such a wrong entry exists.

Your error says:

No entry _acme-challenge.bicsa.cu exists; this is the same as “Name error - The domain name does not exist”.

So your add-in dns_nsupdate didn’t create the required TXT entry.

Perhaps there is an option to use acme.sh manually, so you can create the required TXT entries by hand.


#5

Maybe because it couldn’t find the API credential to update the records on the nameserver?
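The three things the thread circles around (post #1: nsupdate cannot read the key file, and NSUPDATE_SERVER in the dumped environment holds a file path rather than a nameserver; post #4: create the TXT record by hand; post #5: the hook may not be finding its credential) can be checked before acme.sh is run at all. The following is an added example, not code from the thread, from acme.sh or from the pfSense ACME package. It assumes the acme.sh dns_nsupdate hook's conventions: NSUPDATE_SERVER names the master server that accepts the dynamic update and NSUPDATE_KEY is the path to a BIND-style TSIG key file (`key "name" { algorithm ...; secret "..."; };`). The nameserver, key and zone names in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or pfSense).
# Pre-flight checks for an acme.sh dns_nsupdate run, plus the nsupdate batch
# that adds/removes the _acme-challenge TXT record, so the record can be
# created by hand and then verified on every authoritative server.

# Validate the hook's environment. Prints each problem, returns 1 if any.
check_nsupdate_env() {
    rc=0
    case "$NSUPDATE_SERVER" in
        "")  echo "NSUPDATE_SERVER is empty"; rc=1 ;;
        /*)  echo "NSUPDATE_SERVER looks like a file path, not a nameserver: $NSUPDATE_SERVER"; rc=1 ;;
    esac
    # This is the condition behind "key ... is unreadable": the process
    # running nsupdate cannot open the file at all (missing, wrong name, mode).
    if [ ! -r "$NSUPDATE_KEY" ]; then
        echo "key $NSUPDATE_KEY is unreadable"; rc=1
    # Readable but not a BIND key file (e.g. a bare secret) also fails later.
    elif ! grep -q '^key ' "$NSUPDATE_KEY" || ! grep -q 'secret' "$NSUPDATE_KEY"; then
        echo "key $NSUPDATE_KEY does not look like a BIND key file"; rc=1
    fi
    return $rc
}

# Emit an nsupdate batch for one TXT record. Pipe the output into
#   nsupdate -k "$NSUPDATE_KEY"
# $1 = add|delete, $2 = record FQDN (with or without trailing dot),
# $3 = challenge token, $4 = server to send the update to
nsupdate_txt_batch() {
    printf 'server %s\n' "$4"
    printf 'update %s %s. 60 in txt "%s"\n' "$1" "${2%.}" "$3"
    printf 'send\n'
}

# After the add, ask every authoritative server for the zone directly,
# over UDP and over TCP. Let's Encrypt may query any of them, and the
# check-your-website report above flagged one server for not answering TCP.
# Needs network access; $1 = zone, $2 = record FQDN.
verify_txt_on_all_ns() {
    zone=$1; name=$2
    for ns in $(dig +short NS "$zone"); do
        for proto in "" "+tcp"; do            # $proto deliberately unquoted
            echo "== $ns ${proto:-udp}"
            dig $proto +norecurse +short TXT "$name" "@$ns"
        done
    done
}

# Usage (placeholder names; run the verify step only once the update is sent):
#   NSUPDATE_SERVER=ns1.example.com NSUPDATE_KEY=/path/to/acme.key check_nsupdate_env
#   nsupdate_txt_batch add _acme-challenge.example.com TOKEN ns1.example.com | nsupdate -k /path/to/acme.key
#   verify_txt_on_all_ns example.com _acme-challenge.example.com
#   nsupdate_txt_batch delete _acme-challenge.example.com TOKEN ns1.example.com | nsupdate -k /path/to/acme.key
```

If `check_nsupdate_env` fails on the key, fix the path or the file mode for the user acme.sh runs as before looking anywhere else; if `verify_txt_on_all_ns` shows the record on one server and nothing (or a timeout) on another, the zone transfer or the second server's reachability is the problem, not the ACME client.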


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.