Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Acme/letsencrypt renewed certificates not saved in certmanager, Call hook error

    Scheduled Pinned Locked Moved ACME
    11 Posts 5 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      keson
      last edited by

      Team,
      I am vary happy long time user of pfsense. In november 2017 I installed acme, created a profile, requested a certificate and used it. Now in 7 days it will expire. I use DNS manual as I did not have time to play with the port 80/443 redirection, they are used for other purposes. So I did issue a new TXT challenge, updated teh TXT DNS entry and hit renew. The certificate seemed to renew and I got a new certificate and an info that they were saved in tmp folder… however, the newly issued certificate was NOT saved in certificate manager and also the LAST RENEWED stays as it was in november 2017.

      So my question is, where did it went wrong? I can see only last line saying: Call hook error.
      This is the result of the renew:

      NalzoviceRDP
      Renewing certificateaccount: LetsEncryptNalzovice
      server: letsencrypt-production
      /usr/local/pkg/acme/acme.sh --renew -d 'rdp.domov-nalzovice.cz' --home '/tmp/acme/NalzoviceRDP/' --accountconf '/tmp/acme/NalzoviceRDP/accountconf.conf' --force --reloadCmd '/tmp/acme/NalzoviceRDP/reloadcmd.sh' --dns --log-level 3 --log '/tmp/acme/NalzoviceRDP/acme_issuecert.log'
      Array
      (
      [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
      )
      [Thu Feb 22 09:17:25 CET 2018] Renew: 'rdp.domov-nalzovice.cz'
      [Thu Feb 22 09:17:27 CET 2018] Single domain='rdp.domov-nalzovice.cz'
      [Thu Feb 22 09:17:27 CET 2018] Getting domain auth token for each domain
      [Thu Feb 22 09:17:27 CET 2018] Verifying:rdp.domov-nalzovice.cz
      [Thu Feb 22 09:17:35 CET 2018] Success
      [Thu Feb 22 09:17:35 CET 2018] Verify finished, start to sign.
      [Thu Feb 22 09:17:37 CET 2018] Cert success.
      –---BEGIN CERTIFICATE-----
      MIIFDzCCA/egAwIBAgISA7TOCIYAdNQeYJ4QYSwycndpMA0GCSqGSIb3DQEBCwUA
      ---edited----
      TzyoqXofdIk7cmTHR+1N2lSnB7jjpv/3VPzWpjvHLxkN9CrMtwTBuYF8gX1EpdZK
      QDCP
      -----END CERTIFICATE-----
      [Thu Feb 22 09:17:37 CET 2018] Your cert is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.cer
      [Thu Feb 22 09:17:37 CET 2018] Your cert key is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.key
      [Thu Feb 22 09:17:38 CET 2018] The intermediate CA cert is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/ca.cer
      [Thu Feb 22 09:17:38 CET 2018] And the full chain certs is there: /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/fullchain.cer
      [Thu Feb 22 09:17:38 CET 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
      [Thu Feb 22 09:17:38 CET 2018] Call hook error.

      Any idea?

      I saw this post, but that did not really gives any solution:
      https://forum.pfsense.org/index.php?topic=143663.msg785030#msg785030

      …and I am on latest versions of everything.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Do you still have two buttons there on that cert entry: One for Issue, one for Renew?

        With DNS-Manual you have to hit issue, then find/update the TXT, then renew after the DNS entries are in place.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • K
          keson
          last edited by

          Yes, I do both options.
          And I use them as described in the documentation…
          The issue generates the TXT record for my DNS and the RENEW then generates the certificates, which I can download from /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.key and /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.cer

          When I do this and when I upload the key and certificate manually to the cert. manager, the certificate shows up there...
          But it is quite some work as I need to first set the admin interface back to self signed certificate, then I get the "delete" icon on my current LetsEncrypt certificate, then I import it and then I set the admin interface back to the new certificate.

          I understand from the documentation, that this should not be necessary and it should all happen automatically...

          P.S. i have freed my port 80 so that next time (in 30 or 60 days) I will try to use the automated process as this DNS-manual way is kind of time consuming :)

          So to recap the answer - the process of getting the certificate renewed works until the last point - it does not get automatically uploaded to the cert. manager and the "status" of the certificate does not update with new "valid to" date.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Hmm, ok. I don't have any set to manual at the moment but I'll try to get one setup. It should populate that automatically when the renewal action happens.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • K
              keson
              last edited by

              Well, it is not a burning issue for me, I just spotted this misbehaviour and as you can read on the thread I mentioned, I am not the only one. Perhaps using the standalone http server will be the way to go next time. I just do want to share my experience with others and perhaps help with getting this resolved - I can do whatever is needed when someone has an idea to test. Ready to help :)

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                There is an updated ACME package on 2.4.3, you could upgrade to a 2.4.3 snapshot and try it there.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • X
                  xpatriot
                  last edited by

                  I ran into the same issue Creating a manual cert for my internal web sites but found a circumvention that worked for me.

                  1. Use Method webroot local folder so that you can add a root folder of " /tmp/haproxy_chroot/.well-known/acme-challenge/"
                  2. Change the method to DNS-Manual and save.
                  3. Issue the cert and update DNS with correct TXT fields provided from issue
                  4. Hit renew and verify that everything went well but fails with the Call hook error.
                  5. Change the method back to webroot local folder again and save.
                  6. Issue/Renew

                  I then had a valid cert to use.

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    I'm able to reproduce this here but there is an even easier workaround (at least on 2.4.3):

                    • Click Issue
                    • Fix your DNS with the new TXT record
                    • Click Renew
                    • Click Issue again

                    The auth is still valid so the second renew goes through and you get the cert imported as expected.

                    I found the source of the call hook error but even getting rid of that it still isn't importing. I'm still digging at why, but in the meantime it's easy to get around.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      ok I figured out why, somewhere along the way the "renew" action in acme.sh stopped running the reloadcmd.sh script which imports the cert back into pfSense. That particular "renew" action is only invoked for DNS-Manual entries, so I added a check to run it in just that case if it successfully obtained a certificate. It works for me.

                      I only pushed that change to ACME on 2.4.3 at the moment, it will come to the other branches as soon as I push out this pending major update for ACME v2. I was waiting for Let's Encrypt's ACME v2 servers to go online this week but they pushed back that date so shrug

                      So for now, if you upgrade to 2.4.3 and get ACME package version 0.2.0.4 which will go up with the next snapshot run, it will be fixed. You can try manually applying the changes yourself in the meantime as a quick fix:  https://github.com/pfsense/FreeBSD-ports/commit/a6f630edae775ad4b3619858baa910809297c2d0

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • maverickwsM
                        maverickws
                        last edited by

                        Hi there,

                        I'm sorry I know this topic is quite old but I am using the ACME package on my pfSense and I came across this error today.
                        pfSense v2.4.4-RELEASE-p3
                        ACME Package v.0.5.8

                        Steps to reproduce:

                        • Click Issue
                        • Edit your DNS TXT record accordingly
                        • Click Renew

                        Expected results:
                        Certificate renewal completed successfully

                        Observed results:
                        An error "Call hook error" is thrown, without any further info on the logs.
                        You must hit renew a second time for the certificate to be updated.

                        Logs:

                        [Thu Jul 11 19:22:13 WEST 2019] readlink exists=0
[Thu Jul 11 19:22:13 WEST 2019] dirname exists=0
[Thu Jul 11 19:22:13 WEST 2019] Lets find script dir.
[Thu Jul 11 19:22:13 WEST 2019] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
[Thu Jul 11 19:22:13 WEST 2019] _script='/usr/local/pkg/acme/acme.sh'
[Thu Jul 11 19:22:13 WEST 2019] _script_home='/usr/local/pkg/acme'
[Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/
[Thu Jul 11 19:22:13 WEST 2019] APP
[Thu Jul 11 19:22:13 WEST 2019] 3:LOG_FILE='/tmp/acme/fw-cert/acme_issuecert.log'
[Thu Jul 11 19:22:13 WEST 2019] APP
[Thu Jul 11 19:22:13 WEST 2019] 4:LOG_LEVEL='3'
[Thu Jul 11 19:22:13 WEST 2019] LE_WORKING_DIR='/tmp/acme/fw-cert/'
[Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/
[Thu Jul 11 19:22:13 WEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jul 11 19:22:13 WEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Thu Jul 11 19:22:13 WEST 2019] CA_CONF='/tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/ca.conf'
[Thu Jul 11 19:22:13 WEST 2019] DOMAIN_PATH='/tmp/acme/fw-cert//fw.mydomain.com'
[Thu Jul 11 19:22:13 WEST 2019] Renew: 'fw.mydomain.com'
[Thu Jul 11 19:22:13 WEST 2019] Le_API
[Thu Jul 11 19:22:13 WEST 2019] _main_domain='fw.mydomain.com'
[Thu Jul 11 19:22:13 WEST 2019] _alt_domains='no'
[Thu Jul 11 19:22:13 WEST 2019] 'dns' contains 'dns'
[Thu Jul 11 19:22:13 WEST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu Jul 11 19:22:13 WEST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Jul 11 19:22:13 WEST 2019] GET
[Thu Jul 11 19:22:13 WEST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jul 11 19:22:13 WEST 2019] timeout=
[Thu Jul 11 19:22:13 WEST 2019] curl exists=0
[Thu Jul 11 19:22:13 WEST 2019] wget exists=127
[Thu Jul 11 19:22:13 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:15 WEST 2019] ret='0'
[Thu Jul 11 19:22:15 WEST 2019] response='{
  "XXeBADlFCPs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Thu Jul 11 19:22:15 WEST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_AUTHZ
[Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Jul 11 19:22:15 WEST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Jul 11 19:22:15 WEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jul 11 19:22:15 WEST 2019] ACME_VERSION='2'
[Thu Jul 11 19:22:15 WEST 2019] Le_NextRenewTime='1567962357'
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 1:Le_Domain='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 2:Le_Alt='no'
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 3:Le_Webroot='dns'
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 4:Le_PreHook=''
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 5:Le_PostHook=''
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 6:Le_RenewHook=''
[Thu Jul 11 19:22:15 WEST 2019] _on_before_issue
[Thu Jul 11 19:22:15 WEST 2019] _chk_main_domain='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _chk_alt_domains
[Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'no'
[Thu Jul 11 19:22:15 WEST 2019] Le_LocalAddress
[Thu Jul 11 19:22:15 WEST 2019] d='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] Check for domain='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _currentRoot='dns'
[Thu Jul 11 19:22:15 WEST 2019] d
[Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'apache'
[Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash='jR06iKbCw94E0U9X2mveGPwhxNAF7yBSUrUj7bS8jmk='
[Thu Jul 11 19:22:15 WEST 2019] base64 single line.
[Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash is not changed, skip register account.
[Thu Jul 11 19:22:15 WEST 2019] Read key length:
[Thu Jul 11 19:22:15 WEST 2019] _createcsr
[Thu Jul 11 19:22:15 WEST 2019] domain='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] domainlist
[Thu Jul 11 19:22:15 WEST 2019] csrkey='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key'
[Thu Jul 11 19:22:15 WEST 2019] csr='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr'
[Thu Jul 11 19:22:15 WEST 2019] csrconf='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr.conf'
[Thu Jul 11 19:22:15 WEST 2019] Single domain='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _idn_temp
[Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _idn_temp
[Thu Jul 11 19:22:15 WEST 2019] _csr_cn='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] OK
[Thu Jul 11 19:22:15 WEST 2019] 7:Le_Keylength=''
[Thu Jul 11 19:22:15 WEST 2019] Getting domain auth token for each domain
[Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
[Thu Jul 11 19:22:15 WEST 2019] _idn_temp
[Thu Jul 11 19:22:15 WEST 2019] d
[Thu Jul 11 19:22:15 WEST 2019] _identifiers='{"type":"dns","value":"fw.mydomain.com"}'
[Thu Jul 11 19:22:15 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jul 11 19:22:15 WEST 2019] payload='{"identifiers": [{"type":"dns","value":"fw.mydomain.com"}]}'
[Thu Jul 11 19:22:15 WEST 2019] RSA key
[Thu Jul 11 19:22:15 WEST 2019] pub_exp='010001'
[Thu Jul 11 19:22:15 WEST 2019] base64 single line.[Thu Jul 11 19:22:15 WEST 2019] 
xxd exists=127
[Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1'
[Thu Jul 11 19:22:15 WEST 2019] e='AQAB'
[Thu Jul 11 19:22:15 WEST 2019] modulus=''
[Thu Jul 11 19:22:15 WEST 2019] xxd exists=127
[Thu Jul 11 19:22:15 WEST 2019] base64 single line.
[Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1'
[Thu Jul 11 19:22:16 WEST 2019] n=''
[Thu Jul 11 19:22:16 WEST 2019] jwk='{"e": "AQAB", "kty": "RSA", "n": ""}'
[Thu Jul 11 19:22:16 WEST 2019] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": ""}}'
[Thu Jul 11 19:22:16 WEST 2019] base64 single line.
[Thu Jul 11 19:22:16 WEST 2019] payload64=''
[Thu Jul 11 19:22:16 WEST 2019] _request_retry_times='1'
[Thu Jul 11 19:22:16 WEST 2019] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jul 11 19:22:16 WEST 2019] HEAD
[Thu Jul 11 19:22:16 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jul 11 19:22:16 WEST 2019] body
[Thu Jul 11 19:22:16 WEST 2019] _postContentType='application/jose+json'
[Thu Jul 11 19:22:16 WEST 2019] curl exists=0
[Thu Jul 11 19:22:16 WEST 2019] wget exists=127
[Thu Jul 11 19:22:16 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:17 WEST 2019] _ret='0'
[Thu Jul 11 19:22:17 WEST 2019] _headers='HTTP/1.1 200 OK
Server: nginx
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Thu, 11 Jul 2019 18:22:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jul 2019 18:22:17 GMT
Connection: keep-alive
^M'
[Thu Jul 11 19:22:17 WEST 2019] _CACHED_NONCE=''
[Thu Jul 11 19:22:17 WEST 2019] nonce=''
[Thu Jul 11 19:22:17 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
[Thu Jul 11 19:22:17 WEST 2019] base64 single line.
[Thu Jul 11 19:22:17 WEST 2019] protected64=''
[Thu Jul 11 19:22:17 WEST 2019] base64 single line.
[Thu Jul 11 19:22:17 WEST 2019] _sig_t=''
[Thu Jul 11 19:22:17 WEST 2019] sig=''
[Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:17 WEST 2019] POST
[Thu Jul 11 19:22:17 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:17 WEST 2019] _postContentType='application/jose+json'
[Thu Jul 11 19:22:17 WEST 2019] Http already initialized.
[Thu Jul 11 19:22:17 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:18 WEST 2019] _ret='0'
[Thu Jul 11 19:22:18 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
Expires: Thu, 11 Jul 2019 18:22:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 376
Boulder-Requester: 00131007
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337
Replay-Nonce:
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jul 2019 18:22:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jul 2019 18:22:18 GMT
Connection: keep-alive
^M'
[Thu Jul 11 19:22:18 WEST 2019] code='201'
[Thu Jul 11 19:22:18 WEST 2019] original='{
  "status": "ready",
  "expires": "2019-07-18T18:22:18.588852588Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "fw.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/minez"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337"
}'
[Thu Jul 11 19:22:18 WEST 2019] response='{"status":"ready","expires":"2019-07-18T18:22:18.588852588Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337"}'
[Thu Jul 11 19:22:18 WEST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337'
[Thu Jul 11 19:22:18 WEST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
[Thu Jul 11 19:22:18 WEST 2019] OK
[Thu Jul 11 19:22:18 WEST 2019] 8:Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
[Thu Jul 11 19:22:18 WEST 2019] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
[Thu Jul 11 19:22:18 WEST 2019] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
[Thu Jul 11 19:22:18 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
[Thu Jul 11 19:22:18 WEST 2019] payload
[Thu Jul 11 19:22:18 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
[Thu Jul 11 19:22:18 WEST 2019] base64 single line.
[Thu Jul 11 19:22:18 WEST 2019] payload64
[Thu Jul 11 19:22:18 WEST 2019] _request_retry_times='1'
[Thu Jul 11 19:22:18 WEST 2019] Use _CACHED_NONCE=''
[Thu Jul 11 19:22:18 WEST 2019] nonce=''
[Thu Jul 11 19:22:18 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/minez", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
[Thu Jul 11 19:22:18 WEST 2019] base64 single line.
[Thu Jul 11 19:22:18 WEST 2019] protected64=''
[Thu Jul 11 19:22:18 WEST 2019] base64 single line.
[Thu Jul 11 19:22:18 WEST 2019] _sig_t=''
[Thu Jul 11 19:22:18 WEST 2019] sig=''
[Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:18 WEST 2019] POST
[Thu Jul 11 19:22:18 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
[Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:18 WEST 2019] _postContentType='application/jose+json'
[Thu Jul 11 19:22:18 WEST 2019] Http already initialized.
[Thu Jul 11 19:22:18 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:20 WEST 2019] _ret='0'
[Thu Jul 11 19:22:20 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
Expires: Thu, 11 Jul 2019 18:22:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 1011
Boulder-Requester: 00131007
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce:
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jul 2019 18:22:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jul 2019 18:22:20 GMT
Connection: keep-alive
^M'
[Thu Jul 11 19:22:20 WEST 2019] code='200'
[Thu Jul 11 19:22:20 WEST 2019] original='{
  "identifier": {
    "type": "dns",
    "value": "fw.mydomain.com"
  },
  "status": "valid",
  "expires": "2019-08-10T17:05:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372",
      "token": ""
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374",
      "token": ""
    },
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394",
      "token": "",
      "validationRecord": [
        {
          "hostname": "fw.mydomain.com"
        }
      ]
    }
  ]
}'
[Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
[Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
[Thu Jul 11 19:22:20 WEST 2019] _d='fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] _authorizations_map='fw.mydomain.com,{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}
'
[Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] Getting webroot for domain='fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] _w='dns'
[Thu Jul 11 19:22:20 WEST 2019] _currentRoot='dns'
[Thu Jul 11 19:22:20 WEST 2019] _is_idn_d='fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] _idn_temp
[Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
[Thu Jul 11 19:22:20 WEST 2019] base64 single line.
[Thu Jul 11 19:22:20 WEST 2019] entry='"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"'
[Thu Jul 11 19:22:20 WEST 2019] token=''
[Thu Jul 11 19:22:20 WEST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394'
[Thu Jul 11 19:22:20 WEST 2019] keyauthorization='.'
[Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified.
[Thu Jul 11 19:22:20 WEST 2019] keyauthorization='verified_ok'
[Thu Jul 11 19:22:20 WEST 2019] dvlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns'
[Thu Jul 11 19:22:20 WEST 2019] d
[Thu Jul 11 19:22:20 WEST 2019] vlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns,'
[Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01.
[Thu Jul 11 19:22:20 WEST 2019] ok, let's start to verify
[Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01.
[Thu Jul 11 19:22:20 WEST 2019] pid
[Thu Jul 11 19:22:20 WEST 2019] No need to restore nginx, skip.
[Thu Jul 11 19:22:20 WEST 2019] _clearupdns
[Thu Jul 11 19:22:20 WEST 2019] dns_entries
[Thu Jul 11 19:22:20 WEST 2019] skip dns.
[Thu Jul 11 19:22:20 WEST 2019] Verify finished, start to sign.
[Thu Jul 11 19:22:20 WEST 2019] i='2'
[Thu Jul 11 19:22:20 WEST 2019] j='16'
[Thu Jul 11 19:22:20 WEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337
[Thu Jul 11 19:22:20 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
[Thu Jul 11 19:22:20 WEST 2019] payload='{"csr": ""}'
[Thu Jul 11 19:22:20 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
[Thu Jul 11 19:22:20 WEST 2019] base64 single line.
[Thu Jul 11 19:22:20 WEST 2019] payload64=''
[Thu Jul 11 19:22:20 WEST 2019] _request_retry_times='1'
[Thu Jul 11 19:22:20 WEST 2019] Use _CACHED_NONCE=''
[Thu Jul 11 19:22:20 WEST 2019] nonce=''
[Thu Jul 11 19:22:20 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
[Thu Jul 11 19:22:20 WEST 2019] base64 single line.
[Thu Jul 11 19:22:20 WEST 2019] protected64=''
[Thu Jul 11 19:22:20 WEST 2019] base64 single line.
[Thu Jul 11 19:22:20 WEST 2019] _sig_t=''
[Thu Jul 11 19:22:20 WEST 2019] sig=''
[Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:20 WEST 2019] POST
[Thu Jul 11 19:22:20 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
[Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:20 WEST 2019] _postContentType='application/jose+json'
[Thu Jul 11 19:22:20 WEST 2019] Http already initialized.
[Thu Jul 11 19:22:20 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:22 WEST 2019] _ret='0'
[Thu Jul 11 19:22:22 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
Expires: Thu, 11 Jul 2019 18:22:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 470
Boulder-Requester: 00131007
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337
Replay-Nonce:
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jul 2019 18:22:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jul 2019 18:22:22 GMT
Connection: keep-alive
^M'
[Thu Jul 11 19:22:22 WEST 2019] code='200'
[Thu Jul 11 19:22:22 WEST 2019] original='{
  "status": "valid",
  "expires": "2019-07-18T18:22:18Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "fw.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/minez"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11"
}'
[Thu Jul 11 19:22:22 WEST 2019] response='{"status":"valid","expires":"2019-07-18T18:22:18Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11"}'
[Thu Jul 11 19:22:22 WEST 2019] OK
[Thu Jul 11 19:22:22 WEST 2019] 10:Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337'
[Thu Jul 11 19:22:22 WEST 2019] Order status is valid.
[Thu Jul 11 19:22:22 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
[Thu Jul 11 19:22:22 WEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11
[Thu Jul 11 19:22:22 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
[Thu Jul 11 19:22:22 WEST 2019] payload
[Thu Jul 11 19:22:22 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
[Thu Jul 11 19:22:22 WEST 2019] base64 single line.
[Thu Jul 11 19:22:22 WEST 2019] payload64
[Thu Jul 11 19:22:22 WEST 2019] _request_retry_times='1'
[Thu Jul 11 19:22:22 WEST 2019] Use _CACHED_NONCE=''
[Thu Jul 11 19:22:22 WEST 2019] nonce=''
[Thu Jul 11 19:22:22 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
[Thu Jul 11 19:22:22 WEST 2019] base64 single line.
[Thu Jul 11 19:22:22 WEST 2019] protected64=''
[Thu Jul 11 19:22:22 WEST 2019] base64 single line.
[Thu Jul 11 19:22:22 WEST 2019] _sig_t=''
[Thu Jul 11 19:22:22 WEST 2019] sig=''
[Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:22 WEST 2019] POST
[Thu Jul 11 19:22:22 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
[Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
[Thu Jul 11 19:22:22 WEST 2019] _postContentType='application/jose+json'
[Thu Jul 11 19:22:22 WEST 2019] Http already initialized.
[Thu Jul 11 19:22:22 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
[Thu Jul 11 19:22:24 WEST 2019] _ret='0'
[Thu Jul 11 19:22:24 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
Expires: Thu, 11 Jul 2019 18:22:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/pem-certificate-chain
Content-Length: 3571
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce:
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 11 Jul 2019 18:22:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jul 2019 18:22:24 GMT
Connection: keep-alive
^M'
[Thu Jul 11 19:22:24 WEST 2019] code='200'
[Thu Jul 11 19:22:24 WEST 2019] original='-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----'
[Thu Jul 11 19:22:24 WEST 2019] response='-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----'
[Thu Jul 11 19:22:24 WEST 2019] Found cert chain
[Thu Jul 11 19:22:24 WEST 2019] _end_n='31'
[Thu Jul 11 19:22:24 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
[Thu Jul 11 19:22:24 WEST 2019] OK
[Thu Jul 11 19:22:24 WEST 2019] 11:Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
[Thu Jul 11 19:22:24 WEST 2019] Cert success.
[Thu Jul 11 19:22:24 WEST 2019] Your cert is in  /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.cer 
[Thu Jul 11 19:22:24 WEST 2019] Your cert key is in  /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key 
[Thu Jul 11 19:22:24 WEST 2019] APP
[Thu Jul 11 19:22:24 WEST 2019] 5:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/'
[Thu Jul 11 19:22:24 WEST 2019] v2 chain.
[Thu Jul 11 19:22:24 WEST 2019] The intermediate CA cert is in  /tmp/acme/fw-cert//fw.mydomain.com/ca.cer 
[Thu Jul 11 19:22:24 WEST 2019] And the full chain certs is there:  /tmp/acme/fw-cert//fw.mydomain.com/fullchain.cer 
[Thu Jul 11 19:22:24 WEST 2019] OK
[Thu Jul 11 19:22:24 WEST 2019] 12:Le_CertCreateTime='1562869344'
[Thu Jul 11 19:22:24 WEST 2019] OK
[Thu Jul 11 19:22:24 WEST 2019] 13:Le_CertCreateTimeStr='Thu Jul 11 18:22:24 UTC 2019'
[Thu Jul 11 19:22:24 WEST 2019] OK
[Thu Jul 11 19:22:24 WEST 2019] 14:Le_NextRenewTimeStr='Mon Sep  9 18:22:24 UTC 2019'
[Thu Jul 11 19:22:24 WEST 2019] OK
[Thu Jul 11 19:22:24 WEST 2019] 15:Le_NextRenewTime='1567966944'
[Thu Jul 11 19:22:24 WEST 2019] _on_issue_success
[Thu Jul 11 19:22:24 WEST 2019] 'dns' contains 'dns'
[Thu Jul 11 19:22:24 WEST 2019] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Thu Jul 11 19:22:24 WEST 2019] Call hook error.

                        Obfuscated a few lines.
                        This actually caused my some hassle ... looking at this thread I figured this issue would be already fixed. Any thoughts?

                        1 Reply Last reply Reply Quote 0
                        • R
                          riahc3 Banned
                          last edited by

                          Im suffering a similar bug but I use the webroot FTP option.

                          Manually hit the renew button and I see the certificate is renewed BUT it isnt applied on the HTTPS side of my pfSense.

                          2.4.4-RELEASE-p1

                          acme security 0.5.8

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.