On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler <b.cand...@pobox.com> wrote:

> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is appended to the
>> nsupdate name
>> - an override for the whole name (i.e. can replace
>> _acme-challenge.www.foo.com with an arbitrary nsupdate target)
>>
>> Does this sound reasonable?
>>
>
> FYI, I was able to make it work by manually hacking
> /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
>
> +NSUPDATE_SUFFIX=acme.example.net.
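Review bot: `NSUPDATE_SUFFIX=acme.example.net.` is hard-coded into the package script, which is why, as the message itself notes, the next package update will wipe it; a value read from the pfSense configuration (the GUI setting the first message asks for) or from an environment variable would survive upgrades. The trailing dot must be kept: the changed lines below append `${NSUPDATE_SUFFIX}` directly after `${fulldomain}.`, so it is what makes the resulting owner name `_acme-challenge.www.foo.com.acme.example.net.` fully qualified.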
>
> -  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
> +  _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
> \"${txtvalue}\""
>
> -update add ${fulldomain}. 60 in txt "${txtvalue}"
> +update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
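Review bot: the `*` characters around `${NSUPDATE_SUFFIX}` on this line (and on the other three changed lines) look like mail-client emphasis rather than shell; if they are copied into dns_nsupdate.sh literally they become part of the owner name handed to nsupdate, so the file should read `update add ${fulldomain}.${NSUPDATE_SUFFIX} 60 in txt "${txtvalue}"`. This change also only moves where the TXT record is written; the CA still queries `_acme-challenge.www.foo.com`, so that name needs a CNAME pointing at `_acme-challenge.www.foo.com.acme.example.net` for the validation to find the record.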
>
> -  _info "removing ${fulldomain}. txt"
> +  _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
>
> -update delete ${fulldomain}. txt
> +update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
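Review bot: `update delete ${fulldomain}.${NSUPDATE_SUFFIX} txt` carries no record data, so it removes every TXT record at that owner name rather than only the value this run added; that is unchanged from the original line, but it matters when two validations for the same name run concurrently, since the first cleanup deletes the second one's token. The add and delete lines use the same `${fulldomain}.${NSUPDATE_SUFFIX}` expression, so at least they stay consistent with each other.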
>
> Of course, this will probably be overwritten by some future update :-(
>
> In addition, I had to change the generation of the key name in
> acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG
> error "NOTAUTH(BADKEY)".
>
> In my case, the key name on the server is "acme-update", so I changed this
> line:
>
> file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
> "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
>
> Being able to override the key name via the GUI would also be helpful.
>
> Cheers,
>
>
> Brian.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>


IIRC, when I set up the dynamic DNS for the challenge, I set up just the
hostname itself for dynamic DNS.
You can configure just www.foo.com as the zone for dynamic DNS; you don't need
the whole of foo.com to be dynamic DNS. This can make the logistics
simpler.


Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis