nsupdate: key ? is unreadable
Hi there,
I wanted to use my existing DNS challenge infrastructure, which is running fine using acertmgr.
Basically there is a dedicated bind instance running at challenge.domain.net, serving acme.challenge.domain.net.
On every domain I like to validate, I add (in this case) _acme-challenge.owa IN CNAME acme.challenge.domain.net.
I have TSIG keys configured at challenge.domain.net, which allow updating TXT on acme.challenge.domain.net. Tested, working in production with acertmgr on a lot of Debian machines. So up to here there is no fault.
Now pfsense's Acme comes in.
- I created new Acme account "LE Testing" using le-staging-2 CA
- I created a certificate config for owa.domain.net as follows:
Name: owa.domain.net
Acme Account: LE Testing
Domain SAN list: DNS-Nsupdate / RFC2136, Server: challenge.domain.net
- Key Name: pfsense.
- Key Algorithm: HMAC-SHA512
- Key: VLvHm4IeTM8gzIx3SteM7ISjz+oReIklXYciB0P6GFMPFBnw1pTu/BS4adDStWvP1gRAzhCBv1MFFb5xja05uA==
- Enable DNS alias mode: acme.challenge.domain.net
- Enable DNS domain alias mode: [x]
When I save and hit renew, the following is presented in a green box: (Why green? It failed...)
owa.domain.net
Renewing certificate
account: LE Testing
server: letsencrypt-staging-2
getCertificatePSK
updating key
/usr/local/pkg/acme/acme.sh --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --create-domain-key --domain 'owa.domain.net' --keylength '4096' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_createdomainkey.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ )
[Sat Jun 10 16:22:16 CEST 2023] Creating domain key
[Sat Jun 10 16:22:17 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
/usr/local/pkg/acme/acme.sh --issue --domain 'owa.domain.net' --domain-alias 'acme.challenge.domain.net' --dns 'dns_nsupdate' --home '/tmp/acme/owa.domain.net/' --accountconf '/tmp/acme/owa.domain.net/accountconf.conf' --force --reloadCmd '/tmp/acme/owa.domain.net/reloadcmd.sh' --log-level 3 --log '/tmp/acme/owa.domain.net/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [NSUPDATE_SERVER] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate [NSUPDATE_KEYNAME] => pfsense. [NSUPDATE_KEYALGO] => 165 [NSUPDATE_KEY] => /tmp/acme/owa.domain.net/owa.domain.netnsupdate [NSUPDATE_ZONE] => challenge.domain.net )
[Sat Jun 10 16:22:18 CEST 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Sat Jun 10 16:22:18 CEST 2023] Creating domain key
[Sat Jun 10 16:22:18 CEST 2023] The domain key is here: /tmp/acme/owa.domain.net//owa.domain.net/owa.domain.net.key
[Sat Jun 10 16:22:18 CEST 2023] Single domain='owa.domain.net'
[Sat Jun 10 16:22:18 CEST 2023] Getting domain auth token for each domain
[Sat Jun 10 16:22:20 CEST 2023] Getting webroot for domain='owa.domain.net'
[Sat Jun 10 16:22:20 CEST 2023] Adding txt value: iNxhsmIl2uBmS88ekq9xrRHq5OzL2gNyStpu9yFGVcU for domain: acme.challenge.domain.net
[Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable
[Sat Jun 10 16:22:20 CEST 2023] Error add txt for domain:acme.challenge.domain.net
[Sat Jun 10 16:22:20 CEST 2023] Please check log file for more details: /tmp/acme/owa.domain.net/acme_issuecert.log
So the line in question is this:
[Sat Jun 10 16:22:20 CEST 2023] key /tmp/acme/owa.domain.net/owa.domain.netnsupdateacme.challenge.domain.net.key is unreadable
By the looks of it, the path already looks broken. The file does not exist; pfSense has failed to create it, I guess.
So now I fiddled around a lot.
I managed to fix the missing files by:
    cd /tmp/acme/owa.domain.net
    ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.server owa.domain.netnsupdateacme.challenge.domain.net.server
    ln -s owa.domain.netnsupdate_acme-challenge.acme.challenge.domain.net.key owa.domain.netnsupdateacme.challenge.domain.net.key
Sorry for finding a hack before posting, but there is definitely something wrong with the filenames created by the UI.
Hopefully this is useful enough for our devs to find a permanent solution to this.
Best regards,
Jan
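The post above shows acme.sh's dns_nsupdate hook failing before it ever talks to the challenge server, because the TSIG key file it wants to open does not exist. The script below is an added example, not code from the post or from the pfSense acme package: it writes a TSIG key file in the format that nsupdate -k reads, builds the add/delete TXT update batch for the alias name (the CNAME target acme.challenge.domain.net) in the challenge zone, and performs the same "is the key readable" check that failed in the log before anything is sent. Hostnames, the zone, the key name and the base64 secret in the usage note are constructed placeholders; the batch format (server / zone / update add ... txt / send) follows what acme.sh's hook feeds to nsupdate, but this script is not that hook.

```shell
#!/bin/sh
# Added example (not from the forum post or the pfSense acme package).
# Builds the TSIG key file and the nsupdate batch used for an RFC2136 DNS-01
# challenge in DNS alias mode, so the key and the server ACL can be tested by
# hand before letting acme.sh run. All names below are constructed placeholders.

# Write a TSIG key file in the format `nsupdate -k` expects.
# $1 = path, $2 = key name (e.g. pfsense.), $3 = algorithm, $4 = base64 secret
# The secret authorises TXT updates on the challenge zone, so the file is
# created 0600 (umask applied in a subshell so the caller's umask is untouched).
write_tsig_keyfile() {
  ( umask 077
    printf 'key "%s" {\n  algorithm %s;\n  secret "%s";\n};\n' "$2" "$3" "$4" > "$1" )
}

# Emit the update batch nsupdate reads from stdin.
# $1 = add|del, $2 = server, $3 = zone, $4 = record name (the alias fqdn), $5 = TXT value
# The record is written at the alias name, i.e. the CNAME target, never at
# _acme-challenge.<domain> itself.
build_update() {
  case "$1" in
    add) printf 'server %s\nzone %s.\nupdate add %s. 60 in txt "%s"\nsend\n' "$2" "$3" "$4" "$5" ;;
    del) printf 'server %s\nzone %s.\nupdate delete %s. in txt "%s"\nsend\n' "$2" "$3" "$4" "$5" ;;
    *)   echo "usage: build_update add|del server zone fqdn value" >&2; return 1 ;;
  esac
}

# The same precondition the log reports as failing: the key file must exist
# and be readable by the user running acme.sh, otherwise stop before nsupdate.
check_keyfile() {
  [ -r "$1" ] || { echo "key $1 is unreadable" >&2; return 1; }
}

# Check the key, then either print the batch (default, safe anywhere) or pipe
# it into nsupdate when RUN_NSUPDATE=1 and nsupdate is installed.
# $1 = keyfile, remaining args as for build_update
push_update() {
  keyfile=$1; shift
  check_keyfile "$keyfile" || return 1
  if [ "${RUN_NSUPDATE:-0}" = 1 ]; then
    command -v nsupdate >/dev/null 2>&1 || { echo "nsupdate not installed" >&2; return 1; }
    build_update "$@" | nsupdate -k "$keyfile"
  else
    build_update "$@"
  fi
}
```

Usage on the challenge host's client side (placeholder values): `write_tsig_keyfile ./pfsense.key pfsense. hmac-sha512 'BASE64SECRET'`, then `RUN_NSUPDATE=1 push_update ./pfsense.key add challenge.domain.net challenge.domain.net acme.challenge.domain.net test-token`, and confirm with `dig +short TXT acme.challenge.domain.net @challenge.domain.net` before deleting the record again with `del`. If the add is refused with NOTAUTH or REFUSED, the problem is the key or the update-policy on the BIND side, not the acme client; if push_update already stops at "is unreadable", the problem is file creation or permissions on the client, which is the situation in the post.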
The issue may be just pfSense prepending _acme-challenge. to the challenge FQDN in the filename when "Enable DNS domain alias mode" is ticked.