I found another way to use DNS01 challenges which doesn't require modifying the pfSense acme package, and doesn't use CNAME records.

Simply, for each <domain> you create a separate zone _acme-challenge.<domain>, with its own TSIG key.  This is a better solution than CNAME into a shared dynamic update zone, because a compromised server can't issue certificates for any domain other than its own.

Step-by-step instructions are below, in case they are useful to anyone else.

Regards, Brian.

-=-=-=-=-

For each certificate that the firewall wants:

1. In the DNS, add an NS record for `_acme-challenge.<domain>` pointing at <your-nameserver>.

2. Create a new TSIG host key named `_acme-challenge.<domain>`

dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST _acme-challenge.<domain>

The only bit you need is the base64 key from K_acme-challenge.<domain>.+157+<random>.key.  Note this and you can delete the K*.key and K*.private files.

3. Create a new zone `_acme-challenge.<domain>` on <your-nameserver>

key "_acme-challenge.<domain>" {
  algorithm hmac-md5;
  secret "<key>";
};
zone "_acme-challenge.<domain>" {
  type master;
  file "/var/cache/bind/_acme-challenge.<domain>";
  masterfile-format text;
  allow-update { key "_acme-challenge.<domain>"; };
};

Ensure that this config snippet is in a separate file only readable by the nameserver (chown bind:bind, chmod 400) and included from the main config.

4. Create a skeleton zone file `/var/cache/bind/_acme-challenge.<domain>` and ensure it is writable by the server (chown bind:bind)

$TTL 60
@ SOA <your-nameserver>. hostmaster.<your-domain>. ( 2000000000 3600 1800 604800 60 )
@ NS <your-nameserver>.

5. Validate and reload server

named-checkconf /etc/bind/named.conf
rndc reload
grep _acme-challenge /var/log/syslog

Then configure the pfSense acme client under Domain SAN List with:

Method: DNS-NSupdate / RFC 2136
Server: <your-nameserver>
Key Type: host key
Key Algorithm: HMAC-MD5
Key: <key>

DNS Sleep: 2

(The sleep assumes you are only pointing at a single nameserver, which is fine for this purpose. In fact you can have a separate nameserver just for ACME challenges, which is unrelated to your main DNS infrastructure)
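Steps 2 to 4 above (per-domain key, key + zone stanza, skeleton zone file) as one added shell script, written here as an illustration and not part of the original post or the pfSense package. It assumes the config snippets go under $OUT_DIR and the zone files under $ZONE_DIR, and draws the 128-bit secret from /dev/urandom instead of dnssec-keygen; the chown bind:bind and the include from the main config are left to the operator.

```shell
#!/bin/sh
# Per-domain _acme-challenge zone generator (added example, not from the post).
# Assumed locations: $OUT_DIR for the key/zone stanza, $ZONE_DIR for zone files.
set -eu

OUT_DIR="${OUT_DIR:-/etc/bind/acme}"
ZONE_DIR="${ZONE_DIR:-/var/cache/bind}"

# 128-bit random secret, base64 encoded, which is the form named expects.
gen_tsig_secret() {
  head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# make_acme_zone DOMAIN NAMESERVER HOSTMASTER_DOMAIN
# Writes $OUT_DIR/_acme-challenge.DOMAIN.conf (mode 400, holds the secret)
# and $ZONE_DIR/_acme-challenge.DOMAIN (skeleton zone), then prints the
# secret once so it can be pasted into the pfSense acme client as "Key".
make_acme_zone() {
  domain="$1"; ns="$2"; hm="$3"
  zone="_acme-challenge.${domain}"
  secret="$(gen_tsig_secret)"
  conf="${OUT_DIR}/${zone}.conf"
  zf="${ZONE_DIR}/${zone}"
  mkdir -p "$OUT_DIR" "$ZONE_DIR"
  umask 077   # nothing created here should be readable by other users
  # The key is scoped to exactly one zone: only this key may update it, and
  # the key name is the zone name, so a leaked key cannot touch other domains.
  # The algorithm must match what the client is configured with (hmac-md5 here).
  cat > "$conf" <<EOF
key "${zone}" {
  algorithm hmac-md5;
  secret "${secret}";
};
zone "${zone}" {
  type master;
  file "${zf}";
  masterfile-format text;
  allow-update { key "${zone}"; };
};
EOF
  chmod 400 "$conf"
  cat > "$zf" <<EOF
\$TTL 60
@ SOA ${ns}. hostmaster.${hm}. ( 2000000000 3600 1800 604800 60 )
@ NS ${ns}.
EOF
  echo "$secret"
}

if [ "$#" -eq 3 ]; then make_acme_zone "$@"; fi
```

Run it once per certificate domain, then `named-checkconf` and `rndc reload` as in step 5.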
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold