OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: oliver.greg@gmail.com on April 30, 2021, 01:03:16 pm

Title: Let's Encrypt - BIND Plugin - always failing domain name
Post by: oliver.greg@gmail.com on April 30, 2021, 01:03:16 pm
Hi,

I have Let's Encrypt working with the HTTP_01 plugin for my firewall certs, but I am using OpnSense to run BIND as well, so I figured since it has a nice GUI for LE, I would use it for all of my certbot certs as well. Using the BIND plugin, I always get invalid domain:

Code:
[Fri Apr 30 05:41:59 CDT 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --insecure  '
[Fri Apr 30 05:41:59 CDT 2021] ret='0'
[Fri Apr 30 05:41:59 CDT 2021] h='expe-mra.mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='mydomain.net'
[Fri Apr 30 05:41:59 CDT 2021] h='net'
[Fri Apr 30 05:41:59 CDT 2021] invalid domain
[Fri Apr 30 05:42:00 CDT 2021] Error add txt for domain:_acme-challenge.expe-mra.mydomain.net

(domain scrubbed)

I've grep'ed through all acme files on the system and cannot find the log prints for this "invalid domain", so it must be coming from LE..?

Code:
[root@fw /]# find . -name '*acme*' -exec grep "invalid domain" {} \;

I have also used the URL from the logs with the api key in them and it returns me successful json output with my BIND configuration printed. BIND is also running just fine - OpnSense is acting as my only set of DNS servers currently. The logs are printed quickly, so I know there is no timeout occurring between LE and OpnSense getting to the API port.

*edit*
I have run a packet capture and can see LE querying the DNS name and TXT record, but the TXT record is not found, so the plugin is not working for some reason, and on further inspection, the zone in question's serial number is not incrementing at all when the cert issue attempt is being run.

OpnSense 21.1.5 - Acme Client 2.4

TiA for any insight.

-Greg Oliver
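The h='...' lines in the log above are a DNS hook walking the challenge name label by label to find a zone the API key is allowed to manage. The model below is an added illustration, not the OPNsense acme client's or acme.sh's own code; the zone lists and the zone table are constructed, and it only reproduces the log's visible behaviour: an empty zone list ends in "invalid domain" with the SOA serial untouched, while a matching zone gets the TXT record and a serial bump.

```python
"""Simplified model of the zone walk seen in the acme.sh debug log.

Added illustration, not the plugin's code. The hook strips labels from the
left of the challenge name and asks the DNS API whether each candidate is a
zone it can manage; if no candidate matches, it logs "invalid domain".
"""

CHALLENGE = "_acme-challenge.expe-mra.mydomain.net"  # name from the log


def zone_candidates(fqdn):
    """Candidates in the order the h='...' debug lines show them:
    one label below the challenge name, down to the TLD."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def find_zone(fqdn, api_zones):
    """First candidate the API lists wins. `api_zones` is the (constructed)
    list of zones the supplied API key is allowed to see; an empty list is
    what a key that no longer maps to a user would produce."""
    for h in zone_candidates(fqdn):
        print(f"h='{h}'")
        if h in api_zones:
            return h
    print("invalid domain")
    return None


def add_txt(fqdn, value, api_zones, zones):
    """Simulated publish: locate the zone, append the TXT record and bump the
    SOA serial. `zones` is a constructed dict zone -> {'serial', 'records'}.
    A missing zone leaves the serial unchanged, matching the packet capture
    described in the post (no serial increment, no TXT record)."""
    zone = find_zone(fqdn, api_zones)
    if zone is None:
        return f"Error add txt for domain:{fqdn}"
    z = zones[zone]
    z["records"].append((fqdn, "TXT", value))
    z["serial"] += 1
    return "ok"


if __name__ == "__main__":
    table = {"mydomain.net": {"serial": 2021043001, "records": []}}
    print(add_txt(CHALLENGE, "token", [], table))                # fails
    print(add_txt(CHALLENGE, "token", ["mydomain.net"], table))  # ok
    print(table["mydomain.net"]["serial"])                        # bumped once
```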
Title: Re: Let's Encrypt - BIND Plugin - always failing domain name
Post by: Patrick M. Hausen on April 30, 2021, 01:28:05 pm
You need to create that record on the authoritative DNS server for your domain.
Title: Re: Let's Encrypt - BIND Plugin - always failing domain name
Post by: oliver.greg@gmail.com on April 30, 2021, 01:50:28 pm
If I create the TXT record and put bogus info in it, the plugin is not updating it with the challenge from LE, so I am unsure where to go.

I added the TXT record (and the A record already existed) and both are queryable and return results, but it is never being updated to the proper TXT value.

Not sure where to go from here

-Greg
Title: Re: Let's Encrypt - BIND Plugin - always failing domain name *solved*
Post by: oliver.greg@gmail.com on May 01, 2021, 03:00:59 pm
Well, I guess I'm a dumb ass :)

I deleted the user who had the API keys created and once I updated the keys, it works a treat.