Netgate SG-1000 microFirewall

Author Topic: ACME Provider Update - 0.1.22  (Read 1636 times)

0 Members and 1 Guest are viewing this topic.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
ACME Provider Update - 0.1.22
« on: October 30, 2017, 01:01:06 pm »
After the recent update to acme.sh, backend support for a number of new providers was there, but there was no GUI code to configure them.

I've gone through and added the missing providers, 18 new providers in total.

Given that I don't have accounts with any of them, I can't give them a proper test, but the code is consistent with the others that do work, so I do not expect much trouble. If you try one and it doesn't work, there may not be much to do but disable it for the moment and see if it gets fixed upstream.

The new providers are:
  • Alwaysdata
  • ClouDNS
  • cyon.ch
  • DigitalOcean
  • DNSimple
  • Domain-Offensive / Resellerinterface / Domainrobot
  • DuckDNS
  • Dyn.com
  • Dynu
  • FreeDNS
  • Gandi LiveDNS
  • Infoblox
  • Knot
  • Linode
  • name.com
  • NS1 (nsone.net)
  • vscale.io
  • Yandex

I also alphabetized the list, some had been added out of order, and I moved NSupdate/RFC2136 near the top because it isn't technically a DNS Provider like the others. That is only a cosmetic change, existing settings require no changes.

Reply here with reports of success or failure for the new providers, thanks!
« Last Edit: October 30, 2017, 01:54:42 pm by jimp »
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline pahrohfit

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #1 on: November 01, 2017, 05:29:38 pm »
Not sure when it broken (within the last 3-4 months based upon my expiration) ... but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:

Code: [Select]
[Wed Nov 1 18:22:29 EDT 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Wed Nov 1 18:22:29 EDT 2017] adding _acme-challenge.mydomain.com. 60 in txt "some-acme-nonce"
01-Nov-2017 18:22:29.933 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:1: unknown option '_acme-challenge.mydomain.com...'
01-Nov-2017 18:22:29.934 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:2: unexpected token near end of file
could not read key from /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.{private,key}: unexpected token
update failed: REFUSED
[Wed Nov 1 18:22:30 EDT 2017] error updating domain

The malformed file looks like:

Code: [Select]
_acme-challenge.mydomain.com IN KEY 257 3 165 secret-key-data
The file should look like:

Code: [Select]
key _acme-challenge.mydomain.com. {
        algorithm HMAC-SHA512;
        secret "secret-key-data";
};

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #2 on: November 02, 2017, 08:19:53 am »
Hmm, it worked last time I tried it but I also get that error now. I'll look into it.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline kejianshi

  • Hero Member
  • *****
  • Posts: 4971
  • Karma: +199/-43
  • Debugging...
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #3 on: November 02, 2017, 08:45:14 am »
This looks like something that can save a lot of people a lot of money.  I'll be glad when its a bit more firmed up.  I bet the certificate mafias out there are crying big alligator tears right now.  Surprised they haven't tried to kill it.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #4 on: November 02, 2017, 09:22:29 am »
Not sure when it broken (within the last 3-4 months based upon my expiration) ... but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:

Actually the key format is correct, both ways should work. And indeed it does still work on most of my systems here. I tried a 2.3.5 box, a 2.4.1 box, and other 2.4.2 snapshots all on the newest ACME code and only one of them failed in this way. It's still not clear exactly what that one failed either. It worked fine with one other cert on the same exact box also using RFC2136. All of the files appear to be correctly formatted so far.

I'm still looking into it, but it does not appear to be a widespread issue (only one failure out of about 15 configurations here thus far)
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #5 on: November 02, 2017, 09:26:23 am »
Not sure when it broken (within the last 3-4 months based upon my expiration) ... but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:

Actually the key format is correct, both ways should work. And indeed it does still work on most of my systems here. I tried a 2.3.5 box, a 2.4.1 box, and other 2.4.2 snapshots all on the newest ACME code and only one of them failed in this way. It's still not clear exactly what that one failed either. It worked fine with one other cert on the same exact box also using RFC2136. All of the files appear to be correctly formatted so far.

I'm still looking into it, but it does not appear to be a widespread issue (only one failure out of about 15 configurations here thus far)

OK, I found the problem. It's a configuration issue. That was a test entry which did not have a proper key type or key algorithm set, I forgot I broke that one deliberately before when checking the formats.

So it's not a package problem that I can see. Make sure it's set correctly (e.g. set to Host Key, and set to the correct matching algo as the source key)

Unless there is something special about HMAC-SHA512 that requires the different key file format, that I could work around. I don't have any using that algo here.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline sbreit

  • Newbie
  • *
  • Posts: 13
  • Karma: +2/-0
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #6 on: December 11, 2017, 03:33:26 pm »
Not sure when it broken (within the last 3-4 months based upon my expiration) ... but for nsupdate/rfc2136 based, you are creating an invalidly formatted key file:

Code: [Select]
[Wed Nov 1 18:22:29 EDT 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
[Wed Nov 1 18:22:29 EDT 2017] adding _acme-challenge.mydomain.com. 60 in txt "some-acme-nonce"
01-Nov-2017 18:22:29.933 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:1: unknown option '_acme-challenge.mydomain.com...'
01-Nov-2017 18:22:29.934 /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.key:2: unexpected token near end of file
could not read key from /tmp/acme/mydomain.com/mydomain.com/nsupdate_acme-challenge.mydomain.com.{private,key}: unexpected token
update failed: REFUSED
[Wed Nov 1 18:22:30 EDT 2017] error updating domain

I have the same issue here, also with different key formats (HMAC-SHA256). I too think that the file is not formatted correctly.

Using the key file as -k parameter to nsupdate will always fail:

Code: [Select]
nsupdate -k /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key -v nsupdate.txt
11-Dec-2017 22:14:52.501 /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key:1: unknown option '_acme-challenge.pfsense.domain...'
11-Dec-2017 22:14:52.502 /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.key:2: unexpected token near end of file
could not read key from /tmp/acme/pfsense.domainname/pfsense.domainname/nsupdate_acme-challenge.pfsense.domainname.{private,key}: unexpected token

However, passing the key differently to nsupdate works as expected:

Code: [Select]
nsupdate -y 'HMAC-SHA256:_acme-challenge.pfsense.domain:nQ02d88024393209140eIQo37QCM=' -v nsupdate.txt
Investigating further I found out that the .key file format seemed to be wrong. It was
Code: [Select]
_acme-challenge.pfsense.domain IN KEY 513 3 163 nQ02d88024393209140eIQo37QCM= when it should have been
Code: [Select]
_acme-challenge.pfsense.domain. IN KEY 513 3 163 nQ02d88024393209140eIQo37QCM= instead. Note the missing . after the domain name.

I reckon that's the issue here. @jimp could you look into this?
« Last Edit: December 12, 2017, 02:41:37 am by sbreit »

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #7 on: December 12, 2017, 09:39:57 am »
It does appear as though the '.' should be there, but that doesn't cause any of mine to fail here. I have quite a few using nsupdate and it works perfectly. Though I think they are almost all HMAC_MD5.

Does adding the '.' to the file let it work? You can add it at line 195 of /usr/local/pkg/acme/acme_sh.inc

Change this:
Code: [Select]
file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", "_acme-challenge.{$nsupdatedomain} IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");

to this:
Code: [Select]
file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", "_acme-challenge.{$nsupdatedomain}. IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");

It seems to work either way for me, but if that lets it work for you then I'll go ahead and commit it.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline sbreit

  • Newbie
  • *
  • Posts: 13
  • Karma: +2/-0
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #8 on: December 12, 2017, 12:02:07 pm »
Does adding the '.' to the file let it work? You can add it at line 195 of /usr/local/pkg/acme/acme_sh.inc

Unfortunately not. The error messages from nsupdate complaining about the *.key file weren't exactly helpful either...

Anyhow, I've figured out what the issue was. Comparing the key pair generated on my DNS server and in pfSense I've noticed a few lines missing. Adding
Code: [Select]
Bits: AAA=in line 200 finally did the trick for me. Tadaaa:

Quote
[Tue Dec 12 18:48:06 CET 2017] Cert success.

I have no idea what the "Bits" line does unfortunately, but in the end it seems that this was what was missing.

I generated a HMAC-SHA512 key pair for comparison. It has the same "Bits" line; the request worked as well.

Cheers

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #9 on: December 12, 2017, 01:26:03 pm »
Interesting. Every example I can find of the Bits: line is AAA= but I'd like to find some source for how that's calculated before I go hardcoding it or making a separate field.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline kingchong

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #10 on: December 29, 2017, 06:07:25 pm »
Are there any plans on adding Google Domains to the list?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21739
  • Karma: +1503/-26
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #11 on: December 29, 2017, 07:36:45 pm »
Are there any plans on adding Google Domains to the list?

It must be supported by the acme.sh project first, but it doesn't look like they're into the idea: https://github.com/Neilpang/acme.sh/issues/180
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline kingchong

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: ACME Provider Update - 0.1.22
« Reply #12 on: December 29, 2017, 07:59:49 pm »
Ahh, bummer. Thanks!