Dec 24 2020

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt.

Context

This section should be on news.freshports.org and you can skip it to get to the real stuff.

Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of:

  • host server – A FreeBSD host which contains the other nodes
  • database – holds the commits
  • mx ingress – mostly deprecated now as FreeBSD moves to git
  • ingress – processes the commits into the database
  • web – displays the commits to the user

Each of those components is independent but they usually reside on one host, each within a separate jail on the host.

For my proof-of-concept deployment to AWS, I’ve put the database in Amazon RDS.

Also for the AWS POC, I’ll only be doing the host server, and two jails: ingress and web.

Cert creation failure

I went to create a new cert today, as part of my AWS-FreshPorts work. It failed. Names have been changed.

The following shows my cert creation for foo.example.org:

$ acme.sh --issue --dns dns_nsupdate -d foo.example.org
[Thu Dec 24 12:48:15 UTC 2020] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Dec 24 12:48:15 UTC 2020] Creating domain key
[Thu Dec 24 12:48:16 UTC 2020] The domain key is here: /var/db/acme/certs/foo.example.org/foo.example.org.key
[Thu Dec 24 12:48:16 UTC 2020] Single domain='foo.example.org'
[Thu Dec 24 12:48:16 UTC 2020] Getting domain auth token for each domain
[Thu Dec 24 12:48:17 UTC 2020] Getting webroot for domain='foo.example.org'
[Thu Dec 24 12:48:17 UTC 2020] Adding txt value: iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y for domain:  _acme-challenge.foo.example.org
[Thu Dec 24 12:48:17 UTC 2020] adding _acme-challenge.foo.example.org. 60 in txt "iBVvRKd8mYvEUEA_QjISfl845RHS1wjmtgy5i2xgK8Y"
update failed: REFUSED
[Thu Dec 24 12:48:17 UTC 2020] error updating domain
[Thu Dec 24 12:48:17 UTC 2020] Error add txt for domain:_acme-challenge.foo.example.org
[Thu Dec 24 12:48:17 UTC 2020] Please check log file for more details: /var/log/acme.sh.log

Quite clearly, the TXT record was not added.

Looking at my DNS servers, I find:

24-Dec-2020 12:48:17.931 client @0x830f62f68 10.55.0.112#63757/key certs.example.org: 
updating zone 'example.org/IN': update failed: rejected by secure update (REFUSED)

Before issuing a new certificate, I need to first add a grant for the TXT record for all hostnames which will be present in that certificate. That is one grant per hostname.

The amendments

This is what I added to my zone files:

+ grant certs.example.org. name _acme-challenge.foo.example.org TXT;
+ grant certs.example.org. name _acme-challenge.bar.example.org TXT;

I might as well add the grant for the other cert I’ll create later today.

That fixed it.

Change in routine

Here is what I should be doing:

  1. Create the A record, and perhaps a PTR record too
  2. Add the grant
  3. Repeat for any other hostnames in the new cert
  4. Issue the new cert
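As an added example (not part of the original post), here is a small POSIX shell pre-flight check for step 2 of that routine: it reads the zone's update-policy block, reports every hostname in the planned cert that still lacks a grant, and prints the exact grant line to add. The key name, file path and hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example: before acme.sh --issue, confirm the nsupdate key is granted a TXT
# record for _acme-challenge.<host> for every hostname in the cert. The policy
# file, key name and hostnames below are constructed assumptions for the demo.

# has_grant FILE KEY HOST -> exit 0 when FILE holds
#   grant KEY name _acme-challenge.HOST TXT;
# Trailing dots on the key and names are ignored, so both spellings match.
has_grant() {
    awk -v key="${2%.}" -v name="_acme-challenge.${3%.}" '
        $1 == "grant" {
            sub(/\.$/, "", $2); sub(/\.$/, "", $4)
            if ($2 == key && $3 == "name" && $4 == name && $5 ~ /^TXT;?$/) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_grants FILE KEY HOST... -> prints each HOST that has no matching grant
missing_grants() {
    _file=$1; _key=$2; shift 2
    for _h in "$@"; do
        if ! has_grant "$_file" "$_key" "$_h"; then
            echo "$_h"
        fi
    done
}

# grant_line KEY HOST -> the update-policy line to add for HOST (one per hostname)
grant_line() {
    echo "grant ${1%.}. name _acme-challenge.${2%.} TXT;"
}

# Constructed sample of a zone's update-policy block, standing in for named.conf.
POLICY_FILE=$(mktemp)
cat > "$POLICY_FILE" <<'EOF'
zone "example.org" {
    update-policy {
        grant certs.example.org. name _acme-challenge.foo.example.org TXT;
        grant certs.example.org. name _acme-challenge.bar.example.org TXT;
    };
};
EOF

KEY=certs.example.org
# A cert for foo, bar and baz: baz has no grant yet, so acme.sh would get REFUSED.
for h in $(missing_grants "$POLICY_FILE" "$KEY" foo.example.org bar.example.org baz.example.org); do
    echo "missing grant for $h; add to update-policy: $(grant_line "$KEY" "$h")"
done
```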