Pfsense ACME Cloudflare fails

scarecrow · April 26, 2020, 8:21pm

Hello! I am moving some stuff onto pfsense and I installed the ACME package. When I added a domain to get a cert for it throws the error below. I am using DNS-Cloudflare as part of the process.

My domain is:
vawun.rehlmhosting.com

I ran this command:
Issue/Renew Cert via Pfsense ACME Gui

It produced this output:
[Sun Apr 26 13:05:34 PDT 2020] Sign failed, finalize code is not 200.
[Sun Apr 26 13:05:34 PDT 2020] {
“type”: “urn:ietf:params:acme:error:caa”,
“detail”: “Error finalizing order :: Rechecking CAA for “vawun.rehlmhosting.com” and 1 more identifiers failed. Refer to sub-problems for more information”,
“status”: 403,
“subproblems”: [
{
“type”: “urn:ietf:params:acme:error:caa”,
“detail”: “Error finalizing order :: While processing CAA for vawun.rehlmhosting.com: DNS problem: SERVFAIL looking up CAA for vawun.rehlmhosting.com - the domain’s nameservers may be malfunctioning”,
“status”: 403,
“identifier”: {
“type”: “dns”,
“value”: “vawun.rehlmhosting.com”
}
},
{
“type”: “urn:ietf:params:acme:error:caa”,
“detail”: “Error finalizing order :: While processing CAA for www.vawun.rehlmhosting.com: DNS problem: SERVFAIL looking up CAA for www.vawun.rehlmhosting.com - the domain’s nameservers may be malfunctioning”,
“status”: 403,
“identifier”: {
“type”: “dns”,
“value”: “www.vawun.rehlmhosting.com”
}
}
]
}

My web server is (include version):

The operating system my web server runs on is (include version):
Pfsense 2.4.5-RELEASE (FreeBSD 11.3-STABLE)

I think I have my cloudflare settings correct:

Cloudflare API Key = Global Key
Cloudflare API Email Address = email addr
Cloudflare API Token = token with read on zone zone and edit on zone dns
Cloudflare API Account ID = found under cloudflare website settings
Cloudflare API Zone ID = found under cloudflare website settings

JuergenAuer · April 26, 2020, 8:49pm

Hi @scarecrow

your DNSSEC is buggy / insecure - https://check-your-website.server-daten.de/?q=vawun.rehlmhosting.com

The parent zone has a DS record, but your zone isn’t signed.

Same with Unboundtest - https://unboundtest.com/m/CAA/vawun.rehlmhosting.com/TX6GQC7G

Apr 26 20:20:49 unbound[8969:0] info: Did not match a DS to a DNSKEY, thus bogus.
Apr 26 20:20:49 unbound[8969:0] info: Could not establish a chain of trust to keys for rehlmhosting.com. DNSKEY IN
Apr 26 20:20:49 unbound[8969:0] info: 127.0.0.1 vawun.rehlmhosting.com. CAA IN SERVFAIL 0.175619 0 40

Update your zone so

you use a correct working DNSSEC (or)
the DS RR in the parent zone is removed, so you don’t use DNSSEC

scarecrow · April 26, 2020, 8:31pm

Hey @JuergenAuer,

When i moved my dns service to cloudflare from google I had to disable DNSSEC Could the issue be that the delete from google DNSSEC is not yet fully complete? (Also enabled it on Cloudflare)

Or it could be that I misconfigured DNSSEC between google domains and cloudflare

scarecrow · April 26, 2020, 8:49pm

It was a DNSSEC misconfig! thank you @JuergenAuer

system · May 26, 2020, 8:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.