Ownership validation: Which Method for static IP@pfsense?

Hello *

I have a pfsense configured with a static public IP.
Acme Certificates is installed, the account keys (letsencrypt-production-2) are set.
My current DNS provider (world4you) does not support dns challenge.

The goal is to provide a certificate for

  1. I wonder if using ‘DNS-Manual’ is the correct way to issue/renew the certificate.
  2. There is no obvious error (see output below), but where do I add the TXT record @pfsense?

My domain is: 12bfree.com

I ran this command:
/usr/local/pkg/acme/acme.sh --issue -d ‘12bfree.com’ --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns -d ‘*.12bfree.com’ --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --home ‘/tmp/acme/12bfree.com/’ --accountconf ‘/tmp/acme/12bfree.com/accountconf.conf’ --force --reloadCmd ‘/tmp/acme/12bfree.com/reloadcmd.sh’ --log-level 3 --log ‘/tmp/acme/12bfree.com/acme_issuecert.log’

It produced this output:
12bfree.com
Renewing certificate
account: 12bfree.com
server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue -d ‘12bfree.com’ --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns -d ‘*.12bfree.com’ --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --home ‘/tmp/acme/12bfree.com/’ --accountconf ‘/tmp/acme/12bfree.com/accountconf.conf’ --force --reloadCmd ‘/tmp/acme/12bfree.com/reloadcmd.sh’ --log-level 3 --log ‘/tmp/acme/12bfree.com/acme_issuecert.log’

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
)
[Mon Oct 28 14:06:12 CET 2019] Multi domain=‘DNS:12bfree.com,DNS:.12bfree.com’
[Mon Oct 28 14:06:12 CET 2019] Getting domain auth token for each domain
[Mon Oct 28 14:06:15 CET 2019] Getting webroot for domain=‘12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Getting webroot for domain=’
.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: ‘_acme-challenge.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] TXT value: ‘xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx’
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: ‘_acme-challenge.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] TXT value: ‘xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx’
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon Oct 28 14:06:16 CET 2019] Please check log file for more details: /tmp/acme/12bfree.com/acme_issuecert.log

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
pfsense
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @karlre1

you must be able to create TXT entries. Then --manual is hard - but should always work.

Now, you don't have any TXT entry - https://check-your-website.server-daten.de/?q=12bfree.com#txt

You need two entries with the same domain name and different TXT Entries.

Compare it with my main domain - there are two rows required.

1 Like

Sorry for the delay and thank you for your response. I appreciate it.
I’ve been in contact with my registrar about DNS challenge.
They won’t allow it.
Therefore I’m thinking of transfering the domain to another provider.
I’m sitting in Austria. Can you possibly recommend a decent one?

BTW: I’ll be revisiting your website. It’s definitley helpful.

1 Like

These are basic requirements, so change your domain provider.

I use Inwx. They support a lot of TLDs (I don't use). More relevant: They have an API, TXT, CAA and DNSSEC is supported.

And clients like acme.sh have API support.

2 Likes

Thanks for the suggestion. I’ll be looking into this.

2 Likes

I created a Cloudflare account and set their nameservers as default at my registrar’s page. (the only thing they’ll allow as far as DNS is concerned). The transfer took some five days (‘status pending)’, then I was able to retrieve the necessary API keys for DNS challenge. I’ll be creating the certificate this weekend and let you know if all went well.

1 Like

Five days to transfer a domain? Oh, that's bad.

Domain Transfer is complete but Cloudflare says "DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour."

I did request a DS entry on Nov. 18th. Here's the original text:

Blockquote
Hallo *

Ich brauche die Möglichkeit, einen DS Eintrag (delegation of signing) zu machen.
Ich habe DNS-Sec für 12bfree.com zwar aktiviert, aber sonst sehe ich keine Möglichkeit, DNS-Sec zu bearbeiten, um auf einen anderen DNS Provider zu verweisen.

Ziel ist es, mit dem seit Jahren v.d. ICANN propagierten Algorythmus 13 eine DNS-Sec Verbindung zu realisieren, um ein Zertifikat einzubinden.

Kann World4you dies zur Verfügung stellen?

Mit freundlichen Grüßen

Blockquote

Is there something I missed or is the ball in their court?

If you have activated DNSSEC, your provider World4you must create the DNSKEY RR, must create minimal one DS (the DS has some informations about the first DNSKEY) and must send the DS RR to the parent zone (the com zone).

So this (creating a DS and deploying it) isn't an additional step, it's a fundamental part (the last and critical step) activating DNSSEC.

But I don't understand your configuration.

Rechecking your domain now your DNSSEC is broken - https://check-your-website.server-daten.de/?q=12bfree.com

com

But your older check - 2019-10-30 had a valid DNSSEC configuration:

old

Both have the same DS - KeyTag 40397, DigestType 2, Digest "xRUDH/3tAN/+INF2VlTJUmszJrkpOLtzk7UulszuAAg=".

But the local DNSKEY is new - not KeyTag 40397, instead a KeyTag 2371.

So now your DNSSEC is broken. And the system of your hoster is terrible -> switch to another hoster, that's bad.

Correct DNSSEC: New local DNSKEY created + new DS key created and sent to the parent zone (one step).

PS: That's

not possible. Why do you want to edit DNSSEC manual? DNSSEC has nothing to do with another DNS provider.

@If you have activated DNSSEC, your provider World4you must create the DNSKEY RR, must create minimal one DS (the DS has some informations about the first DNSKEY) and must send the DS RR to the parent zone (the com zone).
–> The DS entry is displayed as still pending 6 days after opening a support ticket for this. I’ve urged World4you today to get this done asap.

@But I don’t understand your configuration.
My current DNS config is here. (I added the subdomains)
Type Name Content TTL Proxy Status
A * 213.182.235.153 Auto Proxied
A 12bfree.com 213.182.235.153 Auto Proxied
CNAME lime 12bfree.com Auto Proxied
CNAME moodle 12bfree.com Auto Proxied
CNAME nc 12bfree.com Auto Proxied
CNAME www 12bfree.com Auto Proxied
MX 12bfree.com 12bfree.com 1hr DNS only

See anything wrong with it?
BTW: I’m determined to switch to another registrar. All in good time.

I don't understand your buggy DNSSEC configuration. A hoster should never create such a situation with a wrong DS, that kills the domain. But it's not your action, it's the action of your provider.

PS: My ISP (Telekom) checks DNSSEC. So your domain is not existent.

D:\temp>nslookup 12bfree.com.
...
Server failed.

PS: And the only thing you can do is to wait, if the hoster fixes that. Or change the hoster.

@I don’t understand your buggy DNSSEC configuration
All I know is that DNSSEC is set to ‘ON’ at World4You’s GUI. All they do is offer an on/off switch.

@nslookup fails Yeah, pending nameserver update (the CNAME entries I guess)

As for the rest of my config:
I host myself.
I run a pfsense firewall with the following add-ons:

  • Acme_Certificates
  • HaProxy

There are serveral VMs in a DMZ mapped to the HaProxy frontend.

That's

expected, there are not more options required. But it should work -> it doesn't work.

That's not an update problem. Inconsistent DNSSEC -> a client that validates the result can't use the result, that's the idea of DNSSEC. The client doesn't know if it is a bug of your provider or if the ip address is faked / bogus.

So a provider with such a configuration -> the provider is terrible.

Step 1. Switch off DNSSEC
Step 2. Switch off of World4You

@Inconsistent DNSSEC
got word from World4you 1st level support today. They’ve escalated my request internally and apologize for the delay. Long story short: Nothing’s happened since Nov. 18th.
Meanwhile I’m looking for another registrar that doesn’t want to own me…

1 Like

World4you is done with the DS record. My Cloudflare account now displays the site as active. -
I created API keys + tokens and used them to launch a certificate request, but I still get an error “invalid domain”
check-your-website.server-daten.de says no chain of trust created because
no confirming DS RR in the parent zone found
I assume I need to manually add another record to the DNS data set at Cloudflare but I’m not sure. I’d need a pointer, plz.

The last check - https://check-your-website.server-daten.de/?q=12bfree.com

Checked: 24.11.2019 10:30:24

So you see the old result.

Start a new check, if you have changed something.

Still getting the error saying “no confirming DS RR in the parent zone”, although the registrar says they’ve added the DS record I requested. The data from Cloudflare I sent to them goes something like this: “example.com. IN DS 62910 7 1 1D6AC75083F3CEC31861993E325E0EEC7E97D1DD” Since then the domain has been dead in the water (error 404). So in whose court is the ball now? Is there any way to tell?

Again: There is no new check. Last check - 01.12.2019 19:14:27.

You have to recheck your domain.

Did you add the necessary key of your domain at your registrar world4you.com?