    Unable To Renew Certs Since last ACME package Update

    29 Posts 9 Posters 6.5k Views
      cakewalk @jimp

      @jimp Thanks for the quick turn around! Confirmed fixed for me.

        bartkowski

        I'm seeing another issue, not sure if related to this. I'm using DNS-Hurricane Electric method.
        I think the referrer should be my external IP, but also when I query my FQDN of my pfsense box, it returns 192.168.2.1, so is it a DNS issue?

        2020/04/29 13:27:18 [error] 44990#100120: *3720 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.2.25, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.2.1", referrer: "https://192.168.2.1/acme/acme_certificates.php"

          jimp Rebel Alliance Developer Netgate @bartkowski

          @bartkowski Start a new thread for that. This one is only for CloudFlare. And make sure you have updated to the new ACME package (just put up an hour or two ago)

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            raiderj @jimp

            @jimp
            Updated to the latest package, but wildcard certs aren't coming down for my domain. Normal cert is coming in, properly signed with the Prod Let's Encrypt CA. Maybe because the second domain in the SAN list is the wildcard listing?

            EDIT: Yes, if I switch the SAN order to the wildcard first, it comes down. With this workaround using DNS-Manual, should I switch back to the DNS-Cloudflare option? Maybe the new ACME package fixes this?

              jimp Rebel Alliance Developer Netgate

              If that's also on CloudFlare it may be a different issue.

              The one the update had a fix for is https://github.com/acmesh-official/acme.sh/issues/2888

                costanzo @raiderj

                @raiderj said in Unable To Renew Certs Since last ACME package Update:

                One for the wildcard cert, one for the regular cert. But they're both looking for the same key valu

                Odd. Can you post a screen capture of the message shown when issuing the cert? Be sure to blur out any sensitive data. I am not seeing this issue, but it may be different for you.

                Also, keep in mind generating too many certs under production will cap you out and you will need to wait a week. Best to use the staging option.

                  raiderj @costanzo

                  @costanzo said in Unable To Renew Certs Since last ACME package Update:

                  @raiderj said in Unable To Renew Certs Since last ACME package Update:

                  One for the wildcard cert, one for the regular cert. But they're both looking for the same key valu

                  Odd. Can you post a screen capture of the message shown when issuing the cert? Be sure to blur out any sensitive data. I am not seeing this issue, but it may be different for you.

                  Also, keep in mind generating too many certs under production will cap you out and you will need to wait a week. Best to use the staging option.

                  I'll do that if I see it again. I can't replicate the issue at the moment. The only issue I have now, with both staging and production is that the second domain in the SAN list won't get an updated cert. Haven't tried switching to the DNS-Cloudflare option though.

                    costanzo @jimp

                    @jimp Thanks for the quick turn around! I can confirm this also fixed it for me. I tested the cert gen using the staging.

                      raiderj @raiderj

                      @raiderj said in Unable To Renew Certs Since last ACME package Update:

                      @costanzo said in Unable To Renew Certs Since last ACME package Update:

                      @raiderj said in Unable To Renew Certs Since last ACME package Update:

                      One for the wildcard cert, one for the regular cert. But they're both looking for the same key valu

                      Odd. Can you post a screen capture of the message shown when issuing the cert? Be sure to blur out any sensitive data. I am not seeing this issue, but it may be different for you.

                      Also, keep in mind generating too many certs under production will cap you out and you will need to wait a week. Best to use the staging option.

                      I'll do that if I see it again. I can't replicate the issue at the moment. The only issue I have now, with both staging and production is that the second domain in the SAN list won't get an updated cert. Haven't tried switching to the DNS-Cloudflare option though.

                      Ok, I believe it's working now with the original "DNS-Cloudflare" option. I think I can also remove the new API token I created as well. So, if I'm understanding this properly, all I need for cert generation is the global API key from Cloudflare.

                      Wildcard plus normal cert generation in the same request seems to still not work. I still only get the first domain in the SAN list.

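raiderj's symptom above is that only the first name in the SAN list ends up in the certificate. Before trusting a renewed certificate, a practitioner wants to check that every requested name, wildcard included, is actually covered. The following is an added example, not code from the pfSense ACME package or from acme.sh: it parses the DNS entries from `openssl x509 -in fullchain.cer -noout -ext subjectAltName` output and applies leftmost-label wildcard matching to report which requested names are missing. The sample SAN lists and the `example.com` names are constructed to mirror the base-domain-plus-wildcard case in the thread.

```python
"""Check that a certificate's SAN list covers every requested name.

Added example (not pfSense/acme.sh code). Input is the text printed by
`openssl x509 -noout -ext subjectAltName`; the samples below are constructed.
"""
import re
from typing import Dict, List

# Matches each "DNS:<name>" entry in openssl's subjectAltName output.
_DNS_RE = re.compile(r"DNS:([^,\s]+)")


def parse_openssl_san(text: str) -> List[str]:
    """Extract the DNS names from openssl's subjectAltName extension dump."""
    return _DNS_RE.findall(text)


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def name_matches(san_entry: str, requested: str) -> bool:
    """Return True if one SAN entry covers `requested`.

    A wildcard is honoured only in the leftmost label and only for exactly one
    label: '*.example.com' covers 'www.example.com' but not 'example.com' and
    not 'a.b.example.com'. A requested wildcard is satisfied only by the
    identical wildcard entry.
    """
    san = _labels(san_entry)
    req = _labels(requested)
    if req[0] == "*" or san[0] != "*":
        return san == req
    return len(san) == len(req) and san[1:] == req[1:] and req[0] != ""


def missing_names(san_entries: List[str], requested: List[str]) -> List[str]:
    """Requested names not covered by any SAN entry, in request order."""
    return [name for name in requested
            if not any(name_matches(san, name) for san in san_entries)]


def check_coverage(openssl_output: str, requested: List[str]) -> Dict[str, object]:
    """Parse the SAN dump and report whether all requested names are covered."""
    missing = missing_names(parse_openssl_san(openssl_output), requested)
    return {"covered": not missing, "missing": missing}


# Constructed samples: the names raiderj requested, and two possible SAN dumps.
REQUESTED = ["example.com", "*.example.com"]
SAN_FIRST_ONLY = ("X509v3 Subject Alternative Name: \n"
                  "    DNS:example.com\n")
SAN_BOTH = ("X509v3 Subject Alternative Name: \n"
            "    DNS:example.com, DNS:*.example.com\n")

if __name__ == "__main__":
    for label, dump in (("first name only", SAN_FIRST_ONLY), ("both names", SAN_BOTH)):
        print(label, "->", check_coverage(dump, REQUESTED))
```

Run it against the output of `openssl x509 -in /tmp/acme/<domain>/fullchain.cer -noout -ext subjectAltName` (or the certificate shown in the pfSense certificate manager) to confirm whether the wildcard made it into the renewed certificate before switching the issuing method.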
                        asche

                        I'll hitch onto this, but my error seems a bit different:

                        • running ACME with DNS challenge
                        • using Cloudflare
                        • DNS challenge seems to be working and certificate to be issued
                        • but automatic renewal fails (as per pfsense email notification)

                        Manual renewal runs into the following issues: XMLRPC errors

                        pfsense error message (my domain masked with FQDN):

                        [...]
                        [Sun Jun  7 10:48:57 CEST 2020] Your cert is in  /tmp/acme/FQDN//*.FQDN/*.FQDN.cer 
                        [Sun Jun  7 10:48:57 CEST 2020] Your cert key is in  /tmp/acme/FQDN//*.FQDN/*.FQDN.key 
                        [Sun Jun  7 10:48:57 CEST 2020] The intermediate CA cert is in  /tmp/acme/FQDN//*.FQDN/ca.cer 
                        [Sun Jun  7 10:48:57 CEST 2020] And the full chain certs is there:  /tmp/acme/FQDN//*.FQDN/fullchain.cer 
                        [Sun Jun  7 10:48:57 CEST 2020] Run reload cmd: /tmp/acme/FQDN/reloadcmd.sh
                        
                        IMPORT CERT FQDN, /tmp/acme/FQDN/*.FQDN/*.FQDN.key, /tmp/acme/FQDN/*.FQDN/*.FQDN.cer
                        update cert!
                        Fatal error: Uncaught XML_RPC2_InvalidUriException: Client URI 'https://admin:@:444/xmlrpc.php' is not valid in /usr/local/share/pear/XML/RPC2/Client.php:167
                        Stack trace:
                        #0 /usr/local/share/pear/XML/RPC2/Backend/Php/Client.php(80): XML_RPC2_Client->__construct('https://admin:@...', Array)
                        #1 /usr/local/share/pear/XML/RPC2/Client.php(238): XML_RPC2_Backend_Php_Client->__construct('https://admin:@...', Array)
                        #2 /etc/inc/xmlrpc_client.inc(92): XML_RPC2_Client::create('https://admin:@...', Array)
                        #3 /etc/inc/xmlrpc_client.inc(148): pfsense_xmlrpc_client->xmlrpc_internal('exec_php', 'require_once('s...', 240)
                        #4 /usr/local/pkg/acme/acme.inc(107): pfsense_xmlrpc_client->xmlrpc_exec_php('require_once('s...')
                        #5 /usr/local/pkg/acme/acme_command.sh(76): acme_xmlrpc_restart_service('haproxy', 'array (\n)')
                        #6 {main}
                          thrown in /usr/local/share/pear/XML/RPC2/Client.php on line 167
                        PHP ERROR: Type: 1, File: /usr/local/share/pear/XML/RPC2/Client.php, Line: 167, Message: Uncaught XML_RPC2_InvalidUriException: Client URI 'https://admin:@:444/xmlrpc.php' is not valid in /usr/local/share/pear/XML/RPC2/Client.php:167
                        Stack trace:
                        #0 /usr/local/share/pear/XML/RPC2/Backend/Php/Client.php(80): XML_RPC2_Client->__construct('https://admin:@...', Array)
                        #1 /usr/local/share/pear/XML/RPC2/Client.php(238): XML_RPC2_Backend_Php_Client->__construct('https://admin:@...', Array)
                        #2 /etc/inc/xmlrpc_client.inc(92): XML_RPC2_Client::create('https://admin:@...', Array)
                        #3 /etc/inc/xmlrpc_client.inc(148): pfsense_xmlrpc_client->xmlrpc_internal('exec_php', 'require_once('s...', 240)
                        #4 /usr/local/pkg/acme/acme.inc(107): pfsense_xmlrpc_client->xmlrpc_exec_php('require_once('s...')
                        #5 /usr/local/pkg/acme/acme_command.sh(76): acme_xmlrpc_restart_service('haproxy', 'array (\n)')
                        #6 {main}
                          thrown[Sun Jun  7 10:49:07 CEST 2020] Reload error for :
                        

                        Couple of things to note:

                        1. Yes, I currently employ HAproxy, and my pfsense port has been changed to :444
                        2. NO, I do not use CARP nor sync nor HAProxy Sync (all are off / disabled)
                        3. The same error occurs when I disable HAProxy.
                        4. It seems that a valid certificate is created and - partly - updated into pfsense, because I can see an updated certificate in the pfsense certificate manager.
                        5. pfsense still uses the old (soon-to-expire) certificate, not the renewed one shown in the certificate manager (??)
                          PiBa @asche

                          @asche
                          What 'actions' have you configured on the acme certificate configuration? Perhaps a "Restart Remote Service (XMLRPC)" action?

                            asche @PiBa

                            @PiBa

                            @PiBa said in Unable To Renew Certs Since last ACME package Update:

                            @asche
                            What 'actions' have you configured on the acme certificate configuration? Perhaps a "Restart Remote Service (XMLRPC)" action?

                            You nailed it -- "Enabled haproxy Restart Remote Service (XMLRPC)"

                            Should I delete this?

                              PiBa @asche

                              @asche said in Unable To Renew Certs Since last ACME package Update:

                              NO, I do not use CARP nor sync nor HAProxy Sync (all are off / disabled)

                              If you don't sync to anywhere, then you probably don't have anything to restart 'remotely', so yes, delete that action. You might want to restart the local haproxy service and webgui though. Use the example "shell command" options for that.

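The failure asche hit is visible in the reload log itself: the XML-RPC client URI `https://admin:@:444/xmlrpc.php` has a username and a port but no host and no password, which is exactly what a "Restart Remote Service (XMLRPC)" action produces when no sync target is configured. The following is an added example, not pfSense or ACME package code: it scans acme reload output for the `XML_RPC2_InvalidUriException` message and reports which URI components are empty, so the misconfigured action can be spotted from the renewal log rather than from a failed reload. The sample log lines are constructed from the messages quoted in this thread; the interpretation of the empty components as "no sync target configured" follows PiBa's diagnosis above.

```python
"""Explain an XML_RPC2 'Client URI ... is not valid' failure from acme reload output.

Added example (not pfSense/ACME package code). Sample log lines are constructed
from the error text quoted in this thread.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The message XML_RPC2 emits when it rejects the target URI.
_URI_ERROR_RE = re.compile(
    r"XML_RPC2_InvalidUriException: Client URI '([^']*)' is not valid")


def find_invalid_uris(log_lines: List[str]) -> List[str]:
    """Return each distinct URI reported as invalid, in order of first appearance."""
    found: List[str] = []
    for line in log_lines:
        m = _URI_ERROR_RE.search(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def diagnose_xmlrpc_uri(uri: str) -> List[str]:
    """Return the names of the components that are empty in an
    https://user:password@host:port/xmlrpc.php style target URI."""
    parts = urlsplit(uri)
    problems: List[str] = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme")
    if not parts.hostname:          # '' and None both mean no sync target host
        problems.append("host")
    if not parts.username:
        problems.append("username")
    if not parts.password:
        problems.append("password")
    return problems


def explain_reload_failure(log_lines: List[str]) -> Dict[str, object]:
    """Combine the two steps: find the rejected URI(s) and say what is missing."""
    uris = find_invalid_uris(log_lines)
    details = {uri: diagnose_xmlrpc_uri(uri) for uri in uris}
    unconfigured = any("host" in missing for missing in details.values())
    return {
        "invalid_uris": details,
        # A missing host means the remote-restart action has nowhere to go;
        # with no CARP/XMLRPC sync peer the action should be removed.
        "remote_restart_action_without_sync_target": unconfigured,
    }


# Constructed sample, cut down from the reload output quoted in the thread.
SAMPLE_LOG = [
    "IMPORT CERT FQDN, /tmp/acme/FQDN/*.FQDN/*.FQDN.key, /tmp/acme/FQDN/*.FQDN/*.FQDN.cer",
    "update cert!",
    "Fatal error: Uncaught XML_RPC2_InvalidUriException: Client URI "
    "'https://admin:@:444/xmlrpc.php' is not valid in /usr/local/share/pear/XML/RPC2/Client.php:167",
    "#5 /usr/local/pkg/acme/acme_command.sh(76): acme_xmlrpc_restart_service('haproxy', 'array (\\n)')",
    "PHP ERROR: Type: 1, File: /usr/local/share/pear/XML/RPC2/Client.php, Line: 167, Message: "
    "Uncaught XML_RPC2_InvalidUriException: Client URI 'https://admin:@:444/xmlrpc.php' is not valid",
    "[Sun Jun  7 10:49:07 CEST 2020] Reload error for :",
]

if __name__ == "__main__":
    print(explain_reload_failure(SAMPLE_LOG))
```

A reload log with `remote_restart_action_without_sync_target` set is the case PiBa describes: drop the XMLRPC action on the certificate and use the local "shell command" actions to restart haproxy and the webgui instead.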
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.