Netgate Discussion Forum

    Let's Encrypt problem on 2.4

    Moved to Cache/Proxy
    9 Posts 5 Posters 5.8k Views
    DD

      After upgrading to pfSense 2.4 I have the same problem with requesting a Let's Encrypt certificate.
      Verify error:Invalid response from http://xxx/.well-known/acme-challenge/5SZPMcDkKgav2DsRQT4lLi9vHk7bIzMYccf_Z5zlaCE [x.x.x.x]: 404
      On the 2.3.x version there wasn't any problem with requesting certificates.

      dragoangel

        Have the same issues!
        Copied from https://forum.pfsense.org/index.php?topic=101186.75, summary info:
        pfSense 2.4.0 , haproxy 0.52_14  (1.7.9), acme 0.1.20
        Firewall part:
        TCP ports 80 and 443 are allowed on all interfaces, any to any.
        HAProxy part:
        Created acme-webroot.lua in the Files tab, created one frontend on all WAN IPs on port 80 only, ACL: url_acme_http01 with value /.well-known/acme-challenge/ and Actions: http-request lua service with value METH_GET url_acme_http01 and function acme-http01

        ACME part:
        created an issue cert for one domain with a SAN list:
        method webroot, local folder: /tmp/haproxy_chroot/.well-known/acme-challenge/, also tried /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/

        I also created the folders by hand (thought it might help, but no):
        even tried to change the permissions on the folder /tmp/haproxy_chroot to 777 for test purposes.
        mkdir -p /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/
        mkdir -p /tmp/haproxy_chroot/.well-known/acme-challenge/
        mkdir -p /tmp/haproxy_chroot/well-known/acme-challenge/

        Then I disabled HAProxy and tried the standalone ACME server; this did not work either, but now it fails with a timeout. Tried NAT from a custom port to the WANs' port 80, and tried port 80 directly; nothing worked.

        I use dns.he.net, and I could use ACME in DNS key mode, but this option is not good for me because the ACME package in pfSense saves the he.net password in cleartext in the admin panel, config.xml and backups.xml.

        Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
        Unifi AP-AC-LR with EAP RADIUS, US-24

          renegade

          HAProxy: see attachment.

          RootFolder: /tmp/haproxy_chroot/.well-known/acme-challenge/
          Key Type: Host Key
          Key Algorithm: HMAC-MD5

          Firewall ports 80/443 open! 80 is needed for ACME in my case. Other options did not work even when HAProxy was shut down.

          And be sure that the Lua file is copied without errors/missing characters!

          [Attachments: Capture.PNG, Capture2.PNG]

            dragoangel

            I did everything like you did already a day ago and it does not work for me; look at the attached config. There I added a screenshot of how it looks from the WAN to the other side: code: 404, body: resource not found. This is the answer from the Lua script.
            Firewall is configured; ports 80 and 443 are open for all WANs.
            The WebConfigurator auto-redirect rule is disabled to free port 80.
            HAProxy works fine. Tested: HTTP and HTTPS work from all IPv4 and IPv6 WANs.
            ACME Lua script taken from the post and then from git:
            https://raw.githubusercontent.com/janeczku/haproxy-acme-validation-plugin/master/acme-http01-webroot.lua
            acme.sh webroot local folder pointing to: /tmp/haproxy_chroot/.well-known/acme-challenge/
            I have many domains and tried for 2 days with really many variants: with only 1 IPv4, and with multiple (2x IPv4, 2x IPv6) on HA, with DNS correct every time, etc. Erased everything (even the folders, with rm -rf /tmp/acme) and installed and configured again from zero, etc.

            ACME answer (anonymized: only sensitive values changed to some.domain.com and IP):

            some.domain.com
            Renewing certificate
            account: i@domain.com
            server: letsencrypt-staging
            
            /usr/local/pkg/acme/acme.sh --issue -d 'some.domain.com' --home '/tmp/acme/some.domain.com/' --accountconf '/tmp/acme/some.domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/some.domain.com/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/some.domain.com/acme_issuecert.log'
            
            Array
            (
            [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
            [folder] => /tmp/haproxy_chroot/.well-known/acme-challenge/
            )
            [Fri Oct 20 00:35:27 EEST 2017] Registering account
            [Fri Oct 20 00:35:29 EEST 2017] Already registered
            [Fri Oct 20 00:35:30 EEST 2017] Update account tos info success.
            [Fri Oct 20 00:35:30 EEST 2017] ACCOUNT_THUMBPRINT='XXXXX'
            [Fri Oct 20 00:35:30 EEST 2017] Single domain='some.domain.com'
            [Fri Oct 20 00:35:30 EEST 2017] Getting domain auth token for each domain
            [Fri Oct 20 00:35:30 EEST 2017] Getting webroot for domain='some.domain.com'
            [Fri Oct 20 00:35:30 EEST 2017] Getting new-authz for domain='some.domain.com'
            [Fri Oct 20 00:35:31 EEST 2017] The new-authz request is ok.
            [Fri Oct 20 00:35:31 EEST 2017] Verifying:some.domain.com
            [Fri Oct 20 00:35:35 EEST 2017] some.domain.com:Verify error:Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404
            [Fri Oct 20 00:35:35 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
            
            

            ACME_ISSUECERT.LOG (anonymized: only sensitive values changed to some.domain.com and IP, crypto data to XXXXX)

            [Fri Oct 20 01:03:32 EEST 2017] readlink exists=0
            [Fri Oct 20 01:03:32 EEST 2017] dirname exists=0
            [Fri Oct 20 01:03:32 EEST 2017] Lets find script dir.
            [Fri Oct 20 01:03:32 EEST 2017] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
            [Fri Oct 20 01:03:32 EEST 2017] _script='/usr/local/pkg/acme/acme.sh'
            [Fri Oct 20 01:03:32 EEST 2017] _script_home='/usr/local/pkg/acme'
            [Fri Oct 20 01:03:32 EEST 2017] Using config home:/tmp/acme/some.domain.com/
            [Fri Oct 20 01:03:32 EEST 2017] APP
            [Fri Oct 20 01:03:32 EEST 2017] 2:LOG_FILE='/tmp/acme/some.domain.com/acme_issuecert.log'
            [Fri Oct 20 01:03:32 EEST 2017] APP
            [Fri Oct 20 01:03:32 EEST 2017] 3:LOG_LEVEL='3'
            [Fri Oct 20 01:03:32 EEST 2017] LE_WORKING_DIR='/tmp/acme/some.domain.com/'
            [Fri Oct 20 01:03:32 EEST 2017] Using config home:/tmp/acme/some.domain.com/
            [Fri Oct 20 01:03:32 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
            [Fri Oct 20 01:03:32 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
            [Fri Oct 20 01:03:32 EEST 2017] DOMAIN_PATH='/tmp/acme/some.domain.com//some.domain.com'
            [Fri Oct 20 01:03:32 EEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
            [Fri Oct 20 01:03:32 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
            [Fri Oct 20 01:03:32 EEST 2017] GET
            [Fri Oct 20 01:03:32 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
            [Fri Oct 20 01:03:32 EEST 2017] timeout
            [Fri Oct 20 01:03:32 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:32 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:32 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:33 EEST 2017] ret='0'
            [Fri Oct 20 01:03:33 EEST 2017] response='{
              "A5kiE-zljR8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
              "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
              "meta": {
                "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
              },
              "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
              "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
              "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
              "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
            }'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
            [Fri Oct 20 01:03:33 EEST 2017] Le_NextRenewTime
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 2:Le_Domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 3:Le_Alt='no'
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 4:Le_Webroot='pfSenseacme'
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 5:Le_PreHook=''
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 6:Le_PostHook=''
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 7:Le_RenewHook=''
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 8:Le_API='https://acme-staging.api.letsencrypt.org/directory'
            [Fri Oct 20 01:03:33 EEST 2017] _on_before_issue
            [Fri Oct 20 01:03:33 EEST 2017] 'pfSenseacme' does not contain 'no'
            [Fri Oct 20 01:03:33 EEST 2017] Le_LocalAddress
            [Fri Oct 20 01:03:33 EEST 2017] Check for domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _currentRoot='pfSenseacme'
            [Fri Oct 20 01:03:33 EEST 2017] 'pfSenseacme' does not contain 'apache'
            [Fri Oct 20 01:03:33 EEST 2017] _saved_account_key_hash='XXXXX'
            [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:33 EEST 2017] _saved_account_key_hash is not changed, skip register account.
            [Fri Oct 20 01:03:33 EEST 2017] Read key length:
            [Fri Oct 20 01:03:33 EEST 2017] _createcsr
            [Fri Oct 20 01:03:33 EEST 2017] domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] domainlist
            [Fri Oct 20 01:03:33 EEST 2017] csrkey='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.key'
            [Fri Oct 20 01:03:33 EEST 2017] csr='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr'
            [Fri Oct 20 01:03:33 EEST 2017] csrconf='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr.conf'
            [Fri Oct 20 01:03:33 EEST 2017] Single domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _is_idn_d='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _idn_temp
            [Fri Oct 20 01:03:33 EEST 2017] _csr_cn='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] OK
            [Fri Oct 20 01:03:33 EEST 2017] 1:Le_Keylength=''
            [Fri Oct 20 01:03:33 EEST 2017] Getting domain auth token for each domain
            [Fri Oct 20 01:03:33 EEST 2017] Getting webroot for domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _w='pfSenseacme'
            [Fri Oct 20 01:03:33 EEST 2017] _currentRoot='pfSenseacme'
            [Fri Oct 20 01:03:33 EEST 2017] Getting new-authz for domain='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
            [Fri Oct 20 01:03:33 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
            [Fri Oct 20 01:03:33 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
            [Fri Oct 20 01:03:33 EEST 2017] Try new-authz for the 0 time.
            [Fri Oct 20 01:03:33 EEST 2017] _is_idn_d='some.domain.com'
            [Fri Oct 20 01:03:33 EEST 2017] _idn_temp
            [Fri Oct 20 01:03:33 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
            [Fri Oct 20 01:03:33 EEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "some.domain.com"}}'
            [Fri Oct 20 01:03:33 EEST 2017] RSA key
            [Fri Oct 20 01:03:33 EEST 2017] pub_exp='010001'
            [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:33 EEST 2017] xxd exists=127
            [Fri Oct 20 01:03:33 EEST 2017] _URGLY_PRINTF='1'
            [Fri Oct 20 01:03:33 EEST 2017] e='AQAB'
            [Fri Oct 20 01:03:33 EEST 2017] modulus='XXXXX'
            [Fri Oct 20 01:03:33 EEST 2017] xxd exists=127
            [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:33 EEST 2017] _URGLY_PRINTF='1'
            [Fri Oct 20 01:03:33 EEST 2017] n='XXXXX'
            [Fri Oct 20 01:03:33 EEST 2017] jwk='{"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
            [Fri Oct 20 01:03:33 EEST 2017] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
            [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:33 EEST 2017] payload64='XXXXX'
            [Fri Oct 20 01:03:33 EEST 2017] _request_retry_times='0'
            [Fri Oct 20 01:03:33 EEST 2017] Get nonce. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
            [Fri Oct 20 01:03:33 EEST 2017] GET
            [Fri Oct 20 01:03:33 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
            [Fri Oct 20 01:03:33 EEST 2017] timeout
            [Fri Oct 20 01:03:33 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:33 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:33 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:34 EEST 2017] ret='0'
            [Fri Oct 20 01:03:34 EEST 2017] _headers='HTTP/1.1 200 OK
            Server: nginx
            Content-Type: application/json
            Content-Length: 581
            Replay-Nonce: XXXXX
            X-Frame-Options: DENY
            Strict-Transport-Security: max-age=604800
            Expires: Thu, 19 Oct 2017 22:03:34 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            Date: Thu, 19 Oct 2017 22:03:34 GMT
            Connection: keep-alive
            
            '
            [Fri Oct 20 01:03:34 EEST 2017] _CACHED_NONCE='XXXXX'
            [Fri Oct 20 01:03:34 EEST 2017] nonce='XXXXX'
            [Fri Oct 20 01:03:34 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
            [Fri Oct 20 01:03:34 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:34 EEST 2017] protected64='XXXXX'
            [Fri Oct 20 01:03:34 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:34 EEST 2017] _sig_t='XXXXX'
            [Fri Oct 20 01:03:34 EEST 2017] sig='XXXXX'
            [Fri Oct 20 01:03:34 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
            [Fri Oct 20 01:03:34 EEST 2017] POST
            [Fri Oct 20 01:03:34 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
            [Fri Oct 20 01:03:34 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
            [Fri Oct 20 01:03:34 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:34 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:34 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:35 EEST 2017] _ret='0'
            [Fri Oct 20 01:03:35 EEST 2017] original='{
              "identifier": {
                "type": "dns",
                "value": "some.domain.com"
              },
              "status": "pending",
              "expires": "2017-10-26T22:03:35.303794955Z",
              "challenges": [
                {
                  "type": "dns-01",
                  "status": "pending",
                  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042157",
                  "token": "XXXXX"
                },
                {
                  "type": "http-01",
                  "status": "pending",
                  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042158",
                  "token": "XXXXX"
                },
                {
                  "type": "tls-sni-01",
                  "status": "pending",
                  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042159",
                  "token": "XXXXX"
                }
              ],
              "combinations": [
                [
                  0
                ],
                [
                  1
                ],
                [
                  2
                ]
              ]
            }'
            [Fri Oct 20 01:03:35 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
            Expires: Thu, 19 Oct 2017 22:03:35 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            
            HTTP/1.1 201 Created
            Server: nginx
            Content-Type: application/json
            Content-Length: 1017
            Boulder-Requester: 4937986
            Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
            Location: https://acme-staging.api.letsencrypt.org/acme/authz/XXXXX
            Replay-Nonce: XXXXX
            X-Frame-Options: DENY
            Strict-Transport-Security: max-age=604800
            Expires: Thu, 19 Oct 2017 22:03:35 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            Date: Thu, 19 Oct 2017 22:03:35 GMT
            Connection: keep-alive
            
            '
            [Fri Oct 20 01:03:35 EEST 2017] response='{"identifier":{"type":"dns","value":"some.domain.com"},"status":"pending","expires":"2017-10-26T22:03:35.303794955Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042157","token":"XXXXX"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042159","token":"XXXXX"}],"combinations":[[0],[1],[2]]}'
            [Fri Oct 20 01:03:35 EEST 2017] code='201'
            [Fri Oct 20 01:03:35 EEST 2017] The new-authz request is ok.
            [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:35 EEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX"'
            [Fri Oct 20 01:03:35 EEST 2017] token='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] keyauthorization='XXXXX.XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] dvlist='some.domain.com#XXXXX.XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme'
            [Fri Oct 20 01:03:35 EEST 2017] vlist='some.domain.com#XXXXX.XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme,'
            [Fri Oct 20 01:03:35 EEST 2017] ok, let's start to verify
            [Fri Oct 20 01:03:35 EEST 2017] Verifying:some.domain.com
            [Fri Oct 20 01:03:35 EEST 2017] d='some.domain.com'
            [Fri Oct 20 01:03:35 EEST 2017] keyauthorization='XXXXX.XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] _currentRoot='pfSenseacme'
            [Fri Oct 20 01:03:35 EEST 2017] wellknown_path='pfSenseacme/.well-known/acme-challenge'
            [Fri Oct 20 01:03:35 EEST 2017] writing token:XXXXX to pfSenseacme/.well-known/acme-challenge/XXXXX
            [Fri Oct 20 01:03:35 EEST 2017] Changing owner/group of .well-known to root:wheel
            [Fri Oct 20 01:03:35 EEST 2017] mktemp exists=0
            [Fri Oct 20 01:03:35 EEST 2017] tigger domain validation.
            [Fri Oct 20 01:03:35 EEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] _t_key_authz='XXXXX.XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] payload='{"resource": "challenge", "keyAuthorization": "XXXXX.XXXXX"}'
            [Fri Oct 20 01:03:35 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
            [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:35 EEST 2017] payload64='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] _request_retry_times='0'
            [Fri Oct 20 01:03:35 EEST 2017] Use _CACHED_NONCE='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] nonce='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
            [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:35 EEST 2017] protected64='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:35 EEST 2017] _sig_t='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] sig='XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
            [Fri Oct 20 01:03:35 EEST 2017] POST
            [Fri Oct 20 01:03:35 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:35 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
            [Fri Oct 20 01:03:35 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:35 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:35 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:36 EEST 2017] _ret='0'
            [Fri Oct 20 01:03:36 EEST 2017] original='{
              "type": "http-01",
              "status": "pending",
              "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX",
              "token": "XXXXX",
              "keyAuthorization": "XXXXX.XXXXX"
            }'
            [Fri Oct 20 01:03:36 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
            Expires: Thu, 19 Oct 2017 22:03:36 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            
            HTTP/1.1 202 Accepted
            Server: nginx
            Content-Type: application/json
            Content-Length: 338
            Boulder-Requester: 4937986
            Link: <https://acme-staging.api.letsencrypt.org/acme/authz/XXXXX>;rel="up"
            Location: https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX
            Replay-Nonce: XXXXX
            Expires: Thu, 19 Oct 2017 22:03:36 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            Date: Thu, 19 Oct 2017 22:03:36 GMT
            Connection: keep-alive
            
            '
            [Fri Oct 20 01:03:36 EEST 2017] response='{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX"}'
            [Fri Oct 20 01:03:36 EEST 2017] code='202'
            [Fri Oct 20 01:03:36 EEST 2017] sleep 2 secs to verify
            [Fri Oct 20 01:03:38 EEST 2017] checking
            [Fri Oct 20 01:03:38 EEST 2017] GET
            [Fri Oct 20 01:03:38 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:38 EEST 2017] timeout
            [Fri Oct 20 01:03:38 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:38 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:38 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:39 EEST 2017] ret='0'
            [Fri Oct 20 01:03:39 EEST 2017] original='{
              "type": "http-01",
              "status": "invalid",
              "error": {
                "type": "urn:acme:error:unauthorized",
                "detail": "Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404",
                "status": 403
              },
              "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX",
              "token": "XXXXX",
              "keyAuthorization": "XXXXX.XXXXX",
              "validationRecord": [
                {
                  "url": "http://some.domain.com/.well-known/acme-challenge/XXXXX",
                  "hostname": "some.domain.com",
                  "port": "80",
                  "addressesResolved": [
                    "IP"
                  ],
                  "addressUsed": "IP",
                  "addressesTried": []
                }
              ]
            }'
            [Fri Oct 20 01:03:39 EEST 2017] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404","status": 403},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX","validationRecord":[{"url":"http://some.domain.com/.well-known/acme-challenge/XXXXX","hostname":"some.domain.com","port":"80","addressesResolved":["IP"],"addressUsed":"IP","addressesTried":[]}]}'
            [Fri Oct 20 01:03:39 EEST 2017] error='"error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404","status": 403'
            [Fri Oct 20 01:03:39 EEST 2017] errordetail='Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404'
            [Fri Oct 20 01:03:39 EEST 2017] some.domain.com:Verify error:Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404
            [Fri Oct 20 01:03:39 EEST 2017] pid
            [Fri Oct 20 01:03:39 EEST 2017] No need to restore nginx, skip.
            [Fri Oct 20 01:03:39 EEST 2017] _clearupdns
            [Fri Oct 20 01:03:39 EEST 2017] skip dns.
            [Fri Oct 20 01:03:39 EEST 2017] _on_issue_err
            [Fri Oct 20 01:03:39 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
            [Fri Oct 20 01:03:39 EEST 2017] _chk_vlist='some.domain.com#XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme,'
            [Fri Oct 20 01:03:39 EEST 2017] start to deactivate authz
            [Fri Oct 20 01:03:39 EEST 2017] tigger domain validation.
            [Fri Oct 20 01:03:39 EEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] _t_key_authz='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] payload='{"resource": "challenge", "keyAuthorization": "XXXXX"}'
            [Fri Oct 20 01:03:39 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
            [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:39 EEST 2017] payload64='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] _request_retry_times='0'
            [Fri Oct 20 01:03:39 EEST 2017] Use _CACHED_NONCE='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] nonce='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
            [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:39 EEST 2017] protected64='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
            [Fri Oct 20 01:03:39 EEST 2017] _sig_t='XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] sig='XXXXX"}'
            [Fri Oct 20 01:03:39 EEST 2017] POST
            [Fri Oct 20 01:03:39 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
            [Fri Oct 20 01:03:39 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
            [Fri Oct 20 01:03:39 EEST 2017] curl exists=0
            [Fri Oct 20 01:03:39 EEST 2017] wget exists=127
            [Fri Oct 20 01:03:39 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
            [Fri Oct 20 01:03:40 EEST 2017] _ret='0'
            [Fri Oct 20 01:03:40 EEST 2017] original='{
              "type": "urn:acme:error:malformed",
              "detail": "Unable to update challenge :: The challenge is not pending.",
              "status": 400
            }'
            [Fri Oct 20 01:03:40 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
            Expires: Thu, 19 Oct 2017 22:03:39 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            
            HTTP/1.1 400 Bad Request
            Server: nginx
            Content-Type: application/problem+json
            Content-Length: 132
            Boulder-Requester: 4937986
            Replay-Nonce: XXXXX
            Expires: Thu, 19 Oct 2017 22:03:40 GMT
            Cache-Control: max-age=0, no-cache, no-store
            Pragma: no-cache
            Date: Thu, 19 Oct 2017 22:03:40 GMT
            Connection: close
            
            '
            [Fri Oct 20 01:03:40 EEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
            [Fri Oct 20 01:03:40 EEST 2017] code='400'
            

            Attachments: HAProxy+ACME.png, Result of not working ACME.png

            Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
            Unifi AP-AC-LR with EAP RADIUS, US-24

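            What the CA is complaining about in the log above is a protocol rule, not a HAProxy one: the ACME v1 API acme.sh talks to here (new-reg / new-authz / new-cert) only accepts a keyAuthorization for a challenge whose status is still `pending`; a challenge that has already gone `valid` or `invalid` gets exactly the 400 `urn:acme:error:malformed` "Unable to update challenge :: The challenge is not pending" shown, so re-posting after a failed http-01 attempt cannot succeed and a fresh authorization is needed. For the http-01 attempt itself, the file acme.sh drops under `/.well-known/acme-challenge/<token>` must come back verbatim as `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 SHA-256 JWK thumbprint of the account key (what acme.sh logs as ACCOUNT_THUMBPRINT). The Python below is an added example, not code from the thread, from acme.sh or from the HAProxy Lua script: it computes that value from an account JWK, decides from an ACME v1 authorization object whether an http-01 challenge should be answered at all (skipping it when the authorization is already valid, as acme.sh does), and stages the token file in a webroot so the served content can be checked before the CA is asked to validate. The JWK, token, authorization objects and webroot are constructed sample data.

```python
"""Added example for this thread: not code from acme.sh, HAProxy or the
posters. It covers the three pieces an http-01 failure like the one logged
above turns on:
  * the RFC 7638 JWK thumbprint and the key authorization built from it
    (the body that must come back from /.well-known/acme-challenge/<token>)
  * choosing a challenge out of an ACME v1 authorization object, and not
    answering one that is no longer "pending" (the CA rejects that with
    400 malformed "The challenge is not pending")
  * staging the token file in a webroot and reading it back
All keys, tokens and authorization objects here are constructed samples.
"""
import base64
import hashlib
import json
import os
import tempfile


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME encode things."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the JSON of the *required* public members
    only, keys in lexicographic order, no whitespace. Extra members such as
    "kid" and the order of the input dict must not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact content the CA expects to fetch for an http-01 token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def select_challenge(authz: dict, wanted: str = "http-01"):
    """Decide what to do with an ACME v1 authorization object.

    Returns ("skip", None) when the authorization is already valid (acme.sh
    logs "already verified, skip"), ("answer", challenge) when a pending
    challenge of the wanted type exists, ("stale", challenge) when that
    challenge is already valid/invalid, so POSTing a keyAuthorization to it
    would only earn the 400 "The challenge is not pending", and
    ("missing", None) when the CA did not offer the wanted type.
    """
    if authz.get("status") == "valid":
        return "skip", None
    for ch in authz.get("challenges", []):
        if ch.get("type") == wanted:
            return ("answer" if ch.get("status") == "pending" else "stale"), ch
    return "missing", None


def stage_http01(webroot: str, token: str, keyauth: str) -> str:
    """Write the token file where a webroot-mode client puts it and read it
    back. Returns the file path; raises on a read-back mismatch. This is the
    local half of the check; the remote half is fetching
    http://<domain>/.well-known/acme-challenge/<token> through the proxy."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(keyauth)
    with open(path, encoding="ascii") as fh:
        if fh.read() != keyauth:
            raise RuntimeError(f"read-back mismatch for {path}")
    return path


def stage_http01_tmp(token: str, keyauth: str) -> str:
    """Same, in a fresh temporary webroot (for trying the flow offline)."""
    return stage_http01(tempfile.mkdtemp(prefix="acme-webroot-"), token, keyauth)


# Constructed sample data: not a real account key, token or CA response.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wlgp6pEA"}
SAMPLE_TOKEN = "constructedTokenNotFromTheCA_0123456789"


def sample_authz(status: str, http01_status: str) -> dict:
    """Shape of the ACME v1 authz object seen in the logs: a dns-01 and an
    http-01 challenge, each sufficient on its own per `combinations`."""
    return {
        "identifier": {"type": "dns", "value": "some.domain.com"},
        "status": status,
        "challenges": [
            {"type": "dns-01", "status": "valid", "token": "dnsTok",
             "uri": "https://ca.example/acme/challenge/1"},
            {"type": "http-01", "status": http01_status, "token": SAMPLE_TOKEN,
             "uri": "https://ca.example/acme/challenge/2"},
        ],
        "combinations": [[0], [1]],
    }


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve", f"/.well-known/acme-challenge/{SAMPLE_TOKEN}", "->", ka)
    print("valid authz  :", select_challenge(sample_authz("valid", "pending"))[0])
    print("pending authz:", select_challenge(sample_authz("pending", "pending"))[0])
    print("stale authz  :", select_challenge(sample_authz("pending", "invalid"))[0])
    print("staged at    :", stage_http01_tmp(SAMPLE_TOKEN, ka))
```

            Practical use: after acme.sh (or this script) has written the token file, fetch `http://some.domain.com/.well-known/acme-challenge/<token>` from a host outside the firewall and require a 200 with exactly the key authorization as body; a 404 there means the proxy is not serving the webroot acme.sh wrote to, and fixing that before calling the CA avoids burning the pending challenge into an `invalid` one that then answers 400 "not pending" forever.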
            • dragoangel

              The bad part is that the forum administrator moved the topic to Cache/Proxy, but I think these are ACME problems, not HAProxy…

              Today I tried from another place with a minimally configured, freshly installed pfSense 2.3.4p1 and only 2 packages installed: acme 0.1.20, haproxy 0.52_14.
              Same result as in the post above: the HAProxy Lua script answers: Code: 404, HTML body: resource not found.
              Again I tried installing a clean system with only acme 0.1.20 and the pure ACME standalone HTTP server on port 80 - does not work either, and the standalone HTTPS server on port 443 neither:

              some.domain.com
              Renewing certificate
              account: i@some.domain.com 
              server: letsencrypt-staging 
              
              /usr/local/pkg/acme/acme.sh --issue -d 'some.domain.com' --home '/tmp/acme/some.domain.com/' --accountconf '/tmp/acme/some.domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/some.domain.com/reloadcmd.sh' --tls --tlsport '443' --log-level 3 --log '/tmp/acme/some.domain.com/acme_issuecert.log'
              
              Array
              (
              [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [port] => 443
              )
              [Fri Oct 20 14:21:45 EEST 2017] Standalone tls mode.
              [Fri Oct 20 14:21:45 EEST 2017] Single domain='some.domain.com'
              [Fri Oct 20 14:21:45 EEST 2017] Getting domain auth token for each domain
              [Fri Oct 20 14:21:45 EEST 2017] Getting webroot for domain='some.domain.com'
              [Fri Oct 20 14:21:45 EEST 2017] Getting new-authz for domain='some.domain.com'
              [Fri Oct 20 14:21:48 EEST 2017] The new-authz request is ok.
              [Fri Oct 20 14:21:48 EEST 2017] Verifying:some.domain.com
              [Fri Oct 20 14:21:48 EEST 2017] Starting tls server.
              [Fri Oct 20 14:21:48 EEST 2017] Multi domain='DNS:93be3fdba632d9a19e3e09e501ead865.4834279ed8ba2cbefa4c6c87099b5de3.acme.invalid'
              [Fri Oct 20 14:21:53 EEST 2017] Pending
              [Fri Oct 20 14:21:55 EEST 2017] Pending
              [Fri Oct 20 14:21:58 EEST 2017] some.domain.com:Verify error:Timeout
              [Fri Oct 20 14:21:59 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
              
              

              Tried dns.he.net - it works, but it is really not secure - it passes the login/password in plaintext in many places (logs on the filesystem, webconfigurator, etc.), and it has access to the whole DNS, which I don't want to give - too high a risk. And I understand that it can't be fixed without cooperation from HE.net - they do not allow creating DDNS keys for TXT records, only for A and AAAA. But if somebody asks them - maybe they add this function to the API, and then we can use a secure key that can renew only one TXT record and doesn't have access to the account.
              But after I had successfully received a certificate via dns.he.net, I tested one by one:
              standalone http
              standalone https(tls)
              webroot folder with HAproxy and lua script
              to renew the cert that I already have, and it successfully renewed the cert! :o

              Because of this I understood that the broken part is creating a new cert with ANY type of HTTP validation in ACME.SH, not the renewing part. The version of pfSense, or any proxy, has no relation to this bug.
              Really odd that in the logs I see my pfSense IPv6 address, but my domain does not point to IPv6, and the firewall is not even open to accept IPv6 in this configuration:

              [Fri Oct 20 14:35:54 EEST 2017] readlink exists=0
              [Fri Oct 20 14:35:54 EEST 2017] dirname exists=0
              [Fri Oct 20 14:35:54 EEST 2017] Lets find script dir.
              [Fri Oct 20 14:35:54 EEST 2017] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
              [Fri Oct 20 14:35:54 EEST 2017] _script='/usr/local/pkg/acme/acme.sh'
              [Fri Oct 20 14:35:54 EEST 2017] _script_home='/usr/local/pkg/acme'
              [Fri Oct 20 14:35:54 EEST 2017] Using config home:/tmp/acme/some.domain.com/
              [Fri Oct 20 14:35:54 EEST 2017] APP
              [Fri Oct 20 14:35:54 EEST 2017] 2:LOG_FILE='/tmp/acme/some.domain.com/acme_issuecert.log'
              [Fri Oct 20 14:35:54 EEST 2017] APP
              [Fri Oct 20 14:35:54 EEST 2017] 3:LOG_LEVEL='3'
              [Fri Oct 20 14:35:54 EEST 2017] LE_WORKING_DIR='/tmp/acme/some.domain.com/'
              [Fri Oct 20 14:35:54 EEST 2017] Using config home:/tmp/acme/some.domain.com/
              [Fri Oct 20 14:35:54 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
              [Fri Oct 20 14:35:54 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
              [Fri Oct 20 14:35:54 EEST 2017] DOMAIN_PATH='/tmp/acme/some.domain.com//some.domain.com'
              [Fri Oct 20 14:35:54 EEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
              [Fri Oct 20 14:35:54 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
              [Fri Oct 20 14:35:54 EEST 2017] GET
              [Fri Oct 20 14:35:54 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
              [Fri Oct 20 14:35:54 EEST 2017] timeout
              [Fri Oct 20 14:35:54 EEST 2017] curl exists=0
              [Fri Oct 20 14:35:54 EEST 2017] wget exists=127
              [Fri Oct 20 14:35:54 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:35:55 EEST 2017] ret='0'
              [Fri Oct 20 14:35:55 EEST 2017] response='{
                "OG7j8ypmhts": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
                "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
                "meta": {
                  "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
                },
                "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
                "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
                "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
                "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
              }'
              [Fri Oct 20 14:35:55 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
              [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
              [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
              [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
              [Fri Oct 20 14:35:55 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 1:Le_Domain='some.domain.com'
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 2:Le_Alt='no'
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 3:Le_Webroot='no'
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 4:Le_PreHook=''
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 5:Le_PostHook=''
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 6:Le_RenewHook=''
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 7:Le_API='https://acme-staging.api.letsencrypt.org/directory'
              [Fri Oct 20 14:35:55 EEST 2017] _on_before_issue
              [Fri Oct 20 14:35:55 EEST 2017] 'no' contains 'no'
              [Fri Oct 20 14:35:55 EEST 2017] nc exists=0
              [Fri Oct 20 14:35:55 EEST 2017] Le_LocalAddress
              [Fri Oct 20 14:35:55 EEST 2017] Check for domain='some.domain.com'
              [Fri Oct 20 14:35:55 EEST 2017] _currentRoot='no'
              [Fri Oct 20 14:35:55 EEST 2017] Standalone mode.
              [Fri Oct 20 14:35:55 EEST 2017] APP
              [Fri Oct 20 14:35:55 EEST 2017] 8:Le_HTTPPort='80'
              [Fri Oct 20 14:35:55 EEST 2017] _checkport='80'
              [Fri Oct 20 14:35:55 EEST 2017] _checkaddr
              [Fri Oct 20 14:35:55 EEST 2017] ss exists=127
              [Fri Oct 20 14:35:55 EEST 2017] netstat exists=0
              [Fri Oct 20 14:35:55 EEST 2017] Using: netstat
              [Fri Oct 20 14:35:55 EEST 2017] 'no' does not contain 'apache'
              [Fri Oct 20 14:35:55 EEST 2017] config file is empty, can not read CA_KEY_HASH
              [Fri Oct 20 14:35:55 EEST 2017] _saved_account_key_hash
              [Fri Oct 20 14:35:55 EEST 2017] Using config home:/tmp/acme/some.domain.com/
              [Fri Oct 20 14:35:55 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
              [Fri Oct 20 14:35:55 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
              [Fri Oct 20 14:35:55 EEST 2017] RSA key
              [Fri Oct 20 14:35:55 EEST 2017] pub_exp='010001'
              [Fri Oct 20 14:35:55 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:55 EEST 2017] xxd exists=127
              [Fri Oct 20 14:35:55 EEST 2017] _URGLY_PRINTF='1'
              [Fri Oct 20 14:35:55 EEST 2017] e='AQAB'
              [Fri Oct 20 14:35:55 EEST 2017] modulus='XXXXX'
              [Fri Oct 20 14:35:55 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:55 EEST 2017] xxd exists=127
              [Fri Oct 20 14:35:55 EEST 2017] _URGLY_PRINTF='1'
              [Fri Oct 20 14:35:56 EEST 2017] n='XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] jwk='{"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
              [Fri Oct 20 14:35:56 EEST 2017] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
              [Fri Oct 20 14:35:56 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
              [Fri Oct 20 14:35:56 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
              [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
              [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
              [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
              [Fri Oct 20 14:35:56 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
              [Fri Oct 20 14:35:56 EEST 2017] AGREEMENT
              [Fri Oct 20 14:35:56 EEST 2017] Registering account
              [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
              [Fri Oct 20 14:35:56 EEST 2017] payload='{"resource": "new-reg", "agreement": ""}'
              [Fri Oct 20 14:35:56 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
              [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:56 EEST 2017] payload64='XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] _request_retry_times='0'
              [Fri Oct 20 14:35:56 EEST 2017] Get nonce. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
              [Fri Oct 20 14:35:56 EEST 2017] GET
              [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
              [Fri Oct 20 14:35:56 EEST 2017] timeout
              [Fri Oct 20 14:35:56 EEST 2017] curl exists=0
              [Fri Oct 20 14:35:56 EEST 2017] wget exists=127
              [Fri Oct 20 14:35:56 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:35:56 EEST 2017] ret='0'
              [Fri Oct 20 14:35:56 EEST 2017] _headers='HTTP/1.1 200 OK
              Server: nginx
              Content-Type: application/json
              Content-Length: 581
              Replay-Nonce: XXXXX
              X-Frame-Options: DENY
              Strict-Transport-Security: max-age=604800
              Expires: Fri, 20 Oct 2017 11:35:58 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Fri, 20 Oct 2017 11:35:58 GMT
              Connection: keep-alive
              
              '
              [Fri Oct 20 14:35:56 EEST 2017] _CACHED_NONCE='XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] nonce='XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-reg", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
              [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:56 EEST 2017] protected64='XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:56 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
              [Fri Oct 20 14:35:56 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:56 EEST 2017] POST
              [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
              [Fri Oct 20 14:35:56 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:56 EEST 2017] curl exists=0
              [Fri Oct 20 14:35:56 EEST 2017] wget exists=127
              [Fri Oct 20 14:35:56 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:35:57 EEST 2017] _ret='0'
              [Fri Oct 20 14:35:57 EEST 2017] original='{
                "type": "urn:acme:error:malformed",
                "detail": "Registration key is already in use",
                "status": 409
              }'
              [Fri Oct 20 14:35:57 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
              Expires: Fri, 20 Oct 2017 11:35:59 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              
              HTTP/1.1 409 Conflict
              Server: nginx
              Content-Type: application/problem+json
              Content-Length: 107
              Boulder-Requester: 4940498
              Location: https://acme-staging.api.letsencrypt.org/acme/reg/4940498
              Replay-Nonce: XXXXX
              Expires: Fri, 20 Oct 2017 11:35:59 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Fri, 20 Oct 2017 11:35:59 GMT
              Connection: close
              
              '
              [Fri Oct 20 14:35:57 EEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status": 409}'
              [Fri Oct 20 14:35:57 EEST 2017] code='409'
              [Fri Oct 20 14:35:57 EEST 2017] Already registered
              [Fri Oct 20 14:35:57 EEST 2017] _accUri='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
              [Fri Oct 20 14:35:57 EEST 2017] APP
              [Fri Oct 20 14:35:57 EEST 2017] 1:ACCOUNT_URL='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
              [Fri Oct 20 14:35:57 EEST 2017] _tos
              [Fri Oct 20 14:35:57 EEST 2017] Use default tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
              [Fri Oct 20 14:35:57 EEST 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
              [Fri Oct 20 14:35:57 EEST 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
              [Fri Oct 20 14:35:57 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
              [Fri Oct 20 14:35:57 EEST 2017] payload='{"resource": "reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
              [Fri Oct 20 14:35:57 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
              [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:57 EEST 2017] payload64='XXXXX'
              [Fri Oct 20 14:35:57 EEST 2017] _request_retry_times='0'
              [Fri Oct 20 14:35:57 EEST 2017] Use _CACHED_NONCE='XXXXX'
              [Fri Oct 20 14:35:57 EEST 2017] nonce='XXXXX'
              [Fri Oct 20 14:35:57 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/reg/4940498", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
              [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:57 EEST 2017] protected64='XXXXX'
              [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:57 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX='
              [Fri Oct 20 14:35:57 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX'
              [Fri Oct 20 14:35:57 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:57 EEST 2017] POST
              [Fri Oct 20 14:35:57 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
              [Fri Oct 20 14:35:57 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:57 EEST 2017] curl exists=0
              [Fri Oct 20 14:35:57 EEST 2017] wget exists=127
              [Fri Oct 20 14:35:57 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:35:58 EEST 2017] _ret='0'
              [Fri Oct 20 14:35:58 EEST 2017] original='{
                "id": 4940498,
                "key": {
                  "kty": "RSA",
                  "n": "XXXXX",
                  "e": "AQAB"
                },
                "contact": [],
                "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
                "initialIp": "some mine IPv6",
                "createdAt": "2017-10-20T10:46:18Z",
                "Status": "valid"
              }'
              [Fri Oct 20 14:35:58 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
              Expires: Fri, 20 Oct 2017 11:36:00 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              
              HTTP/1.1 202 Accepted
              Server: nginx
              Content-Type: application/json
              Content-Length: 978
              Boulder-Requester: 4940498
              Link: <https://acme-staging.api.letsencrypt.org/acme/new-authz>;rel="next"
              Link: <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf>;rel="terms-of-service"
              Replay-Nonce: r-XXXXX
              Expires: Fri, 20 Oct 2017 11:36:00 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Fri, 20 Oct 2017 11:36:00 GMT
              Connection: keep-alive
              
              '
              [Fri Oct 20 14:35:58 EEST 2017] response='{"id": 4940498,"key":{"kty":"RSA","n":"XXXXX","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"some mine IPv6","createdAt":"2017-10-20T10:46:18Z","Status":"valid"}'
              [Fri Oct 20 14:35:58 EEST 2017] code='202'
              [Fri Oct 20 14:35:58 EEST 2017] Update account tos info success.
              [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:58 EEST 2017] Calc CA_KEY_HASH='XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] APP
              [Fri Oct 20 14:35:58 EEST 2017] 2:CA_KEY_HASH='XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:58 EEST 2017] ACCOUNT_THUMBPRINT='XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] Read key length:
              [Fri Oct 20 14:35:58 EEST 2017] _createcsr
              [Fri Oct 20 14:35:58 EEST 2017] domain='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] domainlist
              [Fri Oct 20 14:35:58 EEST 2017] csrkey='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.key'
              [Fri Oct 20 14:35:58 EEST 2017] csr='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr'
              [Fri Oct 20 14:35:58 EEST 2017] csrconf='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr.conf'
              [Fri Oct 20 14:35:58 EEST 2017] Single domain='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] _is_idn_d='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] _idn_temp
              [Fri Oct 20 14:35:58 EEST 2017] _csr_cn='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] APP
              [Fri Oct 20 14:35:58 EEST 2017] 9:Le_Keylength=''
              [Fri Oct 20 14:35:58 EEST 2017] Getting domain auth token for each domain
              [Fri Oct 20 14:35:58 EEST 2017] Getting webroot for domain='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] _w='no'
              [Fri Oct 20 14:35:58 EEST 2017] _currentRoot='no'
              [Fri Oct 20 14:35:58 EEST 2017] Getting new-authz for domain='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
              [Fri Oct 20 14:35:58 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
              [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
              [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
              [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
              [Fri Oct 20 14:35:58 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
              [Fri Oct 20 14:35:58 EEST 2017] Try new-authz for the 0 time.
              [Fri Oct 20 14:35:58 EEST 2017] _is_idn_d='some.domain.com'
              [Fri Oct 20 14:35:58 EEST 2017] _idn_temp
              [Fri Oct 20 14:35:58 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
              [Fri Oct 20 14:35:58 EEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "some.domain.com"}}'
              [Fri Oct 20 14:35:58 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
              [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:58 EEST 2017] payload64='XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] _request_retry_times='0'
              [Fri Oct 20 14:35:58 EEST 2017] Use _CACHED_NONCE='r-XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] nonce='r-XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] protected='{"nonce": "r-XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
              [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:58 EEST 2017] protected64='XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
              [Fri Oct 20 14:35:58 EEST 2017] _sig_t='XXXXX/XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX++XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX/XXXXX/XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
              [Fri Oct 20 14:35:58 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:58 EEST 2017] POST
              [Fri Oct 20 14:35:58 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
              [Fri Oct 20 14:35:58 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
              [Fri Oct 20 14:35:58 EEST 2017] curl exists=0
              [Fri Oct 20 14:35:58 EEST 2017] wget exists=127
              [Fri Oct 20 14:35:58 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:36:00 EEST 2017] _ret='0'
              [Fri Oct 20 14:36:00 EEST 2017] original='{
                "identifier": {
                  "type": "dns",
                  "value": "some.domain.com"
                },
                "status": "valid",
                "expires": "2017-11-19T11:27:38Z",
                "challenges": [
                  {
                    "type": "tls-sni-01",
                    "status": "pending",
                    "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195865",
                    "token": "XXXXX"
                  },
                  {
                    "type": "dns-01",
                    "status": "valid",
                    "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195866",
                    "token": "XXXXX",
                    "keyAuthorization": "XXXXX.XXXXX",
                    "validationRecord": [
                      {
                        "hostname": "some.domain.com",
                        "port": "",
                        "addressesResolved": [],
                        "addressUsed": "",
                        "addressesTried": []
                      }
                    ]
                  },
                  {
                    "type": "http-01",
                    "status": "pending",
                    "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867",
                    "token": "XXXXX"
                  }
                ],
                "combinations": [
                  [
                    0
                  ],
                  [
                    2
                  ],
                  [
                    1
                  ]
                ]
              }'
              [Fri Oct 20 14:36:00 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
              Expires: Fri, 20 Oct 2017 11:36:01 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              
              HTTP/1.1 201 Created
              Server: nginx
              Content-Type: application/json
              Content-Length: 1327
              Boulder-Requester: 4940498
              Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
              Location: https://acme-staging.api.letsencrypt.org/acme/authz/XXXXX
              Replay-Nonce: XXXXX
              X-Frame-Options: DENY
              Strict-Transport-Security: max-age=604800
              Expires: Fri, 20 Oct 2017 11:36:01 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Fri, 20 Oct 2017 11:36:01 GMT
              Connection: keep-alive
              
              '
              [Fri Oct 20 14:36:00 EEST 2017] response='{"identifier":{"type":"dns","value":"some.domain.com"},"status":"valid","expires":"2017-11-19T11:27:38Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195865","token":"XXXXX"},{"type":"dns-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195866","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX","validationRecord":[{"hostname":"some.domain.com","port":"","addressesResolved":[],"addressUsed":"","addressesTried":[]}]},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867","token":"XXXXX"}],"combinations":[[0],[2],[1]]}'
              [Fri Oct 20 14:36:00 EEST 2017] code='201'
              [Fri Oct 20 14:36:00 EEST 2017] The new-authz request is ok.
              [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
              [Fri Oct 20 14:36:00 EEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867","token":"XXXXX"'
              [Fri Oct 20 14:36:00 EEST 2017] token='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867'
              [Fri Oct 20 14:36:00 EEST 2017] keyauthorization='XXXXX.XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip.
              [Fri Oct 20 14:36:00 EEST 2017] keyauthorization='verified_ok'
              [Fri Oct 20 14:36:00 EEST 2017] dvlist='some.domain.com#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867#http-01#no'
              [Fri Oct 20 14:36:00 EEST 2017] vlist='some.domain.com#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867#http-01#no,'
              [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip http-01.
              [Fri Oct 20 14:36:00 EEST 2017] ok, let's start to verify
              [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip http-01.
              [Fri Oct 20 14:36:00 EEST 2017] pid
              [Fri Oct 20 14:36:00 EEST 2017] No need to restore nginx, skip.
              [Fri Oct 20 14:36:00 EEST 2017] _clearupdns
              [Fri Oct 20 14:36:00 EEST 2017] skip dns.
              [Fri Oct 20 14:36:00 EEST 2017] Verify finished, start to sign.
              [Fri Oct 20 14:36:00 EEST 2017] i='2'
              [Fri Oct 20 14:36:00 EEST 2017] j='15'
              [Fri Oct 20 14:36:00 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
              [Fri Oct 20 14:36:00 EEST 2017] payload='{"resource": "new-cert", "csr": "XXXXX"}'
              [Fri Oct 20 14:36:00 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
              [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
              [Fri Oct 20 14:36:00 EEST 2017] payload64='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] _request_retry_times='0'
              [Fri Oct 20 14:36:00 EEST 2017] Use _CACHED_NONCE='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] nonce='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-cert", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
              [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
              [Fri Oct 20 14:36:00 EEST 2017] protected64='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
              [Fri Oct 20 14:36:00 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX='
              [Fri Oct 20 14:36:00 EEST 2017] sig='XXXXX'
              [Fri Oct 20 14:36:00 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
              [Fri Oct 20 14:36:00 EEST 2017] POST
              [Fri Oct 20 14:36:00 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
              [Fri Oct 20 14:36:00 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
              [Fri Oct 20 14:36:00 EEST 2017] curl exists=0
              [Fri Oct 20 14:36:00 EEST 2017] wget exists=127
              [Fri Oct 20 14:36:00 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
              [Fri Oct 20 14:36:01 EEST 2017] _ret='0'
              [Fri Oct 20 14:36:01 EEST 2017] original='XXXXX'
              [Fri Oct 20 14:36:01 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
              Expires: Fri, 20 Oct 2017 11:36:02 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              
              HTTP/1.1 201 Created
              Server: nginx
              Content-Type: application/pkix-cert
              Content-Length: 1254
              Boulder-Requester: 4940498
              Link: <https://acme-staging.api.letsencrypt.org/acme/issuer-cert>;rel="up"
              Location: https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX
              Replay-Nonce: XXXXX
              X-Frame-Options: DENY
              Strict-Transport-Security: max-age=604800
              Expires: Fri, 20 Oct 2017 11:36:03 GMT
              Cache-Control: max-age=0, no-cache, no-store
              Pragma: no-cache
              Date: Fri, 20 Oct 2017 11:36:03 GMT
              Connection: keep-alive
              
              '
              [Fri Oct 20 14:36:01 EEST 2017] response='XXXXX'
              [Fri Oct 20 14:36:01 EEST 2017] code='201'
              [Fri Oct 20 14:36:01 EEST 2017] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 10:Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX'
              [Fri Oct 20 14:36:01 EEST 2017] base64 multiline:'multiline'
              [Fri Oct 20 14:36:01 EEST 2017] Cert success.
              [Fri Oct 20 14:36:01 EEST 2017] Your cert is in  /tmp/acme/some.domain.com//some.domain.com/some.domain.com.cer
              [Fri Oct 20 14:36:01 EEST 2017] Your cert key is in  /tmp/acme/some.domain.com//some.domain.com/some.domain.com.key
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 4:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/'
              [Fri Oct 20 14:36:01 EEST 2017] Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 11:Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
              [Fri Oct 20 14:36:01 EEST 2017] _link_issuer_retry='0'
              [Fri Oct 20 14:36:01 EEST 2017] GET
              [Fri Oct 20 14:36:01 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
              [Fri Oct 20 14:36:01 EEST 2017] timeout
              [Fri Oct 20 14:36:01 EEST 2017] curl exists=0
              [Fri Oct 20 14:36:01 EEST 2017] wget exists=127
              [Fri Oct 20 14:36:01 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
              [Fri Oct 20 14:36:01 EEST 2017] ret='0'
              [Fri Oct 20 14:36:01 EEST 2017] base64 multiline:'multiline'
              [Fri Oct 20 14:36:01 EEST 2017] The intermediate CA cert is in  /tmp/acme/some.domain.com//some.domain.com/ca.cer
              [Fri Oct 20 14:36:01 EEST 2017] And the full chain certs is there:  /tmp/acme/some.domain.com//some.domain.com/fullchain.cer
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 12:Le_CertCreateTime='1508499361'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 13:Le_CertCreateTimeStr='Fri Oct 20 11:36:01 UTC 2017'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 14:Le_NextRenewTimeStr='Tue Dec 19 11:36:01 UTC 2017'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 15:Le_NextRenewTime='1513596961'
              [Fri Oct 20 14:36:01 EEST 2017] _on_issue_success
              [Fri Oct 20 14:36:01 EEST 2017] '' does not contain 'dns'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 16:Le_RealCertPath=''
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 17:Le_RealCACertPath=''
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 18:Le_RealKeyPath=''
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 19:Le_ReloadCmd='/tmp/acme/some.domain.com/reloadcmd.sh'
              [Fri Oct 20 14:36:01 EEST 2017] APP
              [Fri Oct 20 14:36:01 EEST 2017] 20:Le_RealFullChainPath=''
              [Fri Oct 20 14:36:01 EEST 2017] Run reload cmd: /tmp/acme/some.domain.com/reloadcmd.sh
              [Fri Oct 20 14:36:02 EEST 2017] Reload success
              

              Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
              Unifi AP-AC-LR with EAP RADIUS, US-24

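The debug log above shows the pieces the CA checks in an http-01 validation: the challenge token and the key authorization (token.thumbprint of the account JWK). The following is an added example, not code from the thread or from acme.sh, that recomputes that key authorization and pre-flights the webroot file before the CA is asked to validate, so a "missing" result corresponds to the 404 reported in this thread. It assumes the standard webroot layout <webroot>/.well-known/acme-challenge/<token>; the JWK and token in demo() are constructed values, not real keys.

```python
import base64
import hashlib
import json
import os
import tempfile


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the required
    members (e, kty, n) serialised in lexicographic order with no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Assumed standard layout: <webroot>/.well-known/acme-challenge/<token>."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def preflight_webroot(webroot: str, token: str, jwk: dict) -> str:
    """'missing' is what the CA sees as a 404, 'mismatch' a stale or wrong
    file, 'ok' the exact body the CA will compare against."""
    path = challenge_path(webroot, token)
    if not os.path.isfile(path):
        return "missing"
    with open(path, "r", encoding="ascii") as fh:
        return "ok" if fh.read().strip() == key_authorization(token, jwk) else "mismatch"


def demo() -> tuple:
    """Walk the three outcomes in a temporary webroot (constructed JWK and token)."""
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
    token = "constructedTokenValue_0123456789"
    webroot = tempfile.mkdtemp()
    results = [preflight_webroot(webroot, token, jwk)]        # nothing written yet
    os.makedirs(os.path.dirname(challenge_path(webroot, token)))
    with open(challenge_path(webroot, token), "w") as fh:
        fh.write("stale-content")                              # wrong body
    results.append(preflight_webroot(webroot, token, jwk))
    with open(challenge_path(webroot, token), "w") as fh:
        fh.write(key_authorization(token, jwk))                # correct body
    results.append(preflight_webroot(webroot, token, jwk))
    return tuple(results)
```

Run preflight_webroot() against the folder configured as the ACME webroot on the firewall; if it reports "ok" but the CA still gets a 404, the problem is in the HAProxy routing of /.well-known/acme-challenge/ on port 80 rather than in the file itself.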
              • O
                oki
                last edited by

                I'm using ACME 0.1.20 and HAProxy 0.52_14. This works for me, with some performance issues:

                • HAProxy Frontend *.80 does the redirect to my https backend 127.0.0.1:12345 (pfsense WebUI), with acl for beginning path "/.well-known".

                • ACME uses Domain SAN List Method "webroot local folder". I use this setup for two different domains (two certificates)

                • HAProxy Frontend *443 does SNI to their backends, using issued ACME certificates

                • HAProxy redirect Backend for Cert A does a redirect to a Dummy Frontend 127.0.0.1:2300

                • HAProxy Dummy Frontend 127.0.0.1:2300 does SSL Offloading (with cert A) and directs to my real Backend A

                • HAProxy Backend A does some ACLs and points to my backend Server farm A

                • HAProxy Backend for Cert B does a redirect to a Dummy Frontend 127.0.0.1:2301

                • HAProxy Dummy Frontend 127.0.0.1:2301 does SSL Offloading (with cert B) and directs to my real Backend B

                • HAProxy Backend B does some ACLs and points to my backend Server farm B

                • repeating the last three points does the magic for every hosted https Webpage/-application in DMZ

                • dragoangelD
                  dragoangel
                  last edited by

                  Try to issue a new certificate for a domain (not renew an existing one), and you will see what I am saying. I posted the issue on GitHub; maybe Neilpang will fix the issue.
                  https://github.com/Neilpang/acme.sh/issues/1078


                  • dragoangelD
                    dragoangel
                    last edited by

                    Found the problem, described the bug here:
                    https://forum.pfsense.org/index.php?topic=138617.0


                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      A new version of the ACME package will be available later today which should correct this.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.