Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt.
This section should be on news.freshports.org and you can skip it to get to the real stuff.
Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of:
- host server – A FreeBSD host which contains the other nodes
- database – holds the commits
- mx ingress – mostly deprecated now as FreeBSD moves to git
- ingress – processes the commits into the database
- web – displays the commits to the user
Each of those components is independent but they usually reside on one host, each within a separate jail on the host.
For my proof-of-concept deployment to AWS, I’ve put the database in Amazon RDS.
Also for the AWS POC, I’ll only be doing the host server, and two jails: ingress and web.
Cert creation failure
I went to create a new cert today, as part of my AWS-FreshPorts work. It failed. Names have been changed.
The following shows my cert creation for foo.example.org:
$ acme.sh --issue --dns dns_nsupdate -d foo.example.org [Thu Dec 24 12:48:15 UTC 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory [Thu Dec 24 12:48:15 UTC 2020] Creating domain key [Thu Dec 24 12:48:16 UTC 2020] The domain key is here: /var/db/acme/certs/foo.example.org/foo.example.org.key [Thu Dec 24 12:48:16 UTC 2020] Single domain='foo.example.org' [Thu Dec 24 12:48:16 UTC 2020] Getting domain auth token for each domain [Thu Dec 24 12:48:17 UTC 2020] Getting webroot for domain='foo.example.org' [Thu Dec 24 12:48:17 UTC 2020] Adding txt value: iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y for domain: _acme-challenge.foo.example.org [Thu Dec 24 12:48:17 UTC 2020] adding _acme-challenge.foo.example.org. 60 in txt "iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y" update failed: REFUSED [Thu Dec 24 12:48:17 UTC 2020] error updating domain [Thu Dec 24 12:48:17 UTC 2020] Error add txt for domain:_acme-challenge.foo.example.org [Thu Dec 24 12:48:17 UTC 2020] Please check log file for more details: /var/log/acme.sh.log
Quite clearly, the TXT record was not added.
Looking at my DNS servers, I find:
24-Dec-2020 12:48:17.931 client @0x830f62f68 10.55.0.112#63757/key certs.example.org: updating zone 'example.org/IN': update failed: rejected by secure update (REFUSED)
Before issuing a new certificate, I need to first add a grant for the TXT record for all hostnames which will be present in that certificate. That is one grant per hostname.
This is what I added to my zone files:
+ grant certs.example.org. name _acme-challenge.foo.example.org TXT; + grant certs.example.org. name _acme-challenge.bar.example.org TXT;
I might as well add the grant for the other cert I’ll create later today.
That fixed it.
Change in routine
Here is what I should be doing:
- Create A record, perhaps PTR record too
- add grant
- repeat for any other hostnames in the new cert
- issue new cert