• Mail server with DANE - adding TLSA record with acme pkg

  • ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme

    Gertjan:

    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:

    Followed the advice at https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021/1, deleted the old "ISRG Root X1" CA, then

    .... then the expired root certificate doesn't exist any more on your system.

    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:

    renew the certificate through acme, the expired "ISRG Root X1" CA gets re-added to the CAs list in Certificate Manager,

    You're saying: it wasn't there but someone else (= Let's Encrypt) gives you back the certificate that no one trusts?
    Really 🀀

    Check this :
    Locate the file
    /tmp/acme/YOURACCOUNTNAME_IN_ACME/YOUR.DOMAIN.TLD/fullchain.cer

    In this file you find 3 blocks :
    -----BEGIN CERTIFICATE-----
    ......
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .......
    -----END CERTIFICATE-----
    and root certificate :
    -----BEGIN CERTIFICATE-----
    MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
    ......
    Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
    -----END CERTIFICATE-----

    Go here: https://letsencrypt.org/certificates/ and load this file:

    [screenshot attachment]

    and compare the first line and last line - or, why not, the entire block: they are the same !!!
    This root certificate is valid up until

    Not After : Sep 30 18:14:03 2024 GMT

    Your issue is probably:
    The front end that is tested doesn't use the certificate (chain) that you renewed.

    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:

    which then results in warnings from our scans.

    Using a public 'scanner' (what do you mean by "scanning"?)?
    What front-end tool are you using? => HA-proxy.
    Check the HA-proxy settings : what certs it is using.

    edit :

    SSLLabs and Nessus scans showed that everything went well

    Wondering if anyone has seen what I'm seeing with acme and the LetsEncrypt

    Have to ask :: what are you seeing ?

  • acme + plesk DNS + wildcard pfsense 2.5.2


    @gertjan again, thanks for your ongoing help. I think I have worked out the issue.

    Further reading of the log file shows that the API call that is being made is:

    [Mon Nov 1 15:20:35 GMT 2021] body='<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>'

    And that this call returns:

    [Mon Nov 1 15:05:39 GMT 2021] The responses from the Plesk XML server were: [Mon Nov 1 15:05:39 GMT 2021] retcode=0. Literal response: [Mon Nov 1 15:05:39 GMT 2021] '<?xml version="1.0" encoding="UTF-8"?> <packet version="1.6.9.1"> <customer> <get-domain-list> <result> <status>ok</status> </result> </get-domain-list> </customer> </packet>'

    Again, I am making an assumption here that this should have returned a list of domains in the result section but it isn't and that's a problem.

    I then spotted that the API that's being called is a Customer related API, asking for a list of domains that a customer owns... So, I tried creating a customer (I don't use customers on this server), moved the required subscription over, changed the username and password in pfsense to the "customer" ones and we are in business.

    So, to summarise. When pfsense asks for a username and password it needs to be the details for a plesk customer and the customer needs to own the subscription containing the domain you want to work with. Using an Admin account or a reseller account does not work.

  • HEADS UP: DST Root CA X3 Expiration (September 2021)

    jimp:

    This thread was only for the expiring CA from Let's Encrypt with the ACME package. It is not for issues accessing things as a client.

    If you are using outdated versions of pfSense or other clients without a current set of up-to-date root certificates, read and post in one of the existing threads in the General pfSense Questions category for that specific use case.

  • Offloading SSL in HAProxy using TrustCor cert (No-IP domain)

  • Renewal of certificates


    all ok! after copy all works! 👍

  • ACME Support specifying non-default port for nsupdate breaks IPv6

  • (thread title not captured)

    @jimp , thank you for the copy tip.

    Please note that I chose to revert to 2.4.5 for stability because of the 2.5.1 dual WAN issue or unbound crash issues (unbound on 2.5.2 is still crashing).

    I thought that the 2.4.5 released in 2020 would support the ISRG Root X1 certificate since it was released in 2015, but I also had the issue with Ubuntu 16.04.6 (upgrading to 16.04.7 fixed it).

  • CA certificate error


    @gertjan Having never had this problem, I preferred my insured before doing it.
    But thank you for your humor.
    However, this link would have been more interesting.
    https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021

  • ACME, Let's Encrypt, Timeout during connect (likely firewall problem)

  • ACME certificates not syncing with backup node

    JeGr:

    @sshami said in ACME certificates not syncing with backup node:

    The solution is in the HA mode, you have to install ACME package only on Master node not on the backup node.

    @mrpete said in ACME certificates not syncing with backup node:

    Maybe having ACME installed on Secondary causes trouble for Cert manager sync???

    That literally IS what @sshami already wrote ;)
    If you have ACME stuff that you want replicated, only install ACME package on the primary node, NOT on the secondary one and let the certs sync normally via HA instead of having two packages battle it out :)

  • Bogus notice/email from ACME

    chudak:

    @steveits Looks like it, thx!

  • CA Acmecert: O=Let's Encrypt, CN=R3, C=US expiring soon


    @johnpoz
    Thank you, sorry I panicked.

  • Old acme.sh & DNSAPI version not working any more for some providers

  • Renewed certificate was not imported into Cert Manager

    Gertjan:

    @talisker said in Renewed certificate was not imported into Cert Manager:

    One strange thing is that the certificate isn't removed from the /tmp.

    Nothing is removed from /tmp when executing "acme_command.sh importcert" - neither the sub folders nor their content.
    The /tmp folder is only emptied when you reboot pfSense.

    The "acme_command.sh importcert CERTNAME DOMAIN KEY_PATH CERT_PATH CA_CERT_PATH CERT_FULLCHAIN_PATH" takes all the files created by the acme package (files are stored in /tmp/acme/domain/....) and imports them into the pfSense "Cert Manager".
    It doesn't wipe them - there is no need to do so.

    @talisker said in Renewed certificate was not imported into Cert Manager:

    The certificates from cloudflare (other domain) is removed

    Test for yourself :
    Wait a week or so.
    Now force renew all certs you have.
    You will find as many /tmp/acme/domain sub folders as you have certs requested.
    "domain" will be the base domain name.
    These "domain" folders will stay there.
    Until you reboot.

    If you don't reboot after 60 days or so, the content of the certs will get renewed and overwritten.

  • no files written to /conf/acme


    OK, really stupid.
    I have two ssh shortcuts to two pfsense servers and was looking at the wrong one.
    I owe you a beer for wasting your time.

  • how to renew pfSense letsencrypt CA (not certificates) from web gui


    @jimp thank you for your help, much appreciated.

    Regards,
    Mauro

  • navigating to subdomain resulting with Error 522

    jimp:

    That makes sense, since the firewall GUI wouldn't involve CloudFlare. The fact that you were seeing that means it must not have been resolving to something local. A DNS host override is the right thing to do there.

  • How to enable ACME DNS validation if DNS service doesn't provide API?


    @gertjan thank you for your help. I will take a look very soon.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.