DV for Lets Encrypt
-
Hello all,
I am testing the ACME script to provide an SSL certificate to my web GUI on pfSense. I have followed the configuration process and received the "staging" record text, which is now in my DNS (correctly). I host my own DNS with BIND. How long does it take for pfSense to make another attempt? I'd left the default setting of 120 seconds, but I see no attempt by Let's Encrypt to attempt the auth. Here is the current log:
/tmp/acme/pfsense-GUI-Cert/acme_issuecert.log
[[Wed May 17 08:02:46 -05 2017] response='{"identifier":{"type":"dns","value":"pfsense.labf5.com"},"status":"pending","expires":"2017-05-24T13:02:46.59526629Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376928","token":"D8DIa2EdANYwfQmZ5sIed1JZBxJ0GrvITxyOykFkCVI"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376930","token":"TpVkDOc0JyOWP_Ex1nVyjn9F3TK5c2a_w5IS6qbb2Pw"}],"combinations":[[1],[2],[0]]}'
[Wed May 17 08:02:46 -05 2017] code='201'
[Wed May 17 08:02:46 -05 2017] The new-authz request is ok.
[Wed May 17 08:02:46 -05 2017] base64 single line.
[Wed May 17 08:02:46 -05 2017] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"'
[Wed May 17 08:02:46 -05 2017] token='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0'
[Wed May 17 08:02:46 -05 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929'
[Wed May 17 08:02:46 -05 2017] keyauthorization='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg'
[Wed May 17 08:02:46 -05 2017] dvlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns'
[Wed May 17 08:02:46 -05 2017] vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
[Wed May 17 08:02:46 -05 2017] txtdomain='_acme-challenge.pfsense.labf5.com'
[Wed May 17 08:02:46 -05 2017] base64 single line.
[Wed May 17 08:02:46 -05 2017] txt='F9A<removed>fy-1A'
[Wed May 17 08:02:46 -05 2017] d_api
[Wed May 17 08:02:46 -05 2017] Add the following TXT record:
[Wed May 17 08:02:46 -05 2017] Domain: '_acme-challenge.pfsense.labf5.com'
[Wed May 17 08:02:46 -05 2017] TXT value: 'F9A<removed>fy-1A'
[Wed May 17 08:02:46 -05 2017] Please be aware that you prepend _acme-challenge. before your domain
[Wed May 17 08:02:46 -05 2017] so the resulting subdomain will be: _acme-challenge.pfsense.labf5.com
[Wed May 17 08:02:46 -05 2017] OK
[Wed May 17 08:02:46 -05 2017] 9:Le_Vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
[Wed May 17 08:02:46 -05 2017] Dns record not added yet, so, save to /tmp/acme/pfsense-GUI-Cert//pfsense.labf5.com/pfsense.labf5.com.conf and exit.
[Wed May 17 08:02:46 -05 2017] Please add the TXT records to the domains, and retry again.
[Wed May 17 08:02:46 -05 2017] pid
[Wed May 17 08:02:46 -05 2017] No need to restore nginx, skip.
[Wed May 17 08:02:46 -05 2017] _clearupdns
[Wed May 17 08:02:46 -05 2017] Dns not added, skip.
[Wed May 17 08:02:46 -05 2017] _on_issue_err
[Wed May 17 08:02:46 -05 2017] Please check log file for more details: /tmp/acme/pfsense-GUI-Cert/acme_issuecert.log
How long does pfSense take to honor the request and provide the challenge?
-
I thought I might want to show my record, here it is:
; TXT Records
_acme-challenge.pfsense.labf5.com IN TXT "F9A<removed>fy-1A"
-
If you use DNS-manual you have to make the second request yourself; it is manual and not automatic. Wait a couple of minutes after manually entering the TXT record and then click the button to issue the certificate again.
-
Thanks Jim! I did a renew and it picked it up straight away! I am now running on the "prod" cert with my handy green padlock. Great work to the pfsense team!
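Before clicking "issue" again in DNS-manual mode, it helps to confirm that the zone really carries the value the ACME client expects. The script below is an added example (not part of the thread or of the pfSense ACME package): it derives the dns-01 TXT value from the `keyauthorization` printed in the log above, exactly as RFC 8555 section 8.4 specifies (base64url of SHA-256, no padding), and checks a BIND zone snippet for the common mistakes the log itself warns about: the missing `_acme-challenge.` prefix, and putting the raw token into the TXT record instead of its digest. The zone text is constructed; the key authorization is the one from the log.

```python
import base64
import hashlib
import re

# Key authorization as printed in the acme_issuecert.log above (token.thumbprint).
KEY_AUTHORIZATION = ("wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0."
                     "mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg")
DOMAIN = "pfsense.labf5.com"

# Matches a BIND TXT line: name [TTL] [IN] TXT "value" (comments stripped first).
_TXT_LINE = re.compile(r'^\s*(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"(?P<value>[^"]*)"\s*$', re.I)


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 s8.4: the TXT value is base64url(SHA-256(keyAuthorization)) without '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(domain: str) -> str:
    """The record must live at _acme-challenge.<domain>, not at the domain itself."""
    return "_acme-challenge." + domain.rstrip(".").lower()


def parse_txt_records(zone_text: str) -> dict:
    """Return {owner name: {TXT values}} from a zone-file fragment, ignoring ';' comments."""
    records: dict = {}
    for line in zone_text.splitlines():
        match = _TXT_LINE.match(line.split(";", 1)[0])
        if match:
            name = match.group("name").rstrip(".").lower()
            records.setdefault(name, set()).add(match.group("value"))
    return records


def check_zone(zone_text: str, domain: str, key_authorization: str) -> list:
    """Return a list of findings; an empty list means the zone is ready for the retry."""
    findings = []
    name = challenge_name(domain)
    expected = dns01_txt_value(key_authorization)
    token = key_authorization.split(".", 1)[0]
    records = parse_txt_records(zone_text)
    values = records.get(name, set())
    if not values:
        findings.append(f"no TXT record at {name}")
        if records.get(domain.lower()):
            findings.append(f"TXT found at {domain} instead: the _acme-challenge. prefix is missing")
    elif expected not in values:
        if token in values or key_authorization in values:
            findings.append("TXT holds the token/key authorization, not its SHA-256 digest")
        else:
            findings.append(f"TXT value does not match expected {expected}")
    return findings
```

Only the digest is compared, so the script never needs the account key; it is a pre-flight check you can run against the zone file before re-issuing.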