
Author Topic: Acme and Dyn  (Read 542 times)


Offline piperspace

  • Newbie
  • *
  • Posts: 6
  • Karma: +2/-0
Acme and Dyn
« on: October 06, 2017, 07:13:54 pm »
I am unable to get ACME certificate renewal with DNS validation to work with Dyn.

There is no custom API for Dyn - so I configured it to use the nsupdate command and obtained a key from Dyn.

This always fails with a time-out.

If I run nsupdate from the command line in the same manner as the Acme script does... that also fails with a time-out.

However, if I add the Zone parameter as shown below it works.

nsupdate
> server update.dyndns.com
> key keyname keyvalue
> update add myfqdn 60 in txt "blah blah"
> zone myzone
> send

According to the nsupdate man page - if zone is not explicitly provided it attempts to figure it out from other input. That doesn't seem to be working in my situation for some reason.

Am I out of luck?       
« Last Edit: October 06, 2017, 09:06:47 pm by piperspace »

Offline piperspace

  • Newbie
  • *
  • Posts: 6
  • Karma: +2/-0
Re: Acme and Dyn
« Reply #1 on: October 13, 2017, 01:31:07 pm »
FWIW - an update on this. The pfsense nsupdate renewal script is subtly incompatible with Dyn's implementation. Dyn requires an explicit zone parameter and uses an arbitrary TSIG key name that is not derived from the zone/host name. RFC 2845 strongly recommends that the Key Name reflect the name of the host(s). Dyn's TSIG account key does not. 

It is possible to hack the pfsense script at /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh so that certificate renewal works.

Just add your zone and your TSIG keyname and keyvalue from Dyn as nsupdate parameters and certificate renewal will then work. In the short run this gets the job done.

In the long run I will probably choose another vendor (Cloudflare?) for DNS management since Netgate support expresses no enthusiasm for enhancing Acme to work properly with Dyn.
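The working interactive session from the first post (explicit zone, provider-issued TSIG key name) and the change this reply describes making to dns_nsupdate.sh, written out as an added shell example; this is not the pfSense package's script nor acme.sh's. build_nsupdate_batch emits the five lines nsupdate reads on stdin, apply_nsupdate runs them, and wait_for_txt checks that the record is actually served by the zone's authoritative servers before validation is requested. The server name is the one from the first post; the default zone, key name and secret are constructed placeholders, and the function and environment-variable names are assumptions.

```shell
#!/bin/sh
# Added example: build the command batch nsupdate reads on stdin for the
# ACME DNS-01 _acme-challenge TXT record, with the explicit "zone" line and
# the provider-issued TSIG key name (not derived from the host name) that
# Dyn requires. Not the pfSense package's dns_nsupdate.sh.
# Inputs are environment variables; the defaults below are constructed
# placeholders, not real Dyn credentials.
#   NSUPDATE_SERVER   update endpoint (default from the first post)
#   NSUPDATE_ZONE     zone that must be named explicitly
#   NSUPDATE_KEYNAME  TSIG key name exactly as issued by the provider
#   NSUPDATE_KEY      base64 TSIG secret
#   NSUPDATE_DRY_RUN  when set, print the batch instead of running nsupdate

# Print the nsupdate batch for "add" or "del" of the challenge record.
# Usage: build_nsupdate_batch add|del <fqdn> <txt-value>
build_nsupdate_batch() {
    action=$1; fqdn=$2; txtvalue=$3
    server=${NSUPDATE_SERVER:-update.dyndns.com}
    zone=${NSUPDATE_ZONE:-example.net}                 # placeholder zone
    keyname=${NSUPDATE_KEYNAME:-acme-key}              # placeholder key name
    key=${NSUPDATE_KEY:-PLACEHOLDER_BASE64_SECRET==}   # placeholder secret
    record="_acme-challenge.${fqdn}."
    case "$action" in
        add) update_line="update add ${record} 60 IN TXT \"${txtvalue}\"" ;;
        del) update_line="update delete ${record} IN TXT \"${txtvalue}\"" ;;
        *)   echo "usage: build_nsupdate_batch add|del fqdn txtvalue" >&2; return 2 ;;
    esac
    # "key name secret" is nsupdate's inline TSIG form; "zone" is given before
    # the update so nsupdate never has to guess the zone from the record name.
    printf '%s\n' \
        "server ${server}" \
        "key ${keyname} ${key}" \
        "zone ${zone}" \
        "$update_line" \
        "send"
}

# Feed the batch to nsupdate over TCP (-v); honour NSUPDATE_DRY_RUN.
apply_nsupdate() {
    if [ -n "${NSUPDATE_DRY_RUN:-}" ]; then
        build_nsupdate_batch "$@"
    else
        build_nsupdate_batch "$@" | nsupdate -v
    fi
}

# Poll the zone's authoritative servers until the TXT value is visible, so the
# CA is not asked to validate before the update has landed. Needs dig.
# Usage: wait_for_txt <fqdn> <txt-value> [seconds]
wait_for_txt() {
    fqdn=$1; txtvalue=$2; deadline=${3:-120}
    zone=${NSUPDATE_ZONE:-example.net}
    while [ "$deadline" -gt 0 ]; do
        for ns in $(dig +short NS "$zone"); do
            if dig +short TXT "_acme-challenge.${fqdn}" "@${ns}" | grep -Fq "\"${txtvalue}\""; then
                return 0
            fi
        done
        sleep 5; deadline=$((deadline - 5))
    done
    echo "TXT record for _acme-challenge.${fqdn} not visible after timeout" >&2
    return 1
}
```

Run it once with NSUPDATE_DRY_RUN=1 to confirm the printed batch matches what was typed interactively, then without it; the five printed lines are exactly what this reply says the package's script has to pipe into nsupdate for Dyn (the zone line plus the provider's own key name and value).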


Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21493
  • Karma: +1458/-26
Re: Acme and Dyn
« Reply #2 on: November 02, 2017, 03:21:49 pm »
The latest ACME package has support for Dyn.

It was added to acme.sh and we recently went through and added all the new providers supported by acme.sh now.

We don't have any Dyn accounts to test against, but the code is all there.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline mcury

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Re: Acme and Dyn
« Reply #3 on: December 13, 2017, 05:19:02 pm »
Hi, I do have a domain and the DNS service, both from Dyndns.
But I can't make it work.

Using the DNS dyn method.

I can see through the Dyndns reports page that an entry is added and deleted by _acme-challenge.mydomain.net during the certificate generation.
But in the end, it fails with this message:

mydomain.net:Verify error:Correct value not found for DNS challenge

I ran the dnssec-keygen, and ran bind using the key command in the global settings:

key Kmydomain.net {
   algorithm hmac-md5;
   secret "HcszMU0bDghj/Jx+8NIcNMHae13OlRE9gKnfghtywGwJ6X3e/Zw4A6DA4wWcJa13NgX5RSNRveXCdgh+2Lg==";
};

Anyone got this to work?

« Last Edit: December 13, 2017, 06:18:06 pm by mcury »

Offline pilotboy72

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
Re: Acme and Dyn
« Reply #4 on: December 18, 2017, 07:43:11 pm »
Hi,

I'm also having problems with this.  I can't even get the domain updated.  The error shown in the logs is (I have replaced my domain name with <mydomain> in this listing):

[Mon Dec 18 19:38:44 CST 2017] Start Dyn API Session
[Mon Dec 18 19:38:45 CST 2017] get token failed
[Mon Dec 18 19:38:45 CST 2017] Error add txt for domain:_acme-challenge.<mydomain>
[Mon Dec 18 19:38:45 CST 2017] Please check log file for more details: /tmp/acme/<mydomain>/acme_issuecert.log


Not sure what to do.  I'm using the correct username and password (verified several times).  @mcury, what type of DYN account do you have?

Brian

Offline mcury

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
Re: Acme and Dyn
« Reply #5 on: December 21, 2017, 07:47:27 am »
I had the dns managed express with a domain there in Dyndns.
But gave up dyndns, not using it anymore.

As my objective was just to get an SSL certificate for my GUI, I created a duckdns.org account and it's working just fine so far.

The example below is just valid for your FQDN duckdns account.
It's useful if you don't have a domain in the Internet, and if you just want a certificate for an FQDN. (Of course not valid for the domain)!!

By doing it this way, you won't need to disable any security feature, won't need to buy a domain anywhere, and will need only one entry into your DNS server (which can be local).
It's perfect for setting your pfSense management to HTTPS without having certificate warnings.
You can also export those certificates and use them in another server, but there are other methods that you can use that are better for this purpose.

How it's working here

My local domain: local.lan
My certificate is valid for myhost.duckdns.org

For that to work without disabling any security feature such as the DNS rebind check when you connect to pfSense management using that new ACME duckdns certificate, you can do the following:

Configure it to be your GUI SSL certificate and set in that same page
System > Advanced settings > Admin access > Alternate Hostname:
Set the same FQDN configured into your certificate.

Go into your DNS resolver (or the DNS server you use), and point the FQDN of the ACME certificate to your pfSense LAN IP.

If you don't have a WAN static IP or just want that to be reachable from outside, you can also set the pfSense Dynamic DNS feature to update your IP to the same FQDN configured into the certificate.

EDIT: Use VPN to reach your pfSense from outside, don't leave the management port open on WAN!