On 16/11/2017 10:30, Brian Candler wrote:
Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to
configure this.
I would like either:
- an extra setting for "dynamic update zone", which is appended to the
nsupdate name
- an override for the whole name (i.e. can replace
_acme-challenge.www.foo.com with an arbitrary nsupdate target)
Does this sound reasonable?
FYI, I was able to make it work by manually hacking
/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
+NSUPDATE_SUFFIX=acme.example.net.
- _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+ _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
\"${txtvalue}\""
-update add ${fulldomain}. 60 in txt "${txtvalue}"
+update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
- _info "removing ${fulldomain}. txt"
+ _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
-update delete ${fulldomain}. txt
+update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
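Review bot: the `*...*` around `${NSUPDATE_SUFFIX}` in the four `+` lines look like mail-client emphasis rather than script text; if they are really in the file, nsupdate receives the literal asterisks as part of the record name and the add/delete will fail or hit the wrong name. Also, `NSUPDATE_SUFFIX=acme.example.net.` is hardcoded with a trailing dot and the update lines rely on that dot to keep `${fulldomain}.${NSUPDATE_SUFFIX}` absolute; a value entered without the trailing dot would produce a relative name that nsupdate resolves against the zone origin. Stripping and re-adding the trailing dot in the script, and reading the suffix from the saved settings instead of a constant in the file, would avoid both the silent misbehaviour and the "overwritten by the next update" problem noted below.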
Of course, this will probably be overwritten by some future update :-(
In addition, I had to change the generation of the key name in
acme_inc.sh, to match the key name on the DNS server, otherwise I got
TSIG error "NOTAUTH(BADKEY)".
In my case, the key name on the server is "acme-update", so I changed
this line:
file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
"*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
Being able to override the key name via the GUI would also be helpful.
Cheers,
Brian.
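As an added illustration (not pfSense's or acme.sh's code) of the two GUI options requested above and of the key-name requirement, the POSIX shell below builds the nsupdate input for the challenge TXT record with either an appended zone suffix or a full name override, normalizes the trailing dot so the name is always absolute, and emits the key-file line in the form quoted from acme_inc.sh. The server, hostnames, key name, flags/protocol/algorithm numbers and secret are constructed values.

```shell
#!/bin/sh
# Added example, not pfSense's or acme.sh's code: build the nsupdate input for an
# ACME DNS-01 TXT record whose name is redirected into a separate dynamic-update
# zone, and emit the matching TSIG key-file line. All hostnames, the server, the
# key name and the key material below are constructed for illustration.

# Reduce any number of trailing dots to exactly one, so the record name sent to
# nsupdate is always absolute (a relative name would get the zone origin appended).
normalize_name() {
  printf '%s.' "$(printf '%s' "$1" | sed 's/\.*$//')"
}

# Record name to update.
#   $1 = fulldomain as acme.sh passes it (e.g. _acme-challenge.www.foo.com)
#   $2 = zone suffix to append ("dynamic update zone" option), may be empty
#   $3 = optional override that replaces the whole name, may be empty
update_name() {
  if [ -n "$3" ]; then
    normalize_name "$3"
  elif [ -n "$2" ]; then
    normalize_name "$1.$2"
  else
    normalize_name "$1"
  fi
}

# nsupdate script that adds the challenge TXT record with TTL 60.
# $1 server, $2 fulldomain, $3 suffix, $4 override, $5 txtvalue
nsupdate_add_script() {
  printf 'server %s\nupdate add %s 60 in txt "%s"\nsend\n' \
    "$1" "$(update_name "$2" "$3" "$4")" "$5"
}

# nsupdate script that removes the challenge TXT record again after validation.
# $1 server, $2 fulldomain, $3 suffix, $4 override
nsupdate_delete_script() {
  printf 'server %s\nupdate delete %s txt\nsend\n' \
    "$1" "$(update_name "$2" "$3" "$4")"
}

# One line of the key file in the "<name> IN KEY <flags> <proto> <algo> <secret>"
# form quoted in the mail. The name must equal the key name configured on the
# DNS server, otherwise the update is rejected with NOTAUTH(BADKEY).
# $1 key name, $2 flags, $3 protocol, $4 algorithm number, $5 base64 secret
tsig_key_line() {
  printf '%s IN KEY %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Demo with constructed values; in practice the script text would be piped to
# `nsupdate -k <keyfile>`. The numeric KEY fields are illustrative only.
nsupdate_add_script ns1.example.net _acme-challenge.www.foo.com acme.example.net '' 'CONSTRUCTED-TOKEN'
tsig_key_line acme-update 0 3 157 'Y29uc3RydWN0ZWQtc2VjcmV0'
```

With a suffix of `acme.example.net` the record name becomes `_acme-challenge.www.foo.com.acme.example.net.` regardless of whether the suffix was entered with a trailing dot; with an override set, the suffix is ignored and the override is used verbatim (normalized to one trailing dot).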
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list