Use of K* file pairs for HMAC is deprecated – acme.sh

On Wednesday Oct 6th, I was greeted by these log messages:

04-Oct-2023 16:44:03.631 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:44:26.787 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:44:30.467 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:44:30.575 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:45:01.272 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:45:01.334 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:45:04.518 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated
04-Oct-2023 16:45:27.501 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated

This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question:

[19:36 certs dan ~] % sudo crontab -l -u acme
44 16 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh  > /dev/null
[19:44 certs dan ~] % 

By the by, I would rather that cronjob be in /usr/local/etc/cron.d/acme – I prefer that approach. One day, I will update the port.

The next part of this article goes into some details which you can skip over. It is not about solving the issue.

In this post:

  • FreeBSD 13.2
  • acme.sh 3.0.6_1 -> 3.0.7 (the error started with the former, and I installed the latter in the interim; the upgrade is not related to the fix)
  • bind-tools-9.18.19
  • bind916-9.16.44

Where are these messages

I found the messages here.

The messages are duplicated here:

[19:53 pkg01 dan ~/ports/head/dns/bind-tools] % grep -r 'file pairs for HMAC is deprecated' *
work/bind-9.18.19/bin/tests/system/nsupdate/tests.sh:    grep "Use of K\* file pairs for HMAC is deprecated" nsupdate.alg-$alg.out > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:	grep "Use of K\* file pairs for HMAC is deprecated" dig.out.md5.legacy > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha1.legacy > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha224 > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha256 > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha384 > /dev/null || ret=1
work/bind-9.18.19/bin/tests/system/tsig/tests.sh:grep "Use of K\* file pairs for HMAC is deprecated" dig.out.sha512 > /dev/null || ret=1

The whole log

Added 2023-10-07 – Today some certs were renewed. I adjusted the cronjob so all the output came to me via email. This is what I got.

[Sat Oct  7 16:44:05 UTC 2023] Skipped freshports.net
[Sat Oct  7 16:44:05 UTC 2023] Renew: 'freshports.org'
[Sat Oct  7 16:44:05 UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Oct  7 16:44:06 UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Oct  7 16:44:06 UTC 2023] Multi domain='DNS:freshports.org,DNS:www.freshports.org'
[Sat Oct  7 16:44:06 UTC 2023] Getting domain auth token for each domain
[Sat Oct  7 16:44:07 UTC 2023] Getting webroot for domain='freshports.org'
[Sat Oct  7 16:44:07 UTC 2023] Getting webroot for domain='www.freshports.org'
[Sat Oct  7 16:44:07 UTC 2023] Adding txt value: WtqL4vsKttBiPkdiakeIDeQoaDvysZuoip6ThyWA for domain:  _acme-challenge.freshports.org
[Sat Oct  7 16:44:07 UTC 2023] adding _acme-challenge.freshports.org. 60 in txt "WtqL4vsKttBiPkdiakeIDeQoaDvysZuoip6ThyWA"
07-Oct-2023 16:44:07.926 /var/db/acme/Kcerts.int.unixathome.org.+165+59977.private: Use of K* file pairs for HMAC is deprecated

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
[Sat Oct  7 16:44:07 UTC 2023] error updating domain
[Sat Oct  7 16:44:07 UTC 2023] Error add txt for domain:_acme-challenge.freshports.org
[Sat Oct  7 16:44:07 UTC 2023] Please check log file for more details: /var/log/acme.sh.log
[Sat Oct  7 16:44:08 UTC 2023] Error renew freshports.org.

Generating new keys

This took me a while to figure out. I went back to my old notes and found:

Keys for this purpose can be generated with dnssec-keygen, which came as part of bind-tools-9.11.1 which I have installed on this server.

EDIT 2020-12-16 When Michael W Lucas admitted that I am the source for everything he writes, it was pointed out, not by one, but two helpful tweets, that the “ability to generate TSIG keys was removed from dnssec-keygen a release or two ago”. Nowadays, you should use tsig-keygen (or ddns-confgen).

Sadly, I did not read that and spent some time trying to locate tsig-keygen and/or ddns-confgen.

Here we go: creating a new key

This is a sample run. This is not the key in use, but it will do for this blog post.

[20:15 certs dan ~] % ddns-confgen -k certs.int.unixathome.org
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "certs.int.unixathome.org" {
	algorithm hmac-sha256;
	secret "soqq06w9G2/Xfqlo1N2aJM2nAZjy4D+nYczw2NYW01o=";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
	grant certs.int.unixathome.org zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>

The following sections will show you what I updated.

~acme/.acme.sh/account.conf

For more information on my certs jail, see acme.sh: getting free SSL certificates – installation configuration on FreeBSD

In ~acme/.acme.sh/account.conf I updated the SAVED_NSUPDATE_KEY parameter.

It was: SAVED_NSUPDATE_KEY='/var/db/acme/Kcerts.int.unixathome.org.+165+59977.key'

I changed it to SAVED_NSUPDATE_KEY='/var/db/acme/certs.int.unixathome.org.key' – this is the keyfile referenced in the output above.

That keyfile contains:

key "certs.int.unixathome.org" {
	algorithm hmac-sha256;
	secret "soqq06w9G2/Xfqlo1N2aJM2nAZjy4D+nYczw2NYW01o=";
};

The permissions look like this:


[20:21 certs dan ~] % sudo ls -l /var/db/acme/certs.int.unixathome.org.key
-rw-r----- 1 root acme 116 Oct 6 20:21 /var/db/acme/certs.int.unixathome.org.key

named changes

I’m running my top-level BIND install as a hidden master (really, it’s just a jail with no public access, from which all my public name servers take their instructions).

That BIND server looks like this when running:

[20:27 dns-hidden-master dan /usr/local/etc/namedb] % ps auwwx | grep named
bind   58984  0.0  0.2 2350452 1129276  -  IsJ  Wed16   0:33.73 /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf
dan    26213  0.0  0.0   12812    2368  5  S+J  20:27   0:00.00 grep named

In that configuration file, there is a line like this:

include "zones.key";

This one file contains all the keys used by this installation. I prefer to keep them all in a file, for ease of use.

In zones.key, I had this:

// for dynamic updates, mostly for Let's Encrypt

key certs.int.unixathome.org {
    algorithm HMAC-SHA512;
    secret "oKm3xj+6etIN+uMoKK8ux1qDSE21+5LZGDQ91Fk3yJpyJpf/p0mB5IUk67s3LpIkmsXoxwCCpSA8EbYx9O2iMW==";
};

Now it contains the same key as shown in the previous section.
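Before restarting named, it is worth confirming that both sides really hold the same key: named answers NOTAUTH(BADKEY) when the key name or algorithm the client presents is not one it has configured, and BADSIG when the name matches but the secret does not. The script below is an added example, not code from this post or from acme.sh or BIND; it assumes POSIX sh with awk, parses the key-file syntax shown above, and builds its own sample files from the two keys quoted in this post.

```shell
# Added example, not code from the post: verify that the TSIG key acme.sh hands to
# nsupdate and the key named loads from zones.key agree, and that the keyfile is not
# readable by others. NOTAUTH(BADKEY) means named has no matching key name/algorithm.

# Read one field from a BIND-style key statement (key "name" { algorithm ..; secret ".."; };).
# Accepts a quoted or unquoted key name and any casing of the algorithm.
key_field() {  # $1 = keyfile, $2 = name | algorithm | secret
    awk -v want="$2" '
        $1 == "key"       && want == "name"      { gsub(/["{]/, "", $2); print $2; exit }
        $1 == "algorithm" && want == "algorithm" { gsub(/;/, "", $2); print tolower($2); exit }
        $1 == "secret"    && want == "secret"    { gsub(/[";]/, "", $2); print $2; exit }
    ' "$1"
}

# Compare the client-side (acme.sh) and server-side (named) key definitions.
# Returns 0 when name, algorithm and secret all agree; mismatches are named, never echoed.
tsig_keys_match() {  # $1 = client keyfile, $2 = server keyfile
    rc=0
    for field in name algorithm secret; do
        c=$(key_field "$1" "$field"); s=$(key_field "$2" "$field")
        if [ -z "$c" ] || [ "$c" != "$s" ]; then
            echo "MISMATCH $field"; rc=1
        fi
    done
    return $rc
}

# Returns 0 when "others" have no permission bits on the keyfile (e.g. 0640 root:acme).
keyfile_is_private() {  # $1 = keyfile
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed samples: the post's new hmac-sha256 key (client) and its old zones.key entry (server).
demo=$(mktemp -d)
cat > "$demo/client.key" <<'EOF'
key "certs.int.unixathome.org" {
    algorithm hmac-sha256;
    secret "soqq06w9G2/Xfqlo1N2aJM2nAZjy4D+nYczw2NYW01o=";
};
EOF
cat > "$demo/zones.key" <<'EOF'
key certs.int.unixathome.org {
    algorithm HMAC-SHA512;
    secret "oKm3xj+6etIN+uMoKK8ux1qDSE21+5LZGDQ91Fk3yJpyJpf/p0mB5IUk67s3LpIkmsXoxwCCpSA8EbYx9O2iMW==";
};
EOF
chmod 0644 "$demo/client.key"   # deliberately too open, so the permission check fires

tsig_keys_match "$demo/client.key" "$demo/zones.key" || echo "fix zones.key before restarting named"
keyfile_is_private "$demo/client.key" || echo "$demo/client.key is readable by others"
```

Run as-is it reports the algorithm mismatch between the old zones.key entry and the new key, plus the over-permissive mode; point the two functions at the real account.conf keyfile and zones.key to check a live setup.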

After making that change, I restarted named:

[20:45 dns-hidden-master dan /usr/local/etc/namedb] % sudo service named restart
Stopping named.
Waiting for PIDS: 58984.
Starting named.

Now I wait and see what comes when the next certs update.
