ACME Package Updates 0.1.31-0.1.34

michaelschefczyk

Dear Jim,

Thank you very much! Being able to easily read and use the certificates from the LAN side is great!

There is just one more idea you might want to consider: One may run a cluster of webservers in different locations (I do that with two locations connected by VPN, webroot files shared via gluster and a galera cluster across locations). HAProxy and ACME on pfsense is a good frontend to that. Presently, one practically (i.e., without very substantial custom scripting) needs to generate one set of ACME certificates per location. It would be great if one could synchronize the certificates to the secondary location one way or the other. This might be accomplished by XMLRPC Sync like in freeradius or by a way to feed certificates into the certificate manager on the other side - running a script to regularly check /conf/acme/ and copy selected content to another pfsense device should be simple enough.

Regards,

Michael Schefczyk

jimp

Trying to xmlrpc sync them elsewhere is unlikely to be viable in that way.

Using the filesystem option and having another script copy them out (to or from) the firewall from that point is probably best. Given the wide range of time between renewals and expiration there isn't any time pressure for that to happen immediately like a sync would do.

michaelschefczyk

Dear Jim,

Transporting the certificate files based on scripts outside pfsense appears to be relatively easy to me. As you wrote, daily cron jobs would be sufficient. A bigger hurdle is to upload the certificate to the target system. One would have to replace a given certificate by its successor without changing the name. Is there a good way to execute such job for example command line via SSH?

Regards,

Michael Schefczyk

maverick_slo

Hello!
Acme2 is out and wildcard certs (test) as well.
Acme.sh also supports new v2 protocol.
Can we expect package update before feb 27th?
Thanks!

jimp

v2 is not "out" yet, there is a staging server for it.

I just synchronized to the latest acme.sh code on the 5th but their v2 support is still in a separate branch.

We won't be adding support until at least they merge it into their master branch. It's still super early and there isn't any practical use for it yet, the v2 staging servers are not trusted by anyone either.

tl;dr: We'll support it when it's ready, and it isn't ready yet, but we are keeping a very close eye on it.

maverick_slo

Thanks, perfect answer

shan52

Hi, I am new to Pfsense. What is ACME?

Gertjan

@shan52:

Hi, I am new to Pfsense. What is ACME?

Checkout ACME.
It's also the name of a pfSense package.
I advise you also to start reading here https://letsencrypt.org/

edit : stupid me, I replied to a spammer ….

hakkers

Hi Jimp,

Just upgraded to version 0.1.34 (on pfSense 2.3.5_p1), on a manual 'Issue/Renew' i'm now getting:

[Thu Jan 11 20:32:39 CET 2018] Verifying:jetmix.nl
[Thu Jan 11 20:32:39 CET 2018] Standalone mode server
echo: write error on stdout
echo: write error on stdout
echo: write error on stdout
echo: write error on stdout
[Thu Jan 11 20:32:43 CET 2018] jetmix.nl:Verify error:Invalid response from ...

Edit: i revisited the config and saved it ones more, now the error is gone… solved.

jimp

Hmm, I'll have to setup a test for that. I have tested standalone mode (IPv4 and IPv6) on 2.4.x but I didn't test it on 2.3.x. I don't immediately see what would make a difference or cause that error, however.

hakkers

Hi Jimp,
Edited my original post: a revisit of the config and save solved the problem.

Thanks for the reply.

jimp

ok, thanks!

packetman_

I've been attempting to get this working for the past few days now.
At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confim that the packets are not blocked by the firewall due to my permit statment having hits.
I am getting the error```
Error, can not get domain token fw.pardigital.net

jimp

@packetman_:

I've been attempting to get this working for the past few days now.
At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confim that the packets are not blocked by the firewall due to my permit statment having hits.
I am getting the error```
Error, can not get domain token fw.pardigital.net

That's actually the script unable to parse a response back from ACME, and not something local failing. There must be something in the response they are sending that is different for that domain or unexpected in some way. The code around where that message is triggered hasn't changed in nearly a year or more. Please start a new thread to investigate that on its own since it doesn't appear to be related to this update.

packetman_

Of course this isn't a general discussion thread, my mistake .