Re: [pfSense] acme package: DNS-nsupdate configurable update zone

2017-11-23 Thread Brian Candler
I found another way to use DNS01 challenges which doesn't require 
modifying the pfSense acme package, and doesn't use CNAME records.


Simply, for each  you create a separate zone 
_acme-challenge., with its own TSIG key.  This is a better 
solution than CNAME into a shared dynamic update zone, because a 
compromised server can't issue certificates for any domain other than 
its own.


Step-by-step instructions are below, in case they are useful to anyone else.

Regards, Brian.

-=-=-=-=-

For each certificate that the firewall wants:

1. In the DNS, add an NS record for `_acme-challenge.` pointing 
at .


2. Create new TSIG host key named `_acme-challenge.`

dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST _acme-challenge.


The only bit you need is the base64 key from 
K_acme-challenge..+157+.key.  Note this and you can 
delete the K*.key and K*.private files.


3. Create new zone `_acme-challenge.` on 

key "_acme-challenge." {
  algorithm hmac-md5;
  secret "";
};
zone "_acme-challenge." {
  type master;
  file "/var/cache/bind/_acme-challenge.";
  masterfile-format text;
  allow-update { key "_acme-challenge."; };
};

Ensure that this config snippet is in a separate file only readable by 
nameserver (chown bind:bind, chmod 400) and included from the main config.


4. Create skeleton zone file `/var/cache/bind/_acme-challenge.` 
and ensure it is writable by server (chown bind:bind)


$TTL 60
@ SOA . hostmaster.. ( 20 3600 1800 604800 60 )

@ NS .

5. Validate and reload server

named-checkconf /etc/bind/named.conf
rndc reload
grep _acme-challenge /var/log/syslog

Then configure the pfSense acme client under Domain SAN List with:

Method: DNS-NSupdate / RFC 2136
Server: 
Key Type: host key
Key Algorithm: HMAC-MD5
Key: 

DNS Sleep: 2

(The sleep assumes you are only pointing at a single nameserver, which 
is fine for this purpose. In fact you can have a separate nameserver 
just for ACME challenges, which is unrelated to your main DNS 
infrastructure)

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
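The server-side part of the steps above (TSIG key, key and zone clauses, skeleton zone file, delegation record) as one script. This is an added example, not Brian's own script and not anything from the pfSense package. It assumes BIND 9 with the per-host snippets appended to a single /etc/bind/acme-zones.conf that named.conf includes, zone files under /var/cache/bind, named running as user "bind", and an hmac-sha256 key with a 32-byte secret from openssl rand instead of the post's hmac-md5 (whatever algorithm is used must match the setting chosen in the pfSense acme client). The function names and the SOA RNAME under the nameserver's own name are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script, not from the pfSense package):
# provision one "_acme-challenge.<host>" zone with its own TSIG key on a
# BIND 9 server, following the per-host scheme described in the post.
# Assumptions: snippets are appended to /etc/bind/acme-zones.conf (included
# once from named.conf), zone files live in /var/cache/bind, named runs as
# user "bind", and the key uses hmac-sha256 (the post used hmac-md5; the
# algorithm must match the pfSense acme client setting).
set -eu

ZONE_DIR="${ZONE_DIR:-/var/cache/bind}"
SNIPPET_FILE="${SNIPPET_FILE:-/etc/bind/acme-zones.conf}"

# Zone name for a host: _acme-challenge.<host> (any trailing dot stripped).
acme_zone() {
    printf '_acme-challenge.%s\n' "${1%.}"
}

# Fresh 256-bit TSIG secret, base64 as named expects it.
new_secret() {
    openssl rand -base64 32
}

# key clause plus a zone clause whose allow-update names only that key,
# so the key cannot touch any other zone on this server.
gen_named_snippet() {
    z=$(acme_zone "$1")
    cat <<EOF
key "$z" {
  algorithm hmac-sha256;
  secret "$2";
};
zone "$z" {
  type master;
  file "$ZONE_DIR/$z";
  masterfile-format text;
  allow-update { key "$z"; };
};
EOF
}

# Skeleton zone: SOA and NS only; the TXT records arrive via dynamic update.
gen_zone_file() {
    z=$(acme_zone "$1"); ns=${2%.}
    cat <<EOF
\$TTL 60
@ SOA $ns. hostmaster.$ns. ( 1 3600 1800 604800 60 )
@ NS $ns.
EOF
}

# Delegation record the parent zone needs (step 1 of the post).
gen_delegation() {
    printf '%s. NS %s.\n' "$(acme_zone "$1")" "${2%.}"
}

# Write everything, reload named, and print the secret for the client.
# Run as root: ./acme-zone.sh install www.foo.com ns1.example.net
install_host() {
    z=$(acme_zone "$1"); secret=$(new_secret)
    umask 077                                  # new files are created 0600
    gen_named_snippet "$1" "$secret" >> "$SNIPPET_FILE"
    chown bind:bind "$SNIPPET_FILE"
    gen_zone_file "$1" "$2" > "$ZONE_DIR/$z"
    chown bind:bind "$ZONE_DIR/$z"             # named must be able to rewrite it
    named-checkconf /etc/bind/named.conf && rndc reload
    printf 'Add to parent zone: %s' "$(gen_delegation "$1" "$2")"
    printf 'pfSense acme key for %s: %s\n' "$z" "$secret"
}

if [ "${1:-}" = install ]; then
    install_host "$2" "$3"
fi
```

Because allow-update names exactly one key and the key is referenced from exactly one zone clause, a leaked key gives an attacker nothing beyond that host's challenge zone, which is the property the post is after.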

Re: [pfSense] acme package: DNS-nsupdate configurable update zone

2017-11-16 Thread Walter Parker
On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler  wrote:

> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is appended to the
>> nsupdate name
>> - an override for the whole name (i.e. can replace _
>> acme-challenge.www.foo.com with an arbitrary nsupdate target)
>>
>> Does this sound reasonable?
>>
>
> FYI, I was able to make it work by manually hacking
> /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
>
> +NSUPDATE_SUFFIX=acme.example.net.
>
> -  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
> +  _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
> \"${txtvalue}\""
>
> -update add ${fulldomain}. 60 in txt "${txtvalue}"
> +update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
>
> -  _info "removing ${fulldomain}. txt"
> +  _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
>
> -update delete ${fulldomain}. txt
> +update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
>
> Of course, this will probably be overwritten by some future update :-(
>
> In addition, I had to change the generation of the key name in
> acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG
> error "NOTAUTH(BADKEY)".
>
> In my case, the key name on the server is "acme-update", so I changed this
> line:
>
> file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
> "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
>
> Being able to override the key name via the GUI would also be helpful.
>
> Cheers,
>
>
> Brian.
>


IIRC, when I set up the dynamic DNS for the challenge, I set up just the
hostname itself for dynamic DNS.
You can configure just www.foo.com as a zone for dynamic DNS; you don't need
the whole of foo.com to be dynamic DNS. This can make the logistics
simpler.


Walter
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


Re: [pfSense] acme package: DNS-nsupdate configurable update zone

2017-11-16 Thread Brian Candler

On 16/11/2017 10:30, Brian Candler wrote:
Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to 
configure this.


I would like either:

- an extra setting for "dynamic update zone", which is appended to the 
nsupdate name
- an override for the whole name (i.e. can replace 
_acme-challenge.www.foo.com with an arbitrary nsupdate target)


Does this sound reasonable?


FYI, I was able to make it work by manually hacking 
/usr/local/pkg/acme/dnsapi/dns_nsupdate.sh


+NSUPDATE_SUFFIX=acme.example.net.

-  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt 
\"${txtvalue}\""


-update add ${fulldomain}. 60 in txt "${txtvalue}"
+update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"

-  _info "removing ${fulldomain}. txt"
+  _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"

-update delete ${fulldomain}. txt
+update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
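Review bot: the asterisks around ${NSUPDATE_SUFFIX} in the four `+` lines are mail emphasis, not shell; pasted as shown they become literal characters in the record name, so `update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"` is sent for a name that does not exist in the zone. The suffix is also hard-coded (`+NSUPDATE_SUFFIX=acme.example.net.`) rather than taken from the package configuration, which is exactly why the change is lost on the next package update; reading it as `NSUPDATE_SUFFIX="${NSUPDATE_SUFFIX:-}"` with an empty default keeps the stock behaviour when unset and leaves a single value for the GUI to supply. Dropping the trailing `.` after ${fulldomain} in favour of the dot-terminated suffix is correct, since the result must be one fully qualified name.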

Of course, this will probably be overwritten by some future update :-(

In addition, I had to change the generation of the key name in 
acme_inc.sh, to match the key name on the DNS server, otherwise I got 
TSIG error "NOTAUTH(BADKEY)".


In my case, the key name on the server is "acme-update", so I changed 
this line:


file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key", 
"*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");


Being able to override the key name via the GUI would also be helpful.

Cheers,

Brian.


[pfSense] acme package: DNS-nsupdate configurable update zone

2017-11-16 Thread Brian Candler

Hi,

I have a feature request which I thought I'd discuss here before 
creating a ticket.


I use Letsencrypt with the DNS01 challenge, so I can get certs for 
internal DNS names which are not reachable over the Internet.


To avoid making all my zones subject to dynamic updates, I use CNAME 
records to point to a single dynamic domain.  Say my dynamic update zone 
is "acme.example.com", but I want to issue a cert for "www.foo.com".  I 
add a CNAME record like this:


    _acme-challenge.www.foo.com.  CNAME 
_acme-challenge.www.foo.com.acme.example.com.


Then I configure the nsupdate request to put the TXT record under 
_acme-challenge.www.foo.com.acme.example.com. instead of 
_acme-challenge.www.foo.com.  When using dehydrated or acme.sh, that's 
just a question of configuring the challenge script properly.


This all works nicely, and is pretty standard: e.g.

https://www.crc.id.au/using-centralised-management-with-lets-encrypt/

Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure 
this.


I would like either:

- an extra setting for "dynamic update zone", which is appended to the 
nsupdate name
- an override for the whole name (i.e. can replace 
_acme-challenge.www.foo.com with an arbitrary nsupdate target)


Does this sound reasonable?

Thanks,

Brian.
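The client side of the CNAME scheme described in this post, as an added example: a dehydrated-style hook that computes the suffixed name under the shared dynamic zone and drives nsupdate against that zone. This is not Brian's hook and not code from acme.sh, dehydrated or the pfSense package. NSUPDATE_ZONE, NSUPDATE_SERVER, NSUPDATE_KEYFILE, DNS_SLEEP and the function names are assumptions; the deploy_challenge/clean_challenge argument order follows dehydrated's hook convention (domain, token filename, token value).

```shell
#!/bin/sh
# Added example (not the post's hook, not acme.sh/dehydrated/pfSense code):
# dehydrated-style hook for the CNAME scheme: the TXT record is written at
# _acme-challenge.<domain>.<NSUPDATE_ZONE> inside the one dynamic zone.
# Assumed settings: NSUPDATE_ZONE (shared update zone), NSUPDATE_SERVER,
# NSUPDATE_KEYFILE (TSIG key file for nsupdate -k), DNS_SLEEP.
set -eu

NSUPDATE_ZONE="${NSUPDATE_ZONE:-acme.example.com}"
NSUPDATE_SERVER="${NSUPDATE_SERVER:-ns1.example.com}"
NSUPDATE_KEYFILE="${NSUPDATE_KEYFILE:-/etc/acme/Kacme-update.private}"

# Where the challenge TXT really lives: the CNAME target in the shared zone.
challenge_target() {
    printf '_acme-challenge.%s.%s.\n' "${1%.}" "${NSUPDATE_ZONE%.}"
}

# The static CNAME that has to exist in the certificate name's own zone.
cname_record() {
    printf '_acme-challenge.%s. CNAME %s\n' "${1%.}" "$(challenge_target "$1")"
}

# nsupdate command stream for one add or delete. The explicit "zone" line
# makes nsupdate refuse the request if the target is outside the shared zone.
nsupdate_input() {
    action=$1; domain=$2; value=${3:-}
    target=$(challenge_target "$domain")
    printf 'server %s\nzone %s.\n' "$NSUPDATE_SERVER" "${NSUPDATE_ZONE%.}"
    case $action in
        add)    printf 'update add %s 60 IN TXT "%s"\n' "$target" "$value" ;;
        delete) printf 'update delete %s TXT\n' "$target" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# dehydrated hook entry points: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    nsupdate_input add "$1" "$3" | nsupdate -k "$NSUPDATE_KEYFILE"
    sleep "${DNS_SLEEP:-2}"        # let the server publish before validation
}
clean_challenge() {
    nsupdate_input delete "$1" | nsupdate -k "$NSUPDATE_KEYFILE"
}

case "${1:-}" in
    deploy_challenge|clean_challenge) cmd=$1; shift; "$cmd" "$@" ;;
esac
```

Run `cname_record www.foo.com` once to get the static record for the name's own zone; after that the hook only ever writes to the shared zone, so that zone's TSIG key is the only credential the client holds. This is also the limitation the follow-up post points out: whoever holds that one key can answer challenges for every name that has such a CNAME.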