Problem with domain validation - DNS-01, opnsense with bind #3735
Comments
I'll look into it. Did you format the JSON string? Because for me, it looks like there are more white spaces than I get. Maybe I just have to relax the regex.
I didn't format it additionally. It is copy/paste from the log.
I also see that you ask acme to create an acme DNS entry for aaa.test.pl, but the configured domain in opnsense looks like it is only test.pl. Did you create a dedicated (sub)zone aaa.test.pl? No promise to look into it sooner.
Yes, the subzone is aaa.test.pl. I will leave some info here if I look into it on the weekend.
Update for opnsense regards to error in acmesh-official#3735
Is there anything new to this?
Do a test run with the MR #3764. I only have subdomains and need domain-alias mode on my opnsense boxes. I just registered a new domain for testing, but am not sure if I can do the test today.
Sorry but that's too much for me...
Update for opnsense regards to error in #3735
Something new to this problem?
Because the MR is merged, it should be fixed. I worked on some other fixes to also fix the CI check, but ran into problems with the Solaris check. I haven't had time to look into that. But this can be closed in my opinion.
I updated OPNsense to 21.1.1 today... My log shows the following: Sorry for the dumb question..
Debugging this myself, it looks like the opnsense bind API has changed again. Seems to be a pretty fragile 270-character shell/grep regex to blame, due to the new section in the domains response: "transferkeyalgo":{"":{"value":"none","selected":true} I'll get a hack working for it, but I wonder if there's any guidance on better JSON parsing in acme? A standard JSON parser wouldn't have these problems.
Working against os-bind 1.19. This will break again without a proper fix / JSON parser.
Fix using jq:
I'm testing it right now, maybe I will submit a PR later.
Thanks @SBado, I had to modify your jq alternative a bit, because it failed when there are multiple domains in the

```sh
_get_root() {
  domain=$1
  i=2
  p=1
  if _opns_rest "GET" "/domain/get"; then
    _domain_response="$response"
  else
    return 1
  fi
  while true; do
    # candidate zone: strip the leading labels one at a time
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      # not valid: ran out of labels without finding a configured zone
      return 1
    fi
    _debug h "$h"
    # select the zone uuid whose domainname equals the candidate; use the saved,
    # quoted response so whitespace in the JSON is not mangled by word splitting
    id=$(printf "%s" "$_domain_response" | jq --arg h "$h" -r '.domain.domains.domain | with_entries(select(.value.domainname == $h)) | to_entries[] | .key')
    if [ -n "$id" ]; then
      _debug id "$id"
      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="${h}"
      _domainid="${id}"
      return 0
    fi
    p=$i
    i=$(_math $i + 1)
  done
  _debug "$domain not found"
  return 1
}
```

Important note for OPNsense users: You'll have to install the

    sudo pkg install jq

EDIT 2022-06-24: Reason: Due to this, domain validation fails, despite the /var/log/acme.sh.log
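An added check, not code from the issue or from acme.sh, that exercises the same jq-based zone lookup against a constructed /api/bind/domain/get response containing the newer "transferkeyalgo" section and both the parent zone and the aaa.test.pl sub-zone discussed above. It assumes jq is installed (as the note above requires) and uses a made-up uuid for the sub-zone; the _opns_rest call is replaced by the embedded sample.

```sh
#!/bin/sh
# Constructed sample of the domains response (not captured from a real box):
# the parent zone from the issue plus an aaa.test.pl sub-zone with a made-up
# uuid, both carrying the "transferkeyalgo" key that broke the grep regex.
DOMAINS_JSON='{"domain":{"domains":{"domain":{
 "19b51657-5206-4a1f-a0a6-98b7eab8eb51":{"enabled":"1","domainname":"test.pl",
   "transferkeyalgo":{"":{"value":"none","selected":true}}},
 "0000aaaa-0000-0000-0000-000000000001":{"enabled":"1","domainname":"aaa.test.pl",
   "transferkeyalgo":{"":{"value":"none","selected":true}}}}}}}'

# zone_id_for_name JSON NAME: print the uuid of the zone whose domainname is NAME.
# A real JSON parser ignores unrelated keys, so new API fields cannot break it.
zone_id_for_name() {
  printf '%s' "$1" | jq -r --arg h "$2" \
    '.domain.domains.domain | to_entries[] | select(.value.domainname == $h) | .key'
}

# find_zone JSON FQDN: print "<zone-id> <zone> <host>" for the longest configured
# zone that is a suffix of FQDN (so aaa.test.pl is tried before test.pl).
find_zone() {
  json=$1; fqdn=$2; i=2; p=1
  while :; do
    h=$(printf '%s' "$fqdn" | cut -d . -f "$i"-100)
    [ -z "$h" ] && return 1   # ran out of labels: no configured zone matched
    id=$(zone_id_for_name "$json" "$h")
    if [ -n "$id" ]; then
      host=$(printf '%s' "$fqdn" | cut -d . -f 1-"$p")
      printf '%s %s %s\n' "$id" "$h" "$host"
      return 0
    fi
    p=$i; i=$((i + 1))
  done
}

# Sub-zone wins over the parent; a host under the parent only falls back to it.
find_zone "$DOMAINS_JSON" "_acme-challenge.aaa.test.pl"
find_zone "$DOMAINS_JSON" "_acme-challenge.www.test.pl"
```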
I've edited by hand and installed the jq package to test it too.
I have slightly updated the
I completely forgot about this issue (and my fix)! I updated OPNsense the other day and now here I am again.
Sorry for the late response. I already had a better regex, but I had problems with the test workflow on some platforms. I now found a regex which works on all platforms.
As the PR got merged this issue can be closed now I think. @wacki4 can you close this issue/mark it as resolved?
OPNsense still has the old acme client - the new change cannot connect to the current version of the Bind server. I will check everything when the correct client is available.
The fix has been integrated into the new 3.0.5 release. Currently OPNsense only delivers version 3.0.4_2. You/we have to wait until the new release arrives in their update repos.
I have seen it - for now I manually edited the files with the jq extension delivered here. When a new version is available, I will update opnsense and check if everything works OK.
Confirmed - all works great on 22.7.11_1.
Hi!
I'm trying to validate my subdomain with DNS-01 using the opnsense acme plugin and bind.
My DNS works without a problem - it is available from outside, and returns correct IP addresses for the entries which I made.
But I cannot generate a certificate because of the error: "invalid domain".
I found out that it is returned by acme.sh/dnsapi/dns_opnsense.sh .
Running /api/bind/domain/get I got in return:

```json
{
  "domain": {
    "domains": {
      "domain": {
        "19b51657-5206-4a1f-a0a6-98b7eab8eb51": {
          "enabled": "1",
          "type": { "master": { "value": "master", "selected": 1 }, "slave": { "value": "slave", "selected": 0 } },
          "masterip": { "": { "value": "", "selected": 1 } },
          "allownotifyslave": { "": { "value": "", "selected": 1 } },
          "domainname": "test.pl",
          "allowtransfer": { "": { "value": "none", "selected": 0 }, "7ff76356-1da2-45bd-a733-52fe959f2518": { "value": "all", "selected": 1 } },
          "allowquery": { "": { "value": "none", "selected": 0 }, "7ff76356-1da2-45bd-a733-52fe959f2518": { "value": "all", "selected": 1 } },
          "serial": "2110031633",
          "ttl": "86400",
          "refresh": "21600",
          "retry": "3600",
          "expire": "3542400",
          "negative": "3600",
          "mailadmin": "admin.test.pl",
          "dnsserver": "ns.test.pl"
        }
      }
    }
  }
}
```

And this is my log where the problem occurs:
Plugin in opnsense is running on version 3.2