Re: [pfSense] acme package: DNS-nsupdate configurable update zone
I found another way to use DNS01 challenges which doesn't require modifying the pfSense acme package, and doesn't use CNAME records. Simply, for each you create a separate zone `_acme-challenge.`, with its own TSIG key.

This is a better solution than a CNAME into a shared dynamic update zone, because a compromised server can't issue certificates for any domain other than its own.

Step-by-step instructions are below, in case they are useful to anyone else.

Regards,

Brian.

-=-=-=-=-

For each certificate that the firewall wants:

1. In the DNS, add an NS record for `_acme-challenge.` pointing at .

2. Create new TSIG host key named `_acme-challenge.`

       dnssec-keygen -r /dev/urandom -a hmac-md5 -b 128 -n HOST _acme-challenge.

   The only bit you need is the base64 key from K_acme-challenge..+157+.key. Note this and you can delete the K*.key and K*.private files.

3. Create new zone `_acme-challenge.` on

       key "_acme-challenge." {
           algorithm hmac-md5;
           secret "";
       };

       zone "_acme-challenge." {
           type master;
           file "/var/cache/bind/_acme-challenge.";
           masterfile-format text;
           allow-update { key "_acme-challenge."; };
       };

   Ensure that this config snippet is in a separate file only readable by the nameserver (chown bind:bind, chmod 400) and included from the main config.

4. Create skeleton zone file `/var/cache/bind/_acme-challenge.` and ensure it is writable by the server (chown bind:bind)

       $TTL 60
       @   SOA   . hostmaster.. ( 20 3600 1800 604800 60 )
       @   NS    .

5. Validate and reload the server

       named-checkconf /etc/bind/named.conf
       rndc reload
       grep _acme-challenge /var/log/syslog

Then configure the pfSense acme client under Domain SAN List with:

    Method:        DNS-NSupdate / RFC 2136
    Server:
    Key Type:      host key
    Key Algorithm: HMAC-MD5
    Key:
    DNS Sleep:     2

(The sleep assumes you are only pointing at a single nameserver, which is fine for this purpose. In fact you can have a separate nameserver just for ACME challenges, which is unrelated to your main DNS infrastructure)

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
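The server-side half of the steps above, as an added example that is not from the post or the pfSense package: a POSIX sh script that emits the key and zone clauses and the skeleton zone file for one hostname, derived from a single string so the key, the allow-update clause and the zone name cannot drift apart. The hostnames, nameserver and hostmaster mailbox are constructed placeholders; the secret comes from /dev/urandom instead of dnssec-keygen, and the default algorithm is hmac-sha256 rather than the post's hmac-md5 (pass hmac-md5 as the third argument of acme_zone_config to match the pfSense "Key Algorithm" setting exactly as the post describes).

```shell
#!/bin/sh
# Added example (not from the post or the pfSense package): generate the
# per-name BIND 9 pieces for one hostname. Names below are placeholders.

# Random base64 TSIG secret (the post uses dnssec-keygen; 32 random bytes
# base64-encoded is an equivalent 256-bit HMAC key).
tsig_secret() {
    if command -v base64 >/dev/null 2>&1; then
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    else
        openssl rand -base64 32
    fi
}

# key + zone clauses for the delegated _acme-challenge zone.
#   $1 hostname the certificate is for (e.g. www.foo.com)
#   $2 base64 TSIG secret
#   $3 TSIG algorithm (post uses hmac-md5; default here is hmac-sha256)
acme_zone_config() {
    zone="_acme-challenge.$1"
    algo="${3:-hmac-sha256}"
    cat <<EOF
key "$zone." {
    algorithm $algo;
    secret "$2";
};

zone "$zone." {
    type master;
    file "/var/cache/bind/$zone.";
    masterfile-format text;
    allow-update { key "$zone."; };
};
EOF
}

# Skeleton zone file: SOA + NS only; the TXT records arrive via nsupdate.
#   $1 hostname  $2 nameserver FQDN  $3 hostmaster mailbox  $4 serial
acme_zone_file() {
    cat <<EOF
\$TTL 60
@   SOA $2. $3. ( $4 3600 1800 604800 60 )
@   NS  $2.
EOF
}

# Write both files into a directory. The config holds the secret, so it
# gets mode 400; in production chown both files to the nameserver user.
#   $1 hostname  $2 nameserver FQDN  $3 hostmaster mailbox  $4 directory
# Prints the path of the config snippet to include from named.conf.
acme_zone_install() {
    host="$1"; ns="$2"; mbox="$3"; dir="$4"
    zone="_acme-challenge.$host"
    secret="$(tsig_secret)"
    acme_zone_config "$host" "$secret" > "$dir/$zone.conf"
    chmod 400 "$dir/$zone.conf"
    acme_zone_file "$host" "$ns" "$mbox" "$(date +%Y%m%d01)" > "$dir/$zone."
    chmod 644 "$dir/$zone."
    echo "$dir/$zone.conf"
}
```

Running `acme_zone_install www.foo.com ns1.example.net hostmaster.example.net /etc/bind/acme` (constructed names) writes `_acme-challenge.www.foo.com.conf` and the skeleton zone file; chown them to the nameserver user, `include` the .conf from named.conf, then run the named-checkconf / rndc reload steps from the post. Because the key name, the zone name and the allow-update clause all come from the same hostname, a client holding one hostname's key can only write records into that hostname's own challenge zone.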
Re: [pfSense] acme package: DNS-nsupdate configurable update zone
On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler wrote:
> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is appended to the
>> nsupdate name
>> - an override for the whole name (i.e. can replace
>> _acme-challenge.www.foo.com with an arbitrary nsupdate target)
>>
>> Does this sound reasonable?
>>
>
> FYI, I was able to make it work by manually hacking
> /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh
>
> +NSUPDATE_SUFFIX=acme.example.net.
>
> - _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
> + _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt
> \"${txtvalue}\""
>
> -update add ${fulldomain}. 60 in txt "${txtvalue}"
> +update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"
>
> - _info "removing ${fulldomain}. txt"
> + _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"
>
> -update delete ${fulldomain}. txt
> +update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt
>
> Of course, this will probably be overwritten by some future update :-(
>
> In addition, I had to change the generation of the key name in
> acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG
> error "NOTAUTH(BADKEY)".
>
> In my case, the key name on the server is "acme-update", so I changed this
> line:
>
> file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
> "*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");
>
> Being able to override the key name via the GUI would also be helpful.
>
> Cheers,
>
> Brian.
>

IIRC, when I set up the dynamic DNS for the challenge, I set up just the hostname itself for dynamic DNS.

You can configure just www.foo.com as a zone for dynamic DNS; you don't need the whole of foo.com to be dynamic DNS. This can make the logistics simpler.

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis
Re: [pfSense] acme package: DNS-nsupdate configurable update zone
On 16/11/2017 10:30, Brian Candler wrote:
> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure this.
>
> I would like either:
>
> - an extra setting for "dynamic update zone", which is appended to the nsupdate name
> - an override for the whole name (i.e. can replace _acme-challenge.www.foo.com with an arbitrary nsupdate target)
>
> Does this sound reasonable?

FYI, I was able to make it work by manually hacking /usr/local/pkg/acme/dnsapi/dns_nsupdate.sh

+NSUPDATE_SUFFIX=acme.example.net.

- _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+ _info "adding ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt \"${txtvalue}\""

-update add ${fulldomain}. 60 in txt "${txtvalue}"
+update add ${fulldomain}.*${NSUPDATE_SUFFIX}* 60 in txt "${txtvalue}"

- _info "removing ${fulldomain}. txt"
+ _info "removing ${fulldomain}.*${NSUPDATE_SUFFIX}* txt"

-update delete ${fulldomain}. txt
+update delete ${fulldomain}.*${NSUPDATE_SUFFIX}* txt

Of course, this will probably be overwritten by some future update :-(

In addition, I had to change the generation of the key name in acme_inc.sh, to match the key name on the DNS server, otherwise I got TSIG error "NOTAUTH(BADKEY)".

In my case, the key name on the server is "acme-update", so I changed this line:

file_put_contents("{$nsupdatefileprefix}_acme-challenge.{$nsupdatedomain}.key",
"*acme-update* IN KEY {$flags} {$proto} {$key_algo} {$nsupdatekey}\n");

Being able to override the key name via the GUI would also be helpful.

Cheers,

Brian.
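Review bot: the `*...*` around `${NSUPDATE_SUFFIX}` in the four `+` lines of the dns_nsupdate.sh change, and around `acme-update` in the file_put_contents line, read as mail-client emphasis rather than shell or PHP; pasted literally they would put `*` characters into the nsupdate owner name and into the key name, so the intended lines are `update add ${fulldomain}.${NSUPDATE_SUFFIX} 60 in txt "${txtvalue}"` and `update delete ${fulldomain}.${NSUPDATE_SUFFIX} txt`, with `acme-update` unadorned in the key file. Two further points: NSUPDATE_SUFFIX and the key name are constants in package-managed files, so (as the message already notes) the next package update discards them, and the GUI settings the message asks for are the right home for both. And because one key name, `acme-update`, is now written for every domain, every certificate request shares a single TSIG identity and a single update zone, so any client holding that key can write a challenge TXT for any name under the suffix zone; that is the trade-off of the shared-zone design compared with a key and zone per hostname.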
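Added example, not the pfSense package's code, for the two things this message changes: the nsupdate owner name and the TSIG key name. It is a POSIX sh script that emits the key-file line in the format the quoted file_put_contents() call writes, the nsupdate batch the patched dns_nsupdate.sh would send (or the unpatched one, when the suffix is empty), and two pre-flight checks: that the client's key name is one the server's named.conf declares (a mismatch is what produces NOTAUTH(BADKEY)), and that the owner name lands inside the zone that accepts updates. The owner-name check applies equally to the CNAME-into-shared-zone arrangement from the original request. Names, secret and config text are constructed placeholders; flags 512 / protocol 3 are what dnssec-keygen -n HOST writes, and the algorithm numbers are dnssec-keygen's (157 is hmac-md5).

```shell
#!/bin/sh
# Added example (not the pfSense package's code): client-side pieces for
# the nsupdate challenge, plus checks for the two failures discussed above.
# All names, secrets and config text here are constructed placeholders.

# dnssec-keygen algorithm number for a TSIG algorithm name.
tsig_algo_number() {
    case "$1" in
        hmac-md5)    echo 157 ;;
        hmac-sha1)   echo 161 ;;
        hmac-sha224) echo 162 ;;
        hmac-sha256) echo 163 ;;
        hmac-sha384) echo 164 ;;
        hmac-sha512) echo 165 ;;
        *) echo "unknown TSIG algorithm: $1" >&2; return 1 ;;
    esac
}

# "NAME IN KEY flags proto algo secret", the format written by the quoted
# file_put_contents() call. 512 = host key, 3 = DNSSEC protocol, which is
# what dnssec-keygen -n HOST produces.
#   $1 key name   $2 algorithm name   $3 base64 secret
acme_keyfile() {
    n="$(tsig_algo_number "$2")" || return 1
    echo "$1 IN KEY 512 3 $n $3"
}

# nsupdate batch for one challenge record, as the patched script sends it:
# owner = ${fulldomain}.${NSUPDATE_SUFFIX}. An empty suffix gives the
# unpatched behaviour (owner = ${fulldomain}.).
#   $1 add|delete  $2 server  $3 fulldomain  $4 suffix (trailing dot)  $5 txt
nsupdate_batch() {
    owner="$3.$4"
    echo "server $2"
    if [ "$1" = add ]; then
        echo "update add $owner 60 in txt \"$5\""
    else
        echo "update delete $owner txt"
    fi
    echo "send"
}

# Check 1: the key name the client signs with must match a key "<name>"
# clause on the server; otherwise the server answers NOTAUTH(BADKEY).
# Trailing dots are ignored on both sides.
#   $1 client key name   $2 server named.conf text
key_name_known() {
    want="${1%.}"
    printf '%s\n' "$2" \
      | sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' \
      | sed 's/\.$//' \
      | grep -qxF "$want"
}

# Check 2: the owner name must sit inside the zone that allows updates.
#   $1 owner name (trailing dot)   $2 update zone (trailing dot)
owner_in_zone() {
    case "$1" in
        "$2"|*".$2") return 0 ;;
        *)           return 1 ;;
    esac
}

# Run both checks for one request and report the outcome.
#   $1 key name  $2 named.conf text  $3 fulldomain  $4 suffix  $5 update zone
preflight() {
    key_name_known "$1" "$2" || { echo "key name '$1' unknown to server (expect BADKEY)"; return 1; }
    owner_in_zone "$3.$4" "$5" || { echo "owner $3.$4 is outside update zone $5"; return 1; }
    echo "ok"
}
```

With the names from this message, `preflight acme-update "$conf" _acme-challenge.www.foo.com acme.example.net. acme.example.net.` prints `ok` once `$conf` contains `key "acme-update" { ... };`, while leaving the key name at the default `_acme-challenge.www.foo.com` reproduces the BADKEY mismatch before nsupdate is ever run.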
[pfSense] acme package: DNS-nsupdate configurable update zone
Hi,

I have a feature request which I thought I'd discuss here before creating a ticket.

I use Letsencrypt with the DNS01 challenge, so I can get certs for internal DNS names which are not reachable over the Internet. To avoid making all my zones subject to dynamic updates, I use CNAME records to point to a single dynamic domain.

Say my dynamic update zone is "acme.example.com", but I want to issue a cert for "www.foo.com". I add a CNAME record like this:

    _acme-challenge.www.foo.com. CNAME _acme-challenge.www.foo.com.acme.example.com.

Then I configure the nsupdate request to put the TXT record under _acme-challenge.www.foo.com.acme.example.com. instead of _acme-challenge.www.foo.com.

When using dehydrated or acme.sh, that's just a question of configuring the challenge script properly. This all works nicely, and is pretty standard: e.g.
https://www.crc.id.au/using-centralised-management-with-lets-encrypt/

Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure this.

I would like either:

- an extra setting for "dynamic update zone", which is appended to the nsupdate name
- an override for the whole name (i.e. can replace _acme-challenge.www.foo.com with an arbitrary nsupdate target)

Does this sound reasonable?

Thanks,

Brian.