General Discussion / ACME Client - Dyn and Dynu no luck, deSEC worked.
« on: September 09, 2023, 01:14:44 am »
Hi folks,
I'm posting just to let others know my experience with ACME Client and some of the dynamic DNS providers out there. I couldn't find a similar post so I figured it might be of use to someone else.
I just followed this excellent tutorial to set up HAProxy with SSL support, and only had trouble when using the ACMEClient plugin to set up the wildcard HTTPS certificate. My longtime dynamic DNS provider has been Dyn, but it failed when trying to create a test certificate. Even with the ACMEClient log level set to debug, the log generated no output after calling acme.sh, until a couple of minutes later timing out and reporting the failure to create the cert. Obviously I've made appropriate redactions:
Code:
2023-09-04T16:48:21-04:00 opnsense AcmeClient: validation for certificate failed: *.xxx.yyy.zzz
2023-09-04T16:48:21-04:00 opnsense AcmeClient: domain validation failed (dns01)
2023-09-04T16:48:16-04:00 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_dyn' --dnssleep '120' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/number/cert.pem' --keypath '/var/etc/acme-client/keys/number/private.key' --capath '/var/etc/acme-client/certs/number/chain.pem' --fullchainpath '/var/etc/acme-client/certs/number/fullchain.pem' --domain '*.xxx.yyy.zzz' --days '1' --force --ocsp --keylength 'ec-384' --accountconf '/var/etc/acme-client/accounts/number/account.conf'
2023-09-04T16:48:16-04:00 opnsense AcmeClient: using challenge type: DynDNS
2023-09-04T16:48:16-04:00 opnsense AcmeClient: account is registered: account_name
2023-09-04T16:48:16-04:00 opnsense AcmeClient: using CA: letsencrypt_test
2023-09-04T16:48:16-04:00 opnsense AcmeClient: issue certificate: *.xxx.yyy.zzz
2023-09-04T16:48:16-04:00 opnsense AcmeClient: certificate must be issued/renewed: *.xxx.yyy.zzz
I then created a Dynu account and tried with that service. Exactly the same log result (except for the --dns option value in the acme.sh path of course). The obvious assumption is that something was wrong with the login credentials I was trying for each account, however I repeatedly reconfirmed both. Dynu uses API credentials that one can create via their GUI - those would be hard to copy/paste wrongly. For Dyn it wasn't 100% clear which credentials were desired, given the field names Customer, User and Password, but I tried a variety of logical combinations.
I finally followed the tutorial's suggestion of using deSEC as the DNS provider, and it worked right away. Serves me right for deviating from the guide I guess.
If anyone is successfully using one of the providers I couldn't get working, I'd be curious to know how you got the credentials to work; perhaps we could contribute help text for the ACME Client plugin credential entry fields.
Cheers,
Ian