ACME issuing cert with a local BIND server not succeeding in writing TXT record

Started by scottsdaleaz, April 05, 2025, 06:21:49 PM

I am new to OPNsense and have spent a few hours using Grok and ChatGPT. I have a BIND DNS server on my LAN. ACME is working fine with Azure and the Azure challenge. For a new domain hosted in my BIND, the A records are resolving to the world just fine. From the OPNsense root command line I can write TXT records into BIND on that other BIND server, but the ACME "issue a certificate" step persists in exiting and not writing the TXT file.

Is the correct path of least resistance to add a BIND plugin directly in OPNsense and abandon the use of a dedicated server on my LAN with BIND on Ubuntu?

The shell command returned exit code '1'

AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_nsupdate' --dnssleep '50' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/67dde95bc59958.46853282' --certpath '/var/etc/acme-client/certs/67dde95bc59958.46853282/cert.pem' --keypath '/var/etc/acme-client/keys/67dde95bc59958.46853282/private.key' --capath '/var/etc/acme-client/certs/67dde95bc59958.46853282/chain.pem' --fullchainpath '/var/etc/acme-client/certs/67dde95bc59958.46853282/fullchain.pem' --domain '*.enviroxxxxx.com' --domain 'enviroxxxxx.com' --days '1' --force --keylength '2048' --accountconf '/var/etc/acme-client/accounts/67af8006eb6ec0.25792757_prod/account.conf''

Solved by... hand editing: /var/etc/acme-client/home/dnsapi/dns_nsupdate.sh

The system var NSUPDATE_KEY was retrieving /var/etc/acme-client/configs/67dde95bc59958.46853282//secret.key, but in "Secret Key" I had placed a file on the server and used "/usr/local/etc/acme/acme-update.key". Unsure what the right way to do it was, but:

  # Comment out the dynamic NSUPDATE_KEY lookup
  # NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
  # Hardcode the NSUPDATE_KEY path
  NSUPDATE_KEY="/usr/local/etc/acme/acme-update.key"

Worked.
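Added example (not from the poster or from the acme.sh/OPNsense projects): a pre-flight script that does by hand what acme.sh's dns_nsupdate hook does, so the TSIG key path and the BIND update policy can be checked before running "issue a certificate" again. It reads the same NSUPDATE_SERVER, NSUPDATE_ZONE and NSUPDATE_KEY variables the hook uses; the ns1.example.com / example.com defaults are constructed placeholders, and the key path default is the one from the post. It also refuses a key file that is group- or world-readable, since whoever can read a TSIG secret can rewrite the zone.

```shell
#!/bin/sh
# Pre-flight for acme.sh's dns_nsupdate hook (added example, not part of the post).
# Placeholders: ns1.example.com and example.com are constructed; override them via
# the environment exactly as the hook would see them.
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"
NSUPDATE_ZONE="${NSUPDATE_ZONE:-example.com}"
NSUPDATE_KEY="${NSUPDATE_KEY:-/usr/local/etc/acme/acme-update.key}"

# check_key_file PATH: 0 if the TSIG key file is readable and private (mode x00),
# 1 if missing/unreadable, 2 if group or world can read it.
check_key_file() {
  f="$1"
  [ -r "$f" ] || { echo "key file $f missing or unreadable" >&2; return 1; }
  # GNU stat first, BSD/FreeBSD stat (as on OPNsense) as fallback.
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  [ -n "$perms" ] || return 0   # cannot determine the mode; skip the check
  case "$perms" in
    *00) return 0 ;;
    *) echo "key file $f is group/world readable (mode $perms); chmod 600 it" >&2; return 2 ;;
  esac
}

# nsupdate_batch add|del FQDN VALUE: print the nsupdate commands for one
# _acme-challenge TXT record, in the shape the hook sends to nsupdate.
nsupdate_batch() {
  action="$1"; fqdn="$2"; value="$3"
  printf 'server %s\nzone %s.\n' "$NSUPDATE_SERVER" "$NSUPDATE_ZONE"
  if [ "$action" = "add" ]; then
    printf 'update add %s. 60 TXT "%s"\n' "$fqdn" "$value"
  else
    printf 'update delete %s. TXT\n' "$fqdn"
  fi
  printf 'send\n'
}

# preflight DOMAIN: write a probe TXT record with the TSIG key, confirm the server
# answers with it, then remove it. Returns 0 when the hook should succeed too.
preflight() {
  domain="$1"
  name="_acme-challenge.$domain"
  token="preflight-$(date +%s)"
  check_key_file "$NSUPDATE_KEY" || return 1
  nsupdate_batch add "$name" "$token" | nsupdate -k "$NSUPDATE_KEY" \
    || { echo "nsupdate add rejected: check allow-update/update-policy for this key" >&2; return 1; }
  if dig +short @"$NSUPDATE_SERVER" "$name" TXT | grep -q "$token"; then
    echo "TXT record written and visible on $NSUPDATE_SERVER"
    rc=0
  else
    echo "record accepted but not visible: check zone name and server" >&2
    rc=1
  fi
  nsupdate_batch del "$name" "$token" | nsupdate -k "$NSUPDATE_KEY"
  return $rc
}

# Only touch the DNS server when a domain is given on the command line, so the
# functions above can be sourced and inspected without side effects.
if [ "$#" -ge 1 ]; then
  preflight "$1"
fi
```

Run it as root on the firewall with the domain as argument (for example `NSUPDATE_SERVER=<your BIND IP> ./preflight.sh enviroxxxxx.com`) and it prints whether the add, the lookup and the delete all went through. If it passes but acme.sh still exits 1, the difference is in what the plugin hands the hook (as in the post, the NSUPDATE_KEY path). Note that a hand edit inside the acme.sh home directory is likely to be lost when acme.sh or the plugin is upgraded, so re-run the check after updates.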