ACME, Let's Encrypt, Timeout during connect (likely firewall problem)
Hello,
I'm getting the following error (from the web GUI) when I click on "Issue/Renew".
My setup:
- pfSense v2.5.2-RELEASE (amd64).
- I have a dynamic DNS name, for privacy reasons let's say myserver.mydomain.com. I am using Google Domains' Dynamic DNS service.
- I verified that the nslookup reports same IP address as my WAN address.
- pfSense GUI is on port 10443.
- Disable webConfigurator redirect rule is checked.
- Tried both "Standalone HTTP server" on port 80 and "Standalone TLS-ALPN server" on port 443.
- Edit: Account Keys: letsencrypt-staging-2
I am new to pfSense and just installed it a few days ago.
From reading the docs, it seems that ACME will automatically open the port, run a web server there, and close both of those when the renewal is done.
I feel like it's an operator error.
Am I supposed to open port 443?

myserver
Renewing certificate
account: myserver
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue --domain 'myserver.mydomain.com' --standalone --listen-v4 --httpport '80' --home '/tmp/acme/myserver/' --accountconf '/tmp/acme/myserver/accountconf.conf' --force --reloadCmd '/tmp/acme/myserver/reloadcmd.sh' --log-level 3 --log '/tmp/acme/myserver/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [port] => 80 [ipv6] => )
[Fri Sep 17 23:01:58 JST 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Sep 17 23:01:58 JST 2021] Standalone mode.
[Fri Sep 17 23:01:58 JST 2021] Single domain='myserver.mydomain.com'
[Fri Sep 17 23:01:58 JST 2021] Getting domain auth token for each domain
[Fri Sep 17 23:02:01 JST 2021] Getting webroot for domain='myserver.mydomain.com'
[Fri Sep 17 23:02:01 JST 2021] Verifying: myserver.mydomain.com
[Fri Sep 17 23:02:01 JST 2021] Standalone mode server
[Fri Sep 17 23:02:05 JST 2021] Pending
[Fri Sep 17 23:02:08 JST 2021] Pending
[Fri Sep 17 23:02:11 JST 2021] Pending
[Fri Sep 17 23:02:13 JST 2021] myserver.mydomain.com:Verify error:Fetching http://myserver.mydomain.com/.well-known/acme-challenge/aBnHjgC4X6tAWEI5DEWWha9WQTogOedrFyC9NlOVtEI: Timeout during connect (likely firewall problem)
[Fri Sep 17 23:02:13 JST 2021] Please check log file for more details: /tmp/acme/myserver/acme_issuecert.log
I have access to
/tmp/acme/myserver/acme_issuecert.log
Edit: this section seems safe to post:
server: nginx
date: Fri, 17 Sep 2021 14:02:14 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 26908158
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0002OZoSro2iNuEkzXJ-ro0xnw7rLNorzK1Y8vDTJwsNKkQ
'
[Fri Sep 17 23:02:14 JST 2021] code='400'
[Fri Sep 17 23:02:14 JST 2021] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
[Fri Sep 17 23:02:14 JST 2021] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
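An added pre-flight check for the standalone HTTP-01 flow described in this post (example code written for this thread, not acme.sh or pfSense code): it fetches http://host/.well-known/acme-challenge/<token> the way the CA does and classifies the outcome, so a "Timeout during connect" (port 80 never reaching the box) can be told apart from a refused connection, an HTTP 404, or a redirect such as the one the webConfigurator rule would produce. Host, port and token are the caller's choice; the bundled listener is only a stand-in for acme.sh's --standalone server.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for acme.sh's --standalone listener: answers one token."""
    token = ""
    key_auth = ""

    def do_GET(self):
        if self.path == CHALLENGE_PATH + self.token:
            body = self.key_auth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the check quiet
        pass


def serve_challenge(token, key_auth, bind="127.0.0.1", port=0):
    """Start a throw-away challenge listener in a thread; returns (server, port)."""
    handler = type("Handler", (_ChallengeHandler,), {"token": token, "key_auth": key_auth})
    srv = HTTPServer((bind, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_http01(host, token, key_auth, port=80, timeout=5):
    """Fetch the challenge URL as the CA would and classify what happened."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace").strip()
        conn.close()
    except socket.timeout:
        return "timeout"        # the CA reports this as 'Timeout during connect'
    except ConnectionRefusedError:
        return "refused"        # packet arrived, but nothing is listening on the port
    except OSError as exc:
        return f"unreachable: {exc.strerror or exc}"
    if 300 <= resp.status < 400:
        return f"redirect -> {resp.getheader('Location')}"  # e.g. a GUI redirect rule
    if resp.status != 200:
        return f"http-{resp.status}"
    return "ok" if body == key_auth else "wrong-body"
```

Run check_http01 against the public DNS name from a host outside the LAN while the listener is up; "timeout" points at the WAN rule, "refused" at the listener not running on that port.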