ACME pkg v0.7.5

jimp

ACME pkg v0.7.5 is building now and will be available shortly for Plus 23.05.1, CE 2.7.0, and dev snapshots for Plus and CE.

This version addresses several issues with ACME private key handling as described in https://redmine.pfsense.org/issues/14592

The next time a certificate renews after this update, check and make sure the private key is updated and matches the settings in the ACME certificate entry.

For example, look in the ACME certificate entry settings at the Private Key setting:

login-to-view

Then look in the certificate manager at the corresponding entry for the same certificate and check its private key details (Click the "i" icon):

login-to-view

If you check before it renews, it may not match, indicating the package wasn't honoring the setting properly. It should match after renewing the next time, and will also honor future changes going forward if you change the key length/type and then renew again.

johnpoz

@jimp hmm - I didn't see this with v0.7.4, I just double checked mine. And I had changed one from being the old rsa type even. Guess I got lucky.

Thanks for the update and info..

jimp

@johnpoz said in ACME pkg v0.7.5:

@jimp hmm - I didn't see this with v0.7.4, I just double checked mine. And I had changed one from being the old rsa type even. Guess I got lucky.

Thanks for the update and info..

I checked a couple of mine and almost all of mine were at the default (RSA, 2048) so they never hit this bug since when it would run it checked that the old key type/length matched and it always did.

The couple I saw that I set differently in ACME were also actually RSA 2048 in the cert manager, not what I picked, but they were fine after updating.

I know I've seen a few other posts over the years about people saying it didn't respect their key choices but at the time I couldn't reproduce it. Not sure what changed/when but either way it should be good all around now.