ACME

• 

  ACMEv2 is live!
  • jimp

  17
  0
  Votes
  17
  Posts
  3523
  Views

  

  I updated acme.sh from upstream and pushed out package version 0.2.6. If you still have problems on 0.2.6, please start separate threads.
• 

  HEADS UP for ACME package users: Let's Encrypt disabling TLS-SNI-01 / TLS-SNI-02
  • jimp

  1
  0
  Votes
  1
  Posts
  1699
  Views

  No one has replied

• A

  Cert Renewal Failed using DNS-Godaddy
  • ahking19

  1
  0
  Votes
  1
  Posts
  26
  Views

  No one has replied

• P

  Bug when cron renew certificate
  • pulcov

  10
  0
  Votes
  10
  Posts
  137
  Views

  

  That's the only method I use, and all of them are working perfectly here.
• H

  DNS alias mode
  • hakkers

  10
  0
  Votes
  10
  Posts
  370
  Views

  U

  Ok, now I've got it. Thanks for your help!
• M

  Let's Encypt w Acme package working, but not ideal
  • mervincm

  10
  0
  Votes
  10
  Posts
  1135
  Views

  M

  Thank you Jim! I know the limitations still hold true but luckily they don't affect me!
• C

  HaProxy, ACME, and multiple domains/servers - revisited.
  • Craash

  3
  0
  Votes
  3
  Posts
  554
  Views

  M

  Would you mind to share your solution ?
• D

  ACME doesn't have Dreamhost option for DNS
  • davidwang

  6
  0
  Votes
  6
  Posts
  146
  Views

  D

  Thank you all. Very helpful. I'm going to try to install x64 version (I think in the past I tried and it failed).
• 

  Some advice regarding certificates
  • wgstarks

  21
  0
  Votes
  21
  Posts
  377
  Views

  

  Great. Thanks to everyone for your help.
• T

  ACME package installation destroyed my WebUI!!
  • tomleitner

  9
  0
  Votes
  9
  Posts
  193
  Views

  

  You are login with the user "admin" ?
• P

  Acme and Dyn
  • piperspace

  10
  0
  Votes
  10
  Posts
  1871
  Views

  B

  @piperspace, @taius ... Thank you both. Background: I was unfortunately not able to use the webserver/port 80 method, as I need to forward the port to an internal webserver, on which I can't/won't use the FTP method. Also, the Dyn.com built-in provider does not work with a Standard DNS account at Dyn.com, which meant using the nsupdate method was the only one left available to me. Without this helpful post, I would have given up in despair! Because I prefer to have my setup configurable through the webGUI, I decided to attack the dns_nsupdate.sh file to allow configuration through the existing webGUI fields. For this I have explicitly checked for "update.dyndns.com" as the target, and therefore used the "KEY" textarea to provide the necessary ZONE and KEY lines required. First, replace the dns_nsupdate.sh file with the one attached. Then configure your domains in the webGUI as usual, with the server specified as "update.dyndns.com", and the Key as: zone example.com key [Key Name] [Key HMAC] This way you can use multiple domains/keys/etc. all from the webGUI. The changes/additions I made to the file are as follows: _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\"" if [ "${THISNSUPDATE_SERVER}"="update.dyndns.com" ]; then THISNSUPDATE_DATA=`awk -F '"' 'BEGIN{RS=";"}NR>1{print $2}' "${THISNSUPDATE_KEY}"` nsupdate <<EOF ${THISNSUPDATE_DATA} server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update add ${fulldomain}. 60 in txt "${txtvalue}" send quit EOF else nsupdate -k "${THISNSUPDATE_KEY}" <<EOF server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update add ${fulldomain}. 60 in txt "${txtvalue}" send EOF fi and _info "removing ${fulldomain}. txt" if [ "${THISNSUPDATE_SERVER}"="update.dyndns.com" ]; then THISNSUPDATE_DATA=`awk -F '"' 'BEGIN{RS=";"}NR>1{print $2}' "${THISNSUPDATE_KEY}"` nsupdate <<EOF ${THISNSUPDATE_DATA} server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update delete ${fulldomain}. txt send quit EOF else nsupdate -k "${THISNSUPDATE_KEY}" <<EOF server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update delete ${fulldomain}. txt send EOF fi Other than the "cryptic" awk command to extract the text out of the generated key file - everything else is very self explanatory. Thanks again ... very helpful, and very timely info! Cheers. 0_1539932589907_dns_nsupdate.sh.txt
• D

  ACME package with EasyDNS.org
  • danb35

  4
  0
  Votes
  4
  Posts
  838
  Views

  E

  Me four! There are tonnes of providers supporting Lexicon rather than their own API these days. Can we make it happen?
• G

  [Feature Request] Add "Expires in" Column or replace "Last renewed" Column with "Expires in" Column
  • ghitea.andrei.paul

  2
  0
  Votes
  2
  Posts
  110
  Views

  

  That's already shown under System > Cert Manager where the certificates are held. The ACME package doesn't track renewal times. Though it's not terribly hard to calculate (last renew +90d). If you are worried about expiring certificates, add your e-mail address under the account key when making a new cert, then LE will e-mail you if anything gets close to expiring.
• T

  Is the WebGUI missing Acme DNS Alias Verification?
  • tazmo

  5
  0
  Votes
  5
  Posts
  291
  Views

  

  dns_cf is the DNS-Cloudflare selection in the ACME certificate settings. When you choose that, there is still a box for Enable DNS alias mode to do what you want.
• R

  ACME Setup Steps
  • rmonette

  15
  0
  Votes
  15
  Posts
  637
  Views

  R

  Im all set. I was able to create wild card certs (since Sept 27)
• 

  How to generate a wildcard certificate with ACME and AWS Route53?
  • ssbarnea

  6
  0
  Votes
  6
  Posts
  465
  Views

  
• 

  Private key only
  • umademelosemyusernamepfsense

  5
  1
  Votes
  5
  Posts
  180
  Views

  

  I have disabled IPv6 network-wide at the moment. It is advertised by my ISP on the edge interfaces though--anyway--I don't think it was that. I thought HAProxy was broken so I resorted to other means and I move back the domains to Cloudflare and on the same entry on ACME I changed each of the requests from Dynu to Cloudflare's credentials and API key and ti went through this time. I have to rinse and repeat now with the production CA, although I set the cert on HAProxy, tunneled in and it got me a green padlock right away. I think I might just stay put. :) Thanks!
• 

  ACME v2 servers are experimental and only the staging service is active at the moment....
  • Gertjan

  3
  0
  Votes
  3
  Posts
  192
  Views

  

  Ok, got it (0.3.2_3). Guess I gonna line up for 2.4.4 now
• I

  [Bug]ACME adds a blank for Duckdns TXT
  • iqjet

  8
  0
  Votes
  8
  Posts
  214
  Views

  I

  yes I found. Looks like this tag></tag>
• N

  Script Error in DNS-Namesilo method
  • nguoidien

  3
  0
  Votes
  3
  Posts
  212
  Views

  N

  Will do. Thanks
• 

  Feature Idea: scheduled rule for acme.sh certificate process
  • JeGr

  3
  0
  Votes
  3
  Posts
  211
  Views

  

  @jimp said in Feature Idea: scheduled rule for acme.sh certificate process: In an ideal world, everyone would use DNS validation instead, but... I'm completely with you in that. Doing that myself even on my home setup (moved the domain to cloudflare for that - very successfully). So much easier with the added perk of providing your own "dynamic" DNS adresses with your own domain, eliminating one more external dependency. But the SFTP one is something I have to ponder over, could work for quite a few users that fall under the initial description. Thanks for the reminder
• K

  Create ACME cert for an existing website SSL?
  • killmasta93

  6
  0
  Votes
  6
  Posts
  316
  Views

  

  If you want to offload SSL to HAProxy on pfSense and let ACME handle the validation, you can. You do not need to import anything from your other servers, let the ACME package create and request the certificates for you. Even though they already exist, as long as the validation passes it will be OK. From the look of that last error you do not have the proper settings for DNS validation. You could instead follow the example at https://forum.netgate.com/topic/90643/let-s-encypt-support/31 and configure it so HAProxy can assist in handling the validation instead of using DNS.
• S

  How to automate pulling certs to DMZ?
  • sgw

  3
  0
  Votes
  3
  Posts
  194
  Views

  S

  ok. Installed cert-bot on the mailserver and set up that ACME-challenge-dir etc // seems to work now. Thanks so far!
• Y

  unable to load EC Private Key
  • yon 0

  3
  0
  Votes
  3
  Posts
  196
  Views

  

  The GUI does not have support for EC keys at this time.
• M

  Generated certificates do not include full certificate chain
  • mvalen

  10
  0
  Votes
  10
  Posts
  450
  Views

  M

  Ok worked fine with HAProxy. I would suggest you to drop the Squid packages since many features are deprecated or not working properly :) Thank you for all your amazing stuff.
• K

  ACME issue?
  • killmasta93

  5
  0
  Votes
  5
  Posts
  299
  Views

  K

  Thanks for the reply, gotcha i thought it was a bug on pfSense will update it the package edit: solved thank you @jimp
• B

  Account key registration throwing curl error 52
  • benjamin_riggs

  13
  0
  Votes
  13
  Posts
  509
  Views

  B

  Well I don't know WTF changed, but this problem has automagically resolved itself after a reboot. My guess is some stale routing state somewhere. The GUI changes in latest ACME package work well, though!
• B

  Certificate Manager only exports insecure P12 Server certificates
  • bigtfromaz

  4
  0
  Votes
  4
  Posts
  309
  Views

  B

  @napsterbater Thanks for the response. I found that post before posing my question here. The issue is that this solution required the installation of a different certificate manager. What follows is not a complaint but an observation. It is now clear to me that the pfSense Certificate Manager is designed to import and export certificates needed by the router. It's a great router. We really shouldn't need it to be a CA as well. So I installed OpenSSL and used it to recreated all my certs, replacing the old ones as needed. We no longer generate certificates in the pfSense Certificate Manager.
• B

  [BUG] Account registration failing silently in GUI
  • benjamin_riggs

  2
  0
  Votes
  2
  Posts
  203
  Views

  

  I opened https://redmine.pfsense.org/issues/8682 to add a proper check on the AJAX response for this, and just pushed the change in the latest version of the ACME package. An update should show up shortly. It won't solve your other issue (which I can't reproduce) but it will at least hopefully indicate success or failure properly. It did in my testing, but I couldn't induce a server side failure to test a real-world failure, only a locally faked one.
• C

  ACME Wildcard - Export Key Pair - Programmaticly?
  • Cheaha

  2
  0
  Votes
  2
  Posts
  227
  Views

  

  In the ACME general settings, check Write Certificates, and then have your script check in /conf/acme/ and copy them wherever you want. The script doesn't need to hook on an update, it could check the file modification time or use some other method. Calling it from cron once a day some time after the ACME update would be sufficient.
• S

  ACME TXT entry and Plesk XML API?
  • stilez

  2
  0
  Votes
  2
  Posts
  240
  Views

  

  That would be a matter of configuring plesk to accept updates via the nsupdate method. Using their API is going to be completely different unless it implements that somehow. nsupdate is an implementation of a specific protocol, RFC2136. This is a guide on what is required to get a bind server configured to accept updates: https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html An alternate strategy might be to set up a bind server like in that link that serves as the master of a dynamic zone with the plesk as the slave but that would preclude managing the zone in plesk which is likely undesirable. The heavy lifting for this probably needs to be done on the plesk. Instead of accepting updates via their proprietary API they should have a standard method such as RFC2136.
• G

  SFTP/FTPS error connecting for challenge aquisition
  acme sftp ftps • • greenmr

  5
  0
  Votes
  5
  Posts
  279
  Views

  G

  @gertjan - Thanks so much! Your suggestion led me to a realization. I dropped to the pfSense shell and SSH'd into my Serv-U instance. First thing I noticed (I suspected this would be the case) was that the SSH crypto key wasn't recognized in the host list, and I didn't know if the ACME package forced acceptance the first time it connected so I added the key to the list manually from the shell and then realized something else... I had originally assumed that the FTP Webroot connection was coming from Let's Encrypt issuing servers, but I remembered reading somewhere in their forums that they don't use FTP at all for challenges, rather this is a function of the pfSense ACME package. I had been using one of my DDNS hostnames for the SFTP setup in the ACME package and I realized that this meant that if the FTP connection was coming from the pfSense box then the DDNS URI would be trying to use reflection to resolve the IP address, which probably wouldn't work. Now that I understood the FTP connection was coming from pfSense and not Let's Encrypt I should change the URI to use the actual LAN IP of the Serv-U host. I did this and the FTP Webroot challenge worked like a charm.
• R

  ACME / Let's Encrypt - "Verify error:Fetching: Timeout"
  • riahc3

  8
  0
  Votes
  8
  Posts
  1479
  Views

  L

  I'm posting this response simply to add to the information here on the configuration of the acme plugin to successfully create/renew a Let'sEncrypt certificate. I had quite a struggle to get it to work and also got a timeout error message. It seems essential that port 80 is open for the pfSense web interface. Under "System / Advanced / Admin Access" the WebGUI redirect" tickbox must not be ticked, to allow port 80 to be redirected to port 443. If this is ticked, port 80 does not respond and the certbot script to fails. Under "Services / Acme / Certificate options: Edit" it's easy to miss the small little "+" for RootFolder under Domain SAN list. Here's the spot! Ensure that the directory is specified. Lastly, I have created a firewall rule that allows port 80 access to "this firewall" in the WAN rules. I did this before I discovered point 1 above, so it may not be required, but I'm not going to delete my cert now to test it again :-) Hope that helps future finders of this thread.
• Y

  ACME USE DNS-NSupdate / RFC 2136 Add txt record error.
  • yon 0

  3
  0
  Votes
  3
  Posts
  501
  Views

  Y

  i still can't fix it. i am using simple dns plus dns server. and why i can't input add EC PRIVATE KEY in custom key? -----BEGIN EC PRIVATE KEY----- MHQCAQEEIIJtk7xEZdevLY597iBUD59GQra/Uh/hzoQg9DCIAUy9oAcGBSuBBAAK oUQDQgAE6atp4nEZ1LapCAHdwY6REzljZHUZI0HYH16lCOOGQ+uh +z1ZmWWXuqSEEThQvpZjESy66GcGWQ== -----END EC PRIVATE KEY----- i try change to -----BEGIN PRIVATE KEY----- get log: getCertificatePSK updating custom key /usr/local/pkg/acme/acme.sh --renew -d 'xi.net' -d '*.xi.net' --home '/tmp/acme/xi.net/' --accountconf '/tmp/acme/xi.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xi.net/reloadcmd.sh' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --ocsp-must-staple --log-level 3 --log '/tmp/acme/xi.net/acme_issuecert.log' Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ ) [Sun Jun 24 02:27:14 CST 2018] Renew: 'xi.net' [Sun Jun 24 02:27:18 CST 2018] Multi domain='DNS:xi .net,DNS:*.xi.net' unable to load Private Key 34380776392:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:1200: 34380776392:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:374:Type=X509_ALGOR 34380776392:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/tasn_dec.c:700:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO 34380776392:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:/builder/ce-243/tmp/FreeBSD-src/crypto/openssl/crypto/pem/pem_pkey.c:142: [Sun Jun 24 02:27:18 CST 2018] Create CSR error. [Sun Jun 24 02:27:18 CST 2018] Please check log file for more details: /tmp/acme/xiaoyu.net/acme_issuecert.log [Sun Jun 24 02:27:18 CST 2018] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
• S

  ACME: generating and managing LE-certs for internal web-services
  • sgw

  16
  0
  Votes
  16
  Posts
  944
  Views

  

  @sgw if you've got problem importing certs or CAs into things like switches etc. make sure which format they need. Some won't like normal PEM style format and want sth like PKCS8 or PKCS12 format. Others want key+cert in the same file. :)
• S

  ACME Package generating EC KEY parameters along with key.
  • semalb

  1
  0
  Votes
  1
  Posts
  241
  Views

  No one has replied

• K

  Letsencrypt cert did not renew after 60 days
  • kiekar

  3
  0
  Votes
  3
  Posts
  496
  Views

  K

  Thanks for the reply well-known/acme-challenge/my_token at  http://www.mydomain.com/ did not give back the token. do you mean a token should be returned after the colon in the following example errordetail='Invalid response from http://www.mydomain.com/.well-known/acme-challenge/F-diHXNvud92akJo7Va8450ZS-6MHt23A9n2KjEBBsFc: ' web root file not present No file existed at /tmp/haproxy_chroot/.well-known/acme-challenge Is this an authorization issue error='"error":{"type":"urn:acme:error:unauthorized"
• E

  ACME and non-standard webgui port
  • eshield

  3
  0
  Votes
  3
  Posts
  424
  Views

  

  You will have to use a DNS-based validation method. ACME requires port 80. TLS validation on port 443 is also no longer supported.
• A

  Automatic LetsEncrypt for proxy with ACME plugin
  • adamoutler

  2
  0
  Votes
  2
  Posts
  578
  Views

  

  Why on Earth would you do it that way vs just handling ACME on the server? If the certificate has nothing to do with pfSense, and the proxy or web server is capable of handling the request, just handle it there with a local ACME client (certbot, acme.sh, dehydrated, etc) Exposing the firewall web server, adding users to scp keys around… Lots of things here are using insecure practices, or at least less-than-ideal ones.
• N

  No luck with ACME + Amazon Route53
  • nrasmus

  2
  0
  Votes
  2
  Posts
  420
  Views

  N

  After further diagnosis, this appears to be an upstream routing or firewall issue.  pfsense cannot ping route53.amazonaws.com and traceroute gets hung up 1 hop away with our ISP–working with them on that.