SOLVED! Got an LE certificate – really?

ACME
14 Posts 5 Posters 2.1k Views
-flo-

Okay, this is exactly how I tried this. The response from acme looked very much like yours, including the -----BEGIN CERTIFICATE----- etc. part. But the last line is this:

[Mon Feb 5 17:06:04 CET 2018] Call hook error.

Something went wrong here, but what is it?

In the certificates there is no certificate, see attachment. When I selected this, pfSense replaced it with a self-signed certificate every time.

![Bildschirmfoto 2018-02-05 um 17.54.21.png](/public/imported_attachments/1/Bildschirmfoto 2018-02-05 um 17.54.21.png)
-flo-

Guess what: I manually imported the certificate from the files and this works now!

So it boils down to the question: Why did the acme package not finish the job?
Gertjan

Have a look here /tmp/acme/…... you will find several files, directories and more files.
There is a log file that traces the entire procedure.
Hopefully with some more info.
Btw : log files are always useful as soon as the word "error" pops up.

I guess, what I can make from what you gave: "hook error", that all the cert files are there, somewhere in /tmp/acme/, and that they just needed to be integrated into pfSense.
Strange if that fails, works for me every time.

Btw : latest pfSense and latest acme version, right ?

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
-flo-

@Gertjan:

[…] /tmp/acme/…... […] There is a log file that traces the entire procedure.
Hopefully with some more info.

No, nothing additional to the output in the GUI after the line "Call hook error."

@Gertjan:

Btw : latest pfSense and latest acme version, right ?

Well, no. I have pfSense 2.4, while the acme package is installed with the latest version. This may be the reason, but the package claimed to be compatible. I will try this after an update to the latest 2.4, but I tend to stay behind the latest pfSense version.

I make a reminder to update this thread once I have checked after an update.
jimp (Rebel Alliance Developer Netgate)

The package is only kept up-to-date on the most recent x.y.z release branch and sometimes one behind for significant security issues.

So unless you're on 2.4.2 or 2.4.2-p1 you are using an outdated package and most likely your problem is from that.

If you can reproduce the problem on 2.4.2-p1 or a 2.4.3 snapshot then we can investigate more.

There is another large update coming for the ACME package as Let's Encrypt is rolling out ACME v2 this month with support for wildcard certificates. I have a working test version here that I may be pushing to 2.4.3 development snapshots this week.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
Gertjan

@-flo-:

[Mon Feb 5 17:06:04 CET 2018] Call hook error.

This is the place where the error is flagged :
https://github.com/pfsense/FreeBSD-ports/blob/730d06a104acfa87dd8e919e894aec275cfc3826/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.sh#L3963

That moment is pretty special, as 99 % of the work is done, and the only thing that remains to do is copying the cert info into the "pfSense GUI" (lines 3969 etc) - after that, all is ok.
As you said, you found the certs in /tmp/acme/….
You did by hand what lines 3969 etc. do.

The why part, I don't know. Maybe related to the method you chose. In my case "$_post_hook" and "$_pre_hook" are empty, so

```sh
_on_issue_success "$_post_hook" "$_renew_hook"
```

does not return "0" or false, which triggers the error for you.
-flo-

Those hooks are empty in my case also. But anyway, the code continues after the warning. "Something" gets added to the certificate after all, but it's only garbage …

I'll see after an update; checked into the Release Notes of 2.4.1 and 2.4.2 today.
Gertjan

About 2.4.2 : it rocks (for me).
-flo-

2.4.2_1 rocks here now also.

And the acme script actually works. So the problem I had is confirmed to be an incompatibility between versions.

Is there btw. any way to remove unused certificates from pfSense??
thekorn

@jimp:

The package is only kept up-to-date on the most recent x.y.z release branch and sometimes one behind for significant security issues.

So unless you're on 2.4.2 or 2.4.2-p1 you are using an outdated package and most likely your problem is from that.

If you can reproduce the problem on 2.4.2-p1 or a 2.4.3 snapshot then we can investigate more.

I'm on 2.4.2-p1 and I'm having this exact issue. (lucky googlin' brought me here!) I, too, am getting the call hook error, and only the private key showing up in the certificate manager, with no way to delete it.

Happy to give you any logs you want, just don't know what would be useful. (I have very little experience with certificates and CAs, so bear with!)
optic

Um, Google led me here for this too…

On a fresh 2.4.2-RELEASE-p1, acme package 0.1.34, DNS-Manual validation.

Same symptoms as above: renew goes ok, gives locations of certs, but then "Call Hook Error" with nothing more in the logs and only the private key in the cert manager.

Manually importing into cert manager works.

Anything I can try, to pin this down?
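Both -flo- and optic worked around the "Call hook error." by importing the files acme.sh had already written by hand. The following is an added example, not code from this thread or from the pfSense ACME package: a small POSIX sh check, assuming OpenSSL is on the PATH, that confirms a certificate file and a key file actually belong together and that the certificate is not expired before the pair is pasted into the certificate manager.

```shell
#!/bin/sh
# Added example, not acme.sh or pfSense package code. After a "Call hook
# error." the files acme.sh wrote are still on disk under /tmp/acme; before
# importing them by hand, confirm they are a matching, unexpired pair.
# Assumptions: OpenSSL is on PATH; $1 is the certificate PEM and $2 the
# private key PEM (acme.sh names them <domain>.cer and <domain>.key).
check_cert_pair() {
  _cert="$1"
  _key="$2"
  for f in "$_cert" "$_key"; do
    # An empty or missing file is the half-finished state seen in the thread.
    if [ ! -s "$f" ]; then
      echo "missing or empty file: $f" >&2
      return 1
    fi
  done
  # Extract the SubjectPublicKeyInfo from both sides; a parse failure (a key
  # file that is really a certificate, or garbage) aborts the check.
  _cert_pub=$(openssl x509 -in "$_cert" -noout -pubkey 2>/dev/null) || {
    echo "cannot parse certificate: $_cert" >&2
    return 1
  }
  _key_pub=$(openssl pkey -in "$_key" -pubout 2>/dev/null) || {
    echo "cannot parse private key: $_key" >&2
    return 1
  }
  if [ -z "$_cert_pub" ] || [ "$_cert_pub" != "$_key_pub" ]; then
    echo "certificate and private key do not match" >&2
    return 1
  fi
  # Refuse a certificate that has expired or expires within the next day.
  if ! openssl x509 -in "$_cert" -noout -checkend 86400 >/dev/null 2>&1; then
    echo "certificate expired or expiring within 24h" >&2
    return 1
  fi
  echo "ok: $(openssl x509 -in "$_cert" -noout -subject) matches $_key"
  return 0
}
```

Run it as `check_cert_pair /tmp/acme/<dir>/<domain>.cer /tmp/acme/<dir>/<domain>.key`; a non-zero exit means the pair should not be imported as-is.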
jimp (Rebel Alliance Developer Netgate)

Since the OP in this thread is solved and working now, I'm locking this one. There is another open thread to use for similar symptoms here:

https://forum.pfsense.org/index.php?topic=144321.0
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.