ACME

• 

  ACME package version 0.6.8
  • jimp  

  1
  2
  Votes
  1
  Posts
  102
  Views

  No one has replied

• 

  HEADS UP: Let's Encrypt ACMEv1 server EOL starting
  • jimp  

  1
  0
  Votes
  1
  Posts
  194
  Views

  No one has replied

• 

  FYI - ACME on 2.3.x
  • jimp  

  1
  0
  Votes
  1
  Posts
  308
  Views

  No one has replied

• C

  Update: This is now working. 4096-bit RSA Private Key appears not to be working
  • costanzo  

  4
  0
  Votes
  4
  Posts
  50
  Views

  

  This : is the Let'senscrypt' intermediate certificat, not the certificate you received from Letsenscrypt. When you inspect the sit's (pfSense) cert with a normal browser like FF, you'll see the 3 of them : Yours is the most left one. Like mine : 4096 .... But hey, even 2048 will do for decades ...... although you have to trach it after 90 days max. edit : also .... the details of the cert you showed last for some 15 months .... that's not the 90 days max duration Letsencrypt is advertising with ;)
• P

  HAProxy/acme script bug?
  • pfdog  

  7
  0
  Votes
  7
  Posts
  59
  Views

  P

  @PiBa I believe that the reference to the cert was valid. If memory serves me correctly, there were validation problems with the acme-challenge or missing txn parameters for acme's Domain SAN list / DNS-[provider] method. Perhaps that caused an empty cert file. The ^M remains as before, and now Let's Encrypt successfully verifies the domain.
• W

  Available DNS providers in ACME package
  • wickeren  

  11
  0
  Votes
  11
  Posts
  603
  Views

  

  I don't see any code in ACME which would take those parameters. Not currently or ever in the history of the git repository. This was opened a few weeks ago but has not yet been merged: https://github.com/acmesh-official/acme.sh/pull/2895 So that's what you're waiting on to get merged into ACME and then after that point we can add it to pfSense.
• 

  How to enable ACMEv2 ?
  • chudak  

  3
  0
  Votes
  3
  Posts
  36
  Views

  

  @jimp Easy, thx!
• C

  Acme issue with DNSMadeEasy
  • cjbujold  

  13
  0
  Votes
  13
  Posts
  167
  Views

  C

  Finally got time to go back to the certificates and I can confirm that the latest update has fixed my issue. Thanks much appreciated.
• V

  Freeradius, ACME, Built-in Cert Manager - workarounds with intermediate certificate
  certificate freeradius acme • • vherrlein  

  1
  0
  Votes
  1
  Posts
  23
  Views

  No one has replied

• B

  ACME issue with Godaddy DNS
  • Broncoman  

  11
  0
  Votes
  11
  Posts
  84
  Views

  B

  I had my dns pointing to opendns servers. I moved them to google and the issue went away. I wouldn't have dreamed that opendns was causing this. Thank you so much for your help!
• S

  0.6.5 is now showing in package manager
  • scockman  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  If you are on 2.4.4-p3, then 0.6.5 is the latest version you can safely install. You must upgrade to 2.4.5 to get the latest packages. Installing 2.4.5 packages on 2.4.4-p3 is dangerous.
• B

  DNS-Hurricane Electric: Operation timed out - resolved
  • bartkowski  

  6
  0
  Votes
  6
  Posts
  73
  Views

  B

  The issue was definitely with ZoneEdit. I re-edited the nameservers in ZoneEdit, saved, and after a while Quad9 and Cloudflare DNS servers were serving up HE's nameservers.
• C

  0.6.7 still showing in package manager
  • costanzo  

  2
  0
  Votes
  2
  Posts
  26
  Views

  C

  @costanzo FYI - It's showing the correct version this morning. Just needed to wait.
• 

  Unable To Renew Certs Since last ACME package Update
  • yuljk  

  25
  0
  Votes
  25
  Posts
  240
  Views

  R

  @raiderj said in Unable To Renew Certs Since last ACME package Update: @costanzo said in Unable To Renew Certs Since last ACME package Update: @raiderj said in Unable To Renew Certs Since last ACME package Update: One for the wildcard cert, one for the regular cert. But they're both looking for the same key valu Odd. Can you post a screen capture of the message show when issuing the cert. Be sure to blur out any sensitive data. I am not seeing this issue, but may be different for you. Also, keep in mind generating too many certs under production will cap you out and you will need to wait a week. Best to use the staging option. I'll do that if I see it again. I can't replicate the issue at the moment. The only issue I have now, with both staging and production is that the second domain in the SAN list won't get an updated cert. Haven't tried switching to the DNS-Cloudflare option though. Ok, I believe it's working now with the original "DNS-Cloudflare" option. I think I can also remove the new API token I created as well. So, if I'm understanding this properly, all I need for cert generation is the global API key from Cloudflare. Wildcard plus normal cert generation in the same request seems to still not work. I still only get the first domain in the SAN list.
• C

  Broken pipe error
  • cjbujold  

  4
  0
  Votes
  4
  Posts
  48
  Views

  C

  Made further changes and now getting: head: illegal byte count -- -2 [Fri Apr 24 15:43:46 ADT 2020] Multi domain='DNS:protector.accra.ca,DNS:geneabujold.accra.ca,DNS:remotehelp.accra.ca' [Fri Apr 24 15:43:46 ADT 2020] Getting domain auth token for each domain [Fri Apr 24 15:43:48 ADT 2020] Getting webroot for domain='protector.accra.ca' [Fri Apr 24 15:43:48 ADT 2020] Getting webroot for domain='geneabujold.accra.ca' [Fri Apr 24 15:43:48 ADT 2020] Getting webroot for domain='remotehelp.accra.ca' [Fri Apr 24 15:43:48 ADT 2020] Adding txt value: 9yxloPu3sHM1YzQRJicL-EUeYdXRZQ2CsMZeJic80Mk for domain: _acme-challenge.protector.accra.ca head: illegal byte count -- -2 [Fri Apr 24 15:43:49 ADT 2020] invalid domain [Fri Apr 24 15:43:49 ADT 2020] Error add txt for domain:_acme-challenge.protector.accra.ca [Fri Apr 24 15:43:49 ADT 2020] Please check log file for more details: /tmp/acme/accra/acme_issuecert.log
• C

  Acme fails with DNSMadeEasy and need alternative
  • cjbujold  

  3
  0
  Votes
  3
  Posts
  38
  Views

  C

  Using the latest. acme and PFsense. Updated this morning acme to 0.6.7. and will try to update again. With regards to your question is they do offer nsupdate, the issue is that it needs that all records have to be sent. we have over 250 records in our DNS and they are the primary. Concerned about something going wrong and affecting something else Before we upgraded to 2.4.5 and 0.6.6, the api to DNSmadeEasy was working for the past 3 years without a hitch. They are confirming the issue I see that the plugin is not negotiating the authentication properly "the API is saying that it is unable to verify the HMAC"
• C

  error renewing certificate ""urn:ietf:params:acme:error:unauthorized"
  • cjbujold  

  4
  0
  Votes
  4
  Posts
  38
  Views

  

  Then I'd check that. It doesn't look like it's doing what you think it should be doing.
• J

  How to restart unbound on renew of certificate?
  • JobH  

  11
  0
  Votes
  11
  Posts
  105
  Views

  J

  @Gertjan I confirmed that the last solution works for me too (unbound, Restart Local Service).
• J

  DoH Verification Method
  • jb09  

  7
  0
  Votes
  7
  Posts
  188
  Views

  R

  @Risfold said in DoH Verification Method: I have just started having the same issue, and came across this thread in researching it. I hope to revive the discussion. I also use the above referenced DoT/DoH blocking list. I block the the domains and IPs via pfblocker for LAN clients to stop any circumvention of DNS or hard coded DNS in clients. I alternatively use DoT from unbound in pfsense. The acme.sh discussion of this addition appears to be here, added mid-February 2020. It is discussed as "support" for DoH, but it appears to be implemented more as a change rather than an option. I fully support the addition of DoH in acme.sh, even as a default, but is there a way to turn off the use of acme.sh's use of DoH, and return to using the firewall for DNS? I could temporarily disable my blocking of DoH but that would defeat the purpose of automated certificates. Work around noted here. add dnssleep time of 180
• 

  ACME package version 0.6.6
  • jimp  

  1
  2
  Votes
  1
  Posts
  121
  Views

  No one has replied

• I

  Having issues with Acme and Cloudflare
  • iPenguin  

  1
  0
  Votes
  1
  Posts
  46
  Views

  No one has replied

• 

  Setup ACME with Webroot Local Folder
  • anggit  

  4
  0
  Votes
  4
  Posts
  65
  Views

  

  Logs ? Open a console, SSH, or better SFTP and look in /tmp/acme/your-domain.tld - there is a dot log file. This one : Also : If I visit : I have a TLS error - as acme has : because the cert is expired since March 6. So, when the Letenscypt hits that site, it will bail out. I'm not using HAProxy myself, neither the acme webroot method. What about : pfsense haproxy acme ,
• S

  DNS-FreeDNS and ACME can't find the domain
  • Stefan Milev  

  1
  1
  Votes
  1
  Posts
  60
  Views

  No one has replied

• G

  ARUBA Api DNS domain
  • gtrotta  

  2
  0
  Votes
  2
  Posts
  50
  Views

  

  You need to suggest that over on the acme.sh page. We don't create new providers, we only add support for providers made available in acme.sh.
• D

  ACME renewal fails for DNS Made Easy
  • danielvanderwal  

  8
  0
  Votes
  8
  Posts
  265
  Views

  D

  @Blfrg Thanks, that worked perfectly. Your last fix also works with the GUI of PFSense when added from hand. After merge all should be fine again. Thanks for your patch!
• 

  ACME package version 0.6.5
  • jimp  

  5
  5
  Votes
  5
  Posts
  227
  Views

  B

  @Wasca Thank you for reporting the issue! A pull request has been created here Please watch for that pull request to be merged and the fix should be available in the next acme.sh release (>2.8.6)
• P

  Acme and Dyn
  • piperspace  

  22
  0
  Votes
  22
  Posts
  3804
  Views

  I

  This may be OBE in a few months, but I just set this up and wanted to pull everything together for Dyn.com ACME updates as I just got it working with info from a number of posts in this thread. I'm using Version 0.6.5 of the ACME client on 2.4.4-RELEASE-p3 of PFSense. Dyn.com has 3 products https://help.dyn.com/dyn-dns-products-compared/ Managed DNS - you log in at https://portal.dynect.net/ ** "Professional DNS Solution" Standard DNS - you log in at https://account.dyn.com/ ** mange domains, the domain registration recently was migrated to name.com DynDNS Pro, now just called Dynamic DNS - also at https://account.dyn.com/ ** get up to 30 hostnames in prepopulated domains. The new Oracle Cloud DNS service is completely different. The "Dyn.com" method only works with Managed DNS. The nsupdate method works with Standard DNS server = update.dyndns.com keyname = see below Key Algorithm = HMAC-MD5 Key = see below Zone = your zone to use You have to get a TSIG key for the keyname and key. The directions are at https://dyn.com/updater/tsig/ and the key itself can be created or updated at https://account.dyn.com/profile/tsig.html I suspect this will not work for DynDNS Pro as there seems to be no way to create a TXT entry.
• M

  Warning: certs cancellation due to LE bug
  • maverick_slo  

  4
  0
  Votes
  4
  Posts
  66
  Views

  

  Also noteworthy that I am still occasionally seeing account registration/verification failures over IPv6 even when attempting renewals. If you get a cURL error (like error 35) when attempting to renew, set the firewall to prefer IPv4: System > Advanced, Networking tab, check Prefer to use IPv4 even if IPv6 is available. Then try the ACME renew again.
• 

  ACME
  • ejaj  

  11
  0
  Votes
  11
  Posts
  97
  Views

  

  The resulat (green text) said already to you : But this could be an important indication : Let me rephrase that message : the acme.sh couldn't add the "_acme-challenge.............." to your domain. A problem with the domain ? An API error ? The registrar that hosts the API has problems ? Can't tell much more.
• F

  ACME & HAProxy secondary step failed after backup restore
  • Foxi352  

  3
  0
  Votes
  3
  Posts
  153
  Views

  F

  @PiBa I use the 'simple' haproxy package. I am not blocking anything special. pfSense and all packages are on newest versions. I also disabled snort, pfblocker and everything else during debugging. As i said, it worked before moving from bhyve to proxmox. Or probably what counts more is before backup up and restoring on a clean install. But nevermind, i got it working now by using the haproxy chroot'ed webroot instead of standalone http server. After hours or fiddeling i have up on the other solution and switched all my certs to webroot. This is even faster as the script does not have to spin up an extra http server ... But thank you for taking the time to reply ;-)
• T

  Is using tftp a safe way to distribute newly obtained certs internally?
  • tazmo  

  2
  0
  Votes
  2
  Posts
  69
  Views

  

  I would not consider TFTP safe by any means. It's unencrypted and unauthenticated. So you can't verify that the client is pulling the certificate from the proper source or ensure that it has not been interfered with along the way. On a local network that may not appear like a huge concern, but it's best not to get complacent or make assumptions when dealing with security. If you are only transferring the certificate and not private key data then the unencrypted part isn't as large of a concern. Some people write the certs to a central location and copy them around with scp, which is better. Though it sounds like you're using the ACME package for a role it really was not intended to fill. You might be better suited using a dedicated ACME setup on a local system (small VM, Pi, etc) which can securely deploy the certificates in a manner better suited for your needs.
• Y

  Certs not written to /conf/config.xml if "write certificates" selected in general settings
  • yobyot  

  2
  0
  Votes
  2
  Posts
  88
  Views

  

  Before posting : Right after manual cert renewal : You saw the date/time change ? The concerned <cert> .... <crt> ........</crt> ..... </cert> in the config.xml showed me the cert was changed thus saved to config.xml How could pfSense otherwise use the new certificate dater a reboot ? Because it's in the config.xml .... (and no where else). Btw : edit : I tend to say : read the log from /tmp/acme/<your domain>/acme_issuecert.log and you have your answer why it was not renewed and thus why it wasn't written to config.xml and why it didn't doesn't show in System > Certificate Manager > Certificates Edit : See the official video : https://www.netgate.com/resources/videos/lets-encrypt-on-pfsense.html => 49 minutes and 30 seconds ;)
• A

  Can't renew with updated/changed validation method
  • amsteel  

  4
  0
  Votes
  4
  Posts
  101
  Views

  M

  It is fixed: https://github.com/acmesh-official/acme.sh/commit/4f303de00c8d640351db5fb065bf0861786fab18 We need to wait for offical release (2.8.6). Or you can copy acme.sh from master branch it will work as well.
• R

  ACME DNS Challenge & Cloudflare
  • rkgraves  

  5
  1
  Votes
  5
  Posts
  1146
  Views

  F

  @rkgraves just want to add this worked for me as well.
• A

  ACME Subdomain revoke Cert
  • Anfänger  

  2
  0
  Votes
  2
  Posts
  58
  Views

  

  It will still be valid until the old certificate expires, which thanks to ACME's short life, will only be 90 days from the date it was issued. No need to go through the hassle of revoking.
• C

  Error when creating new certificate - "error": "Unable to verify HMAC"'
  • cjbujold  

  5
  0
  Votes
  5
  Posts
  102
  Views

  

  Looks like the error is being sent back from api.dnsmadeeasy.com -- so I'd check your account settings there and the credentials. Maybe they have some limit you're exceeding, or something else wrong.
• D

  How to restart ipsec on renew of certificate
  • dumarjo  

  2
  0
  Votes
  2
  Posts
  68
  Views

  

  One of these should work: Method = Restart Local Service, Command = ipsec (This may be enough to refresh the IPsec config, but it's not a full restart) Method = PHP Command, Command = ipsec_configure(true) (This may fail since it may not have the right required libraries) Method = Shell Command, Command = /usr/local/sbin/pfSsh.php playback restartipsec (This may fail since the ACME script which starts the command is PHP, and launching pfSsh.php from within PHP doesn't always work) Method = PHP Command, Command = file_get_contents("/etc/phpshellsessions/restartipsec") (If the shell command fails, this should work instead)
• 

  acme when dns provider does not allow dns challenge
  • tn1rpi3  

  44
  0
  Votes
  44
  Posts
  811
  Views

  

  @Gertjan said in acme when dns provider does not allow dns challenge: I see how speed may become an issue here. set DNS-Sleep to 300 seconds, or more. I'll certainly remember that setting when needed.
• B

  ACME 0.6.4 Godaddy DNS showing invalid domain
  • Broncoman  

  1
  0
  Votes
  1
  Posts
  73
  Views

  No one has replied

• P

  [SOLVED] Accountkey is not saved
  • pixel24  

  4
  0
  Votes
  4
  Posts
  72
  Views

  P

  I read here in the forum that someone had a similar problem and it suddenly solved itself without intervention. Here the same. PFSense was running all the time and I tried again yesterday to create the account key which didn't work as described. The system wasn't changed all the time because I think the settings are correct. I have just tried it again and see there it is created. So (probably) done but strange I find it already.