I think I'm missing something simple with my Acme Client setup in pfSense.
I followed the steps below and I'm getting a TSIG error (note NSUPDATE
worked when run by hand).
- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
- Copy secret from Kfw.sample.com.*.key (note this secret has a space in
  the middle)
- Added the following to named.conf and then restarted named:

    key "fw.sample.com." {
        algorithm HMAC-MD5;
        secret "<<secret string from .key file>>";
    };
    zone "sample.com" {
        type master;
        file "dynamic/sample.com";
        allow-update { key fw.sample.com; };
    };
- I then set up an Acme account
- I configured the Domain SAN List like this:
    Domainname = fw.landsraad.org
    Method = DNS-NSUpdate
    Server = DNSServer hostname
    Key Type = HOST
    Key Algorithm = HMAC-MD5
    Key = "<<secret string from .key file>>"
- I click on issue/renew
- I get the following error in the DNS server logs:

    client x.y.z.t#11498: request has invalid signature: TSIG _acme-challenge.fw.sample.com: tsig verify failure (BADKEY)
What piece did I miss or do wrong? If I copy both of the Kfw.sample.com
records to a different server, I can run nsupdate by hand and it works.
Walter
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
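The error codes in a "tsig verify failure" log line are worth reading literally, because a TSIG verifier (RFC 8945) runs three separate checks and reports which one failed: BADKEY means the server found no key whose name and algorithm match the ones carried in the request's TSIG record, and it reports that before it ever computes an HMAC; BADSIG means the key was found but the MAC did not match (wrong secret bytes, or a message altered in transit); BADTIME means the signature was fine but the timestamp fell outside the fudge window. The following is an added example, not BIND's or pfSense's code, that models sign-and-verify the way RFC 8945 lays it out, over a constructed stand-in for a DNS UPDATE message and a constructed secret written with a space in the middle the way a 512-bit secret in a K*.key file is. It shows the three outcomes side by side, including the case where the client presents a key name that is not the one declared in named.conf.

```python
"""Simplified TSIG (RFC 8945) sign/verify model.

Added example: not BIND's or pfSense's code. The message bytes, the key name
and the secret are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import struct

# TSIG error codes (RFC 8945 section 3.2)
BADSIG, BADKEY, BADTIME = 16, 17, 18

# Algorithm names as carried in the TSIG record (RFC 8945 section 6)
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha256.": hashlib.sha256,
}


def canonical_name(name):
    """Lower-case absolute form; DNS names, including TSIG key names, compare case-insensitively."""
    return name.lower().rstrip(".") + "."


def wire_name(name):
    """DNS wire format: length-prefixed labels followed by the zero-length root label."""
    labels = [l for l in canonical_name(name).split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_secret(text):
    """The secret in a K*.key / K*.private file is base64; a long secret is often
    written with a space in it, which must be ignored rather than copied verbatim."""
    return base64.b64decode("".join(text.split()))


def tsig_variables(key_name, alg_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3): key name,
    class ANY (255), TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + wire_name(alg_name)
            + struct.pack("!Q", time_signed)[2:]          # low 48 bits of the timestamp
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret, alg_name, message, key_name, time_signed, fudge):
    """HMAC over the whole request followed by the TSIG variables."""
    digestmod = ALGORITHMS[canonical_name(alg_name)]
    data = message + tsig_variables(key_name, alg_name, time_signed, fudge)
    return hmac.new(secret, data, digestmod).digest()


def sign(secret, key_name, alg_name, message, now, fudge=300):
    """Client side: the TSIG fields a signer appends to the message."""
    return {"key_name": key_name, "alg": alg_name, "time": now, "fudge": fudge,
            "mac": tsig_mac(secret, alg_name, message, key_name, now, fudge)}


def verify(keyring, message, tsig, now):
    """Server side, checks in the order RFC 8945 section 5.2 prescribes.
    keyring maps canonical key name -> (algorithm name, secret bytes).
    Returns None on success, otherwise the TSIG error code."""
    entry = keyring.get(canonical_name(tsig["key_name"]))
    if entry is None or canonical_name(entry[0]) != canonical_name(tsig["alg"]):
        return BADKEY      # no key by that name/algorithm; the MAC is never computed
    alg_name, secret = entry
    expected = tsig_mac(secret, alg_name, message, tsig["key_name"], tsig["time"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG      # key found, MAC mismatch: wrong secret or altered message
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return BADTIME     # outside the replay window
    return None


def demo():
    """Constructed scenario: the server declares one key; the client tries three variants."""
    raw = base64.b64encode(b"constructed-secret-bytes-for-this-example-only").decode()
    secret_file_text = raw[:20] + " " + raw[20:]          # mimics the space seen in K*.key
    secret = decode_secret(secret_file_text)
    alg = "hmac-md5.sig-alg.reg.int"
    server_keyring = {canonical_name("fw.sample.com"): (alg, secret)}   # the named.conf key
    # Constructed stand-in for a DNS UPDATE request (header + zone section), not a real packet
    message = b"\x12\x34\x28\x00\x00\x01\x00\x00\x00\x01\x00\x00" + wire_name("sample.com") + b"\x00\x06\x00\x01"
    now = 1_700_000_000

    # 1. Client names the key after the record it updates instead of the declared key name
    r_wrong_name = verify(server_keyring, message,
                          sign(secret, "_acme-challenge.fw.sample.com", alg, message, now), now)
    # 2. Declared key name and the decoded secret
    r_ok = verify(server_keyring, message,
                  sign(secret, "fw.sample.com.", alg, message, now), now)
    # 3. Right key name, wrong secret bytes
    r_wrong_secret = verify(server_keyring, message,
                            sign(b"not-the-real-secret", "fw.sample.com", alg, message, now), now)
    return r_wrong_name, r_ok, r_wrong_secret


if __name__ == "__main__":
    names = {None: "NOERROR", BADSIG: "BADSIG", BADKEY: "BADKEY", BADTIME: "BADTIME"}
    for label, code in zip(("wrong key name", "matching key", "wrong secret"), demo()):
        print(f"{label:15s} -> {names[code]}")
```

Running the script prints BADKEY for the mismatched key name, NOERROR for the matching key, and BADSIG for the wrong secret. When a client and `nsupdate -k` behave differently against the same named.conf, comparing the key name each one puts in its TSIG record (the name BIND prints after "TSIG" in the log) against the `key "..."` statement is the check that separates a BADKEY from a BADSIG problem.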