OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: oliver.greg@gmail.com on April 30, 2021, 01:03:16 pm
-
Hi,
I have Let's Encrypt working with the HTTP_01 plugin for my firewall certs, but I am using OpnSense to run BIND as well, so I figured since it has a nice GUI for LE, I would use it for all of my certbot certs as well. Using the BIND plugin, I always get invalid domain:
[Fri Apr 30 05:41:59 CDT 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --insecure '
[Fri Apr 30 05:41:59 CDT 2021] ret='0'
[Fri Apr 30 05:41:59 CDT 2021] h='expe-mra.mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='net'
[Fri Apr 30 05:41:59 CDT 2021] invalid domain
[Fri Apr 30 05:42:00 CDT 2021] Error add txt for domain:_acme-challenge.expe-mra.mydomain.net
(domain scrubbed)
I've grep'ed through all acme files on the system and cannot find the log prints for this "invalid domain", so it must be coming from LE..?
[root@fw /]# find . -name '*acme*' -exec grep "invalid domain" {} \;
I have also used the URL from the logs with the API key in them and it returns me successful JSON output with my BIND configuration printed. BIND is also running just fine - OpnSense is acting as my only set of DNS servers currently. The logs are printed quickly, so I know there is no timeout occurring between LE and OpnSense getting to the API port.
*edit*
I have run a packet capture and can see LE querying the DNS name and TXT record, but the TXT record is not found, so the plugin is not working for some reason, and on further inspection, the zone in question's serial number is not incrementing at all when the cert issue attempt is being run.
OpnSense 21.1.5 - Acme Client 2.4
TiA for any insight.
-Greg Oliver
-
You need to create that record on the authoritative DNS server for your domain.
-
If I create the TXT record and put bogus info in it, the plugin is not updating it with the challenge from LE, so I am unsure where to go.
I added the TXT record (and the A record already existed) and both are queryable and return results, but it is never being updated to the proper TXT value.
Not sure where to go from here
-Greg
-
Well, I guess I'm a dumb ass :)
I deleted the user who had the API keys created and once I updated the keys, it works a treat.
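The h='…' lines followed by "invalid domain" in the first post are the shape of output an acme.sh DNS API script produces when its zone-root lookup has dropped labels off the challenge name one at a time and none of the remaining suffixes matched a zone the API reported. The block below is an added example, not code from the OPNsense acme plugin or from acme.sh, that reproduces that suffix walk in plain sh against a constructed zone list standing in for the API response; the zone names, the whitespace-separated zone list and the function name find_zone_root are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not the OPNsense plugin's or acme.sh's own code): the
# suffix walk used to decide which zone a challenge TXT record belongs in.
# Assumption: the zone list the DNS API returns is modelled as a
# whitespace-separated string instead of the JSON a real API would send.

# Constructed stand-ins for the API response. With a working key the API
# lists the zones it manages; with a revoked or unauthorised key the
# caller ends up with nothing to match against.
ZONES_AUTHORISED="mydomain.net example.org"
ZONES_UNAUTHORISED=""

# find_zone_root FQDN ZONELIST
# Strips one leading label per iteration (h='expe-mra.mydomain.net',
# h='mydomain.net', h='net', as in the log) until a suffix equals one of
# the zones in ZONELIST. On a match prints "zone relative-name" and
# returns 0; if every suffix is exhausted prints "invalid domain" and
# returns 1.
find_zone_root() {
  fqdn=$1
  zones=$2
  i=1
  while :; do
    # -f i-100 keeps labels i..100, i.e. drops the first i-1 labels
    h=$(printf '%s' "$fqdn" | cut -d . -f "$i"-100)
    [ -n "$h" ] || break
    echo "h='$h'" >&2   # the debug line the acme log shows per attempt
    for z in $zones; do
      if [ "$z" = "$h" ]; then
        # everything left of the matched zone is the record's owner name
        # relative to the zone apex; empty when the name is the apex itself
        sub=${fqdn%".$h"}
        [ "$sub" = "$fqdn" ] && sub=""
        printf '%s %s\n' "$h" "$sub"
        return 0
      fi
    done
    i=$((i + 1))
  done
  echo "invalid domain"
  return 1
}

# Stand-alone demo: the same challenge name against a valid and a revoked key.
for zl in "$ZONES_AUTHORISED" "$ZONES_UNAUTHORISED"; do
  if find_zone_root _acme-challenge.expe-mra.mydomain.net "$zl"; then
    echo "  -> zone found, the TXT record can be added there"
  else
    echo "  -> nothing matched: check the API user/key, not the zone file"
  fi
done
```

Run against an empty list the walk tries every suffix down to the TLD and ends in "invalid domain", which is exactly the sequence in the first post; the message therefore describes what the API returned for the configured key rather than a problem with the zone or the record itself, which is consistent with the fix in the last post. Independently of the plugin, the two checks worth keeping from the thread are querying the authoritative server directly for the _acme-challenge TXT record during an issue attempt and comparing the zone's SOA serial before and after it; if the serial never moves, the update never reached BIND.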