nsupdate Issues

Discussion in 'Server Operation' started by maverickws, Oct 25, 2018.

Tags:
  1. maverickws

    maverickws New Member

    Hi,
    I have an ISPConfig server setup serving DNS for our org domain.
    We also have a pfSense FW using ACME to generate certificates.

    I'm setting up the nsupdate method, but I can't get it to work.
    On the firewall I get:

    Code:
    [Thu Oct 25 14:38:15 WEST 2018] adding _acme-challenge.host.domain.tld. 60 in txt "lorem ipsum and something else"
    update failed: SURVEIL
    [Thu Oct 25 14:38:15 WEST 2018] error updating domain
    [Thu Oct 25 14:38:15 WEST 2018] Error add txt for domain:_acme-challenge.host.domain.tld
    On the server I get this:

    Code:
    Oct 25 14:38:15 de-pri named[13550]: client 1.2.3.4#46265/key keyname: signer "keyname" approved
    Oct 25 14:38:15 de-pri named[13550]: client 1.2.3.4#46265/key keyname: updating zone 'domain.tld/IN': adding an RR at '_acme-challenge.host.domain.tld' TXT
    Oct 25 14:38:15 de-pri named[13550]: dns_dnssec_findzonekeys2: error reading private key file domain.tld/NSEC3RSASHA1/54044: permission denied
    Oct 25 14:38:15 de-pri named[13550]: dns_dnssec_findzonekeys2: error reading private key file domain.tld/NSEC3RSASHA1/9873: permission denied
    Oct 25 14:38:15 de-pri named[13550]: client 87.103.127.114#46265/key keyname: updating zone 'domain.tld/IN': found no active private keys, unable to generate any signatures
    Oct 25 14:38:15 de-pri named[13550]: client 87.103.127.114#46265/key keyname: updating zone 'domain.tld/IN': RRSIG/NSEC/NSEC3 update failed: not found
    I believe this is an ISPConfig issue. Also, as I added to named.conf.local the key

    Code:
    key "keyname" {
    algorithm ...;
    secret ...;
    };
    But I have a feeling if I go to the DNS Panel on ISPConfig this is going to be overwritten.
    I need some help for direction on a solution or workaround. Thanks.
     
  2. maverickws

    maverickws New Member

    P.S. - It does get overwritten, just by navigating to "DNS" and selecting the zone.
    Each time I go to this section, the named.conf.local with the key is overwritten.
     
  3. ahrasis

    ahrasis Well-Known Member

    I do not think that is an ISPConfig issue as it is using database to update a domain zone file and nsupdate is not directly supported by ISPConfig.

    I think in order to use nsupdate, you may need to resync bind for that domain to update its zone serial and for that you may try to use a resync tool.

    You can try reading through a thread relating it in here though it may not directly related as it is using certbot.

    And if you are using acme.sh by neilpang, you may try to use ispconfig dns plugin instead of nsupdate but it is complicated.
     
  4. maverickws

    maverickws New Member

    I am getting mixed feelings about this.
    bc what I am reading is this piece of software isn't compliant with RFC 2136, and this is very disturbing.
    What I am currently considering is to create two vm's and setup bind on them manually, disabling the ISPConfig DNS. Which is a shame...
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  6. maverickws

    maverickws New Member

    So I can't automate creating certificates for other services bc ISPConfig DNS doesn't support an RFC on DNS, but your position on it is suggesting I'm saying "stupid things"?
    Stupid things is having a DNS service that denies its users of implementing features. I guess ppl who wrote that document were just bored. Stupid things is what comes our of your mouth. And "Good enough" is what, your moto?

    I'm trying not to be too rude, but stupid people do make it hard sometimes.
     
  7. maverickws

    maverickws New Member

    No, I have DNS setup. My goal is to be able to automate certificate creation on two pfSense firewalls that use the nsupdate RFC 2136 method to create the certificates.
    Since ISPConfig doesn't support it, I will have to create another authoritative server.
    Simply it's a shame that this is so. It is a useful feature.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Must you create the certificates on that pfsense? I let ISPConfig create Let's Encrypt certificates and use scrips by @ahrasis to copy the certificates to postfix, dovecot and pure-ftp.
     
    ahrasis likes this.
  9. maverickws

    maverickws New Member

    @Taleman

    I have a number of other services on the network which are not related to ISPConfig nor have to.
    ISPConfig is used for simple management of webspace and email and dns for some public pages.

    We have systems that require nsupdate to generate a txt key and validate the domain so the certificate can be issued.
    It would be outermost simple if it wasn’t for ISPConfig limitation.
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Those are not Let's Encrypt certificates? Then I guess you are right, you have to get them some other way.
     
  11. maverickws

    maverickws New Member

    what is not Let's Encrypt certificates? I am solely using Let's Encrypt certificates.
    ISPConfig, AFAIK, has absolutely nothing to do with LE, it can use these as any others, plus what has been developed for ISPConfig was not done by ISPC's staff.
    nsupdate is not a let’s encrypt certificate. nsupdate is a documented functionality that is blocked by ISPConfig god figures why.
     
    Last edited: Oct 29, 2018
  12. edooze

    edooze Member

    Did you ever get this to work? I'm using a similar system, and know exactly what you mean when you talk about the setup.
    I saw a ftp option when browsing through the choices - thought this might work with the ISPC system in a DMZ - but I haven't had a chance to look further, so may be misunderstanding how it works.

    Would appreciate your insight.
     
  13. ahrasis

    ahrasis Well-Known Member

    I am not sure whether the brilliant guy was successful but as I said before, nsupdate is not blocked by ISPConfig but it is not directly supported. ISPConfig uses its main database and php to fully manage its dns server, as such, some modifications are needed if one wants to add such features.

    I personally am using LE dns validation for websites on my web server too, but since my dns server is CloudFlare and it is fully supported by official LE client - certbot, I don't have problem in creating LE SSL certs for my websites.

    I did share this in Create Lets Encrypt SSL Certs via Certbot DNS Validation in Acme v02 thread together with some rough ideas to update it using RFC 2136 which ideas I have taken from certbot documentation site.

    In any event, Neilpang acme.sh will be supported in the coming ISPConfig version 3.2 which hopefully will also add support to RFC 2136 altogether.
     

Share This Page