I replaced the secret with the one that didn't have a space in it. It continues to fail.
[Sun Aug 6 18:13:10 PDT 2017] adding _acme-challenge.fw.sample.com. 60 in txt "Ovv8F-OwpeprtA2ZhICx9ct3pWlcGViHvPpTtgFkR8A"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

I have found another issue. When I ran nsupdate by hand, I was using 'zone sample.com' and then 'update add _acme-challenge.fw.sample.com <<rest of RR>>' as the new RR. That works fine. If I run nsupdate and set the zone to fw.sample.com, it fails with an auth error. This is because named is configured to allow updates for the zone sample.com, and not a zone named fw.sample.com (but will save RRs in the fw.sample.com domain).

So I tried to change the Domainname in pfSense to sample.com (that is the domain that I want to update) and it would not take sample.com (I don't have an A record for sample.com, just for hosts in sample.com).

How do I get the Acme package to let me update the sample.com zone, to add the host for _acme-challenge.fw.sample.com?

I think I missed a step. This is for a firewall that I don't want to set up external web access on.

Walter

On Sun, Aug 6, 2017 at 5:48 PM, Jim Pingle <[email protected]> wrote:

> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in pfsense.
> > I followed the following steps and I'm getting a TSIG error (note NSUPDATE
> > worked when run by hand).
> >
> > - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> > - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
> >   the middle)
>
> Use the copy of the key from the .private file. It shouldn't have a
> space in it.
>
> Jim P.

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis
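Added example, not part of the original messages or of the pfSense ACME package: a shell sketch of the two points in this thread, reading the TSIG secret from the .private file instead of the space-split .key file, and building an nsupdate batch that names the zone sample.com while adding the record under fw.sample.com. It assumes the file layouts dnssec-keygen writes for HMAC-MD5 keys; the function names and the shortened secret are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample files. The secret is a shortened placeholder
# (a real 512-bit secret is 88 base64 characters), not a real key.
sample_private() {
cat <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: Y29uc3RydWN0ZWQtc2FtcGxl
Bits: AAA=
EOF
}

sample_key() {
cat <<'EOF'
fw.sample.com. IN KEY 512 3 157 Y29uc3RydWN0 ZWQtc2FtcGxl
EOF
}

# Secret from the .private file: the value on the "Key:" line, in one piece.
secret_from_private() {
  awk '$1 == "Key:" { print $2 }'
}

# Secret from the .key file: the KEY record splits long base64 into
# space-separated chunks after flags, protocol and algorithm; rejoin them.
secret_from_key() {
  awk '$3 == "KEY" { s = ""; for (i = 7; i <= NF; i++) s = s $i; print s }'
}

# nsupdate batch that names the zone the server accepts updates for,
# while the record itself sits under a host name inside that zone.
# Arguments: zone, record name, TXT value.
acme_update_batch() {
  printf 'zone %s\nupdate add %s 60 in txt "%s"\nsend\n' "$1" "$2" "$3"
}

# Both files carry the same secret once the .key chunks are rejoined.
p=$(sample_private | secret_from_private)
k=$(sample_key | secret_from_key)
[ "$p" = "$k" ] && echo "same secret in both files: $p"

# By hand, the batch would be piped to nsupdate with the key file, e.g.
#   acme_update_batch sample.com _acme-challenge.fw.sample.com. "$token" \
#     | nsupdate -k Kfw.sample.com.+157+NNNNN.private   (NNNNN: key id placeholder)
acme_update_batch sample.com _acme-challenge.fw.sample.com. "constructed-token"
```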
