OpnSense & ACME & NSUpdate (bind9 journal problem)

If you use the ACME plugin to register a certificate with the nsupdate (RFC 2136) challenge, you may run into the problem below:

Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: signer "opnsense" approved
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "-_UEEMEIYvUxwoHWhBbdxiSzil62dgNoHCBfZJCzIiE"
Nov  6 07:58:24 Sagitarius named[121]: /etc/bind/clucas.fr.zone.jnl: create: permission denied
Nov  6 07:58:24 Sagitarius named[121]: client @0x7f68640c70d0 10.20.3.1#50544/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: unexpected error

You can try to "touch" this file, here "clucas.fr.zone.jnl". Even if you change the owner and the permissions (even 777, which you should not do to anything under /etc/bind), it will not work: touch creates an empty file, which is not a valid journal (named writes the journal header itself when it creates the file), so named can now open it but cannot read it. This time you will get:

Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: signer "opnsense" approved
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': adding an RR at '_acme-challenge.cloud-home.clucas.fr' TXT "eOTvsiOSI0I0eenYb2hfiD0KAAf2kXSPZjDo_5IY1yQ"
Nov  6 11:55:25 Sagitarius named[121]: client @0x7f68640d5860 10.20.3.1#59062/key opnsense: updating zone 'clucas.fr/IN': error: journal open failed: no more

I have read lots of blog posts, Reddit posts and so on. The only solution I found is to move the journal file to another directory. On Debian-based systems /var/lib/bind is the directory intended for files named writes itself: it is owned by the bind user and, unlike /etc/bind, is writable under the AppArmor profile shipped for named. The zone is therefore declared as follows:

include "/etc/bind/keys/opnsense.key";
[...]
zone "clucas.fr" {
    type master;
    file "/etc/bind/clucas.fr.zone";
    journal "/var/lib/bind/clucas.fr.jnl";
    also-notify { 217.169.242.186 port 53; 51.222.24.32 port 53; };
    allow-transfer { 217.169.242.186; 51.222.24.32; };
    notify yes;
    allow-update {
        key "opnsense";
    };
};
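The following pre-flight script is an added example, not code from this post, from OPNsense or from BIND. It reads the journal path declared in the zone block, checks that the journal directory is writable by the user named runs as, and then pushes and removes a throw-away _acme-challenge TXT record with the same TSIG key the plugin uses, so the three things that can go wrong above (journal location, directory permissions, key acceptance) are tested before the ACME plugin is. Assumptions that are not in the post: named runs as user "bind" (the Debian default), the zone block lives in /etc/bind/named.conf.local, the script runs on the BIND host itself and so talks to 127.0.0.1, and dig and nsupdate are installed. The zone block embedded in the script is a constructed copy of the one above, used only as sample input for the parser.

```shell
#!/bin/sh
# Added example (not from the original post, OPNsense or BIND): pre-flight
# checks for a zone that receives RFC 2136 updates from the ACME plugin.
# Assumed (not stated in the post): named runs as user "bind", the zone block
# is in /etc/bind/named.conf.local, the script runs on the BIND host.

# Constructed copy of the zone block from the post, used as sample input.
SAMPLE_CONF='zone "clucas.fr" {
    type master;
    file "/etc/bind/clucas.fr.zone";
    journal "/var/lib/bind/clucas.fr.jnl";
    allow-update { key "opnsense"; };
};'

# journal_path_of ZONE   (named.conf text on stdin)
# Prints the journal path declared for ZONE, or nothing when the zone has no
# "journal" statement and named falls back to <zone file>.jnl (the case that
# fails under /etc/bind).
journal_path_of() {
  awk -v want="\"$1\"" '
    $1 == "zone" && $2 == want { inzone = 1; next }
    inzone && $1 == "journal"  { gsub(/[";]/, "", $2); print $2; exit }
    inzone && /^}/             { inzone = 0 }
  '
}

# check_journal_dir DIR
# Succeeds when DIR exists and the *current* user can create files in it.
# Run it as the named user (see usage below): root can write anywhere and
# would hide the problem.
check_journal_dir() {
  [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# nsupdate_batch SERVER ZONE add|delete FQDN VALUE
# Emits the batch nsupdate reads on stdin: the same kind of single-TXT
# update the ACME plugin sends for its challenge.
nsupdate_batch() {
  printf 'server %s\nzone %s\n' "$1" "$2"
  if [ "$3" = add ]; then
    printf 'update add %s 60 IN TXT "%s"\n' "$4" "$5"
  else
    printf 'update delete %s IN TXT "%s"\n' "$4" "$5"
  fi
  printf 'send\n'
}

# test_dynamic_update SERVER ZONE FQDN KEYFILE
# Adds a throw-away TXT signed with KEYFILE, checks the server answers it,
# then deletes it again. Fails on the first step that does not go through.
test_dynamic_update() {
  value="preflight-$(date +%s)"
  nsupdate_batch "$1" "$2" add "$3" "$value" | nsupdate -k "$4" || return 1
  dig +short @"$1" "$3" TXT | grep -q "\"$value\"" || return 1
  nsupdate_batch "$1" "$2" delete "$3" "$value" | nsupdate -k "$4"
}

# Full run on the real host (the sample config above only feeds the parser).
preflight() {
  jnl=$(journal_path_of clucas.fr < /etc/bind/named.conf.local)
  [ -n "$jnl" ] || jnl=/etc/bind/clucas.fr.zone.jnl   # named's default
  check_journal_dir "$(dirname "$jnl")" \
    || { echo "journal directory $(dirname "$jnl") is not writable" >&2; return 1; }
  test_dynamic_update 127.0.0.1 clucas.fr \
    _acme-challenge.cloud-home.clucas.fr /etc/bind/keys/opnsense.key
}

case "${1:-}" in
  run) preflight ;;
esac
```

Run it as the named user so the permission check reflects what named sees: `sudo -u bind sh preflight.sh run`. If the opnsense key is used for nothing but ACME, also consider replacing `allow-update { key "opnsense"; };` with `update-policy { grant opnsense name _acme-challenge.cloud-home.clucas.fr TXT; };` so that a key leaked from the firewall can only touch that one TXT record rather than rewrite the whole zone (allow-update and update-policy are mutually exclusive in a zone statement).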

From the OpnSense side you will have something like this:

  1. An ACME account (a Let's Encrypt account in my case);
  2. A challenge type configured to use NSUPDATE;
  3. A certificate generated using the two above.


In my case, even though, as you have probably noticed, I have a master bind9 that notifies two slave bind9 servers, I have configured a sleep time of 5 minutes (300 seconds) to be sure DNS propagation is complete.
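Instead of a fixed five-minute sleep, the script below (an added example, not code from this post or from the ACME plugin) polls every authoritative server until all of them return the challenge TXT, which is what the sleep is approximating; it gives up after a bounded number of polls so a stuck secondary is reported rather than silently waited on. It assumes, as the post does not say, that the two secondaries listed in also-notify answer queries for the zone, that dig is installed, and that the primary is reachable at 127.0.0.1 because the script runs on the BIND host; the server list is constructed from the post's two addresses plus that assumption.

```shell
#!/bin/sh
# Added example (not from the original post or the ACME plugin): wait until
# every authoritative server serves the _acme-challenge TXT instead of
# sleeping a fixed 300 seconds.
# Assumed (not in the post): primary at 127.0.0.1, dig installed, and the
# secondaries from the post's also-notify answer queries for the zone.

# Constructed server list: assumed primary plus the two addresses from the
# post. Left unquoted on purpose where it is used, so it word-splits.
AUTH_SERVERS="127.0.0.1 217.169.242.186 51.222.24.32"

# txt_values SERVER NAME   -> one TXT value per line, surrounding quotes stripped.
txt_values() {
  dig +short +time=2 +tries=1 @"$1" "$2" TXT | sed 's/^"//; s/"$//'
}

# servers_missing NAME VALUE SERVER...
# Prints the servers that do not yet return VALUE for NAME; prints nothing
# once all of them do.
servers_missing() {
  name=$1; value=$2; shift 2
  for s in "$@"; do
    txt_values "$s" "$name" | grep -qx -- "$value" || echo "$s"
  done
}

# wait_for_txt NAME VALUE MAX_TRIES SLEEP SERVER...
# Returns 0 as soon as every server serves VALUE, 1 after MAX_TRIES polls,
# naming the servers that still lag behind.
wait_for_txt() {
  name=$1; value=$2; max=$3; pause=$4; shift 4
  i=0
  while [ "$i" -lt "$max" ]; do
    missing=$(servers_missing "$name" "$value" "$@")
    [ -z "$missing" ] && return 0
    i=$((i + 1))
    sleep "$pause"
  done
  echo "challenge record still missing on: $missing" >&2
  return 1
}

# Usage on the real host: sh wait-for-txt.sh <challenge value>
# Polls up to 30 times, 10 seconds apart: at most the same 300 seconds as
# the fixed sleep, but it returns as soon as all servers are in sync.
case "${1:-}" in
  "") ;;
  *) wait_for_txt _acme-challenge.cloud-home.clucas.fr "$1" 30 10 $AUTH_SERVERS ;;
esac
```

The polling interval only bounds how long the wait can last; the exit status is what matters, so a renewal hook can abort instead of asking Let's Encrypt to validate a record that one of the secondaries does not yet serve.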


When you issue or renew the certificate, the update should now go through without the journal error.
