Setup a wildcard certificate with ACME on a custom domain name "hosted" by PowerDNS

AkechiShiro · September 16, 2021, 9:18pm

Hi,

I’m trying to setup a wildcard certificate with a custom domain name however I’m hitting an error which I don’t understand.

I’ve taken a look at the following URLs :

github.com/NixOS/nixpkgs

Replace simp-le with lego and support DNS-01 challenge

NixOS:master ← m1cr0man:master

opened 09:40PM - 12 Jan 20 UTC

m1cr0man

+256 -61

###### Motivation for this change Continuation of #63613 Closes #34941, #…35168 I have the following things still to do: - Add a deprecation notice for `security.acme.certs.<name>.plugins` (I don't know how, need help) - Similarly add some equivalent of `mkChangedOptionModule` to convert `extraDomains` to a list since custom webroots are no longer possible. It is mostly backwards compatible, with a few caveats. - `extraDomains` can no longer have different webroots to the main webroot for the cert. - An email address is now mandatory for CA registration. I added a more globally scoped `security.acme.email` to make transitioning easier, and an assertion. - Accepting terms of service was a topic discussed in the other PR. For now, I have added `security.acme.acceptTerms` and defaulted it to `true` to avoid breaking user's configs. There may be reason to change this default depending on what reviewers think. The following other changes were required: - Deprecate `security.acme.certs.<name>.plugins`, as this was specific to simp-le - Rename `security.acme.validMin` to `validMinDays`, to avoid confusion and errors. Lego requires the TTL to be specified in days. I have added a `mkChangedOptionModule` to cover this. - Add options to cover DNS-01 challenge (`dnsProvider`, `credentialsFile`, `dnsPropagationCheck`) - A shared state directory is now used (`/var/lib/acme/.lego`) to avoid account creation rate limits and share credentials between certs I have tested converting my own simp-le generated certs to lego and it worked fine. I also have lego in production generating 28 HTTP validated certs and a DNS-01 cert with a bind DNS server (also on a NixOS box :smile: ). This is a non-breaking change if you haven't used custom webroots or plugins. Also I have tried to keep the diff as small as possible but that other PR was so old it took me a full day to manually rebase on top of all the more recent changes to the ACME module. I'd be tempted to do some other cleanup to the module but there's good git blame as it is now. ###### Things done - [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux) - Built on platform(s) - [X] NixOS - [ ] macOS - [ ] other Linux distributions - [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"` - [ ] Tested execution of all binary files (usually in `./result/bin/`) - [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after) - [X] Ensured that relevant documentation is up to date - [X] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).

https://go-acme.github.io/lego/dns/pdns/

github.com

NixOS/nixpkgs/blob/master/nixos/modules/security/acme.nix

{ config, lib, pkgs, options, ... }:
with lib;
let
  cfg = config.security.acme;

  # Used to calculate timer accuracy for coalescing
  numCerts = length (builtins.attrNames cfg.certs);
  _24hSecs = 60 * 60 * 24;

  # Used to make unique paths for each cert/account config set
  mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
  mkAccountHash = acmeServer: data: mkHash "${toString acmeServer} ${data.keyType} ${data.email}";
  accountDirRoot = "/var/lib/acme/.lego/accounts/";

  # There are many services required to make cert renewals work.
  # They all follow a common structure:
  #   - They inherit this commonServiceConfig
  #   - They all run as the acme user
  #   - They all use BindPath and StateDirectory where possible
  #     to set up a sort of build environment in /tmp

This file has been truncated. show original

In my case, here is my config file for the wildcard certificate :

{...}:

{
        security.acme = {
                acceptTerms = true;
                email = "example@domain.com";
                certs."example.domain.com" = {
                        dnsProvider = "pdns";
                        dnsResolver = "localhost:53"; # This should be pdns.
                        dnsPropagationCheck = true;
                        credentialsFile = "/var/lib/secrets/pdns-api-tokens";
                        domain = "*.example.domain.com";
                };
        };
}

I’m hitting the current error when running sudo nixos-rebuild test:

[*.example.domain.com] [*.example.domain.com] acme: error presenting token: pdns: could not find the start of authority for _acme-challenge.example.domain.com.: read udp [::1]:54563->[::1]:53: read: connection refused

Also port 53 is opened in the Firewall for UDP and TCP.

And checking inside the powerDNS zone, no record has been added via the pdns API which seems weird to me.

Seebi · September 17, 2021, 7:34pm

I have a similar setup (powerdns and wildcard certificates), but I’m using the rfc2136 provider:

{...}:
{
  security.acme.certs."domain.com" = {
    dnsProvider = "rfc2136";
    #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    credentialsFile = "/var/lib/secrets/certs.secret";
    extraDomainNames = [ "*.domain.com" ];
  };
}

And /var/lib/secrets/certs.secret contains

RFC2136_NAMESERVER = 127.0.0.1:53
RFC2136_TSIG_ALGORITHM = hmac-sha512.
RFC2136_TSIG_KEY = acme-key
RFC2136_TSIG_SECRET = …

AkechiShiro · September 17, 2021, 7:53pm

Did you setup anything related to rfc2136 on your NixOS machine, how did you get the secret key, did you generate it ?
Is there an rfc2136 nameserver running on your host machine?

Edit 1: Also, did you add any record about “_acme-challenge” into your pdns dns zone ?

shimun · September 17, 2021, 9:04pm

Have you tried putting in your public ip rather than localhost? After all those dns query have to be performed by letsencrypt.

Seebi · September 18, 2021, 8:47am

pdnsutil can generate secret keys and they need to be imported into the pdns database. The steps are here: Dynamic DNS Update (RFC2136) — PowerDNS Authoritative Server documentation

dnsupdate=yes in the pdns.config is required and I have these entries in the domainmetadata table (they are mentioned in the pdns docs above):

NOTIFY-DNSUPDATE=1
SOA-EDIT-DNSUPDATE=DEFAULT
TSIG-ALLOW-DNSUPDATE=acme-key

I also have ALLOW-DNSUPDATE-FROM entries in my database and set it empty in my pdns.config (allow-dnsupdate-from=). The defaults allow updates from 127.0.0.0/8, so that shouldn’t be needed.

AkechiShiro · September 18, 2021, 11:31am

I’ve been making some progress, however I did try what you told me to setup @Seebi, but it amounted to no success, it ended up with the error could not find start of authority for the domain.

So I cleaned up the config I just did, the meta-data, the dnsupdate=yes as well as the tsig-key I imported.

And I gave a try yet again at using the pdns API, and I’ve been getting a different error now, it seems I’m close to finally making it work I think, I had to add a NS record to my pdns zone to solve the could not find authoritative nameserver error.

Then at the moment I have another error which is the following, I don’t know why it happens :
time limit exceeded: last error: dial udp: lookup ns1.example.com.: Temporary failure in name resolution.

My records are the following inside my zone file :

$ORIGIN .
example.com 3600 IN SOA ns1.example.com mail.exemple.com 1 10800 3600 604800 3600
example.com 3600 IN NS ns1.example.com
blog.example.com 3600 IN AAAA [redacted IPv6]
ns1.example.com 3600 IN AAAA [redacted IPv6]

My NS record has indeed the ns1.example.com, but I wonder why there is a temporary failure in name resolution, if anyone has any advice or way to solve this issue, I’m willing to give it a try.

Edit 1: Manually doing a nslookup ns1.example.com works successfully from a client machine, and dig AAAA @9.9.9.9 ns1.example.com also works and resolve successfully.

AkechiShiro · September 18, 2021, 12:07pm

Turns out I had issues with my current set DNS on my PowerDNS server after fixing that, I encountered another error which was about adding CAA records to allow a CA authority to issue certificate, I create the proper records for that and then tried again and finally, it ended up working successfully.

Edit answer to @shimun : About what you told me to try, I did set it up that way, I will try to change it and see if triggers an error with localhost for instance.