Netgate Discussion Forum

    ACME not issuing certificate

    23 Posts 8 Posters 2.7k Views
    • raadms @dave.opc

      Same issue as well, hope to find a solution soon.

      • raadms

        anyone found a solution for this?

        • johnpoz LAYER 8 Global Moderator @mrsunfire

          I cannot duplicate this problem.

          So, 2.6 running on a VM, installed the acme 0.7_2 package. Created a new A record in Cloudflare for the cert I wanted to get, testacme.mydomain.tld.

          Added my acme account key

          [screenshot: accountkey.jpg]

          Setup with dns-cloudflare

          [screenshot: setup.jpg]

          The only other thing, since I have had issues with it in the past, is to update the default time from 120 to 180.

          [screenshot: dnssleep.jpg]

          There you go, got my cert. And installed it in the cert manager.

          [screenshot: acme.jpg]

          And it works on 22.01 as well, since I had tested it when they announced the new version of acme.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • jimp Rebel Alliance Developer Netgate

            For those with problems, what verification methods are you using?

            Is there anything more informative in the acme_createdomainkey.log file? Or any other ACME log file under /tmp/acme?

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • mcury Rebel Alliance @jimp

              Duckdns, using API key.
              22.01 on a SG-3100
              Acme: 0.7_3

              Empty: [screenshot]

              Key only: [screenshot]

              Log requested:
              [Mon Mar 7 12:38:31 -03 2022] readlink exists=0
              [Mon Mar 7 12:38:31 -03 2022] dirname exists=0
              [Mon Mar 7 12:38:31 -03 2022] Lets find script dir.
              [Mon Mar 7 12:38:31 -03 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
              [Mon Mar 7 12:38:31 -03 2022] _script='/usr/local/pkg/acme/acme.sh'
              [Mon Mar 7 12:38:31 -03 2022] _script_home='/usr/local/pkg/acme'
              [Mon Mar 7 12:38:31 -03 2022] Using config home:/tmp/acme/duckdns/
              [Mon Mar 7 12:38:31 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
              [Mon Mar 7 12:38:31 -03 2022] APP
              [Mon Mar 7 12:38:31 -03 2022] 3:LOG_FILE='/tmp/acme/duckdns/acme_createdomainkey.log'
              [Mon Mar 7 12:38:31 -03 2022] APP
              [Mon Mar 7 12:38:31 -03 2022] 4:LOG_LEVEL='3'
              [Mon Mar 7 12:38:31 -03 2022] LE_WORKING_DIR='/tmp/acme/duckdns/'
              [Mon Mar 7 12:38:31 -03 2022] Running cmd: createDomainKey
              [Mon Mar 7 12:38:31 -03 2022] Creating domain key
              [Mon Mar 7 12:38:31 -03 2022] Using config home:/tmp/acme/duckdns/
              [Mon Mar 7 12:38:31 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
              [Mon Mar 7 12:38:31 -03 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
              [Mon Mar 7 12:38:31 -03 2022] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
              [Mon Mar 7 12:38:31 -03 2022] _ACME_SERVER_PATH='directory'
              [Mon Mar 7 12:38:31 -03 2022] CA_CONF='/tmp/acme/duckdns//ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
              [Mon Mar 7 12:38:31 -03 2022] DOMAIN_PATH='/tmp/acme/duckdns//mydomain.duckdns.org'
              [Mon Mar 7 12:38:31 -03 2022] _createkey for file:/tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
              [Mon Mar 7 12:38:31 -03 2022] Use length 2048
              [Mon Mar 7 12:38:31 -03 2022] Using RSA: 2048
              [Mon Mar 7 12:38:34 -03 2022] APP
              [Mon Mar 7 12:38:34 -03 2022] 1:Le_Keylength='2048'
              [Mon Mar 7 12:38:34 -03 2022] The domain key is here: /tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
              [Mon Mar 7 12:55:10 -03 2022] readlink exists=0
              [Mon Mar 7 12:55:10 -03 2022] dirname exists=0
              [Mon Mar 7 12:55:10 -03 2022] Lets find script dir.
              [Mon Mar 7 12:55:10 -03 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
              [Mon Mar 7 12:55:10 -03 2022] _script='/usr/local/pkg/acme/acme.sh'
              [Mon Mar 7 12:55:10 -03 2022] _script_home='/usr/local/pkg/acme'
              [Mon Mar 7 12:55:10 -03 2022] Using config home:/tmp/acme/duckdns/
              [Mon Mar 7 12:55:10 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
              [Mon Mar 7 12:55:10 -03 2022] APP
              [Mon Mar 7 12:55:10 -03 2022] 3:LOG_FILE='/tmp/acme/duckdns/acme_createdomainkey.log'
              [Mon Mar 7 12:55:10 -03 2022] APP
              [Mon Mar 7 12:55:10 -03 2022] 4:LOG_LEVEL='3'
              [Mon Mar 7 12:55:10 -03 2022] LE_WORKING_DIR='/tmp/acme/duckdns/'
              [Mon Mar 7 12:55:10 -03 2022] Running cmd: createDomainKey
              [Mon Mar 7 12:55:10 -03 2022] Creating domain key
              [Mon Mar 7 12:55:10 -03 2022] Using config home:/tmp/acme/duckdns/
              [Mon Mar 7 12:55:10 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
              [Mon Mar 7 12:55:10 -03 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
              [Mon Mar 7 12:55:10 -03 2022] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
              [Mon Mar 7 12:55:10 -03 2022] _ACME_SERVER_PATH='directory'
              [Mon Mar 7 12:55:10 -03 2022] CA_CONF='/tmp/acme/duckdns//ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
              [Mon Mar 7 12:55:10 -03 2022] DOMAIN_PATH='/tmp/acme/duckdns//mydomain.duckdns.org'
              [Mon Mar 7 12:55:10 -03 2022] _createkey for file:/tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
              [Mon Mar 7 12:55:10 -03 2022] Use length 2048
              [Mon Mar 7 12:55:10 -03 2022] Using RSA: 2048
              [Mon Mar 7 12:55:14 -03 2022] OK
              [Mon Mar 7 12:55:14 -03 2022] 1:Le_Keylength='2048'
              [Mon Mar 7 12:55:14 -03 2022] The domain key is here: /tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key

              dead on arrival, nowhere to be found.

              • jimp Rebel Alliance Developer Netgate

                I can reproduce it when making a completely new certificate with the nsupdate method. Renewing existing entries is OK.

                Doesn't seem to be related to wildcard entries as I tried one with and one without wildcard, both failed.

                https://redmine.pfsense.org/issues/12912

                I'll have a fix in shortly; in the meantime, edit the cert entry and check the debug option. That should allow it to work for now.


                • mcury Rebel Alliance @mcury

                  Thanks jimp

                  To workaround this issue:

                  I imported the CAs "Acmecert: O=Let's Encrypt, CN=R3, C=US" and "Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US" from a backup.

                  Then I deleted the certificate (key only) and imported the cert again as X.509 (PEM), including the certificate data and private key data.

                  The new certificate generated is working properly now.


                  • Donnyr

                    I have the same as mcury: no certificate, private key only.
                    I was on 0.7_1 and have now updated to 0.7_3; same issue.

                    acme_createdomainkey.log
                    [Mon Mar 7 18:39:19 EET 2022] readlink exists=0
                    [Mon Mar 7 18:39:19 EET 2022] dirname exists=0
                    [Mon Mar 7 18:39:19 EET 2022] Lets find script dir.
                    [Mon Mar 7 18:39:19 EET 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
                    [Mon Mar 7 18:39:19 EET 2022] _script='/usr/local/pkg/acme/acme.sh'
                    [Mon Mar 7 18:39:19 EET 2022] _script_home='/usr/local/pkg/acme'
                    [Mon Mar 7 18:39:19 EET 2022] Using config home:/tmp/acme/test2/
                    [Mon Mar 7 18:39:19 EET 2022] ACCOUNT_CONF_PATH='/tmp/acme/test2/accountconf.conf'
                    [Mon Mar 7 18:39:19 EET 2022] APP
                    [Mon Mar 7 18:39:19 EET 2022] 3:LOG_FILE='/tmp/acme/test2/acme_createdomainkey.log'
                    [Mon Mar 7 18:39:19 EET 2022] APP
                    [Mon Mar 7 18:39:19 EET 2022] 4:LOG_LEVEL='3'
                    [Mon Mar 7 18:39:19 EET 2022] LE_WORKING_DIR='/tmp/acme/test2/'
                    [Mon Mar 7 18:39:19 EET 2022] Running cmd: createDomainKey
                    [Mon Mar 7 18:39:19 EET 2022] Creating domain key
                    [Mon Mar 7 18:39:19 EET 2022] Using config home:/tmp/acme/test2/
                    [Mon Mar 7 18:39:19 EET 2022] ACCOUNT_CONF_PATH='/tmp/acme/test2/accountconf.conf'
                    [Mon Mar 7 18:39:19 EET 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
                    [Mon Mar 7 18:39:19 EET 2022] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'
                    [Mon Mar 7 18:39:19 EET 2022] _ACME_SERVER_PATH='directory'
                    [Mon Mar 7 18:39:19 EET 2022] CA_CONF='/tmp/acme/test2//ca/acme-staging-v02.api.letsencrypt.org/directory/ca.conf'
                    [Mon Mar 7 18:39:19 EET 2022] DOMAIN_PATH='/tmp/acme/test2//.abc.xz'
                    [Mon Mar 7 18:39:19 EET 2022] _createkey for file:/tmp/acme/test2//.abc.xz/.abc.xz.key
                    [Mon Mar 7 18:39:19 EET 2022] Use length 2048
                    [Mon Mar 7 18:39:19 EET 2022] Using RSA: 2048
                    [Mon Mar 7 18:39:19 EET 2022] APP
                    [Mon Mar 7 18:39:19 EET 2022] 1:Le_Keylength='2048'
                    [Mon Mar 7 18:39:19 EET 2022] The domain key is here: /tmp/acme/test2//.abc.xz/*.abc.xz.key

                    Last issued date is still the original: [screenshot]

                    Certificates showing a private key only: [screenshot]

                    Cloudflare: [screenshot]

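A small diagnostic, added here as an example and not code from this thread or from the pfSense ACME package: it pulls the DOMAIN_PATH out of an acme_createdomainkey.log like the ones posted above and reports whether that directory holds a private key with no issued certificate, which is the "key only" state mcury and Donnyr describe. It assumes the standard acme.sh layout of <domain>.key, <domain>.cer and fullchain.cer inside DOMAIN_PATH (the thread does not state this), and the sample directory tree and log line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense ACME package): find the
# DOMAIN_PATH recorded in acme_createdomainkey.log and report whether that
# directory holds a private key with no issued certificate ("key only").
# Assumption: acme.sh keeps <domain>.key, <domain>.cer and fullchain.cer in
# DOMAIN_PATH (standard acme.sh layout; the thread does not state this).

# Print the last DOMAIN_PATH='...' value recorded in a log file.
acme_domain_path() {
    sed -n "s/^.*DOMAIN_PATH='\([^']*\)'.*$/\1/p" "$1" | tail -n 1
}

# Classify a domain directory: issued, key-only, no-key or missing.
# Every path is quoted so a wildcard name such as *.abc.xz is never globbed.
acme_issuance_state() {
    dir="$1"
    name=$(basename "$dir")
    [ -d "$dir" ] || { echo missing; return 0; }
    if [ -s "$dir/$name.cer" ] && [ -s "$dir/fullchain.cer" ]; then
        echo issued
    elif [ -s "$dir/$name.key" ]; then
        echo key-only
    else
        echo no-key
    fi
}

# Walk every <account>/<domain> directory below an acme working root such
# as /tmp/acme and print "state<TAB>directory", skipping each account's ca/.
acme_scan() {
    for d in "$1"/*/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case "$(basename "$d")" in ca) continue ;; esac
        printf '%s\t%s\n' "$(acme_issuance_state "$d")" "$d"
    done
}

# Constructed stand-in for /tmp/acme: one key-only entry (like the duckdns
# log above) and one fully issued wildcard entry. Not real key material.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/duckdns/mydomain.duckdns.org" "$demo_root/duckdns/ca" \
         "$demo_root/test2/*.abc.xz"
echo 'constructed' > "$demo_root/duckdns/mydomain.duckdns.org/mydomain.duckdns.org.key"
echo 'constructed' > "$demo_root/test2/*.abc.xz/*.abc.xz.key"
echo 'constructed' > "$demo_root/test2/*.abc.xz/*.abc.xz.cer"
echo 'constructed' > "$demo_root/test2/*.abc.xz/fullchain.cer"
demo_log="$demo_root/duckdns/acme_createdomainkey.log"
printf "[Mon Mar 7 12:38:31 -03 2022] DOMAIN_PATH='%s'\n" \
       "$demo_root/duckdns//mydomain.duckdns.org" > "$demo_log"

acme_scan "$demo_root"                                  # key-only, then issued
acme_issuance_state "$(acme_domain_path "$demo_log")"   # key-only
```

On a firewall the same functions would be pointed at the real root, e.g. `acme_scan /tmp/acme`, to list every entry that never got past key creation.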
                    • jimp Rebel Alliance Developer Netgate

                      0.7_3 doesn't include the fix, it will be in 0.7_4.

                      You can check the debug option on a cert to work around it until that is available (which will be shortly, it's building now).

                      The debug option was the problem, it's a recent feature and seems to have some unintended side effects. I've removed it for now.


                      • Donnyr @jimp

                        @jimp thank you.
                        It just took me a while to copy/paste logs and edit pictures, and I did not see your reply.

                        thanks for your support - take your time.

                        • mrsunfire @Donnyr

                          I'm having the problem with dyn.com and wildcard cert.

                          Netgate 6100 MAX

                          • raadms @jimp

                            Thank you @jimp, I much appreciate your support. Looking forward to the new release; again, thank you for your effort.

                            Regards,

                            • Donnyr

                              I can confirm it's working as expected in 0.7_4. Many thanks!

                              • raadms @Donnyr

                                @donnyr @jimp it is working and I got my cert renewed, thank you, much appreciated.

                                • Robert de Wit @raadms

                                  @jimp

                                  Got two questions (running on 2.6 CE):

                                  1. How do I check the debug option?
                                  2. How can I run pkg version 0.7_4?
                                  • johnpoz LAYER 8 Global Moderator @Robert de Wit

                                    @robert-de-wit said in ACME not issuing certificate:

                                    how can I run pkg version 0.7_4?

                                    Make sure you update your package in the package manager. The current version I show is 7.1_1.

                                    Which is newer than the .7_4 version...


                                    • Robert de Wit @johnpoz

                                      @johnpoz

                                      Running indeed on version 7.1_1.

                                      I've also got a certificate error during creation; the logging tells me that

                                      "You haven't specified the DirectAdmin Login data, URL and whether you want check the DirectAdmin SSL cert. Please try again."

                                      In the array shown above this message, the correct login data and URL information are displayed.

                                      Any idea?

                                      • johnpoz LAYER 8 Global Moderator @Robert de Wit

                                        @robert-de-wit said in ACME not issuing certificate:

                                        DirectAdmin

                                        Have no idea what that is; it's not listed as a supported DDNS service that I see.


                                        • Robert de Wit @johnpoz

                                          @johnpoz

                                          It should; you can select DNS-DirectAdmin, and it is working on older certificates but not on a new one.

                                          • johnpoz LAYER 8 Global Moderator @Robert de Wit

                                            @robert-de-wit DOH!!! I was looking in ddns services ;) hehehe

                                            I don't use whoever that is, so there is no way for me to test that. Working fine here with Cloudflare.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.