ACME not issuing certificate
-
Anyone found a solution for this?
-
I cannot duplicate this problem.
So, 2.6 running on a VM, installed the acme 0.7_2 package. Created a new A record in Cloudflare for the cert I wanted to get, testacme.mydomain.tld.
Added my acme account key.
Set up with dns-cloudflare.
The only other thing, since I have had issues with it in the past, is updating the default time from 120 to 180.
There you go, got my cert. And installed it in the cert manager.
And it works on 22.01 as well, since I had tested it when they announced the new version of acme.
-
For those with problems, what verification methods are you using?
Is there anything more informative in the acme_createdomainkey.log file? Or any other ACME log file under /tmp/acme?
-
Duckdns, using API key.
22.01 on a SG-3100
Acme: 0.7_3
Empty:
Key only:
Log requested:
[Mon Mar 7 12:38:31 -03 2022] readlink exists=0
[Mon Mar 7 12:38:31 -03 2022] dirname exists=0
[Mon Mar 7 12:38:31 -03 2022] Lets find script dir.
[Mon Mar 7 12:38:31 -03 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 12:38:31 -03 2022] _script='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 12:38:31 -03 2022] _script_home='/usr/local/pkg/acme'
[Mon Mar 7 12:38:31 -03 2022] Using config home:/tmp/acme/duckdns/
[Mon Mar 7 12:38:31 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
[Mon Mar 7 12:38:31 -03 2022] APP
[Mon Mar 7 12:38:31 -03 2022] 3:LOG_FILE='/tmp/acme/duckdns/acme_createdomainkey.log'
[Mon Mar 7 12:38:31 -03 2022] APP
[Mon Mar 7 12:38:31 -03 2022] 4:LOG_LEVEL='3'
[Mon Mar 7 12:38:31 -03 2022] LE_WORKING_DIR='/tmp/acme/duckdns/'
[Mon Mar 7 12:38:31 -03 2022] Running cmd: createDomainKey
[Mon Mar 7 12:38:31 -03 2022] Creating domain key
[Mon Mar 7 12:38:31 -03 2022] Using config home:/tmp/acme/duckdns/
[Mon Mar 7 12:38:31 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
[Mon Mar 7 12:38:31 -03 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 7 12:38:31 -03 2022] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Mar 7 12:38:31 -03 2022] _ACME_SERVER_PATH='directory'
[Mon Mar 7 12:38:31 -03 2022] CA_CONF='/tmp/acme/duckdns//ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
[Mon Mar 7 12:38:31 -03 2022] DOMAIN_PATH='/tmp/acme/duckdns//mydomain.duckdns.org'
[Mon Mar 7 12:38:31 -03 2022] _createkey for file:/tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
[Mon Mar 7 12:38:31 -03 2022] Use length 2048
[Mon Mar 7 12:38:31 -03 2022] Using RSA: 2048
[Mon Mar 7 12:38:34 -03 2022] APP
[Mon Mar 7 12:38:34 -03 2022] 1:Le_Keylength='2048'
[Mon Mar 7 12:38:34 -03 2022] The domain key is here: /tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
[Mon Mar 7 12:55:10 -03 2022] readlink exists=0
[Mon Mar 7 12:55:10 -03 2022] dirname exists=0
[Mon Mar 7 12:55:10 -03 2022] Lets find script dir.
[Mon Mar 7 12:55:10 -03 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 12:55:10 -03 2022] _script='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 12:55:10 -03 2022] _script_home='/usr/local/pkg/acme'
[Mon Mar 7 12:55:10 -03 2022] Using config home:/tmp/acme/duckdns/
[Mon Mar 7 12:55:10 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
[Mon Mar 7 12:55:10 -03 2022] APP
[Mon Mar 7 12:55:10 -03 2022] 3:LOG_FILE='/tmp/acme/duckdns/acme_createdomainkey.log'
[Mon Mar 7 12:55:10 -03 2022] APP
[Mon Mar 7 12:55:10 -03 2022] 4:LOG_LEVEL='3'
[Mon Mar 7 12:55:10 -03 2022] LE_WORKING_DIR='/tmp/acme/duckdns/'
[Mon Mar 7 12:55:10 -03 2022] Running cmd: createDomainKey
[Mon Mar 7 12:55:10 -03 2022] Creating domain key
[Mon Mar 7 12:55:10 -03 2022] Using config home:/tmp/acme/duckdns/
[Mon Mar 7 12:55:10 -03 2022] ACCOUNT_CONF_PATH='/tmp/acme/duckdns/accountconf.conf'
[Mon Mar 7 12:55:10 -03 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 7 12:55:10 -03 2022] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Mar 7 12:55:10 -03 2022] _ACME_SERVER_PATH='directory'
[Mon Mar 7 12:55:10 -03 2022] CA_CONF='/tmp/acme/duckdns//ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
[Mon Mar 7 12:55:10 -03 2022] DOMAIN_PATH='/tmp/acme/duckdns//mydomain.duckdns.org'
[Mon Mar 7 12:55:10 -03 2022] _createkey for file:/tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
[Mon Mar 7 12:55:10 -03 2022] Use length 2048
[Mon Mar 7 12:55:10 -03 2022] Using RSA: 2048
[Mon Mar 7 12:55:14 -03 2022] OK
[Mon Mar 7 12:55:14 -03 2022] 1:Le_Keylength='2048'
[Mon Mar 7 12:55:14 -03 2022] The domain key is here: /tmp/acme/duckdns//mydomain.duckdns.org/mydomain.duckdns.org.key
-
I can reproduce it when making a completely new certificate with the nsupdate method. Renewing existing entries is OK.
Doesn't seem to be related to wildcard entries as I tried one with and one without wildcard, both failed.
https://redmine.pfsense.org/issues/12912
I'll have a fix in shortly, in the meantime, edit the cert entry and check the debug option. That should allow it to work for now.
-
Thanks jimp.
To work around this issue:
I imported the CAs Acmecert: O=Let's Encrypt, CN=R3, C=US and Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US from a backup.
Then I deleted the certificate (key_only) and imported the cert again as X.509 (PEM), including certificate data and private key data.
The new certificate generated is working properly now.
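As an added example (not from this thread or the pfSense ACME package), a small POSIX sh check to run before re-importing a certificate and key by hand as in the workaround above: it confirms the private key really belongs to the certificate and that the certificate chains to the CA bundle you imported (for Let's Encrypt, R3 and ISRG Root X1). Paths are placeholders, and the test material is a throwaway CA constructed locally with openssl.

```shell
# Added example, not from the thread. Sanity-check a PEM cert + key pair and
# its chain before importing them into the pfSense cert manager by hand.
# Requires the openssl CLI. All paths are placeholders.

# Return 0 only if the public key inside the cert equals the key's public half.
# A "private key only" entry paired with the wrong cert fails here.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only if the cert chains to the CA bundle (e.g. R3 + ISRG Root X1
# concatenated into one PEM file, the same CAs the workaround re-imports).
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed test material: a throwaway CA, a leaf it signs, and an unrelated
# key, so the checks can be exercised offline without touching Let's Encrypt.
make_test_material() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" >/dev/null 2>&1
}

# Usage: sh check_import.sh cert.pem cert.key ca-bundle.pem
if [ "$#" -eq 3 ]; then
  if cert_key_match "$1" "$2"; then echo "key matches cert"; else echo "KEY MISMATCH"; fi
  if chain_verifies "$1" "$3"; then echo "chain verifies"; else echo "CHAIN DOES NOT VERIFY"; fi
fi
```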
-
I have the same as mcury - no certificate, private key only.
I was on 0.7_1 and have now updated to 0.7_3 - same issue.
acme_createdomainkey.log
[Mon Mar 7 18:39:19 EET 2022] readlink exists=0
[Mon Mar 7 18:39:19 EET 2022] dirname exists=0
[Mon Mar 7 18:39:19 EET 2022] Lets find script dir.
[Mon Mar 7 18:39:19 EET 2022] SCRIPT='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 18:39:19 EET 2022] _script='/usr/local/pkg/acme/acme.sh'
[Mon Mar 7 18:39:19 EET 2022] _script_home='/usr/local/pkg/acme'
[Mon Mar 7 18:39:19 EET 2022] Using config home:/tmp/acme/test2/
[Mon Mar 7 18:39:19 EET 2022] ACCOUNT_CONF_PATH='/tmp/acme/test2/accountconf.conf'
[Mon Mar 7 18:39:19 EET 2022] APP
[Mon Mar 7 18:39:19 EET 2022] 3:LOG_FILE='/tmp/acme/test2/acme_createdomainkey.log'
[Mon Mar 7 18:39:19 EET 2022] APP
[Mon Mar 7 18:39:19 EET 2022] 4:LOG_LEVEL='3'
[Mon Mar 7 18:39:19 EET 2022] LE_WORKING_DIR='/tmp/acme/test2/'
[Mon Mar 7 18:39:19 EET 2022] Running cmd: createDomainKey
[Mon Mar 7 18:39:19 EET 2022] Creating domain key
[Mon Mar 7 18:39:19 EET 2022] Using config home:/tmp/acme/test2/
[Mon Mar 7 18:39:19 EET 2022] ACCOUNT_CONF_PATH='/tmp/acme/test2/accountconf.conf'
[Mon Mar 7 18:39:19 EET 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
[Mon Mar 7 18:39:19 EET 2022] _ACME_SERVER_HOST='acme-staging-v02.api.letsencrypt.org'
[Mon Mar 7 18:39:19 EET 2022] _ACME_SERVER_PATH='directory'
[Mon Mar 7 18:39:19 EET 2022] CA_CONF='/tmp/acme/test2//ca/acme-staging-v02.api.letsencrypt.org/directory/ca.conf'
[Mon Mar 7 18:39:19 EET 2022] DOMAIN_PATH='/tmp/acme/test2//.abc.xz'
[Mon Mar 7 18:39:19 EET 2022] _createkey for file:/tmp/acme/test2//.abc.xz/.abc.xz.key
[Mon Mar 7 18:39:19 EET 2022] Use length 2048
[Mon Mar 7 18:39:19 EET 2022] Using RSA: 2048
[Mon Mar 7 18:39:19 EET 2022] APP
[Mon Mar 7 18:39:19 EET 2022] 1:Le_Keylength='2048'
[Mon Mar 7 18:39:19 EET 2022] The domain key is here: /tmp/acme/test2//.abc.xz/*.abc.xz.key
last issued date is still the original
certificates showing a private key only
cloudflare
-
0.7_3 doesn't include the fix, it will be in 0.7_4.
You can check the debug option on a cert to work around it until that is available (which will be shortly, it's building now).
The debug option was the problem, it's a recent feature and seems to have some unintended side effects. I've removed it for now.
-
@jimp thank you.
It just took me a while to copy/paste logs and edit pictures and I did not see your reply. Thanks for your support - take your time.
-
I'm having the problem with dyn.com and wildcard cert.
-
Thank you @jimp, much appreciate your support. Looking forward to the new release. Again, thank you for your effort.
Regards,
-
I can confirm it's working as expected in 0.7_4. Many thanks!
-
Got two questions (running on 2.6 CE):
- How do I check the debug option?
- How can I run pkg version 0.7_4?
-
@robert-de-wit said in ACME not issuing certificate:
how can I run pkg version 0.7_4 ?
Make sure you update your package in the package manager. The current version I show is 7.1_1,
which is newer than the .7_4 version...
-
Running indeed on version 7.1_1.
I've also got a certificate error during creation; the logging tells me that
"You haven't specified the DirectAdmin Login data, URL and whether you want check the DirectAdmin SSL cert. Please try again."
In the array shown above this message, the correct login data and URL information are displayed.
Any idea?
-
@robert-de-wit said in ACME not issuing certificate:
DirectAdmin
Have no idea what that is - it's not listed as a supported DDNS service that I see.
-
It should be; you can select DNS-DirectAdmin and it is working on older certificates but not on a new one.
-
@robert-de-wit DOH!!! I was looking in ddns services ;) hehehe
I don't use whoever that is, so there is no way for me to test that. Working fine here with Cloudflare.