Trying to get a new certificate and I get a time out
-
I made some changes to my root certificate (not used, just created) and when I push renew I get this after, let's say, 5 minutes:
2023/01/02 18:20:19 [error] 60761#100105: *4728 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 10.20.1.119, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "10.1.1.1:8081", referrer: "https://10.1.1.1:8081/acme/acme_certificates.php"
Have I done something wrong? Or what has just happened? Same result after trying it 2 times.
-
Hard to say where it's getting hung up, but you can check the logs it keeps under
/tmp/acme/<cert name>/acme_issuecert.log
and see if there is any helpful info in there. There may also be other logs in the same directory you can check. Usually timeouts there are problems contacting the remote portions of the process (e.g. it can't reach Let's Encrypt servers, the LE servers can't reach you to validate, whatever provider you've configured for DNS validation can't be reached, etc.)
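As an added example (not from the thread and not part of the pfSense ACME package), here is a small POSIX sh triage script for the log file named above. It reads an acme_issuecert.log, matches the error strings that appear later in this thread (the missing TXT record, the "Incorrect TXT record" verify error, the "authorization must be pending" response from the CA, and the nginx upstream timeout) and prints a one-line classification per hit. The sample log text is constructed for the example; the class names, the hint wording, the `triage_file` wrapper and the `check_txt` helper (which needs network access and the `host` tool) are this example's own assumptions, not output or behaviour of the ACME package.

```sh
#!/bin/sh
# Added example: classify the failures seen in /tmp/acme/<cert name>/acme_issuecert.log.
# The match strings come from the messages quoted in this thread; the hints are ours.

# Constructed sample log (not a real capture), shaped like the acme.sh lines in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[Wed Jan 4 20:09:49 CET 2023] code='400'
[Wed Jan 4 20:09:49 CET 2023] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
[Thu Jan 5 14:08:24 CET 2023] domain.io:Verify error:Incorrect TXT record
EOF
)

# triage_log: read log text on stdin, print "<class>: <hint>" for every known pattern.
# Returns 0 if at least one pattern matched, 1 if nothing was recognised.
triage_log() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"check that a DNS record exists"*)
                echo "dns-missing: no _acme-challenge TXT was visible to the validator; the DNS API step did not publish it, or published it in another zone"
                found=0 ;;
            *"Incorrect TXT record"*)
                echo "dns-wrong-value: a TXT exists but its value is not the current challenge token; stale manual records or records in another zone"
                found=0 ;;
            *"authorization must be pending"*)
                echo "authz-not-pending: the CA already moved this authorization out of pending (e.g. a failed attempt); re-posting the challenge cannot succeed, a new order is needed"
                found=0 ;;
            *"upstream timed out"*|*"Operation timed out"*)
                echo "timeout: the issue step never returned, usually because the CA or the DNS provider API could not be reached"
                found=0 ;;
        esac
    done
    return $found
}

# triage_classes: same input, but only the distinct class names, one per line.
triage_classes() {
    triage_log | cut -d: -f1 | sort -u
}

# triage_file <cert name>: run the triage on the package's own log for that certificate.
# Path as given in the post above; the cert directory name is whatever the package created.
triage_file() {
    triage_log < "/tmp/acme/$1/acme_issuecert.log"
}

# check_txt <domain> [resolver]: show what a public resolver currently sees for the
# challenge record. Assumes the 'host' tool (FreeBSD base / bind-utils); needs network.
check_txt() {
    host -t TXT "_acme-challenge.$1" "${2:-1.1.1.1}"
}

# Stand-alone demo on the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_log
fi
```

Run it as `sh triage.sh demo` to see the classification of the sample, or source it and call `triage_file <cert name>` on the box; `check_txt domain.io` is the quickest way to confirm whether the TXT record the validator complained about actually exists in the zone the CA will query.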
-
@jimp Thanks for sticking with me. First up, in that /tmp/acme folder all the old (erased) certificates are still there, oh well. I went into the folder for the current one, looked at that log file and I think I got something that I do not know how to solve.
TXT for _acme-challenge.domain.io - check that a DNS record exists for this domain
I tried to add this TXT to this domain, still no luck.
Same error:
server: nginx
date: Wed, 04 Jan 2023 19:09:49 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 898486957
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: Ytp0p-Wk6HsJ_B-nN6jeV-vQ
'
[Wed Jan 4 20:09:49 CET 2023] code='400'
[Wed Jan 4 20:09:49 CET 2023] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
[Wed Jan 4 20:09:49 CET 2023] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
-
So I added a TXT record to the domain:
After this, I have had a fall forward (a Swedish saying...)
Now an error that you actually might be able to help me with!
[Thu Jan 5 14:08:24 CET 2023] domain.io:Verify error:Incorrect TXT record
So how do I format a correct TXT record?
-
That's something ACME should be setting up in Cloudflare directly, provided it has the correct settings in there for your Cloudflare account (and assuming your ACME cert entry is set to DNS-Cloudflare)
-
@jimp I studied the issuecert log some more and I saw that it succeeds with the certificate, but on another of my Cloudflare domains. I had a certificate for this domain months ago, but I had removed them from pfSense altogether before I began with this.
In the /tmp/acme there are files for the other domains that I have removed, both from Acme and Cert. Manager. I guess a restart would empty the tmp folder?
So how do I move forward?
-
So I removed the AccountID, ZoneID and the Token from the Cloudflare panel under certificates. After that issuing new certificates started to work just as expected.