ACME Package Updates 0.1.31-0.1.34
-
Dear Jim,
Transporting the certificate files based on scripts outside pfSense appears to be relatively easy to me. As you wrote, daily cron jobs would be sufficient. A bigger hurdle is to upload the certificate to the target system. One would have to replace a given certificate by its successor without changing the name. Is there a good way to execute such a job, for example from the command line via SSH?
Regards,
Michael Schefczyk
-
Hello!
Acme2 is out and wildcard certs (test) as well.
Acme.sh also supports the new v2 protocol.
Can we expect a package update before Feb 27th?
Thanks!
-
v2 is not "out" yet, there is a staging server for it.
I just synchronized to the latest acme.sh code on the 5th but their v2 support is still in a separate branch.
We won't be adding support until at least they merge it into their master branch. It's still super early and there isn't any practical use for it yet, the v2 staging servers are not trusted by anyone either.
tl;dr: We'll support it when it's ready, and it isn't ready yet, but we are keeping a very close eye on it.
-
Thanks, perfect answer
-
Hi, I am new to pfSense. What is ACME?
-
Hi Jimp,
Just upgraded to version 0.1.34 (on pfSense 2.3.5_p1), on a manual 'Issue/Renew' I'm now getting:
```
[Thu Jan 11 20:32:39 CET 2018] Verifying:jetmix.nl
[Thu Jan 11 20:32:39 CET 2018] Standalone mode server
echo: write error on stdout
echo: write error on stdout
echo: write error on stdout
echo: write error on stdout
[Thu Jan 11 20:32:43 CET 2018] jetmix.nl:Verify error:Invalid response from ...
```
Edit: I revisited the config and saved it once more, now the error is gone… solved.
-
Hmm, I'll have to set up a test for that. I have tested standalone mode (IPv4 and IPv6) on 2.4.x but I didn't test it on 2.3.x. I don't immediately see what would make a difference or cause that error, however.
-
Hi Jimp,
Edited my original post: a revisit of the config and save solved the problem. Thanks for the reply.
-
ok, thanks!
-
I've been attempting to get this working for the past few days now.
At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confirm that the packets are not blocked by the firewall due to my permit statement having hits.
I am getting the error
```
Error, can not get domain token fw.pardigital.net
```
-
> I've been attempting to get this working for the past few days now.
> At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confirm that the packets are not blocked by the firewall due to my permit statement having hits.
> I am getting the error
> ```
> Error, can not get domain token fw.pardigital.net
> ```

That's actually the script unable to parse a response back from ACME, and not something local failing. There must be something in the response they are sending that is different for that domain or unexpected in some way. The code around where that message is triggered hasn't changed in nearly a year or more. Please start a new thread to investigate that on its own since it doesn't appear to be related to this update.
-
Of course this isn't a general discussion thread, my mistake.