I replaced the secret with the one that didn't have a space in it. It
continues to fail.

[Sun Aug 6 18:13:10 PDT 2017] adding _acme-challenge.fw.sample.com. 60 in
txt "Ovv8F-OwpeprtA2ZhICx9ct3pWlcGViHvPpTtgFkR8A"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

I have found another issue. When I ran nsupdate by hand, I was using  'zone
sample.com' and then  'update add _acme-challenge.fw.sample.com <<rest of
RR>>' as the new RR. That works fine. If I run nsupdate and set the zone to
fw.sample.com, it fails with an auth error. This is because named is
configured to allow updates for the zone sample.com, and not a zone named
fw.sample.com (but will save RRs in the fw.sample.com domain).

So I tried to change the Domainname in pfSense to sample.com (that is the
domain that I want to update) and it would not take sample.com (I don't
have an A record for sample.com, just for hosts in sample.com).

How do I  get the Acme package to let me update the sample.com zone, to add
the host for _acme-challenge.fw.sample.com? I think I missed a step. This
is for a firewall that I don't want to setup external web access on.


Walter

On Sun, Aug 6, 2017 at 5:48 PM, Jim Pingle <li...@pingle.org> wrote:

> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in
> pfsense.
> > I followed the following steps and I'm get a TSIG error (note NSUPDATE
> > worked when run by hand).
> >
> >
> >    - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> >    - Copy secret from Kfw.sample.com.*.key (note this secret has a space
> in
> >    the middle)
>
> Use the copy of the key from the .private file. It shouldn't have a
> space in it.
>
> Jim P.
>
>


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Reply via email to