I think I'm missing something simple with my Acme Client setup in pfSense.
I followed the following steps and I'm getting a TSIG error (note NSUPDATE
worked when run by hand).

   - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
   - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
     the middle)
   - Added the following to named.conf and then restarted named:

        key "fw.sample.com." {
            algorithm HMAC-MD5;
            secret "<<secret string from .key file>>";
        };
        zone "sample.com" {
            type master;
            file "dynamic/sample.com";
            allow-update { key fw.sample.com; };
        };

   - I then set up an Acme account
   - I configured the Domain SAN List like this:
      - Domainname = fw.landsraad.org
      - Method = DNS-NSUpdate
      - Server = DNSServer hostname
      - Key Type = HOST
      - Key Algorithm = HMAC-MD5
      - Key = "<<secret string from .key file>>"
   - I click on issue/renew
   - I get the following error in the DNS server logs:

        client x.y.z.t#11498: request has invalid signature: TSIG
        _acme-challenge.fw.sample.com: tsig verify failure (BADKEY)

What piece did I miss or do wrong? If I copy both of the Kfw.sample.com
records to a different server, I can run nsupdate by hand and it works.


The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
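Two details from the post are worth checking mechanically before touching the ACME side: the .key file carries the base64 secret with a space in it, and the server log names the TSIG key it rejected as _acme-challenge.fw.sample.com while named.conf defines the key as fw.sample.com. Per RFC 8945, BADKEY means the server did not recognise the key name/algorithm pair the client signed with, as distinct from BADSIG, which is returned when the key is known but the MAC does not verify. The following Python helper is an added example, not code from the post, pfSense or acme.sh. The .key file contents are constructed (bytes 0x00..0x3f, not a real key). It joins the whitespace-split secret into the single token BIND and nsupdate expect, checks that it decodes to the stated key length, emits the matching named.conf key clause and nsupdate -y argument, and compares a signed key name against the configured names the way a DNS server does (case-insensitive, trailing dot implied).

```python
"""Check a dnssec-keygen HMAC key before wiring it into an ACME DNS-01 nsupdate hook.

Added example for this thread; not code from the post, pfSense or acme.sh.
SAMPLE_KEY_FILE is constructed, not a real key.
"""
import base64
import binascii
import hmac

# Constructed stand-in for Kfw.sample.com.+157+NNNNN.key as dnssec-keygen writes it.
# 157 is BIND's private-use algorithm number for HMAC-MD5. The secret is bytes
# 0x00..0x3f (64 bytes = 512 bits) and, as in the post, the base64 is split by a space.
SAMPLE_KEY_FILE = (
    "fw.sample.com. IN KEY 512 3 157 "
    "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKiss "
    "LS4vMDEyMzQ1Njc4OTo7PD0+Pw==\n"
)

# BIND private-use KEY algorithm numbers for HMAC keys -> TSIG algorithm names.
HMAC_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 163: "hmac-sha256", 165: "hmac-sha512"}

# TSIG error codes from RFC 8945, section 5.3.1.
TSIG_ERRORS = {
    16: ("BADSIG", "key name/algorithm accepted, but the MAC did not verify"),
    17: ("BADKEY", "server has no key with the name/algorithm the client signed with"),
    18: ("BADTIME", "signed time outside the fudge window; check clocks"),
}


def parse_key_file(text):
    """Return (key_name, tsig_algorithm, secret_b64, key_bits) from a .key file line.

    Everything after the algorithm number is the secret. The fields are joined with
    no separator: the space dnssec-keygen inserts when wrapping the base64 is not
    part of the key, and pasting it verbatim produces a different (invalid) secret.
    """
    fields = text.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "KEY"]:
        raise ValueError("not a dnssec-keygen KEY record")
    alg_num = int(fields[5])
    if alg_num not in HMAC_ALGORITHMS:
        raise ValueError(f"algorithm {alg_num} is not an HMAC TSIG algorithm")
    secret = "".join(fields[6:])
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from None
    return fields[0], HMAC_ALGORITHMS[alg_num], secret, len(raw) * 8


def named_conf_key(name, algorithm, secret):
    """named.conf 'key' clause; the same name must appear in the zone's allow-update."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def nsupdate_y_argument(name, algorithm, secret):
    """Value for nsupdate -y, i.e. algorithm:keyname:secret as one token."""
    return f"{algorithm}:{name}:{secret}"


def same_secret(configured, pasted):
    """True if two copies of the secret are the same key once whitespace is removed."""
    a = "".join(configured.split()).encode()
    b = "".join(pasted.split()).encode()
    return hmac.compare_digest(a, b)


def key_name_known(signed_name, configured_names):
    """True if the name in a TSIG record matches one of the server's configured keys.

    TSIG key names are DNS names: compared case-insensitively, trailing dot implied.
    A miss here is what a server reports as BADKEY rather than BADSIG.
    """
    def norm(n):
        return n.lower().rstrip(".")
    return norm(signed_name) in {norm(n) for n in configured_names}


if __name__ == "__main__":
    name, alg, secret, bits = parse_key_file(SAMPLE_KEY_FILE)
    print(f"{name}: {alg}, {bits}-bit key, one-token secret of {len(secret)} chars")
    print(named_conf_key(name, alg, secret))
    print("nsupdate -y", nsupdate_y_argument(name, alg, secret))
    # The log line in the post names the TSIG key as _acme-challenge.fw.sample.com.
    print("signed name known to server:",
          key_name_known("_acme-challenge.fw.sample.com", [name]))
    code, reason = TSIG_ERRORS[17]
    print(f"{code}: {reason}")
```

Run it with the real K*.key file substituted for SAMPLE_KEY_FILE; if `parse_key_file` raises on base64, the pasted secret was mangled, and if `key_name_known` is False for the name in the server log, the client is signing with a key name the server was never given.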
pfSense mailing list