Thank you,

To document how I did it for others:

Create your key using dnssec-keygen (use a keysize of 256 to prevent
wrapping/spacing issues).
Note, you must define your key with the exact name that pfSense will use. If
the firewall is named fw.sample.com, the named.conf must look like
something below. Note that one of the leads for BIND's named was also a lead
for sendmail, so this has many of the same issues (I think they were doing
lots of dope in Berkeley when they designed it and have not changed for
compatibility reasons). The names of the keys must match the names of the
zones for this to work. After creating the zone you will need to create NS
records in the fw.sample.com zone so that _acme-challenge.fw.sample.com can
be found. Use rndc freeze fw.sample.com or nsupdate to add these records.

// One TSIG key per zone; the key name must match the zone name exactly.
// The secret is the value from the .private file that dnssec-keygen wrote.
// Note: the option is spelled allow-update (hyphen); allow_update is a
// named.conf syntax error.
key "_acme-challenge.fw.sample.com." {
    algorithm HMAC-MD5;
    secret "<<found in the .private file>>";
};

zone "_acme-challenge.fw.sample.com" {
    type master;
    file "dynamic/_acme-challenge.fw.sample.com";
    allow-update { key "_acme-challenge.fw.sample.com."; };
    notify yes;
};

key "fw.sample.com." {
    algorithm HMAC-MD5;
    secret "<<found in the .private file>>";
};

zone "fw.sample.com" {
    type master;
    file "dynamic/fw.sample.com";
    allow-update { key "fw.sample.com."; };
    notify yes;
};

key "sample.com." {
    algorithm HMAC-MD5;
    secret "<<found in the .private file>>";
};

zone "sample.com" {
    type master;
    file "dynamic/sample.com";
    allow-update { key "sample.com."; };
    notify yes;
};

On Sun, Aug 6, 2017 at 7:05 PM, Jim Pingle <li...@pingle.org> wrote:

>
> On 8/6/2017 9:47 PM, Walter Parker wrote:
> > How do I  get the Acme package to let me update the sample.com
> > <http://sample.com> zone, to add the host for
> > _acme-challenge.fw.sample.com <http://acme-challenge.fw.sample.com>? I
> > think I missed a step. This is for a firewall that I don't want to setup
> > external web access on.
>
> At the moment it only supports host keys, not zone keys. It will need to
> have a key made for that host specifically.
>
> Also, make sure the update-policy for the dynamic zone grants the
> ability to update TXT records specifically, or ANY.
>
> Jim P.
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
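The two nsupdate steps the mail describes (delegating _acme-challenge.fw.sample.com out of the fw.sample.com zone with NS records, and checking that the per-host key is actually allowed to write TXT records, the point Jim raises), as an added example that is not from the original thread. The nameserver ns1.sample.com, the server address 192.0.2.53 and the key file names are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the nsupdate batches for
# the manual steps in the thread. Assumed placeholders: ns1.sample.com,
# 192.0.2.53, and the K*.private key file names (NNNNN is the key id).

# Batch that delegates _acme-challenge.$host to nameserver $ns inside the
# $host zone (the NS records the mail says are needed so the challenge name
# can be found). $master is the primary that accepts dynamic updates.
acme_delegation_batch() {
    host="$1"; ns="$2"; master="$3"
    printf 'server %s\n' "$master"
    printf 'zone %s.\n' "$host"
    printf 'update delete _acme-challenge.%s. NS\n' "$host"
    printf 'update add _acme-challenge.%s. 3600 NS %s.\n' "$host" "$ns"
    printf 'send\n'
}

# Batch that writes and then removes a probe TXT record in the challenge
# zone. If nsupdate reports REFUSED here, allow-update / update-policy for
# the per-host key does not permit TXT (or ANY) and pfSense will fail too.
acme_txt_probe_batch() {
    host="$1"; master="$2"
    printf 'server %s\n' "$master"
    printf 'zone _acme-challenge.%s.\n' "$host"
    printf 'update add _acme-challenge.%s. 60 TXT "probe"\n' "$host"
    printf 'send\n'
    printf 'update delete _acme-challenge.%s. TXT\n' "$host"
    printf 'send\n'
}

# Apply both batches with the matching TSIG key files, then confirm the
# delegation is visible. Run as: sh acme_delegate.sh --run
if [ "${1:-}" = "--run" ]; then
    HOST=fw.sample.com
    MASTER=192.0.2.53
    # key for the fw.sample.com zone (dnssec-keygen names HMAC-MD5 keys +157+)
    acme_delegation_batch "$HOST" ns1.sample.com "$MASTER" \
        | nsupdate -k "K${HOST}.+157+NNNNN.private"
    # per-host key for the _acme-challenge zone, the one pfSense will use
    acme_txt_probe_batch "$HOST" "$MASTER" \
        | nsupdate -k "K_acme-challenge.${HOST}.+157+NNNNN.private"
    dig +short NS "_acme-challenge.${HOST}" @"$MASTER"
fi
```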