Bug #10411

closed

ACME only uses DoH, Broken renewal

Added by theodore adams over 4 years ago. Updated over 4 years ago.

Status:
Needs Patch
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
04/02/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The issue is described on the forum here:

https://forum.netgate.com/topic/150984/doh-verification-method

DoH appears to have been added mid-February 2020, and there doesn't appear to be a way to fallback to non-DoH verification. Can ACME fallback (as an opt-in option) to using system DNS settings instead of DoH directly?

Currently, ACME renewal is broken when DoH is blocked.

#1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Needs Patch

That will need to be raised as an issue directly with acme.sh not here.

#2

Updated by theodore adams over 4 years ago

Thank you for reviewing Jim.

I have been researching further and found closed issues on the acme.sh github:
https://github.com/acmesh-official/acme.sh/issues/2576
https://github.com/acmesh-official/acme.sh/issues/2587

Using public DoH is just because the Let's Encrypt CA is using public DNS servers to validate.
To disable the NS lookup, you can use --dnssleep 180

I have tested a dnssleep of 180 in the pfSense ACME GUI, and the certificate successfully generates when one manually issues/renews. However, the GUI reports that the issuance was unsuccessful (the broken icon appears, and there is no success message at the top). After a little while longer, a refresh of the page does show the successful issuance of the certificate, and the system log does show the appropriate shell commands run.

Might an update be made to the package that accounts for added dnssleep time?
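The behaviour described above (certificate issued, but the GUI reports failure because it stops waiting before acme.sh's --dnssleep pause has elapsed) is what a wrapper has to budget for. The script below is an added example, not code from the pfSense ACME package or from acme.sh: it derives the wait time from the configured dnssleep and polls for the certificate file instead of checking at a fixed moment. The base timeout, the acme.sh path, the dns_cf plugin name and the certificate path are assumptions for illustration; --issue, --dns and --dnssleep are real acme.sh flags.

```shell
#!/bin/sh
# Added example: wait for an acme.sh run whose duration includes --dnssleep.
# Assumptions (not from the ticket): 60 s covers the non-DNS part of issuance,
# acme.sh lives at the path below, and the cert path is chosen by the caller.

ACME_SH="${ACME_SH:-/root/.acme.sh/acme.sh}"   # assumed install location
BASE_TIMEOUT=60                                 # assumed non-DNS budget (s)

# Seconds a caller should wait for "acme.sh --issue ... --dnssleep N".
# acme.sh sleeps N seconds before asking the CA to validate, so any wrapper
# that gives up earlier than BASE_TIMEOUT + N will report a false failure.
renew_timeout() {
    dnssleep="${1:-0}"
    echo $((BASE_TIMEOUT + dnssleep))
}

# Poll for the issued certificate until it appears or the deadline passes.
# Returns 0 once the file exists and is non-empty, 1 on timeout.
wait_for_cert() {
    cert="$1"; deadline="$2"; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        [ -s "$cert" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    [ -s "$cert" ]
}

# Issue with DNS validation and a pre-validation sleep (skips acme.sh's own
# DoH-based NS lookup), then wait using a timeout that includes that sleep.
# dns_cf is a placeholder plugin name; the cert path is the caller's choice.
issue_with_dnssleep() {
    domain="$1"; dnssleep="$2"; cert="$3"
    "$ACME_SH" --issue --dns dns_cf -d "$domain" --dnssleep "$dnssleep" \
        --fullchain-file "$cert" &
    wait_for_cert "$cert" "$(renew_timeout "$dnssleep")"
}
```

Run as `issue_with_dnssleep example.com 180 /tmp/example.com.fullchain.pem`; with dnssleep 180 the wrapper waits up to 240 seconds, so the success/failure it reports matches what acme.sh actually did.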

#3

Updated by Jim Pingle over 4 years ago

Still seems like acme.sh should handle that more gracefully without relying on such a long timeout, or have an option to disable DoH.

#4

Updated by theodore adams over 4 years ago

Jim Pingle wrote:

Still seems like acme.sh should handle that more gracefully without relying on such a long timeout, or have an option to disable DoH.

I certainly agree, I'm glad to have found a workaround, but this is a pain. Unfortunately it doesn't seem that acme.sh agrees since they have closed at least two issues raising this.
