@johnpoz

That did not make any difference.

After putting a CAA record in place and removing DNSSEC it starting working.

@robert-de-wit DOH!!! I was looking in ddns services ;) hehehe

I don't use who ever that is, so there is no way for me to test that. Working fine here with clouldflare.

Issue resolved ,
I did add domains manually that ACME try to resolve :
Services > DNS Resolvers> General Settings> Host Overrides
5be85b50-3522-407f-94b3-06afafc4018f-image.png

And finally, in case someone else is waiting for this to land, you can patch this issue yourself by doing the following:

Install the System Patches Package. Create a new custom patch and enter the following as settings: Description: Fix ACME Netlify API Patch Contents: diff --git a/usr/local/pkg/acme/dnsapi/dns_netlify.sh b/usr/local/pkg/acme/dnsapi/dns_netlify.sh index 2ce13e2..65e803c 100644 --- a/usr/local/pkg/acme/dnsapi/dns_netlify.sh +++ b/usr/local/pkg/acme/dnsapi/dns_netlify.sh @@ -114,7 +114,7 @@ _get_root() { fi if _contains "$response" "\"name\":\"$h\"" >/dev/null; then - _domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h" | cut -d , -f 1 | tr -d \") + _domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h\"" | cut -d , -f 1 | tr -d \") if [ "$_domain_id" ]; then if [ "$i" = 1 ]; then #create the record at the domain apex (@) if only the domain name was provided as --domain-alias Path Strip Count: 1 Base Directory: / Ignore Whitespace: Checked Auto Apply: Checked Save then click debug to make sure the patch is able to apply successfully. Click apply and you're good to go.

@mrjoli021 said in ACME cert with rackspace:

tmp/acme/wc_some_domain.com/acme_issuecert.log

What do you see in the file when it fails?

@jimp Excellent, thank you!

The staging server is for testing and is not publicly trusted. You need to edit the account key and set it to use the production server instead, then renew the certificate.

@johnpoz Yes I did. But the older ISRG Root X1 that has DST Root CA X3 as its root keeps coming back.

It turned out that, after digging deeply into the issue, my domain registrar does not support DNS_NSupdate RFC2136. So, I switched name server to Cloudflare and after a few stumble, got my certificate...wipe off sweat for lots of reading, swearing, and more reading.

[Fri Feb 18 13:04:37 CST 2022] Your cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.cer
[Fri Feb 18 13:04:37 CST 2022] Your cert key is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.key
[Fri Feb 18 13:04:37 CST 2022] The intermediate CA cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/ca.cer
[Fri Feb 18 13:04:37 CST 2022] And the full chain certs is there: /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/fullchain.cer
[Fri Feb 18 13:04:37 CST 2022] Run reload cmd: /tmp/acme/nollivoipserver_cert/reloadcmd.sh

@gertjan said in Renew Certificate Downstream:

I never used something like HAproxy ; but, from what I make of it, if HAproxy is doing the TLS (https) front end, unpacking the TLS an sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX.

@johnpoz said in Renew Certificate Downstream:

This is correct, if you do the ssl offload on haproxy - you don't need any sort of ssl on the backend your sending the traffic too if your sending it has just normal http traffic.

Thank you all for the good sound of music...that's what I thought and is much better than leaving port 80 opens for Lets Encrypt on FreePBX to renew the certificate. This is just a cleaner method and basically creates a secure tunnel to the PBX.

@gertjan Well thats the thing... I used to do it that way but what I'm trying to do is to automate the new cert propagation on the network to avoid having to go manually everywhere every 90 days when acme update the certs with letsencrypt...

@gertjan thanks for the info. Needed that on another system right now.

@johnpoz I finally graduated from the University of Slow Learners after three years of repeating webGUI certificate class...wipe of sweat.

Screen Shot 2022-02-12 at 8.55.53 PM.png

Screen Shot 2022-02-12 at 8.58.37 PM.png

@gertjan Here is my thread on Let's Encrypt forum. Someone mentioned the curl POST was failing.
I have the full log posted there.

Nevermind! I had the IP address entered wrong in my RP config! It worked now!

@johnpoz OMG, I just understood what you mean 😳
Sorry, it just took me few days ...

I didn't knew we could do that, it's amazing !

Well, I will keep my first solution on that project as the person I'm working with also need to use domain from his clients which want keep managing their own zone.

But dame, I keep that for later !
Thanks a lot !

@gertjan
I was able to get it working thanks in part for your suggestion of checking the option “Enable DNS domain alias mode”.

The other part of the problem was that I typed the wrong CNAME information in my DNS provider.

I had:

_acme-challenge.cloud.MYDOMAIN.com --> MYDDNS.duckdns.org

The acme challenge Alias needs this CNAME to be

_acme-challenge.cloud.MYDOMAIN.com --> _acme-challenge.MYDDNS.duckdns.org

CNAME-corrected.jpg

After making these corrections ACME was able to issue a certificate for my domain as expected.

Thank you so much for the help.

@gertjan

Correct

So checking Firewall -> pfBlockerNG -> Alerts:
Reports: Alerts:

DNSBL Block

acme-v02.api.letsencrypt.org [ TLD ] DNSBL-HTTPS Abuse_urlhaus DNSBL_Phishing

This Feed/group is the culprit.

I'm having this error now renewing certs using ACME on GoDaddy via API keys. Anyone else having this issue?

[Thu Dec 16 15:33:20 PST 2021] Adding txt value: [REDACTED] for domain: _acme-challenge.[REDACTED] [Thu Dec 16 15:33:21 PST 2021] invalid domain [Thu Dec 16 15:33:21 PST 2021] Error add txt for domain:_acme-challenge.[REDACTED] [Thu Dec 16 15:33:21 PST 2021] Please check log file for more details: /tmp/acme/ACME-[REDACTED]-COM-CERTS-Test/acme_issuecert.log

Useful feature as Android clients no longer connect to unbound's DNS over TLS with the Letsencrypt default settings in pfSense. They will only work with Buypass certs or Letsencrypt certs with --preferred-chain 'ISRG Root X1'

@viktor_g I've added a comment to the feature request showing my interest in this. Any idea on getting this added. It really is a game changer for admins responsible for managing certs.

@gertjan
my bad! i never has see thats option!
Thanks!

@victorlclopes thank you so much for your reply. I ended up using the same solution you are suggesting on your post.

I wish i found your post back then because you explained everything in a very simple and systematic manner. Kudos to you.

I tried the HA Proxy solution but i couldn’t make it work for the life of me. I even followed the videos from Lawrence on youtube without success. That’s when i found about the “scp” and have been using it since.

In addition to what you suggested, I wanted to automate the process of downloading the certificate from the pfsense firewall and installing it in the local server because i knew that at some point i was going to forget to manually check if there was a new certificate.

So, i created a scrip that runs as a cron job on the local server once a day. The scripts checks if there is a new certificate available in the pfsence firewall and only attempts to download such certificate if there is a new one.

Then, it sends me an email letting me know that a new certificate was installed. It doesn’t send me any emails unless a new certificate is found and installed.

I wanted to share this solution before but i was waiting to see if the script worked before posting it here. You just beat me by a couple of days because my certificate was successfully updated this morning. Although the email portion failed for some reason, i need to hunt down that bug.

If anybody is interested, my script is as follows, i figured this could be my contribution to the community. Just make sure to adjust the variables to match your enviroment:

#!/bin/bash #script to download the SSL certficicates #from pfsense for the indicated domain # #by lrossi 07-18-2021 ################################################################## # modify the variables for host, cert, key # localcert, localkey and TMP_output # to meet your needs # change host to match the name of the ssh # connection to the pfsense firewall # as defined in the file ~/.ssh/config host='pfsense' # location of the ssl certificate and # keyfile in pfsense firewall cert='/cf/conf/acme/URLOFVERTIFICATE.com.crt' key='/cf/conf/acme/URLOFVERTIFICATE.com.key' # location of the ssl certificate and # key file in local server localcert='/etc/apache2/ssl/URLOFVERTIFICATE.com.crt' localkey='/etc/apache2/ssl/URLOFVERTIFICATE.com.key' #name and location of the log file in the local server TMP_OUTPUT="/var/log/pfsense-certificates.log" #information for email notifications EMAIL_SUBJECT_PREFIX="SSL Certificate -" TO_EMAIL_ADDRESS="EMAIL-OF-ADMIN@@DOMAIN.com" FROM_EMAIL_ADDRESS="EMAIL-OF-LOCAL-SERVER@DOMAIN.com" FROM_NAME="HOSTNAME OF LOCAL SERVER" # end of variables # start of script # DO NOT MODIFY BELOW THIS LINE unless you understand the code ##################################################################### #create a log file if one is not found. if [ ! -f $TMP_OUTPUT ]; then touch $TMP_OUTPUT fi echo '===============================' >$TMP_OUTPUT echo '===============================' >>$TMP_OUTPUT echo 'Verification of SSL Certificate' >>$TMP_OUTPUT echo 'from PFSense' >>$TMP_OUTPUT echo $(date) >>$TMP_OUTPUT echo '===============================' >>$TMP_OUTPUT echo '' >>$TMP_OUTPUT #download the online certificate and key only if certificate is newer if cmp -s $localcert <(ssh $host "cat $cert") then echo 'the online certificate' >>$TMP_OUTPUT echo 'has not been updated.' >>$TMP_OUTPUT echo 'nothing to do' >>$TMP_OUTPUT echo '' >>$TMP_OUTPUT echo '===============================' >>$TMP_OUTPUT echo '===============================' >>$TMP_OUTPUT else echo 'There is a new certificate' >>$TMP_OUTPUT echo '' >>$TMP_OUTPUT echo 'Downloading new certificate' >>$TMP_OUTPUT scp $host:$cert $localcert >>$TMP_OUTPUT wait echo '' >>$TMP_OUTPUT echo 'Downloading new Key' >>$TMP_OUTPUT scp $host:$key $localkey >>$TMP_OUTPUT wait echo '' >>$TMP_OUTPUT echo 'Restarting the apache webserver' >>$TMP_OUTPUT systemctl restart apache2 >>$TMP_OUTPUT wait echo'' >>$TMP_OUTPUT echo 'New certificate has been installed' >>$TMP_OUTPUT echo '' >>$TMP_OUTPUT echo '=================================' >>$TMP_OUTPUT echo '=================================' >>$TMP_OUTPUT cat "$TMP_OUTPUT" | /usr/bin/mail -s "$EMAIL_SUBJECT_PREFIX Updated and installed" -a "FROM: $FROM_NAME <$FROM_EMAIL_ADDRESS>" $TO_EMAIL_ADDRESS wait fi exit 0;