DNSSEC: DNSKEY Missing with ACME client on OPNsense

I don’t really know what is wrong here, but the issuing of certificates fails for all subdomains in deSEC.io using the ACME client built into OPNsense.

All subdomains are shown as “fully configured” in deSEC.io after clicking the (i) button, but unfortunately I always get the following error message from the CA:
DNSSEC: DNSKEY Missing

This is the full log (normal level):
2023-11-02T18:22:54	acme.sh	[Thu Nov 2 18:22:54 CET 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-11-02T18:22:54	acme.sh	[Thu Nov 2 18:22:54 CET 2023] Please add '--debug' or '--log' to check more details.
2023-11-02T18:22:54	acme.sh	[Thu Nov 2 18:22:54 CET 2023] Removed: Success
2023-11-02T18:22:54	acme.sh	[Thu Nov 2 18:22:54 CET 2023] Deleted, OK
2023-11-02T18:22:54	acme.sh	[Thu Nov 2 18:22:54 CET 2023] Deleting record
2023-11-02T18:22:53	acme.sh	[Thu Nov 2 18:22:53 CET 2023] Using desec.io api
2023-11-02T18:22:53	acme.sh	[Thu Nov 2 18:22:53 CET 2023] Removing txt: XOc68CKBswVq3iqal6dyLl4_izBJqUreX8fy6nIU9ro for domain: _acme-challenge.redactedsubdomain1.dedyn.io
2023-11-02T18:22:53	acme.sh	[Thu Nov 2 18:22:53 CET 2023] Removing DNS records.
2023-11-02T18:22:53	acme.sh	[Thu Nov 2 18:22:53 CET 2023] Invalid status, redactedsubdomain1.dedyn.io:Verify error detail:DNS problem: looking up TXT for _acme-challenge.redactedsubdomain1.dedyn.io: DNSSEC: DNSKEY Missing
2023-11-02T18:22:51	acme.sh	[Thu Nov 2 18:22:51 CET 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-11-02T18:22:51	acme.sh	[Thu Nov 2 18:22:51 CET 2023] Please add '--debug' or '--log' to check more details.
2023-11-02T18:22:51	acme.sh	[Thu Nov 2 18:22:51 CET 2023] Removed: Success
2023-11-02T18:22:51	acme.sh	[Thu Nov 2 18:22:51 CET 2023] Deleted, OK
2023-11-02T18:22:51	acme.sh	[Thu Nov 2 18:22:51 CET 2023] Deleting record
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Using desec.io api
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Removing txt: 0rATznihj-KGhznaaLK9mM44Qt0442w8fHe72SJVyQA for domain: _acme-challenge.redactedsubdomain3.dedyn.io
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Removing DNS records.
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Invalid status, redactedsubdomain3.dedyn.io:Verify error detail:DNS problem: looking up TXT for _acme-challenge.redactedsubdomain3.dedyn.io: DNSSEC: DNSKEY Missing
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Please add '--debug' or '--log' to check more details.
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Removed: Success
2023-11-02T18:22:50	acme.sh	[Thu Nov 2 18:22:50 CET 2023] Deleted, OK
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Verifying: redactedsubdomain1.dedyn.io
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Deleting record
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Using desec.io api
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Removing txt: yDEbwgrYimojcEf20g-6rWalu32VVWmuMtWHTFMah-Y for domain: _acme-challenge.redactedsubdomain2.dedyn.io
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Removing DNS records.
2023-11-02T18:22:49	acme.sh	[Thu Nov 2 18:22:49 CET 2023] Invalid status, redactedsubdomain2.dedyn.io:Verify error detail:DNS problem: looking up TXT for _acme-challenge.redactedsubdomain2.dedyn.io: DNSSEC: DNSKEY Missing
2023-11-02T18:22:47	acme.sh	[Thu Nov 2 18:22:47 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
2023-11-02T18:22:46	acme.sh	[Thu Nov 2 18:22:46 CET 2023] Verifying: redactedsubdomain3.dedyn.io
2023-11-02T18:22:46	acme.sh	[Thu Nov 2 18:22:46 CET 2023] Pending, The CA is processing your order, please just wait. (1/30)
2023-11-02T18:22:45	acme.sh	[Thu Nov 2 18:22:45 CET 2023] Verifying: redactedsubdomain2.dedyn.io

2023-11-02T18:20:49	acme.sh	[Thu Nov 2 18:20:49 CET 2023] Sleep 120 seconds for the txt records to take effect
2023-11-02T18:20:49	acme.sh	[Thu Nov 2 18:20:49 CET 2023] The txt record is added: Success.
2023-11-02T18:20:49	acme.sh	[Thu Nov 2 18:20:49 CET 2023] Added, OK
2023-11-02T18:20:49	acme.sh	[Thu Nov 2 18:20:49 CET 2023] Adding record
2023-11-02T18:20:48	acme.sh	[Thu Nov 2 18:20:48 CET 2023] Using desec.io api
2023-11-02T18:20:48	acme.sh	[Thu Nov 2 18:20:48 CET 2023] Adding txt value: XOc68CKBswVq3iqal6dyLl4_izBJqUreX8fy6nIU9ro for domain: _acme-challenge.redactedsubdomain1.dedyn.io
2023-11-02T18:20:48	acme.sh	[Thu Nov 2 18:20:48 CET 2023] Getting webroot for domain='redactedsubdomain1.dedyn.io'
2023-11-02T18:20:46	acme.sh	[Thu Nov 2 18:20:46 CET 2023] Sleep 120 seconds for the txt records to take effect
2023-11-02T18:20:46	acme.sh	[Thu Nov 2 18:20:46 CET 2023] The txt record is added: Success.
2023-11-02T18:20:46	acme.sh	[Thu Nov 2 18:20:46 CET 2023] Added, OK
2023-11-02T18:20:46	acme.sh	[Thu Nov 2 18:20:46 CET 2023] Adding record
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Using desec.io api
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Adding txt value: 0rATznihj-KGhznaaLK9mM44Qt0442w8fHe72SJVyQA for domain: _acme-challenge.redactedsubdomain3.dedyn.io
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Getting domain auth token for each domain
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Getting webroot for domain='redactedsubdomain3.dedyn.io'
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Single domain='redactedsubdomain1.dedyn.io'
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Sleep 120 seconds for the txt records to take effect
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] The txt record is added: Success.
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Added, OK
2023-11-02T18:20:45	acme.sh	[Thu Nov 2 18:20:45 CET 2023] Adding record
2023-11-02T18:20:44	acme.sh	[Thu Nov 2 18:20:44 CET 2023] Using desec.io api
2023-11-02T18:20:44	acme.sh	[Thu Nov 2 18:20:44 CET 2023] Adding txt value: yDEbwgrYimojcEf20g-6rWalu32VVWmuMtWHTFMah-Y for domain: _acme-challenge.redactedsubdomain2.dedyn.io
2023-11-02T18:20:44	acme.sh	[Thu Nov 2 18:20:44 CET 2023] Getting webroot for domain='redactedsubdomain2.dedyn.io'
2023-11-02T18:20:42	acme.sh	[Thu Nov 2 18:20:42 CET 2023] Getting domain auth token for each domain
2023-11-02T18:20:42	acme.sh	[Thu Nov 2 18:20:42 CET 2023] Single domain='redactedsubdomain3.dedyn.io'
2023-11-02T18:20:42	acme.sh	[Thu Nov 2 18:20:42 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
2023-11-02T18:20:41	acme.sh	[Thu Nov 2 18:20:41 CET 2023] Getting domain auth token for each domain
2023-11-02T18:20:40	acme.sh	[Thu Nov 2 18:20:40 CET 2023] Single domain='redactedsubdomain2.dedyn.io'
2023-11-02T18:20:40	acme.sh	[Thu Nov 2 18:20:40 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory

This is the full log (debug3 level):
https://hastebin.skyra.pw/natovewazi.yaml

The TXT entries are being set correctly beforehand and I couldn’t recognize any other error message in the logs.

Did I miss something? Shouldn’t this verification be independent from my local config with HAProxy and my local DNS as it’s a DNS-01 challenge?

Looking forward to any kind of hint here :sunglasses:

Thanks,
Christian

Hi Christian,

Thank you for your message, and welcome to deSEC! :slight_smile:

It’s impossible to debug this without knowing the affected domain name.

Stay secure,
Peter

Hi Peter,

I will send you the domain names via PM.

Thanks,
Christian

Got really great support from @peter via email. :partying_face:

This was the issue:

If you create your own subdomains like second.subdomain.dedyn.io, you have to delegate them from the main subdomain subdomain.dedyn.io.

You can do that either by setting the DS records for the subdomain (use the values after clicking on the (i) near the main subdomain), or by setting NS records to ns1.desec.io/ns2.desec.org if you want to disable DNSSEC for the subdomain.

Currently there’s a bug which always shows “Your domain is fully configured.” for the main subdomain, so until this is fixed the delegation can only be made by the great support team.

Thanks for the fast and great support :smiling_face_with_three_hearts:

This is fixed now.

Stay secure,
Peter
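The check behind Christian's explanation above, as an added example that is not code from the thread, from deSEC or from OPNsense: a record in a child zone is signed with that child zone's own key, and a validating resolver (the CA's included) can only trust that key if the parent zone publishes a DS record for the child, or delegates it unsigned with NS records. The script below reads the answer sections of two dig queries, finds which zone actually signed the `_acme-challenge` TXT record (the signer field of its RRSIG), and reports whether a DS for that signer is present. The zone names `second.sub.dedyn.io` / `sub.dedyn.io`, the key tag, the token and the DS digest are constructed placeholders; the embedded sample answers are constructed, not captured from a live zone, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, deSEC or OPNsense). Classifies the
# DNSSEC chain for an _acme-challenge TXT record from dig "+noall +answer"
# output. Zone names, key tag, token and digest below are placeholders.
#
# Live usage (one record per line, as dig prints with +noall +answer):
#   txt=$(dig +dnssec +noall +answer TXT _acme-challenge.second.sub.dedyn.io @ns1.desec.io)
#   zone=$(rrsig_signer "$txt")
#   ds=$(dig +noall +answer DS "$zone" @ns1.desec.io)
#   chain_status "$txt" "$ds"

# Print the zone named in the signer field (field 12) of the first RRSIG line
# in a dig answer, without the trailing dot. Prints nothing if unsigned.
rrsig_signer() {
    printf '%s\n' "$1" |
        awk '$1 !~ /^;/ && $4 == "RRSIG" { sub(/\.$/, "", $12); print $12; exit }'
}

# Return 0 if the dig answer in $2 contains a DS record owned by zone $1.
has_ds_for() {
    printf '%s\n' "$2" |
        awk -v z="$1." '$1 !~ /^;/ && $4 == "DS" && $1 == z { found = 1 } END { exit !found }'
}

# Print "unsigned", "secure <zone>" or "broken <zone>".
# "broken" is the situation in the thread: the RRSIG names a zone that has no
# DS at its parent, so a validator never obtains a trusted DNSKEY for it.
chain_status() {
    txt_answer=$1
    ds_answer=$2
    signer=$(rrsig_signer "$txt_answer")
    if [ -z "$signer" ]; then
        echo unsigned
    elif has_ds_for "$signer" "$ds_answer"; then
        echo "secure $signer"
    else
        echo "broken $signer"
    fi
}

# --- constructed sample answers (not captured from a real zone) ---
# TXT record plus its RRSIG; the signer is the child zone second.sub.dedyn.io.
SAMPLE_TXT='_acme-challenge.second.sub.dedyn.io. 3600 IN TXT "placeholder-acme-token-0123456789abcdef"
_acme-challenge.second.sub.dedyn.io. 3600 IN RRSIG TXT 13 5 3600 20231116000000 20231102000000 12345 second.sub.dedyn.io. c29tZWJhc2U2NHNpZ25hdHVyZQ=='
# Parent has no DS for the child (the failing case).
SAMPLE_DS_MISSING=''
# Parent publishes a DS for the child (after delegation is set up).
SAMPLE_DS_PRESENT='second.sub.dedyn.io. 3600 IN DS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

chain_status "$SAMPLE_TXT" "$SAMPLE_DS_MISSING"   # broken second.sub.dedyn.io
chain_status "$SAMPLE_TXT" "$SAMPLE_DS_PRESENT"   # secure second.sub.dedyn.io
```

Querying the authoritative server directly (as in the commented live usage) shows what the zone publishes regardless of caching; the DS query is answered from the parent zone because DS records live on the parent side of the delegation cut, which is exactly the side that was missing in the thread. An NS-only delegation with no DS shows up as `unsigned` once the child stops signing, which is the "disable DNSSEC for the subdomain" option Christian mentions.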