I think I'm missing something simple with my Acme Client setup in pfsense. I followed the following steps and I'm getting a TSIG error (note NSUPDATE worked when run by hand).
- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
- Copy secret from Kfw.sample.com.*.key (note this secret has a space in the middle)
- Added the following to named.conf and then restarted named

    key "fw.sample.com." {
        algorithm HMAC-MD5;
        secret "<<secret string from .key file>>";
    };
    zone "sample.com" {
        type master;
        file "dynamic/sample.com";
        allow-update { key fw.sample.com; };
    };

- I then set up an Acme account
- I configured the Domain SAN List like this:
  - Domainname = fw.landsraad.org
  - Method = DNS-NSUpdate
  - Server = DNSServer hostname
  - Key Type = HOST
  - Key Algorithm = HMAC-MS5
  - Key = "<<secret string from .key file>>"
- I click on issue/renew
- I get the following error in the DNS server logs:

    client x.y.z.t#11498: request has invalid signature: TSIG _acme-challenge.fw.sample.com: tsig verify failure (BADKEY)

What piece did I miss, do wrong? If I copy both of the Kfw.sample.com records to a different server, I can run nsupdate by hand and it works.

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
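Added example, not part of the original message: a TSIG-signed update only verifies when client and server agree on the key name, the algorithm and the secret, so this sketch compares the three across the K*.key file, the named.conf key clause and the values typed into the client. The function names and the sample key are constructed for illustration, and the key file is assumed to hold a single `name IN KEY flags proto alg secret` record.

```python
import base64, binascii, re
KEYFILE_ALGS = {157: "hmac-md5"}  # algorithm number in the KEY record -> TSIG algorithm name

def b64(s):
    """Decode base64 after dropping whitespace (the .key file splits the secret with a space)."""
    return base64.b64decode("".join(s.split()), validate=True)

def norm(s):
    return s.lower().rstrip(".").replace(".sig-alg.reg.int", "")  # case, trailing dot, long form

def parse_keyfile(text):
    """Read 'name IN KEY flags proto alg secret...' from a K*.key file."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[1:3] == ["IN", "KEY"]:
            return f[0], KEYFILE_ALGS.get(int(f[5]), "alg-" + f[5]), b64("".join(f[6:]))
    raise ValueError("no KEY record found")

def parse_named_keys(conf):
    """Return {key name: (algorithm, secret bytes)} for each key clause in named.conf text."""
    keys = {}
    for name, body in re.findall(r'\bkey\s+"?([^"\s{;]+)"?\s*\{(.*?)\}\s*;', conf, re.S):
        alg = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body)
        sec = re.search(r'secret\s+"([^"]*)"\s*;', body)
        if alg and sec:
            keys[norm(name)] = (norm(alg.group(1)), b64(sec.group(1)))
    return keys

def check(keyfile, named_conf, client_name, client_alg, client_secret):
    """List every mismatch between the generated key, named.conf and the client settings."""
    kname, kalg, ksecret = parse_keyfile(keyfile)
    server = parse_named_keys(named_conf)
    if norm(client_name) not in server:
        return ["key name not defined on server"]
    salg, ssecret = server[norm(client_name)]
    problems = []
    if norm(client_alg) != salg:
        problems.append("algorithm differs from server")
    try:
        if b64(client_secret) != ssecret:
            problems.append("client secret differs from server")
    except binascii.Error:
        problems.append("client secret is not valid base64")
    if ssecret != ksecret or salg != kalg or norm(kname) != norm(client_name):
        problems.append("server key clause differs from .key file")
    return problems

_S = base64.b64encode(bytes(range(64))).decode()  # constructed sample secret, not real key material
KEYFILE = f"fw.sample.com. IN KEY 512 3 157 {_S[:56]} {_S[56:]}\n"
NAMED = f'key "fw.sample.com." {{ algorithm HMAC-MD5; secret "{_S}"; }};\n'
```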