ACME and Google Cloud DNS (bug?)

Started by billchurch, April 27, 2023, 10:25:46 PM

OPNsense 22.7.11_1 amd64/OpenSSL
os-acme-client 3.15
os-google-cloud-sdk 1.0_1

I've configured ACME Client with an account, a DNS-01 Google DNS challenge type (using a service account I've tested) and attempted to create a certificate but the TXT record never seems to get created in my zone.

I'm able to use that same service account to create a TXT record from my gcloud client on my laptop, but the same command that works there errors out on the gcloud on OPNsense from the CLI as:


root@opnsense:~ # gcloud dns --project=supersecret-1234 record-sets create _acme-challenge.opnsense.something.place.somewhere. --zone="place" --type="TXT" --ttl="300" --rrdatas="we0fjwe0ewfiewjfewjfoiewfoiewjio"
ERROR: (gcloud.dns.record-sets) Invalid choice: 'create'.
Maybe you meant:
  gcloud dns dns-keys
  gcloud dns managed-zones
  gcloud dns policies
  gcloud dns record-sets

To search the help text of gcloud commands, run:
  gcloud help -- SEARCH_TERMS

I noticed that the gcloud CLI version was older so I decided, why not update it, so went from 331.0.0 to 428.0.0 using `gcloud components update`...

However now I've broken gcloud cli:

root@opnsense:~ # /usr/local/bin/gcloud --quiet auth activate-service-account --key-file=/tmp/acme_dns_gcloud_wefewfewfe-23r32r2r3.json
ERROR: gcloud crashed (AttributeError): 'NoneType' object has no attribute 'clean_version'

If you would like to report this issue, please run the following command:
  gcloud feedback

To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics
root@opnsense:~ #


I tried to revert but, same error:

root@opnsense:~ # gcloud components update --version 331.0.0
Beginning update. This process may take several minutes.
ERROR: gcloud crashed (AttributeError): 'NoneType' object has no attribute 'clean_version'

If you would like to report this issue, please run the following command:
  gcloud feedback

To check gcloud for common problems, please run the following command:
  gcloud info --run-diagnostics


So removed the os-google-cloud-sdk and re-added it and I at least got gcloud cli working again...

Okay, digging in more it seems that in v331.0.0 (which is what is installed by os-google-cloud-sdk 1.0_1) the gcloud dns record-sets create command was alpha.

I saw this issue in github https://github.com/opnsense/plugins/issues/2710 and noticed that "unquietwiki" mentioned installing 368.0.0 seemed to solve their issues.

So, I once again updated the gcloud utilities, but this time to "368.0.0"

# gcloud components update --version=368.0.0

After doing this I was able to run the "gcloud dns record-sets create..." command successfully. So that, at least, shows that this gcloud portion is working with my auth and my project from the OPNsense box.

Tried processing the certificate again, and it failed verification again. There doesn't appear to ever have been an attempt with creating the TXT record in Google Cloud DNS. The log also doesn't show any attempt as far as I can tell...

I tried re-running the acme command which showed up in the log, nothing really points to anything for DNS errors that I can tell. Any thoughts here?


<13>1 2023-04-27T16:07:49-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="3"] AcmeClient: certificate must be issued/renewed: opnsense.not_a_real_sub.not_a_real_domain.me
<13>1 2023-04-27T16:07:49-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="4"] AcmeClient: issue certificate: opnsense.not_a_real_sub.not_a_real_domain.me
<13>1 2023-04-27T16:07:49-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="5"] AcmeClient: using CA: letsencrypt
<13>1 2023-04-27T16:07:49-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="6"] AcmeClient: account is registered: letsencrypt
<13>1 2023-04-27T16:07:49-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="7"] AcmeClient: Google Cloud DNS project name: myproject-12345
<11>1 2023-04-27T16:07:52-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="8"] /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config configurations create acme-644a990e620ad8-61947839' returned exit code '120'
<11>1 2023-04-27T16:07:54-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="9"] /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config configurations activate acme-644a990e620ad8-61947839' returned exit code '120'
<11>1 2023-04-27T16:08:07-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="10"] /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet auth activate-service-account --key-file=/tmp/acme_dns_gcloud_644a990e620ad8-61947839.json' returned exit code '120'
<11>1 2023-04-27T16:08:10-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="11"] /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config set account acme-25@myproject-12345.iam.gserviceaccount.com' returned exit code '120'
<11>1 2023-04-27T16:08:13-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="12"] /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command '/usr/local/bin/gcloud --quiet config set project myproject-12345' returned exit code '120'
<13>1 2023-04-27T16:08:13-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="13"] AcmeClient: using challenge type: google-dns
<13>1 2023-04-27T16:08:13-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="14"] AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt' --dns 'dns_gcloud' --dnssleep '30' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/23f23f3223f.87987789dgd/cert.pem' --keypath '/var/etc/acme-client/keys/23f23f3223f.87987789dgd/private.key' --capath '/var/etc/acme-client/certs/23f23f3223f.87987789dgd/chain.pem' --fullchainpath '/var/etc/acme-client/certs/23f23f3223f.87987789dgd/fullchain.pem' --domain 'opnsense.not_a_real_sub.not_a_real_domain.me' --days '1' --force  --keylength '2048' --accountconf '/var/etc/acme-client/accounts/644a97fb995265.78825753_prod/account.conf'
<11>1 2023-04-27T16:09:25-04:00 opnsense.not_a_real_sub.not_a_real_domain.me acme.sh 67690 - [meta sequenceId="1"] [Thu Apr 27 16:09:25 EDT 2023] _dns_gcloud_start_tr: failed to execute transaction
<11>1 2023-04-27T16:09:25-04:00 opnsense.not_a_real_sub.not_a_real_domain.me acme.sh 70510 - [meta sequenceId="2"] [Thu Apr 27 16:09:25 EDT 2023] Error add txt for domain:_acme-challenge.opnsense.not_a_real_sub.not_a_real_domain.me
<11>1 2023-04-27T16:09:25-04:00 opnsense.not_a_real_sub.not_a_real_domain.me acme.sh 76878 - [meta sequenceId="3"] [Thu Apr 27 16:09:25 EDT 2023] Please add '--debug' or '--log' to check more details.
<11>1 2023-04-27T16:09:25-04:00 opnsense.not_a_real_sub.not_a_real_domain.me acme.sh 80290 - [meta sequenceId="4"] [Thu Apr 27 16:09:25 EDT 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
<11>1 2023-04-27T16:09:36-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="7"] AcmeClient: domain validation failed (dns01)
<11>1 2023-04-27T16:09:36-04:00 opnsense.not_a_real_sub.not_a_real_domain.me opnsense 93328 - [meta sequenceId="8"] AcmeClient: validation for certificate failed: opnsense.not_a_real_sub.not_a_real_domain.me

Found this:

https://forum.opnsense.org/index.php?topic=18476.0

And noticed that yes, in fact those hooks don't exist on the filesystem.

However I had to change the file copy operation to:

cp -a /root/.acme.sh/* /usr/local/share/examples/acme.sh/

because when I tried to copy before it wouldn't work (symbolic links). even after that with the same error...


[Thu Apr 27 17:02:17 EDT 2023] Can not find dns api hook for: dns_gcloud
[Thu Apr 27 17:02:17 EDT 2023] You need to add the txt record manually.
[Thu Apr 27 17:02:17 EDT 2023] Add the following TXT record:


So I finally added the record manually to Google Cloud DNS, renewed certificate in the GUI and it worked. But this is definitely broken.

What's the best way to raise this?
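The two failure modes in the post (a gcloud too old for `dns record-sets create`, and an acme.sh `dns_gcloud` hook that is missing or a dangling symlink after a plain copy) can be caught before a renewal is attempted. The following pre-flight script is an added example, not code from the os-acme-client or os-google-cloud-sdk plugins; the 368.0.0 threshold and the `/usr/local/share/examples/acme.sh` directory are taken from the post, while the `dnsapi/` sub-directory layout, the `drill` resolver check and the `preflight`/`version_ge`/`hook_present`/`txt_published` names are assumptions made for this example.

```sh
#!/bin/sh
# Pre-flight checks for the OPNsense ACME client + Google Cloud DNS setup
# described in the post. Added example, not code from the os-acme-client or
# os-google-cloud-sdk plugins. The 368.0.0 threshold and the hook directory
# come from the post; the dnsapi/ layout and the resolver used are assumptions.

ACME_HOME="${ACME_HOME:-/usr/local/share/examples/acme.sh}"  # where the post copied the hooks to
MIN_GCLOUD="368.0.0"                                          # version that worked in the thread

# version_ge A B: succeeds when dotted version A is >= B, compared field by field
# (non-digits in a field are stripped, missing trailing fields count as 0)
version_ge() {
    a=$1; b=$2; i=1
    while :; do
        # trailing "." so that cut returns an empty field past the end of the version
        x=$(printf '%s.' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        y=$(printf '%s.' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# gcloud_version: prints the installed SDK version from the first line of `gcloud version`
# ("Google Cloud SDK 428.0.0"); fails when gcloud is not in PATH
gcloud_version() {
    command -v gcloud >/dev/null 2>&1 || return 1
    gcloud version 2>/dev/null | awk '/^Google Cloud SDK/ { print $4; exit }'
}

# hook_present DIR NAME: succeeds when DIR/dnsapi/NAME.sh is a readable regular file.
# A dangling symlink (what a plain cp of /root/.acme.sh can leave behind) fails this test,
# which is the situation behind "Can not find dns api hook for: dns_gcloud".
hook_present() {
    [ -f "$1/dnsapi/$2.sh" ] && [ -r "$1/dnsapi/$2.sh" ]
}

# txt_published NAME VALUE: succeeds when a public resolver (assumed: drill from ldns,
# querying 8.8.8.8) already answers NAME's TXT query with VALUE, i.e. the challenge
# record the CA will look for is actually visible
txt_published() {
    drill "$1" @8.8.8.8 TXT 2>/dev/null | grep -q "\"$2\""
}

# preflight [NAME VALUE]: runs the checks; with NAME and VALUE also confirms a TXT record is live
preflight() {
    rc=0
    v=$(gcloud_version || true)
    if [ -z "$v" ]; then
        echo "FAIL gcloud not found in PATH"; rc=1
    elif version_ge "$v" "$MIN_GCLOUD"; then
        echo "OK   gcloud $v (>= $MIN_GCLOUD, 'dns record-sets create' available)"
    else
        echo "FAIL gcloud $v is older than $MIN_GCLOUD; 'dns record-sets create' was still alpha"; rc=1
    fi
    if hook_present "$ACME_HOME" dns_gcloud; then
        echo "OK   $ACME_HOME/dnsapi/dns_gcloud.sh present"
    else
        echo "FAIL $ACME_HOME/dnsapi/dns_gcloud.sh missing or unreadable"; rc=1
    fi
    if [ $# -eq 2 ]; then
        if txt_published "$1" "$2"; then
            echo "OK   TXT $1 answers with $2"
        else
            echo "FAIL TXT $1 does not (yet) answer with $2"; rc=1
        fi
    fi
    return $rc
}

# Only run the checks when invoked as `sh preflight.sh --run [NAME VALUE]`,
# so the functions can also be sourced and used individually.
case "${1:-}" in
    --run) shift; preflight "$@" ;;
esac
```

Run it on the firewall as `sh preflight.sh --run` after installing or updating the plugins; pass `_acme-challenge.<host>. <value>` as the two extra arguments to confirm that a challenge record has propagated before re-running the issue command. A non-zero exit from `preflight` means the acme.sh run would fail in the same way the post's log shows.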