Netgate Discussion Forum

    ACMEv2 is live!

    • jimpJ
      jimp Rebel Alliance Developer Netgate

      Yes, the fix in 0.2.4 should help there. It's also entirely possible the servers are a bit loaded due to the service just coming online, so retrying is a good idea as well if it fails. I had more than one attempt completely time out earlier just after the launch.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • jimpJ
        jimp Rebel Alliance Developer Netgate

        @Napsterbater:

        I have generated a few myself.

        I will note every once in a while I was getting an error "Le_OrderFinalize not found" and even posted a bug report here thinking I found a workaround, turns out simply retrying after a min or so would let it work.

        Edit: I will note the errors were with 0.2.3; I see there was a small change in 0.2.4 that may have resolved it.

        I pushed a fix in 0.2.5 that might address this as well, there was another way that sort of error could happen.

        • S
          sowil

          What wonderful news ! Yesterday, I just wondered when this package would be updated… but it was already ready ! :)

          So I tried this morning, first by generating a new certificate, but I had a (justified) error:

          "A wildcard 'Domainname' is present but the ACME Account key is not registered to an ACME v2 server."
          

          So I clicked on "Account keys" > "Add" to generate a new one… and then I had an (unexpected) PHP error:

          PHP ERROR: Type: 4096, File: /usr/local/www/classes/Form/Input.class.php, Line: 145, Message: Argument 2 passed to Form_Input::setHelp() must be of the type array, string given, called in /usr/local/www/acme/acme_accountkeys_edit.php on line 218 and defined
          

          Is that a direct error from pfSense or from the new ACME package ?

          Information : pfSense 2.3.5-RELEASE (i386)

          If you need more info, I'm available.

          Thanks for your work !

          • jimpJ
            jimp Rebel Alliance Developer Netgate

            Appears to be a bug, I'll check it out and fix it up ASAP. Looks like it's a quirk in how the help text is processed on 2.3.x compared to 2.4.x

            • jimpJ
              jimp Rebel Alliance Developer Netgate

              @sowil:

              Is that a direct error from pfSense or from the new ACME package ?

              Information : pfSense 2.3.5-RELEASE (i386)

              You should see ACME package version 0.2.5_1 show up shortly, it contains a fix for this for 2.3.x users.

              Users on 2.4.x will see the update but it doesn't really matter for them, I bumped the version to keep it in line so my next batch of enhancements will be easier to merge across all branches.

              • S
                sowil

                Already available… Wuw, thank you !

                New account key created, new wildcard certificate generated... Per-fect ;)

                Thanks for the fast, good service !

                • J
                  jeffc

                  The original topic for this said:

                  If you have the latest version of the ACME package on pfSense, 0.2.4, …

                  Sorry for the unfamiliarity! How do I get the latest ACME package on a 0.2.4 pfSense installation?

                  Thanks!

                  /Jeff

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate

                    @jeffc:

                    Sorry for the unfamiliarity! How do I get the latest ACME package on a 0.2.4 pfSense installation?

                    The latest version of pfSense is 2.4.2-p1 (or 2.3.5-p1).  The latest version of the ACME package is 0.2.5_1 (there were some changes after 0.2.4). You get it by visiting System > Packages. If the package is already installed, click the little upgrade icon next to the package name to update it. If the package is not installed, visit the Available Packages tab and install it from there.

                    • GertjanG
                      Gertjan

                      @jimp : my first wildcard … I'm impressed. Great work !

                      Btw : I guess it's time to open a child forum into the Packages forum for the acme package.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • M
                        michaelschefczyk

                        Dear All,

                        Unfortunately, this does not work for everyone, yet.

                        Two weeks ago, I did set up everything required to use the DNS-NSupdate / RFC 2136 method. I also tried with Let's Encrypt Staging ACME v2 and everything did work with and without wildcard certificates.

                        Now, it does not work anymore, unfortunately. I always get the following error when requesting a v2 certificate (even for a domain not used before on that particular pfSense machine) with staging and production v2 (while it does work when changing to v1):

                        [Sat Mar 17 23:10:46 CET 2018] Getting domain auth token for each domain
                        [Sat Mar 17 23:10:49 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
                        [Sat Mar 17 23:10:49 CET 2018] Please check log file for more details: /tmp/acme/…/acme_issuecert.log

                        After that, the cert manager does contain "private key only" but no certificate.

                        Does someone have advice on how to proceed?

                        Regards,

                        Michael

                        • N
                          Napsterbater

                          @michaelschefczyk:

                          Dear All,

                          Unfortunately, this does not work for everyone, yet.

                          Two weeks ago, I did set up everything required to use the DNS-NSupdate / RFC 2136 method. I also tried with Let's Encrypt Staging ACME v2 and everything did work with and without wildcard certificates.

                          Now, it does not work anymore, unfortunately. I always get the following error when requesting a v2 certificate (even for a domain not used before on that particular pfSense machine) with staging and production v2 (while it does work when changing to v1):

                          [Sat Mar 17 23:10:46 CET 2018] Getting domain auth token for each domain
                          [Sat Mar 17 23:10:49 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
                          [Sat Mar 17 23:10:49 CET 2018] Please check log file for more details: /tmp/acme/…/acme_issuecert.log

                          After that, the cert manager does contain "private key only" but no certificate.

                          Does someone have advice on how to proceed?

                          Regards,

                          Michael

                          That was the error I was getting, and retrying 2 or 3 times with a few minutes in between was all it took for it to work for me.

                          • Y
                            yon

                            v0.2.5_1 still does not work

                            [Sat Mar 17 16:47:38 CST 2018] readlink exists=0
                            [Sat Mar 17 16:47:38 CST 2018] dirname exists=0
                            [Sat Mar 17 16:47:38 CST 2018] Lets find script dir.
                            [Sat Mar 17 16:47:38 CST 2018] SCRIPT='/usr/local/pkg/acme/acme.sh'
                            [Sat Mar 17 16:47:38 CST 2018] _script='/usr/local/pkg/acme/acme.sh'
                            [Sat Mar 17 16:47:38 CST 2018] _script_home='/usr/local/pkg/acme'
                            [Sat Mar 17 16:47:38 CST 2018] Using config home:/tmp/acme/xiao.net/
                            [Sat Mar 17 16:47:38 CST 2018] APP
                            [Sat Mar 17 16:47:38 CST 2018] 2:LOG_FILE='/tmp/acme/xiao.net/acme_issuecert.log'
                            [Sat Mar 17 16:47:38 CST 2018] APP
                            [Sat Mar 17 16:47:38 CST 2018] 3:LOG_LEVEL='3'
                            [Sat Mar 17 16:47:38 CST 2018] LE_WORKING_DIR='/tmp/acme/xiao.net/'
                            [Sat Mar 17 16:47:38 CST 2018] _main_domain='xiao.net'
                            [Sat Mar 17 16:47:38 CST 2018] _alt_domains='.xiao.net'
                            [Sat Mar 17 16:47:38 CST 2018] Using config home:/tmp/acme/xiao.net/
                            [Sat Mar 17 16:47:38 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
                            [Sat Mar 17 16:47:38 CST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
                            [Sat Mar 17 16:47:38 CST 2018] CA_CONF='/tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/ca.conf'
                            [Sat Mar 17 16:47:38 CST 2018] DOMAIN_PATH='/tmp/acme/xiao.net//xiao.net'
                            [Sat Mar 17 16:47:38 CST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
                            [Sat Mar 17 16:47:38 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
                            [Sat Mar 17 16:47:38 CST 2018] GET
                            [Sat Mar 17 16:47:38 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
                            [Sat Mar 17 16:47:38 CST 2018] timeout=
                            [Sat Mar 17 16:47:38 CST 2018] curl exists=0
                            [Sat Mar 17 16:47:38 CST 2018] wget exists=127
                            [Sat Mar 17 16:47:38 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g '
                            [Sat Mar 17 16:50:11 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
                            [Sat Mar 17 16:50:11 CST 2018] ret='7'
                            [Sat Mar 17 16:50:11 CST 2018] response
                            [Sat Mar 17 16:50:11 CST 2018] Can not init api.
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 1:Le_Domain='xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 2:Le_Alt='
                            .xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 3:Le_Webroot='dns_nsupdate'
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 4:Le_PreHook=''
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 5:Le_PostHook=''
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 6:Le_RenewHook=''
                            [Sat Mar 17 16:50:11 CST 2018] APP
                            [Sat Mar 17 16:50:11 CST 2018] 7:Le_API='https://acme-v02.api.letsencrypt.org/directory'
                            [Sat Mar 17 16:50:11 CST 2018] _on_before_issue
                            [Sat Mar 17 16:50:11 CST 2018] _chk_main_domain='xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] _chk_alt_domains='.xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] 'dns_nsupdate' does not contain 'no'
                            [Sat Mar 17 16:50:11 CST 2018] Le_LocalAddress
                            [Sat Mar 17 16:50:11 CST 2018] d='xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] Check for domain='xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] _currentRoot='dns_nsupdate'
                            [Sat Mar 17 16:50:11 CST 2018] d='
                            .xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] Check for domain='*.xiao.net'
                            [Sat Mar 17 16:50:11 CST 2018] _currentRoot='dns_nsupdate'
                            [Sat Mar 17 16:50:11 CST 2018] d
                            [Sat Mar 17 16:50:11 CST 2018] 'dns_nsupdate' does not contain 'apache'
                            [Sat Mar 17 16:50:11 CST 2018] config file is empty, can not read CA_KEY_HASH
                            [Sat Mar 17 16:50:11 CST 2018] _saved_account_key_hash
                            [Sat Mar 17 16:50:11 CST 2018] Using config home:/tmp/acme/xiao.net/
                            [Sat Mar 17 16:50:11 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
                            [Sat Mar 17 16:50:11 CST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
                            [Sat Mar 17 16:50:11 CST 2018] CA_CONF='/tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/ca.conf'
                            [Sat Mar 17 16:50:11 CST 2018] _regAccount
                            [Sat Mar 17 16:50:11 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
                            [Sat Mar 17 16:50:11 CST 2018] GET
                            [Sat Mar 17 16:50:11 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
                            [Sat Mar 17 16:50:11 CST 2018] timeout=
                            [Sat Mar 17 16:50:11 CST 2018] curl exists=0
                            [Sat Mar 17 16:50:11 CST 2018] wget exists=127
                            [Sat Mar 17 16:50:11 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g '
                            [Sat Mar 17 16:50:26 CST 2018] ret='0'
                            [Sat Mar 17 16:50:26 CST 2018] response='{
                              "jRY5HULISn4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
                              "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
                              "meta": {
                                "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
                              },
                              "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
                              "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
                              "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
                              "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
                            }'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_AUTHZ
                            [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
                            [Sat Mar 17 16:50:26 CST 2018] ACME_VERSION='2'
                            [Sat Mar 17 16:50:26 CST 2018] RSA key
                            [Sat Mar 17 16:50:26 CST 2018] pub_exp='010001'
                            [Sat Mar 17 16:50:26 CST 2018] [Sat Mar 17 16:50:26 CST 2018] xxd exists=127base64 single line.

                            [Sat Mar 17 16:50:26 CST 2018] _URGLY_PRINTF='1'
                            [Sat Mar 17 16:50:26 CST 2018] e='AQAB'
                            [Sat Mar 17 16:50:26 CST 2018] base64 single line.
                            [Sat Mar 17 16:50:26 CST 2018] xxd exists=127
                            [Sat Mar 17 16:50:26 CST 2018] _URGLY_PRINTF='1'
                            [Sat Mar 17 16:50:26 CST 2018] Registering account
                            [Sat Mar 17 16:50:26 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
                            [Sat Mar 17 16:50:26 CST 2018] payload='{"termsOfServiceAgreed": true}'
                            [Sat Mar 17 16:50:26 CST 2018] Use cached jwk for file: /tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/account.key
                            [Sat Mar 17 16:50:26 CST 2018] base64 single line.
                            [Sat Mar 17 16:50:26 CST 2018] payload64='eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9'
                            [Sat Mar 17 16:50:26 CST 2018] _request_retry_times='0'
                            [Sat Mar 17 16:50:26 CST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
                            [Sat Mar 17 16:50:26 CST 2018] HEAD
                            [Sat Mar 17 16:50:26 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
                            [Sat Mar 17 16:50:26 CST 2018] body
                            [Sat Mar 17 16:50:26 CST 2018] curl exists=0
                            [Sat Mar 17 16:50:26 CST 2018] wget exists=127
                            [Sat Mar 17 16:50:26 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
                            [Sat Mar 17 16:51:44 CST 2018] _ret='0'
                            [Sat Mar 17 16:51:44 CST 2018] _headers='HTTP/1.1 204 No Content
                            Server: nginx
                            Replay-Nonce: MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg
                            X-Frame-Options: DENY
                            Strict-Transport-Security: max-age=604800
                            Expires: Sat, 17 Mar 2018 08:51:44 GMT
                            Cache-Control: max-age=0, no-cache, no-store
                            Pragma: no-cache
                            Date: Sat, 17 Mar 2018 08:51:44 GMT
                            Connection: keep-alive

                            '
                            [Sat Mar 17 16:51:44 CST 2018] _CACHED_NONCE='MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg'
                            [Sat Mar 17 16:51:44 CST 2018] nonce='MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg'
                            [Sat Mar 17 16:51:45 CST 2018] POST
                            [Sat Mar 17 16:51:45 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
                            [Sat Mar 17 16:51:45 CST 2018] Http already initialized.
                            [Sat Mar 17 16:51:45 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
                            [Sat Mar 17 16:53:31 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 52
                            [Sat Mar 17 16:53:31 CST 2018] _ret='52'
                            [Sat Mar 17 16:53:31 CST 2018] original
                            [Sat Mar 17 16:53:31 CST 2018] responseHeaders
                            [Sat Mar 17 16:53:31 CST 2018] response
                            [Sat Mar 17 16:53:31 CST 2018] code
                            [Sat Mar 17 16:53:31 CST 2018] Registered
                            [Sat Mar 17 16:53:31 CST 2018] _accUri
                            [Sat Mar 17 16:53:31 CST 2018] APP
                            [Sat Mar 17 16:53:31 CST 2018] 1:ACCOUNT_URL=''
                            [Sat Mar 17 16:53:31 CST 2018] base64 single line.
                            [Sat Mar 17 16:53:31 CST 2018] Calc CA_KEY_HASH='74GXJ5o2fPNBjEtcXrjwFCN4mWwOVoairbac='
                            [Sat Mar 17 16:53:31 CST 2018] APP
                            [Sat Mar 17 16:53:31 CST 2018] 2:CA_KEY_HASH='74GXJ5o2fPNBjEtcXrjwFCNVoairbac='
                            [Sat Mar 17 16:53:31 CST 2018] base64 single line.
                            [Sat Mar 17 16:53:31 CST 2018] ACCOUNT_THUMBPRINT='UC3ABjg7BqgM9JkZy3Wf3N0LXVnErJrh5Kyw'
                            [Sat Mar 17 16:53:31 CST 2018] Read key length:
                            [Sat Mar 17 16:53:31 CST 2018] _createcsr
                            [Sat Mar 17 16:53:31 CST 2018] domain='xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] domainlist='.xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] csrkey='/tmp/acme/xiao.net//xiao.net/xiao.net.key'
                            [Sat Mar 17 16:53:31 CST 2018] csr='/tmp/acme/xiao.net//xiao.net/xiao.net.csr'
                            [Sat Mar 17 16:53:31 CST 2018] csrconf='/tmp/acme/xiao.net//xiao.net/xiao.net.csr.conf'
                            [Sat Mar 17 16:53:31 CST 2018] _is_idn_d='
                            .xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] _idn_temp
                            [Sat Mar 17 16:53:31 CST 2018] domainlist='.xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] Multi domain='DNS:xiao.net,DNS:
                            .xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] _is_idn_d='xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] _idn_temp
                            [Sat Mar 17 16:53:31 CST 2018] _csr_cn='xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] APP
                            [Sat Mar 17 16:53:31 CST 2018] 8:Le_Keylength=''
                            [Sat Mar 17 16:53:31 CST 2018] Getting domain auth token for each domain
                            [Sat Mar 17 16:53:31 CST 2018] d='.xiao.net'
                            [Sat Mar 17 16:53:31 CST 2018] d
                            [Sat Mar 17 16:53:31 CST 2018] _identifiers='{"type":"dns","value":"xiao.net"},{"type":"dns","value":"
                            .xiao.net"}'
                            [Sat Mar 17 16:53:31 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
                            [Sat Mar 17 16:53:31 CST 2018] payload='{"identifiers": [{"type":"dns","value":"xiao.net"},{"type":"dns","value":"*.xiao.net"}]}'
                            [Sat Mar 17 16:53:31 CST 2018] Use cached jwk for file: /tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/account.key
                            [Sat Mar 17 16:53:31 CST 2018] base64 single line.
                            [Sat Mar 17 16:53:31 CST 2018] payload64='eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6InhpYW95dS5uZXQifSx7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6IioueGlhb3l1Lm5ldCJ9XX0'
                            [Sat Mar 17 16:53:31 CST 2018] _request_retry_times='0'
                            [Sat Mar 17 16:53:31 CST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
                            [Sat Mar 17 16:53:31 CST 2018] HEAD
                            [Sat Mar 17 16:53:31 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
                            [Sat Mar 17 16:53:31 CST 2018] body
                            [Sat Mar 17 16:53:31 CST 2018] Http already initialized.
                            [Sat Mar 17 16:53:31 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
                            [Sat Mar 17 16:55:23 CST 2018] _ret='0'
                            [Sat Mar 17 16:55:23 CST 2018] _headers='HTTP/1.1 204 No Content
                            Server: nginx
                            Replay-Nonce: YQ0-Z9KX2zzeWcdRBrBEMck1sOLRpHxf4vpPwmo64RM
                            X-Frame-Options: DENY
                            Strict-Transport-Security: max-age=604800
                            Expires: Sat, 17 Mar 2018 08:55:23 GMT
                            Cache-Control: max-age=0, no-cache, no-store
                            Pragma: no-cache
                            Date: Sat, 17 Mar 2018 08:55:23 GMT
                            Connection: keep-alive

                            '
                            [Sat Mar 17 16:55:23 CST 2018] _CACHED_NONCE='YQ0-Z9KX2zzeWcdRBrRpHxf4vpPwmo64RM'
                            [Sat Mar 17 16:55:23 CST 2018] nonce='YQ0-Z9KX2zzeWcdRBrBEHxf4vpPwmo64RM'
                            [Sat Mar 17 16:55:23 CST 2018] Re-reading ACCOUNT_URL
                            [Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL was empty!
                            [Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL
                            [Sat Mar 17 16:55:23 CST 2018] Cannot locate account URL.
                            [Sat Mar 17 16:55:23 CST 2018] Create new order error.
                            [Sat Mar 17 16:55:23 CST 2018] pid
                            [Sat Mar 17 16:55:23 CST 2018] No need to restore nginx, skip.
                            [Sat Mar 17 16:55:23 CST 2018] _clearupdns
                            [Sat Mar 17 16:55:23 CST 2018] skip dns.
                            [Sat Mar 17 16:55:23 CST 2018] _on_issue_err
                            [Sat Mar 17 16:55:23 CST 2018] Please check log file for more details: /tmp/acme/xiao.net/acme_issuecert.log
                            [Sat Mar 17 16:55:23 CST 2018] _chk_vlist

                            If you are interested in free peering for clearnet and dn42,contact me !
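
An added example, not part of any post in this thread and not Netgate or acme.sh code: a triage script that separates the two failure modes the logs above show, a CA-side ACME problem document (the `malformed` / "Parse error reading JWS" reply) versus client-side transport failures (curl exit codes 7 and 52, followed by an empty ACCOUNT_URL). The sample logs are constructed by condensing lines from the posts; the function names, finding labels and the 60-second slow threshold are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed samples: lines condensed from the two logs posted in this thread.
SAMPLE_SERVER = """\
[Sat Mar 17 23:10:46 CET 2018] Getting domain auth token for each domain
[Sat Mar 17 23:10:49 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
"""
SAMPLE_TRANSPORT = """\
[Sat Mar 17 16:47:38 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Mar 17 16:47:38 CST 2018] _CURL='curl -L --silent -g '
[Sat Mar 17 16:50:11 CST 2018] ret='7'
[Sat Mar 17 16:50:26 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Mar 17 16:50:26 CST 2018] _CURL='curl -L --silent -g '
[Sat Mar 17 16:51:44 CST 2018] _ret='0'
[Sat Mar 17 16:51:45 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Mar 17 16:51:45 CST 2018] _CURL='curl -L --silent -g '
[Sat Mar 17 16:53:31 CST 2018] _ret='52'
[Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL was empty!
[Sat Mar 17 16:55:23 CST 2018] Create new order error.
"""

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
LINE_RE = re.compile(
    r"^\[\w{3} (\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ (\d{4})\] ?(.*)$")
URL_RE = re.compile(r"^(?:_post_)?url='([^']*)'$")
RET_RE = re.compile(r"^_?ret='(\d+)'$")
ACME_ERR = "urn:ietf:params:acme:error:"
SLOW_SECONDS = 60  # assumption: threshold picked for this example


def parse_events(log):
    """Return [timestamp, message] pairs; untimestamped lines continue the previous one."""
    events = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            mon, day, hh, mm, ss, year, msg = m.groups()
            ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
            events.append([ts, msg])
        elif events and line:
            events[-1][1] += "\n" + line
    return events


def problem_document(msg):
    """Return the ACME problem document (RFC 7807 JSON) embedded in msg, if any."""
    start, end = msg.find("{"), msg.rfind("}")
    if start == -1 or end < start:
        return None
    try:
        doc = json.loads(msg[start:end + 1])
    except ValueError:
        return None
    if isinstance(doc, dict) and str(doc.get("type", "")).startswith(ACME_ERR):
        return doc
    return None


def triage(log):
    """Walk the log and emit (kind, subject, code, detail) findings in order."""
    findings, url, started = [], None, None
    for ts, msg in parse_events(log):
        m = URL_RE.match(msg)
        if m:
            url = m.group(1)  # request target announced before each curl call
            continue
        if msg.startswith("_CURL="):
            started = ts  # curl is about to run
            continue
        m = RET_RE.match(msg)
        if m and started is not None:
            code, took = int(m.group(1)), int((ts - started).total_seconds())
            if code != 0:  # curl exit status: no usable HTTP response came back
                findings.append(("transport", url, code, took))
            elif took >= SLOW_SECONDS:
                findings.append(("slow", url, code, took))
            started = None
            continue
        doc = problem_document(msg)
        if doc:  # the CA answered and refused the request
            findings.append(("acme", doc["type"][len(ACME_ERR):],
                             doc.get("status"), doc.get("detail")))
        elif "ACCOUNT_URL was empty" in msg:
            findings.append(("no-account", None, None, None))
    return findings


def verdict(findings):
    """Transport failures outrank the rest: no usable response reached the client."""
    kinds = {f[0] for f in findings}
    if "transport" in kinds:
        return "network"
    if "acme" in kinds:
        return "server-rejected"
    return "slow" if "slow" in kinds else "clean"
```

On the second sample the findings show the new-acct POST ending with curl code 52 after 106 seconds, which is why no account URL was ever stored and the later new-order step could not proceed.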

                            • M
                              Mats

                              Works well here.

                              Switched from a SAN cert generated from a web method to wildcard and DNS TXT validation.
                              Also meant that I could remove a lot of rules in my HA proxy config.

                              • jimpJ
                                jimp Rebel Alliance Developer Netgate

                                I updated acme.sh from upstream and pushed out package version 0.2.6. If you still have problems on 0.2.6, please start separate threads.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.