I have a pfsense configured with a static public IP.
Acme Certificates is installed, the account keys (letsencrypt-production-2) are set.
My current DNS provider (world4you) does not support dns challenge.
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
)
[Mon Oct 28 14:06:12 CET 2019] Multi domain=‘DNS:12bfree.com,DNS:*.12bfree.com’
[Mon Oct 28 14:06:12 CET 2019] Getting domain auth token for each domain
[Mon Oct 28 14:06:15 CET 2019] Getting webroot for domain=‘12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] Getting webroot for domain=‘*.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: ‘_acme-challenge.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] TXT value: ‘xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx’
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: ‘_acme-challenge.12bfree.com’
[Mon Oct 28 14:06:16 CET 2019] TXT value: ‘xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx’
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon Oct 28 14:06:16 CET 2019] Please check log file for more details: /tmp/acme/12bfree.com/acme_issuecert.log
My web server is (include version):
apache2
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
pfsense
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Sorry for the delay and thank you for your response. I appreciate it.
I’ve been in contact with my registrar about DNS challenge.
They won’t allow it.
Therefore I’m thinking of transferring the domain to another provider.
I’m sitting in Austria. Can you possibly recommend a decent one?
BTW: I’ll be revisiting your website. It’s definitely helpful.
I created a Cloudflare account and set their nameservers as default at my registrar’s page (the only thing they’ll allow as far as DNS is concerned). The transfer took some five days (‘status pending’), then I was able to retrieve the necessary API keys for DNS challenge. I’ll be creating the certificate this weekend and let you know if all went well.
Domain Transfer is complete but Cloudflare says "DNSSEC is pending while we wait for the DS to be added to your registrar. This usually takes ten minutes, but can take up to an hour."
I did request a DS entry on Nov. 18th. Here's the original text:
> Hello *
> I need the ability to create a DS record (delegation of signing).
> I have enabled DNSSEC for 12bfree.com, but otherwise I see no way to edit DNSSEC in order to point to another DNS provider.
> The goal is to set up a DNSSEC chain using algorithm 13, which ICANN has been promoting for years, in order to integrate a certificate.
> Can World4you provide this?
> Kind regards
Is there something I missed or is the ball in their court?
If you have activated DNSSEC, your provider World4you must create the DNSKEY RR, must create at least one DS (the DS contains some information about the first DNSKEY) and must send the DS RR to the parent zone (the com zone).
So this (creating a DS and deploying it) isn't an additional step, it's a fundamental part (the last and critical step) of activating DNSSEC.
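The DS/DNSKEY relationship described above, and the "no confirming DS RR in the parent zone" failure discussed later in the thread, can be checked locally. The following is an added example (not from the thread or from any of the providers mentioned): it derives the DS RDATA from a child DNSKEY per RFC 4034 and tests whether a parent-side DS set actually confirms the child's keys. The DNSKEY used in the demo is a constructed placeholder, not a real key.

```python
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509). SHA-1 (1) is deprecated for DS; SHA-256 (2) is what to publish.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA exactly as it appears on the wire (the input to both key tag and DS digest)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest): the DS RDATA the parent zone must carry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(parent_ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True only when the DS published at the parent points at exactly this child DNSKEY."""
    tag, alg, dtype, digest = parent_ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: a validator cannot use this DS
    return compute_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.upper())


def confirming_ds_found(parent_ds_set, owner, child_dnskeys) -> bool:
    """A validating resolver needs at least one parent DS matching one child DNSKEY; otherwise the zone is bogus."""
    return any(ds_matches(ds, owner, *key) for ds in parent_ds_set for key in child_dnskeys)


# Constructed demo key (flags 257 = KSK, protocol 3, algorithm 13); the public key bytes are a placeholder.
DEMO_KEY = (257, 3, 13, "AQIDBA==")
DEMO_DS = compute_ds("12bfree.com", *DEMO_KEY)  # this is what the registrar would have to publish in .com
```

Feeding the real DNSKEY shown by the DNS provider and the DS shown by the registrar into `confirming_ds_found` tells you which side holds the mismatch.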
@If you have activated DNSSEC, your provider World4you must create the DNSKEY RR, must create at least one DS (the DS contains some information about the first DNSKEY) and must send the DS RR to the parent zone (the com zone).
–> The DS entry is displayed as still pending 6 days after opening a support ticket for this. I’ve urged World4you today to get this done asap.
@But I don’t understand your configuration.
My current DNS config is here. (I added the subdomains)
| Type | Name | Content | TTL | Proxy Status |
|---|---|---|---|---|
| A | * | 213.182.235.153 | Auto | Proxied |
| A | 12bfree.com | 213.182.235.153 | Auto | Proxied |
| CNAME | lime | 12bfree.com | Auto | Proxied |
| CNAME | moodle | 12bfree.com | Auto | Proxied |
| CNAME | nc | 12bfree.com | Auto | Proxied |
| CNAME | www | 12bfree.com | Auto | Proxied |
| MX | 12bfree.com | 12bfree.com | 1hr | DNS only |
See anything wrong with it?
BTW: I’m determined to switch to another registrar. All in good time.
I don't understand your buggy DNSSEC configuration. A hoster should never create such a situation with a wrong DS, that kills the domain. But it's not your action, it's the action of your provider.
PS: My ISP (Telekom) checks DNSSEC. So your domain does not exist.
@I don’t understand your buggy DNSSEC configuration
All I know is that DNSSEC is set to ‘ON’ at World4You’s GUI. All they do is offer an on/off switch.
@nslookup fails
Yeah, pending nameserver update (the CNAME entries I guess)
As for the rest of my config:
I host myself.
I run a pfsense firewall with the following add-ons:
Acme_Certificates
HaProxy
There are several VMs in a DMZ mapped to the HaProxy frontend.
expected, there are no more options required. But it should work -> it doesn't work.
That's not an update problem. Inconsistent DNSSEC -> a client that validates the result can't use the result, that's the idea of DNSSEC. The client doesn't know if it is a bug of your provider or if the ip address is faked / bogus.
So a provider with such a configuration -> the provider is terrible.
@Inconsistent DNSSEC
Got word from World4you 1st level support today. They’ve escalated my request internally and apologize for the delay. Long story short: Nothing’s happened since Nov. 18th.
Meanwhile I’m looking for another registrar that doesn’t want to own me…
World4you is done with the DS record. My Cloudflare account now displays the site as active.
I created API keys + tokens and used them to launch a certificate request, but I still get an error “invalid domain”. check-your-website.server-daten.de says “no chain of trust created because no confirming DS RR in the parent zone found”.
I assume I need to manually add another record to the DNS data set at Cloudflare but I’m not sure. I’d need a pointer, please.
Still getting the error saying “no confirming DS RR in the parent zone”, although the registrar says they’ve added the DS record I requested. The data from Cloudflare I sent to them goes something like this: “example.com. IN DS 62910 7 1 1D6AC75083F3CEC31861993E325E0EEC7E97D1DD” Since then the domain has been dead in the water (error 404). So in whose court is the ball now? Is there any way to tell?