ACME

• 

  ACMEv2 is live!
  • jimp  

  17
  0
  Votes
  17
  Posts
  4174
  Views

  

  I updated acme.sh from upstream and pushed out package version 0.2.6. If you still have problems on 0.2.6, please start separate threads.
• 

  HEADS UP for ACME package users: Let's Encrypt disabling TLS-SNI-01 / TLS-SNI-02
  • jimp  

  1
  1
  Votes
  1
  Posts
  2033
  Views

  No one has replied

• P

  Wildcard Generation Error `Error rm webroot api for domain:dns_aws` Despite Success?
  • postables  

  5
  0
  Votes
  5
  Posts
  99
  Views

  L

  Similary happens to me time ago with duckdns and wildcar certificate, i really no worry any more about it... i receive the certificate so all is well.. i will check on the next and last renew...
• B

  fw1 and fw2 let's encrypt certificates not syncing
  haproxy certificate acme high availabili • • benson  

  2
  0
  Votes
  2
  Posts
  29
  Views

  

  Do it even easier: Run acme package on FW1 (I assume it's a CARP cluster with syncing?) and let it create a certificate for both names (fw1.xxx AND fw2.xxx). When it's done, select the cert for the webui. Then login to FW2 and select it, too, as certificates get synchronized automatically (if selected) to the secondary. There choose the same certificate as WebUI cert and be done :) Just check that you configure the acme service on fw1 to restart its own webserver after renewal AND via remote the service on fw2 (see the help for this)! Greets
• D

  New Install unable to load Private Key
  • Demigawd  

  4
  0
  Votes
  4
  Posts
  103
  Views

  D

  I tried deleting all the settings in account keys and certificates and starting over but ended up with the same error. In the end I just reformatted the system and started from scratch. Everything is working great now. I just wish I knew what went wrong the first time.
• M

  GUI cert limit
  • maverick_slo  

  16
  0
  Votes
  16
  Posts
  211
  Views

  

  If you update to the latest version of the ACME package, the patch is included. You will no longer need that max_input_vars workaround.
• M

  .io domain not recognised by Acme Package
  • mehstg  

  5
  0
  Votes
  5
  Posts
  113
  Views

  M

  Hi guys Apologies, it appears to have been a transient error. Put all of the information in the same fields later in the day and it generated the certificates fine.
• W

  Available DNS providers in ACME package
  • wickeren  

  4
  0
  Votes
  4
  Posts
  161
  Views

  

  As the others mentioned, you'll need to ask acme.sh to add it. I periodically update the version of acme.sh bundled in the ACME package for pfSense and update the GUI to add the new DNS providers. They add a lot of them, usually a few per month. It will take someone with shell scripting knowledge and access to their API to make it happen, however. I believe most of their DNS API scripts are submitted by users in the acme.sh community and not by the acme.sh author himself.
• G

  ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script
  • gstos  

  9
  0
  Votes
  9
  Posts
  328
  Views

  F
• M

  Certificate long time to issue
  • maverick_slo  

  21
  0
  Votes
  21
  Posts
  379
  Views

  M

  Well we all have our own opinions. For me it is simpler: I don`t need special settings I don`t need any scripts I can do it out of the box Didn`t fail once (except long times because of acme.sh bug) If netgate can include that script and integrate it, that would be cool :)
• S

  ACME Pre-Actions
  • spyingwind  

  4
  0
  Votes
  4
  Posts
  90
  Views

  

  HAProxy wouldn't have anything to do with DNS-Manual. Maybe you mean standalone mode? Nothing else would conflict with HAProxy. If you want to use ACME and HAProxy there are much better ways to integrate them, like https://forum.netgate.com/post/677786 -- that uses webroot instead of standalone and requires no special actions once it's setup.
• L

  Error validating wildcar *.domain using duckdns.org
  • luisenrique  

  5
  0
  Votes
  5
  Posts
  156
  Views

  L

  @gertjan Yes, I know the requirement to demand a wild car certificate domaine.tld .domaine.tld, but I am detecting many errors, on the other hand, I am not planning using my base domain at this time to publish and protect some services using my base domain name. I read about the alias mode, added to my dns _acme-challenge IN CNAME _acme-challenge.b1c54cu.duckdns.org. bicsa.co.cu _acme-challenge IN CNAME _acme-challenge.b1c54c0cu.duckdns.org. ibicsa.co.cu _acme-challenge IN CNAME _acme-challenge.ib1c54c0cu.duckdns.org. these domains under duckdns.org exist ... but I am detecting these errors, when I request a wildcard certificate for domaine.tld, * .domaine.tld / *. domaine.tld, so if a certificate for * .domaine.tld covers My hosts under * .domaine.tld alone (no base domain) they are fine, it works for me, but in this case I get the certificate for * .domaine.tld fine! hurra! but in the end I see the error: @gertjan Yes, I know the requirement to demand a wild car certificate domaine.tld .domaine.tld, but I am detecting many errors, on the other hand, I am not planning using my base domain at this time to publish and protect some services using my base domain name. I read about the alias mode, added to my dns _acme-challenge IN CNAME _acme-challenge.b1c54cu.duckdns.org. bicsa.co.cu _acme-challenge IN CNAME _acme-challenge.b1c54c0cu.duckdns.org. ibicsa.co.cu _acme-challenge IN CNAME _acme-challenge.ib1c54c0cu.duckdns.org. these domains under duckdns.org exist ... but I am detecting these errors, when I request a wildcard certificate for domaine.tld, * .domaine.tld / *. domaine.tld, so if a certificate for * .domaine.tld covers My hosts under * .domaine.tld alone (no base domain) they are fine, it works for me, but in this case I get the certificate for * .domaine.tld fine! hurra! but in the end I see the error: [Thu, 7 February 10:58:35 CST 2019] Failed to extract the domain. [Thu, 7 February 10:58:35 CST 2019] Error rm webroot api for the domain: dns_duckdns related in the other post https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns You tell me that the error is an error or error in aceme.sh? the error described for you, I see that error before in some test "netnsupdate.key is illegible" related in the other post https: //forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns. You tell me that the error is an error or error in aceme.sh? si u or some developer most repair the problem. I've seen the error described for you, many times read read change, compare etc but nothing, by now get a *.mydomain.net without base domain is my solution. What I can do? thanks
• L

  Error rm webroot api for domain:dns_duckdns
  • luisenrique  

  1
  0
  Votes
  1
  Posts
  83
  Views

  No one has replied

• L

  /usr/local/pkg/acme/acme_command.sh importcert
  • luisenrique  

  4
  0
  Votes
  4
  Posts
  144
  Views

  

  @luisenrique said in /usr/local/pkg/acme/acme_command.sh importcert: thus removing headaches using third-party scripts The acme package could be considered as a third party script Ok, true, it has been developed by someone who happens to know pfSense pretty well. The thing is : the acme package is build own the existent acme freebsd package, and a boatload of GUI and other glue ware. If @jimp decides to remodel the package, your 'solution' will be broken. I advise you to use parts of the present (acme) code to make your own "insert cert" script. Btw : check out the code (acme.inc) : the cert should exists already : ($cert['descr'] == $certificatename) thus the cert description / name should already exists, and then it's updated.
• V

  Strange things happening in ACME standalone server validation
  • VincentEmmanuel  

  3
  0
  Votes
  3
  Posts
  111
  Views

  V

  @netgate-james said in Strange things happening in ACME standalone server validation: /tmp/acme/ACME-HUPER-STAGE/acme_issuecert.log [Sat Feb 2 23:26:34 +08 2019] response='{"type":"urn:ietf:params:acme:error:malformed","detail":"Unable to update challenge :: authorization must be pending","status": 400}' [Sat Feb 2 23:26:34 +08 2019] code='400'
• 

  Last time updated?
  • chudak  

  34
  0
  Votes
  34
  Posts
  640
  Views

  

  @chudak said in Last time updated?: Everything worked perfectly, CA renewed. So you're good ! The acme package is not related to the firewall (rules) what so ever. That's up to you.
• 

  ACME 0.5 update (TLS-ALPN, BuyPass, and more)
  • jimp  

  12
  1
  Votes
  12
  Posts
  593
  Views

  B

  great work as always :)
• A

  Certificate with multiple SAN from two different DNS accounts result in failure
  • apundir  

  8
  0
  Votes
  8
  Posts
  183
  Views

  

  @apundir said in Certificate with multiple SAN from two different DNS accounts result in failure: Can I contribute to nsupdate script as patch? I do understand we'll have to store different key/secret under different keys and use them contextually in every DNS operation. I did look into Submitting a Pull Request via Github page and did browse pfSense/FreeBSD-ports on github but couldn't find acme there. Looks like I am looking into wrong place. Can you please point me in right direction so that I am able to contribute back in case I am able to fix it? Not sure I follow what you are saying about nsupdate. The changes to nsupdate work fine, but they are specific to how the pfSense ACME package calls nsupdate and thus aren't a good candidate to submit upstream back into acme.sh. If you are talking about changing the GoDaddy script in a similar way, then you can submit a PR to us for that. The files are under https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-acme and the GoDaddy script specifically is at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_gd.sh
• C

  ACME problem with IDN Domains
  • cannyit  

  1
  0
  Votes
  1
  Posts
  84
  Views

  No one has replied

• 

  Feature Idea: scheduled rule for acme.sh certificate process
  • JeGr  

  4
  0
  Votes
  4
  Posts
  359
  Views

  

  @jimp said in Feature Idea: scheduled rule for acme.sh certificate process: I'm sure there is a way but it hasn't been something directly on my todo list for ACME yet. If you already have port 80 forwarded somehwere, the easiest thing to do is let ACME glom onto that and use sftp to push the ACME challenge/response files on that web server. HAProxy may also help here. If you must do standalone mode, one tactic you can do is to bind standalone mode to a weird port on localhost that nothing else will use. Then setup a NAT rule on WAN without an automatic firewall rule to forward WAN:80 to localhost:yourport. Then setup a schedule to activate a firewall rule for the 15 minute block around when the check will happen. In an ideal world, everyone would use DNS validation instead, but... It would be really helpful to consider a feature when Acme is listening to an odd port and NAT/WF Rule is enabled/disabled only when Acme needs this check (for standalone). Could be a check box on general tab something like "auto enable NAT on port: xxx"
• 

  ACME 0.5.2 update
  • jimp  

  1
  4
  Votes
  1
  Posts
  138
  Views

  No one has replied

• 

  Problems with webroorFTP method
  • chudak  

  17
  0
  Votes
  17
  Posts
  451
  Views

  

  I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked ! As @jimp suggested here https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3
• L

  ACME and Bind dns Server on pfsense in the same server
  • luisenrique  

  12
  0
  Votes
  12
  Posts
  529
  Views

  

  @luisenrique said in ACME and Bind dns Server on pfsense in the same server: after trying several times I notice that the txt record of each attempt is not eliminated Your TXT records confirm what you saw. The logs say the very same thing : @luisenrique said in ACME and Bind dns Server on pfsense in the same server: [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate rm (or "remove") means "delete file". The Letencrypt "test server" can't find (==resolve) the record " _acme-challenge.enlinea.bicsa.cu" which means the DNS name server (s !! - there should be least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea". This can happens when synchronisation is functioning well.The TXT subdomain was set on the master DNS server, but wasn't synced in 120 seconds with the slave dns server). Check : Your name servers : dig bicsa.cu any +short .... ns2.bicsa.cu. ns1.bicsa.cu. .... root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short "s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs" "DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4" "F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo" root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short .... nothing = no good; Btw : you have serious DNSSEC troubles ..... DNSSEC should be perfect .... or your site will not be found on the net. Use http://dnsviz.net/ to check .(you"re good for some nights without sleep). It is feasible thought : http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains). If the LE test server used the NS1 (your) name server (not synced) it will error out (it says : NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu). Like : see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good. Btw : @luisenrique said in ACME and Bind dns Server on pfsense in the same server: dig _acme-challenge.enlinea.bicsa.cu txt When I run dig _acme-challenge.enlinea.bicsa.cu TXT +short from a server server I own (some where in France) I see .... nothing - no result. What I see is what the LE test servers see : nothing (answer also known as 'NXDOMAIN'). Check your DNS setup.
• 

  ACME method for ddns.net or freemyip.com
  • chudak  

  7
  0
  Votes
  7
  Posts
  321
  Views

  

  @chudak said in ACME method for ddns.net or freemyip.com: Am I understanding correctly that I would need to enable sftp or ftps on my pfsense router in order to use this ? Well ... I never used the webroot method but pfSense has all on board to handle the file transfer. I guess it will ask your for credentials needed, so it can login on the the remote (on a pfSense LAN or OPTx interface) (web) server so it can place the files in the web server root.
• U

  HAPROXY + ACME (Standalone)
  • uwscia  

  2
  0
  Votes
  2
  Posts
  131
  Views

  

  @uwscia said in HAPROXY + ACME (Standalone): Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better? As you said, the latter is : @uwscia said in HAPROXY + ACME (Standalone): cumbersome and not advised : see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone @uwscia said in HAPROXY + ACME (Standalone): DNS-NSUpdate / RFC 2136 IMHO : the best ! I real set-it-and-forget-it method. As you mentioned : it needs to be supported by "the other side", or to be more precise : the place where your domain name is registered, probably your registrar or, even better : on some (master) DNS server that serves the zone of your domain that you administer yourself - see here for an RFC 2136 example. Most 'big' registrar support some procedure that is implemented by the acme package. Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your regisrar offers you. If not, no panic : read https://github.com/Neilpang/acme.sh/tree/master/dnsapi - scroll down to see what is possible. If none : start thinking about moving your domain name - and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
• S

  Please Help, Can't get ACME to work at all.
  • Skehardscooby  

  5
  0
  Votes
  5
  Posts
  213
  Views

  

  After dealing with ACME for quite some time now, I've come to accept that it can be... quirky :-)
• P

  ACME 0.5.1 and dyn using dns_nsupdate.sh
  • presence  

  2
  0
  Votes
  2
  Posts
  125
  Views

  

  There isn't a way to pass the zone info into the script yet. I haven't hooked that up in the GUI.
• 

  Namecheap API Access is working!
  • jimp  

  3
  2
  Votes
  3
  Posts
  298
  Views

  

  @occamsrazor said in Namecheap API Access is working!: That's nice, thanks.... I'd like to give it a try when I have a chance. A couple questions.... From here: https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#namecheap-api Warning The Namecheap DNS API requires that the client read all records and then write them all back when making any change. This is potentially dangerous. Take a backup of all DNS records on the domain before attempting to use the API. It reads all DNS records held in your Namecheap account, or just for that domain you are trying to set up... i.e. is the risk of a bad writeback just to that domain or all? How risky is it do you think? It reads all your domains but only reads/writes DNS records for the domain being acted upon. It should be safe, but given the weird atomic/destructive nature of their requirements, it's always possible something could go wrong. It should only be isolated to a single domain, however. Once the API is enabled, then perform the following steps: ...... Click Edit and add whitelisted IP addresses that can contact the API using this API key. Is whitelisting your IP mandatory? I guess it makes sense from security viewpoint, but if you are running on dynamic IP (hence the reason using namecheap as a dynamic dns) that wouldn't work would it? The Namecheap site implies it is required but I have not yet tested it without adding a whitelist entry. It is possible that the API may work without it, but it needs confirmation.
• R

  DNS / namesilo validation method not working
  • regexaurus  

  3
  0
  Votes
  3
  Posts
  181
  Views

  R

  @gertjan said in DNS / namesilo validation method not working: First of all : you saw what Google said about the subject ? Yes, I saw that after starting this topic. I noticed the unbalanced parens errors in my case too, but that didn't seem to be the main trouble, or prevent the request process from running. @gertjan said in DNS / namesilo validation method not working: Your image is out of time sync : after 12:48:43 it goes back in time : 12:48:36 ... ? Good catch. The pfSense install in question is a Hyper-V VM. I've experienced clock issues with virtual machines in the past but never on Hyper-V to my recollection. Not sure if that's the case here. Some services really don't like when time goes backward. @gertjan said in DNS / namesilo validation method not working: I saw you use the 120 seconds delay : a typical delay so the master zone can signal the modification to it's DNS slaves. It's the default delay in the ACME package. After your reply, I tried 300 seconds, then 960 seconds. After changing to 960 seconds, I attempted twice to acquire a certificate. The second attempt succeeded. The process didn't take anywhere near 16 minutes, or even 5 for that matter. So the validation delay setting didn't work as expected. Maybe it's a clock/timing problem. If the VM frequently adjusts its time backward to compensate for drift, that might very well precipitate trouble for timing/delays... @gertjan said in DNS / namesilo validation method not working: edit : you are using acme pfSEnse package version 0.3.2_4 right ? Yup
• 

  ACME 0.4 Update
  • jimp  

  1
  4
  Votes
  1
  Posts
  185
  Views

  No one has replied

• T

  Not working with Linode API v4
  • threatsense  

  2
  0
  Votes
  2
  Posts
  127
  Views

  

  I had not synced up the code with acme.sh upstream in a while. I just pulled in a bunch of new things and pushed pkg version 0.4 to 2.4.5 snapshots. If it tests out OK there I'll make it available for 2.4.4.
• A

  Cert Renewal Failed using DNS-Godaddy
  • ahking19  

  1
  0
  Votes
  1
  Posts
  157
  Views

  No one has replied

• P

  Bug when cron renew certificate
  • pulcov  

  10
  0
  Votes
  10
  Posts
  345
  Views

  

  That's the only method I use, and all of them are working perfectly here.
• H

  DNS alias mode
  • hakkers  

  10
  0
  Votes
  10
  Posts
  631
  Views

  U

  Ok, now I've got it. Thanks for your help!
• M

  Let's Encypt w Acme package working, but not ideal
  • mervincm  

  10
  0
  Votes
  10
  Posts
  1523
  Views

  M

  Thank you Jim! I know the limitations still hold true but luckily they don't affect me!
• C

  HaProxy, ACME, and multiple domains/servers - revisited.
  • Craash  

  3
  0
  Votes
  3
  Posts
  731
  Views

  M

  Would you mind to share your solution ?
• D

  ACME doesn't have Dreamhost option for DNS
  • davidwang  

  6
  0
  Votes
  6
  Posts
  291
  Views

  D

  Thank you all. Very helpful. I'm going to try to install x64 version (I think in the past I tried and it failed).
• 

  Some advice regarding certificates
  • wgstarks  

  21
  0
  Votes
  21
  Posts
  756
  Views

  

  Great. Thanks to everyone for your help.
• T

  ACME package installation destroyed my WebUI!!
  • tomleitner  

  9
  0
  Votes
  9
  Posts
  378
  Views

  

  You are login with the user "admin" ?
• P

  Acme and Dyn
  • piperspace  

  10
  0
  Votes
  10
  Posts
  2469
  Views

  B

  @piperspace, @taius ... Thank you both. Background: I was unfortunately not able to use the webserver/port 80 method, as I need to forward the port to an internal webserver, on which I can't/won't use the FTP method. Also, the Dyn.com built-in provider does not work with a Standard DNS account at Dyn.com, which meant using the nsupdate method was the only one left available to me. Without this helpful post, I would have given up in despair! Because I prefer to have my setup configurable through the webGUI, I decided to attack the dns_nsupdate.sh file to allow configuration through the existing webGUI fields. For this I have explicitly checked for "update.dyndns.com" as the target, and therefore used the "KEY" textarea to provide the necessary ZONE and KEY lines required. First, replace the dns_nsupdate.sh file with the one attached. Then configure your domains in the webGUI as usual, with the server specified as "update.dyndns.com", and the Key as: zone example.com key [Key Name] [Key HMAC] This way you can use multiple domains/keys/etc. all from the webGUI. The changes/additions I made to the file are as follows: _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\"" if [ "${THISNSUPDATE_SERVER}"="update.dyndns.com" ]; then THISNSUPDATE_DATA=`awk -F '"' 'BEGIN{RS=";"}NR>1{print $2}' "${THISNSUPDATE_KEY}"` nsupdate <<EOF ${THISNSUPDATE_DATA} server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update add ${fulldomain}. 60 in txt "${txtvalue}" send quit EOF else nsupdate -k "${THISNSUPDATE_KEY}" <<EOF server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update add ${fulldomain}. 60 in txt "${txtvalue}" send EOF fi and _info "removing ${fulldomain}. txt" if [ "${THISNSUPDATE_SERVER}"="update.dyndns.com" ]; then THISNSUPDATE_DATA=`awk -F '"' 'BEGIN{RS=";"}NR>1{print $2}' "${THISNSUPDATE_KEY}"` nsupdate <<EOF ${THISNSUPDATE_DATA} server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update delete ${fulldomain}. txt send quit EOF else nsupdate -k "${THISNSUPDATE_KEY}" <<EOF server ${THISNSUPDATE_SERVER} ${NSUPDATE_SERVER_PORT} update delete ${fulldomain}. txt send EOF fi Other than the "cryptic" awk command to extract the text out of the generated key file - everything else is very self explanatory. Thanks again ... very helpful, and very timely info! Cheers. 0_1539932589907_dns_nsupdate.sh.txt