Netgate Discussion Forum
ACME, Let's Encrypt, Timeout during connect (likely firewall problem)

    aelhar, Sep 17, 2021, 2:15 PM (last edited by aelhar Sep 17, 2021, 2:34 PM)

    Hello,

    I'm getting the following error (from the web GUI) when I click on "Issue/Renew".

    My setup:

    • pfSense v2.5.2-RELEASE (amd64).
    • I have a dynamic DNS name, for privacy reasons say myserver.mydomain.com. I am using Google Domains' Dynamic DNS service.
    • I verified that nslookup reports the same IP address as my WAN address.
    • pfSense GUI is on port 10443.
    • Disable webConfigurator redirect rule is checked.
    • Tried both "Standalone HTTP server" port 80 and "Standalone TLS-ALPN server" port 443.
    • Edit: Account Keys: letsencrypt-staging-2

    I am new to pfSense and just installed it a few days ago.
    From reading the docs, it seems that ACME will automatically open the port, run a web server there, and close both of those when the renewal is done.
    I feel like it's an operator error.
    Am I supposed to open port 443?

    myserver
    Renewing certificate 
    account: myserver 
    server: letsencrypt-staging-2 
    
    /usr/local/pkg/acme/acme.sh  --issue  --domain 'myserver.mydomain.com' --standalone --listen-v4 --httpport '80' --home '/tmp/acme/myserver/' --accountconf '/tmp/acme/myserver/accountconf.conf' --force --reloadCmd '/tmp/acme/myserver/reloadcmd.sh' --log-level 3 --log '/tmp/acme/myserver/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [port] => 80
        [ipv6] => 
    )
    [Fri Sep 17 23:01:58 JST 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
    [Fri Sep 17 23:01:58 JST 2021] Standalone mode.
    [Fri Sep 17 23:01:58 JST 2021] Single domain='myserver.mydomain.com'
    [Fri Sep 17 23:01:58 JST 2021] Getting domain auth token for each domain
    [Fri Sep 17 23:02:01 JST 2021] Getting webroot for domain='myserver.mydomain.com'
    [Fri Sep 17 23:02:01 JST 2021] Verifying: myserver.mydomain.com
    [Fri Sep 17 23:02:01 JST 2021] Standalone mode server
    [Fri Sep 17 23:02:05 JST 2021] Pending
    [Fri Sep 17 23:02:08 JST 2021] Pending
    [Fri Sep 17 23:02:11 JST 2021] Pending
    [Fri Sep 17 23:02:13 JST 2021] myserver.mydomain.com:Verify error:Fetching http://myserver.mydomain.com/.well-known/acme-challenge/aBnHjgC4X6tAWEI5DEWWha9WQTogOedrFyC9NlOVtEI: Timeout during connect (likely firewall problem)
    [Fri Sep 17 23:02:13 JST 2021] Please check log file for more details: /tmp/acme/myserver/acme_issuecert.log
    

    I have access to /tmp/acme/myserver/acme_issuecert.log

    Edit: this section seems safe to post:

    server: nginx
    date: Fri, 17 Sep 2021 14:02:14 GMT
    content-type: application/problem+json
    content-length: 144
    boulder-requester: 26908158
    cache-control: public, max-age=0, no-cache
    link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    replay-nonce: 0002OZoSro2iNuEkzXJ-ro0xnw7rLNorzK1Y8vDTJwsNKkQ
    
    '
    [Fri Sep 17 23:02:14 JST 2021] code='400'
    [Fri Sep 17 23:02:14 JST 2021] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Fri Sep 17 23:02:14 JST 2021] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
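The log above contains two errors in sequence, and only the first is the root cause: the CA's validator could not connect at all ("Timeout during connect"), and the 400 "authorization must be pending" that follows is the CA refusing a further challenge update because, after a failed validation, the authorization is no longer pending (RFC 8555 section 7.1.6). The following script is an added example, not code from the post, pfSense or acme.sh: it parses acme.sh output of this shape, classifies the validator's stated reason, and reports which inbound port the chosen challenge type is validated on (HTTP-01 is always fetched on TCP/80 per RFC 8555 section 8.3 regardless of the local `--httpport`; TLS-ALPN-01 on TCP/443 per RFC 8737). The sample log is constructed from the lines quoted in the post.

```python
"""Triage an acme.sh issue log for a failed standalone validation.

Added example; not part of the forum post, pfSense or acme.sh.
Input is the text acme.sh prints at --log-level 3 (as quoted in the post).
"""
import json
import re

# Port the CA connects to for each challenge type (RFC 8555 s8.3, RFC 8737).
VALIDATION_PORTS = {"http-01": 80, "tls-alpn-01": 443}

# "[date] <domain>:Verify error:Fetching <url>: <reason>"
VERIFY_RE = re.compile(
    r"^\[[^\]]+\] (?P<domain>[^:\s]+):Verify error:Fetching (?P<url>\S+): (?P<reason>.+)$"
)
# "[date] response='{ ... }'" spanning several lines
RESPONSE_RE = re.compile(r"^\[[^\]]+\] response='(?P<body>\{.*?\})'$", re.S | re.M)

# Constructed sample built from the lines quoted in the post (token is the post's).
SAMPLE_LOG = """\
[Fri Sep 17 23:01:58 JST 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Sep 17 23:01:58 JST 2021] Standalone mode.
[Fri Sep 17 23:02:11 JST 2021] Pending
[Fri Sep 17 23:02:13 JST 2021] myserver.mydomain.com:Verify error:Fetching http://myserver.mydomain.com/.well-known/acme-challenge/aBnHjgC4X6tAWEI5DEWWha9WQTogOedrFyC9NlOVtEI: Timeout during connect (likely firewall problem)
[Fri Sep 17 23:02:14 JST 2021] code='400'
[Fri Sep 17 23:02:14 JST 2021] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
"""


def classify_reason(reason: str) -> str:
    """Map the validator's stated reason to a coarse failure class."""
    r = reason.lower()
    if "timeout during connect" in r or "connection refused" in r:
        return "unreachable"     # nothing answered on the validation port
    if "invalid response" in r or "key authorization" in r:
        return "wrong_content"   # something answered, but not the expected token
    if "dns" in r or "no valid a records" in r:
        return "dns"
    return "other"


def challenge_type_from_url(url: str) -> str:
    """HTTP-01 is recognisable from its well-known path; anything else is unknown."""
    return "http-01" if "/.well-known/acme-challenge/" in url else "unknown"


def triage(log_text: str) -> dict:
    """Return the primary validation failure and any secondary ACME error."""
    result = {
        "domain": None, "challenge_url": None, "reason": None,
        "challenge_type": None, "port_to_allow": None,
        "failure_class": None, "secondary_400_detail": None,
    }
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            result["domain"] = m["domain"]
            result["challenge_url"] = m["url"]
            result["reason"] = m["reason"]
            result["failure_class"] = classify_reason(m["reason"])
            result["challenge_type"] = challenge_type_from_url(m["url"])
            result["port_to_allow"] = VALIDATION_PORTS.get(result["challenge_type"])
    m = RESPONSE_RE.search(log_text)
    if m:
        body = json.loads(m["body"])
        if body.get("status") == 400 and "must be pending" in body.get("detail", ""):
            # Follows a failed validation; it is a consequence, not the cause.
            result["secondary_400_detail"] = body["detail"]
    return result


def summary(result: dict) -> str:
    """One-line human reading of a triage result."""
    if result["failure_class"] == "unreachable":
        return (f"{result['domain']}: CA could not connect; inbound TCP/"
                f"{result['port_to_allow']} to the WAN address must reach the listener")
    return f"{result['domain']}: {result['failure_class']} ({result['reason']})"


if __name__ == "__main__":
    print(summary(triage(SAMPLE_LOG)))
```

Run as-is it triages the constructed sample; pipe a real acme_issuecert.log into `triage()` to get the same structured result. The "unreachable" class is the one the post shows; with "Standalone HTTP server" the listener is only useful if the CA's connection to TCP/80 on the WAN address is passed to the firewall itself, and with "Standalone TLS-ALPN server" the same applies to TCP/443.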
    
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.