Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
Thank you,

To document how I did it for others:

Create your key using dnssec-keygen (use a keysize of 256 to prevent
wrapping/spacing issues).
Note, you must define your key with the exact name that pfSense will use. If
the firewall is named fw.sample.com, the named.conf must look something like
the below. Note that one of the leads for BIND's named was also a lead for
sendmail, so this has many of the same issues (I think they were doing
lots of dope in Berkeley when they designed it and have not changed for
compatibility reasons). The names of the keys must match the names of the
zones for this to work. After creating the key, you will need to create NS
records in the fw.sample.com zone so that _acme-challenge.fw.sample.com can
be found. Use rndc freeze fw.sample.com or nsupdate to add these records.

// TSIG key and dynamic zone for the name the ACME client signs as. The key
// name and the zone name must match exactly (trailing dot included).
key _acme-challenge.fw.sample.com. {
    algorithm HMAC-MD5;
    secret "<>";
};
zone "_acme-challenge.fw.sample.com" {
    type master;
    file "dynamic/_acme-challenge.fw.sample.com";
    allow-update { key _acme-challenge.fw.sample.com.; };
    notify yes;
};

key fw.sample.com. {
    algorithm HMAC-MD5;
    secret "<>";
};
zone "fw.sample.com" {
    type master;
    file "dynamic/fw.sample.com";
    // BIND spells this option allow-update; allow_update is not accepted.
    allow-update { key fw.sample.com.; };
    notify yes;
};

key sample.com. {
    algorithm HMAC-MD5;
    secret "<>";
};
zone "sample.com" {
    type master;
    file "dynamic/sample.com";
    allow-update { key sample.com.; };
    notify yes;
};

On Sun, Aug 6, 2017 at 7:05 PM, Jim Pingle  wrote:

>
> On 8/6/2017 9:47 PM, Walter Parker wrote:
> > How do I  get the Acme package to let me update the sample.com
> >  zone, to add the host for
> > _acme-challenge.fw.sample.com ? I
> > think I missed a step. This is for a firewall that I don't want to setup
> > external web access on.
>
> At the moment it only supports host keys, not zone keys. It will need to
> have a key made for that host specifically.
>
> Also, make sure the update-policy for the dynamic zone grants the
> ability to update TXT records specifically, or ANY.
>
> Jim P.
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
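The setup Walter documents above, together with Jim's point about granting TXT updates, worked into an added example (Python; this is not code from the thread, from pfSense or from the ACME package). It shows why a secret pasted from dnssec-keygen's .key file fails while the .private copy works, renders the BIND key and zone stanzas with a least-privilege update-policy instead of allow-update, and builds the nsupdate input for the challenge record. The name server ns1.sample.com, the token and the .key/.private file contents are assumptions constructed for the example.

```python
"""Added example for this thread (not code from the thread, pfSense or the
ACME package): take a TSIG secret from dnssec-keygen output, render the BIND
key/zone stanzas, and build the nsupdate input the client sends.
Assumptions: ns1.sample.com as the name server; the .key/.private text and
the token are constructed here to mimic dnssec-keygen -a HMAC-MD5 -b 512."""
import base64
import os
import re


def new_tsig_secret(bits=256):
    """Fresh random HMAC secret as one base64 line; 256 bits -> 44 chars,
    short enough to be printed unwrapped (the thread's 'keysize of 256')."""
    if bits % 8 or bits < 128:
        raise ValueError("use a multiple of 8 bits, at least 128")
    return base64.b64encode(os.urandom(bits // 8)).decode()


def secret_from_key_file(text):
    """Secret from the K*.key line '<name> IN KEY <flags> <proto> <alg> <b64>'.
    A long secret prints as space-separated base64 chunks; pasting that line
    verbatim is the 'space in the middle' that named rejects with BADKEY.
    Joining the chunks recovers the single-line secret."""
    fields = text.split()
    return "".join(fields[fields.index("KEY") + 4:])


def secret_from_private_file(text):
    """Secret from K*.private, where 'Key: <b64>' is already one line."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Key:' line in private file")


def validate_secret(secret):
    """Reject whitespace or bad base64 before it reaches named.conf or pfSense."""
    if re.search(r"\s", secret):
        raise ValueError("secret contains whitespace; copy it from the .private file")
    return base64.b64decode(secret, validate=True)


def fqdn(name):
    return name.strip().rstrip(".").lower() + "."


def in_zone(name, zone):
    """True if an owner name is at or below the zone apex."""
    n, z = fqdn(name), fqdn(zone)
    return n == z or n.endswith("." + z)


def named_conf(key_name, zone, host, secret, algorithm="hmac-md5"):
    """key + zone stanzas.  key_name must be the TSIG name the client signs
    with (named logs it: 'TSIG <name>: tsig verify failure (BADKEY)').  The
    grant is least privilege, per Jim's note: TXT at _acme-challenge.<host>
    only, rather than allow-update's whole-zone rights.  (BIND spells the
    broader option allow-update; allow_update is rejected by named-checkconf.)"""
    validate_secret(secret)
    key, z, txt = fqdn(key_name), fqdn(zone), fqdn("_acme-challenge." + host)
    if not in_zone(txt, z):
        raise ValueError(f"{txt} is not inside zone {z}")
    return (
        f'key "{key}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'
        f'zone "{z[:-1]}" {{\n    type master;\n    file "dynamic/{z[:-1]}";\n'
        f"    update-policy {{ grant {key} name {txt} TXT; }};\n    notify yes;\n}};\n"
    )


def nsupdate_script(server, zone, host, token, ttl=60):
    """Stdin for 'nsupdate -k K<key>.+157+<id>.private'.  The zone line must
    name a zone named actually serves: 'zone fw.sample.com' against a server
    that only has sample.com fails with NOTAUTH, as in the thread."""
    txt = fqdn("_acme-challenge." + host)
    if not in_zone(txt, zone):
        raise ValueError(f"{txt} is not inside zone {zone}")
    return "\n".join([f"server {server}", f"zone {fqdn(zone)}",
                      f'update add {txt} {ttl} IN TXT "{token}"', "send", ""])


# Constructed sample files in the shape of dnssec-keygen -a HMAC-MD5 -b 512.
SECRET_512 = base64.b64encode(bytes(range(64))).decode()  # 88 base64 chars
KEY_FILE = f"fw.sample.com. IN KEY 512 3 157 {SECRET_512[:44]} {SECRET_512[44:]}\n"
PRIVATE_FILE = ("Private-key-format: v1.3\nAlgorithm: 157 (HMAC_MD5)\n"
                f"Key: {SECRET_512}\nBits: AAA=\n")

if __name__ == "__main__":
    pasted = " ".join(KEY_FILE.split()[6:])  # what a naive copy from .key yields
    try:
        validate_secret(pasted)
    except ValueError as err:
        print("copied from .key file:", err)
    secret = secret_from_private_file(PRIVATE_FILE)
    assert secret == secret_from_key_file(KEY_FILE)
    print(named_conf("_acme-challenge.fw.sample.com", "sample.com", "fw.sample.com", secret))
    print(nsupdate_script("ns1.sample.com", "sample.com", "fw.sample.com", "constructed-token"))
```

When testing by hand, feed the generated script to nsupdate with -k pointing at the .private file rather than passing the secret with -y, so it stays out of the process list and shell history, then confirm the record with dig TXT _acme-challenge.fw.sample.com @ns1.sample.com. If named logs BADKEY, compare the key name in that log line with the key stanza name character for character before touching the secret.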


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle

On 8/6/2017 9:47 PM, Walter Parker wrote:
> How do I  get the Acme package to let me update the sample.com
>  zone, to add the host for
> _acme-challenge.fw.sample.com ? I
> think I missed a step. This is for a firewall that I don't want to setup
> external web access on.

At the moment it only supports host keys, not zone keys. It will need to
have a key made for that host specifically.

Also, make sure the update-policy for the dynamic zone grants the
ability to update TXT records specifically, or ANY.

Jim P.


Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
I replaced the secret with the one that didn't have a space in it. It
continues to fail.

[Sun Aug 6 18:13:10 PDT 2017] adding _acme-challenge.fw.sample.com. 60 in
txt "Ovv8F-OwpeprtA2ZhICx9ct3pWlcGViHvPpTtgFkR8A"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

I have found another issue. When I ran nsupdate by hand, I was using 'zone
sample.com' and then 'update add _acme-challenge.fw.sample.com <>' as the
new RR. That works fine. If I run nsupdate and set the zone to
fw.sample.com, it fails with an auth error. This is because named is
configured to allow updates for the zone sample.com, and not a zone named
fw.sample.com (but will save RRs in the fw.sample.com domain).

So I tried to change the Domainname in pfSense to sample.com (that is the
domain that I want to update) and it would not take sample.com (I don't
have an A record for sample.com, just for hosts in sample.com).

How do I get the Acme package to let me update the sample.com zone, to add
the host for _acme-challenge.fw.sample.com? I think I missed a step. This
is for a firewall that I don't want to set up external web access on.


Walter

On Sun, Aug 6, 2017 at 5:48 PM, Jim Pingle  wrote:

> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in
> > pfsense. I followed the following steps and I'm getting a TSIG error
> > (note NSUPDATE worked when run by hand).
> >
> >
> >- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
> >- Copy secret from Kfw.sample.com.*.key (note this secret has a space
> >  in the middle)
>
> Use the copy of the key from the .private file. It shouldn't have a
> space in it.
>
> Jim P.
>
>




Re: [pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Jim Pingle
On 8/6/2017 8:03 PM, Walter Parker wrote:
> I think I'm missing something simple with my Acme Client setup in pfsense.
> I followed the following steps and I'm getting a TSIG error (note NSUPDATE
> worked when run by hand).
> 
> 
>- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
>- Copy secret from Kfw.sample.com.*.key (note this secret has a space in
>the middle)

Use the copy of the key from the .private file. It shouldn't have a
space in it.

Jim P.



[pfSense] Acme client - DNS server setup/dns client secret issue.

2017-08-06 Thread Walter Parker
I think I'm missing something simple with my Acme Client setup in pfsense.
I followed the following steps and I'm getting a TSIG error (note NSUPDATE
worked when run by hand).


   - dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
   - Copy secret from Kfw.sample.com.*.key (note this secret has a space in
   the middle)
   - Added the following to named.conf and then restarted named:

     key "fw.sample.com." {
         algorithm HMAC-MD5;
         secret "<>";
     };
     zone "sample.com" {
         type master;
         file "dynamic/sample.com";
         allow-update { key fw.sample.com.; };
     };

   - I then set up an Acme account
   - I configured the Domain SAN List like this:
      - Domainname = fw.landsraad.org
      - Method = DNS-NSUpdate
      - Server = DNSServer hostname
      - Key Type = HOST
      - Key Algorithm = HMAC-MD5
      - Key = "<>"
   - I click on issue/renew
   - I get the following error in the DNS server logs:

     client x.y.z.t#11498: request has invalid signature: TSIG
     _acme-challenge.fw.sample.com: tsig verify failure (BADKEY)

What piece did I miss, do wrong? If I copy both of the Kfw.sample.com
records to a different server, I can run nsupdate by hand and it works.


Walter

