Netgate Discussion Forum

ACME not renewing one certificate as scheduled

8 Posts 4 Posters 888 Views
sensewolf

      Hi,

I am running pfSense in my homelab and I have a couple of domains for which the ACME package obtains LE certificates.

      Generally, renewal works. It is my understanding that pfSense renews certificates after 60 days, i.e. 30 days ahead of their expiry.

However, this morning I received an email from LE for one of my certificates saying that this certificate is about to expire (in 20 days). The renewal setting for this certificate is unchanged/default. All other certificates are up to date (the newest was renewed on 27 November).

      What might be going on here? Where should I look to find what might be the issue?

      There is a cron job at 3:16am every day for the acme package to renew all:

/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1

      Thanks!

SteveITS @sensewolf

        @sensewolf Without knowing anything else, you might double check whether that certificate is in use (and if so, its expiration date). If it was recreated/reissued then the warning might be for the old one. We see that a lot for web sites where, for whatever reason, one hostname didn't renew so we need to reissue, and LE doesn't know any better so it warns about the expiring/invalid cert.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

sensewolf @SteveITS

          @steveits

It is not just LE telling me (I just mentioned LE because their email made me aware). pfSense is also showing the certificate as expiring (yellow in the list of certificates) on December 26.

So pfSense/ACME knows the certificate is due for renewal and has had a chance to renew it for the last 10 days but doesn't.

sensewolf @sensewolf

            Another day, another cron job run and - nothing.

            Is there a log I could consult to see whether it at least attempts to renew and fails or whether it doesn't even try?

Gertjan

              @sensewolf said in ACME not renewing one certificate as scheduled:

              Is there a log I could consult to see whether it at least attempts to renew and fails or whether it doesn't even try?

              Yep.
The word 'log' is in here:

              @sensewolf said in ACME not renewing one certificate as scheduled:

              /usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&

              😊

In the pfSense main system log, you will find not much, but important info:

2022-12-08 03:16:00.258995+01:00 	ACME 	93405 	Renewal number of days not yet reached.
2022-12-08 03:16:00.258615+01:00 	ACME 	93405 	Checking if renewal is needed for: V2_my-cert-account.net

The date/time tells you the cron job works at the right moment.
              It also lists the domain(s) that it is testing.

              For the real stuff, you have to use the keyboard (or SSH + SFTP access, which brings everything down to mouse click level).

You will find a folder called /acme in /tmp/, and another sub folder in that, with the domain name (account name):

              /tmp/acme/V2_my-cert-account.net/

              In this folder there is the famous "acme_issuecert.log" with the complete log trace of everything the acme.sh core script file does.
              If you can read and understand what's happening in here, line by line, then please call me, I have some questions ;)
              Joke aside, this log file is understandable.

I can clearly see that it decides, or not, to update the cert.
              Asking LE for a secret random code.
              Picking my update method (I'm using nsupdate or RFC2136).
              Adding the needed DNS TXT records with the secret code into my domain name server master server
              Waiting 120 seconds (so DNS slaves will get synced with the DNS master).
              Then it signals LE : Go check !
LE, on its side, checks the TXT record for the presence of the secret code.
If it finds the secret code, it files me a new updated cert for my domain.

              When you click on Issue Renew yourself,

[screenshot: the Issue/Renew button]

you should see, after a while (notably the DNS sleep wait period), a green text box with the principal events logged to the screen.
This green log screen contains the absolute most important logged message at the top, whatever (good or fail) the result was:

[screenshot: the green log box]

You see the log file? I guess you missed that one ;)

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

jimp (Rebel Alliance Developer, Netgate)
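As an added example (not from this thread, and not code from the pfSense ACME package or acme.sh): a small Python script that reads system-log lines of the shape quoted above and cross-checks them against the expiry dates of the certificates you expect the cron job to manage. It separates the two failure modes the thread is circling: an entry that the "renewall" run never evaluated at all (no "Checking if renewal is needed for:" line, which points at the entry's own settings), and an entry that is inside the renewal window yet still gets "Renewal number of days not yet reached." (which points at /tmp/acme/<entry>/acme_issuecert.log). The log lines, entry names, expiry dates and the 30-day window are constructed for the demo; the real dates would come from the pfSense certificate list or `openssl x509 -enddate`.

```python
import re
from datetime import datetime, timezone

# Shape of the pfSense system-log lines quoted in the thread:
#   <date> <time> \tACME \t<pid> \t<message>
LINE_RE = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+ACME\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
CHECK_RE = re.compile(r"^Checking if renewal is needed for:\s*(?P<name>\S+)")
SKIP_MSG = "Renewal number of days not yet reached."

# Constructed sample: one cron run, lines in chronological order
# (the GUI log viewer shows them newest first, as in the thread).
SAMPLE_LOG = """\
2022-12-08 03:16:00.258615+01:00 \tACME \t93405 \tChecking if renewal is needed for: V2_my-cert-account.net
2022-12-08 03:16:00.258995+01:00 \tACME \t93405 \tRenewal number of days not yet reached.
2022-12-08 03:16:00.301200+01:00 \tACME \t93405 \tChecking if renewal is needed for: V2_other-account.example
2022-12-08 03:16:00.301700+01:00 \tACME \t93405 \tRenewal number of days not yet reached.
"""

# Constructed inventory: ACME entry name -> certificate notAfter (UTC).
SAMPLE_INVENTORY = {
    "V2_my-cert-account.net": datetime(2022, 12, 26, tzinfo=timezone.utc),
    "V2_other-account.example": datetime(2023, 2, 20, tzinfo=timezone.utc),
    "V2_never-checked.example": datetime(2022, 12, 30, tzinfo=timezone.utc),
}
SAMPLE_NOW = datetime(2022, 12, 8, 3, 16, tzinfo=timezone.utc)


def parse_acme_log(text):
    """Map each ACME entry name to the outcome of every 'Checking...' it got in the log.

    An outcome is 'skipped' when the next ACME message is the 'days not yet reached'
    line, otherwise 'attempted' (acme.sh went on past the age check).
    """
    outcomes = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ACME line; other daemons share the system log
        msg = m.group("msg").strip()
        check = CHECK_RE.match(msg)
        if check:
            current = check.group("name")
            outcomes.setdefault(current, []).append("attempted")
        elif msg == SKIP_MSG and current is not None:
            outcomes[current][-1] = "skipped"
            current = None
    return outcomes


def days_until_expiry(not_after, now):
    """Whole days from `now` to the certificate's notAfter (negative once expired)."""
    return (not_after.date() - now.date()).days


def audit(inventory, log_text, now, renew_before_days=30):
    """Return {entry: (days_left, status)} for every entry in the inventory.

    Statuses:
      ok                - outside the renewal window, nothing to do yet
      never-checked     - no 'Checking...' line: the cron run did not evaluate this
                          entry, so look at the entry's own settings, not at acme.sh
      due-but-skipped   - inside the window, yet every check ended in 'days not yet
                          reached': the per-entry acme_issuecert.log is the next stop
      renewal-attempted - inside the window and acme.sh went past the age check
    """
    checked = parse_acme_log(log_text)
    report = {}
    for name, not_after in inventory.items():
        left = days_until_expiry(not_after, now)
        due = left <= renew_before_days
        runs = checked.get(name)
        if runs is None:
            status = "never-checked"
        elif not due:
            status = "ok"
        elif all(r == "skipped" for r in runs):
            status = "due-but-skipped"
        else:
            status = "renewal-attempted"
        report[name] = (left, status)
    return report


if __name__ == "__main__":
    for name, (left, status) in sorted(audit(SAMPLE_INVENTORY, SAMPLE_LOG, SAMPLE_NOW).items()):
        print(f"{name:30} {left:4d} days left  {status}")
```

Run it once a day right after the 03:16 cron job, feeding it the ACME lines from the system log, and a "due-but-skipped" or "never-checked" result gives you a reason to open the per-entry log well before LE's 20-day warning email arrives.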

                Did you maybe change this setting?

[screenshot: the setting at the bottom of the ACME entry edit page]

It's at the very bottom of the page when editing an ACME entry.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

sensewolf @jimp

                  @jimp

                  No, I didn't touch that.

Gertjan @sensewolf

                    @sensewolf

What did the green 'log' in the GUI tell you?

Or, better: zero the log file I mentioned above.
                    Do a manual renew.
                    Look at the file again, it has many lines now.

Upload them to (whatever) => pastebin.org
Paste the link here.

Btw: be careful, don't press the manual renew button several times per day: after 5 times or so, you'll get blacklisted for a day, as the number of times you renew a cert is limited.
