Cannot get nsupdate to work (for letsencrypt acme.sh client)

Brett Delmage Brett at BrettDelmage.ca
Wed Aug 5 03:12:54 UTC 2020


On Wed, 5 Aug 2020, Mark Andrews wrote:

> Your key name usage is not consistent.  acmesh-ottawatch != ottawatch-acmesh

Thank you! Fixed and working.

> Why are you adding `check-names warn;`?  check-names does NOT apply to TXT
> records.

Previously I was getting the error "bad owner name (check-names)".

So a search for that error led me to this page
https://linux.m2osw.com/setting-bind-get-letsencrypt-wildcards-work-your-system-using-rfc-2136

which states

"The check-names option is required in case the name letsencrypt adds 
_acme-challenge to your list of known sub-domains. The underscore 
character is not liked by BIND9. This is because it is not part of the 
domain name specification. It is not allowed at all. By default BIND will 
generate an error and log it and skip over that entry entirely (i.e. it 
will not serve that zone at all, albeit all the other zones will work just 
fine.)

You can also set this parameter to ignore. In that case, no warning is 
emitted in your logs.

Here is the error you get ("bad owner name") when a name uses characters 
that are not supposed to be used in a domain name:

09-Feb-2019 03:02:31.988 general: error:
            /var/lib/bind/restarchitect.com.zone:31:
           _acme-challenge.restarchitect.com:
           bad owner name (check-names)

The check-names option is currently the only way to fix this problem (i.e. 
you can't use an escape for that one specific letter.)"

-----------------------------------

Is this incorrect? My same error went away when I added it. I certainly 
was not familiar with the option earlier.

I am running BIND 9.16.5 from Ondřej's PPA for Ubuntu 18.04

That page's "Create and Setup an HMAC Key" uses dnssec-keygen to create 
the dynamic key, which I understand has been deprecated in newer versions. 
Is that correct? (as I mentioned, I used ddns-confgen.)


> Thanks for full details.

Thank you for looking at them!

Often, preparing a complete help request helps me see something I am 
overlooking that is incorrect, so then I don't need to send a help plea 
and look like an idiot. Just not in this report, although an earlier 
version led me to seeing another problem, which was good.

Brett

>
>
>
> Mark
>
>> On 5 Aug 2020, at 08:44, Brett Delmage <Brett at BrettDelmage.ca> wrote:
>>
>> I'm having a problem getting nsupdate to work, as shown below.
>>
>> (Despite reading the man pages I'm not 100% clear about the exact scope of the grant options and it may not be right. Examples would be helpful.)
>>
>> I generated the key:
>>
>> ddns-confgen -k acmesh-ottawatch. -z ottawatch.ca
>> # To activate this key, place the following in named.conf, and
>> # in a separate keyfile on the system or systems from which nsupdate
>> # will be run:
>> key "acmesh-ottawatch." {
>>        algorithm hmac-sha256;
>>        secret <deleted>;
>> };
>>
>> - this is included in my named.conf
>> My config file zone entry has the statements
>>
>> check-names warn;
>> update-policy {  grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt;  };
>> to permit the update and limit the scope.
>>
>> As I understand, I need check-names (warn | ignore) because _acme-challenge has an underscore. (How the heck did LE come up with an incompatible name?)
>>
>>
>> Here's my nsupdate script:
>> # cat test-acme
>>
>> server cacloud.ottawatch.ca
>> zone ottawatch.ca
>> debug
>> update add _acme-challenge.ottawatch.ca. 999 TXT "test 1"
>> send
>>
>>
>> # nsupdate -k acmesh-ottawatch.ca test-acme
>>
>> Sending update to 2607:7b00:7200:1::281a:5de2#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42504
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;ottawatch.ca.                  IN      SOA
>>
>> ;; UPDATE SECTION:
>> _acme-challenge.ottawatch.ca. 999 IN    TXT     "test 1"
>>
>> ;; TSIG PSEUDOSECTION:
>> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 966kN1nqxXRP+smNYmqpGKUIepEV0gkuOVz42ywCY0g= 42504 NOERROR 0
>>
>>
>> Reply from update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  42504
>> ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;ottawatch.ca.                  IN      SOA
>>
>> ;; TSIG PSEUDOSECTION:
>> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 eqUVlwgfwGnW0B7UX+WaB4mgqMgh9Aia/YauLRLa054= 42504 NOERROR 0
>>
>> Sending update to 2607:7b00:7200:1::281a:5de2#53
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  32884
>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>> ;; ZONE SECTION:
>> ;ottawatch.ca.                  IN      SOA
>>
>> ;; TSIG PSEUDOSECTION:
>> acmesh-ottawatch.       0       ANY     TSIG    hmac-sha256. 1596580550 300 32 M+Lr8IckyEVknrX+jHoDQYFrlGxzyQ/PYHX9WwpNBZw= 32884 NOERROR 0
>>
>>
>>
>> # dig _acme-challenge.ottawatch.ca. txt
>> - the TXT RR has not been added
>>
>> ; <<>> DiG 9.16.5-Ubuntu <<>> _acme-challenge.ottawatch.ca. txt
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45640
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ; COOKIE: f735fda5ecb94793010000005f29e1bed617055d59cb5d75 (good)
>> ;; QUESTION SECTION:
>> ;_acme-challenge.ottawatch.ca.  IN      TXT
>>
>> ;; AUTHORITY SECTION:
>> ottawatch.ca.           900     IN      SOA     cacloud.ottawatch.ca. hostmaster.ottawatch.ca. 2020072912 900 180 2419200 900
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Tue Aug 04 18:31:26 EDT 2020
>> ;; MSG SIZE  rcvd: 140
>>
>>
>> What am I missing or doing wrong, please?
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
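The failure Mark spotted (key stanza "acmesh-ottawatch." versus grant "ottawatch-acmesh.") is purely a naming mismatch: the TSIG verifies, so nsupdate sees no error on the signature, but no update-policy rule names the signing key, so named answers REFUSED and adds nothing. The script below is an added example, not code from this thread or from ISC, that pulls the key names out of a named.conf fragment and checks that every key referenced by a grant/deny rule is actually declared. The two config fragments and the secret are constructed placeholders; the zone and key names are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): detect a TSIG key that is
# declared in a key stanza but spelled differently in an update-policy grant.
# named answers such an update with REFUSED and adds nothing, exactly as in the
# nsupdate output above, so catching it before reload saves a round trip.

# Constructed named.conf fragments. The secret is a placeholder, not a real key.
# BAD reproduces the thread: key "acmesh-ottawatch." vs grant ottawatch-acmesh.
NAMED_CONF_BAD='key "acmesh-ottawatch." {
        algorithm hmac-sha256;
        secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";
};
zone "ottawatch.ca" {
        type master;
        file "/var/lib/bind/ottawatch.ca.zone";
        update-policy { grant ottawatch-acmesh. name _acme-challenge.ottawatch.ca. txt; };
};'

# GOOD uses the same key name in both places.
NAMED_CONF_GOOD='key "acmesh-ottawatch." {
        algorithm hmac-sha256;
        secret "cGxhY2Vob2xkZXItbm90LWEtcmVhbC1zZWNyZXQ=";
};
zone "ottawatch.ca" {
        type master;
        file "/var/lib/bind/ottawatch.ca.zone";
        update-policy { grant acmesh-ottawatch. name _acme-challenge.ottawatch.ca. txt; };
};'

# Key names are DNS names: compare them case-insensitively and with exactly
# one trailing dot, so that "acmesh-ottawatch" and "Acmesh-Ottawatch." agree.
norm_names() {
    tr 'A-Z' 'a-z' | sed 's/"//g; s/\.$//; s/$/./'
}

# Every key name declared with a `key "name" { ... };` stanza, one per line.
key_names() {
    printf '%s\n' "$1" | awk '$1 == "key" { n = $2; gsub(/[{]/, "", n); print n }' | norm_names
}

# Every key name referenced by a grant or deny rule inside an update-policy.
grant_names() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "grant" || $i == "deny") print $(i + 1)
    }' | norm_names
}

# Return 0 when every grant/deny key is declared; otherwise list the
# undeclared names on stderr and return 1.
check_update_policy() {
    declared=$(key_names "$1")
    missing=""
    for g in $(grant_names "$1"); do
        found=0
        for k in $declared; do
            if [ "$g" = "$k" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing $g"; fi
    done
    if [ -n "$missing" ]; then
        printf 'update-policy references undeclared key(s):%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Run the check on both fragments.
check_update_policy "$NAMED_CONF_BAD"  && echo "BAD:  consistent" || echo "BAD:  mismatch (expected)"
check_update_policy "$NAMED_CONF_GOOD" && echo "GOOD: consistent" || echo "GOOD: mismatch"
```

Run it as `sh check-keys.sh` (name assumed); the BAD fragment reports "update-policy references undeclared key(s): ottawatch-acmesh." and the GOOD one passes. Both fragments are syntactically valid, which is why the mismatch survives until an update is actually attempted; the other place it shows up is named's security-category log line for the refused update. On the key-generation question in the message above: in BIND 9.16 the TSIG key generator is `tsig-keygen` (`ddns-confgen`, as used in the thread, also still works), and `dnssec-keygen` no longer produces HMAC keys.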

