New user failing to issue certificate
-
Hi.
I have tried to follow this guide to set up ACME (And HAProxy)
First I just did it with duckdns.org, and the certificate was issued, but it gave me not-secure when accessing stuff.mydomain.duckdns.org. I found out I needed my own top level domain, so I bought a domain at namesilo.com. But I am not able to issue...
- Removed Certificates and Account keys from ACME
- Remove all TXT at NameSilo
- Rebooted pfSense
- Added new Account key
- Created new Certificate
- Clicked Issue
- Still did not work, but I get a _acme-challenge TXT at NameSilo. Last renewed date still Thu, 01 Jan 1970 01:00:00 +0100
- waited 3 days and tried new issue, same problem.
This is the log I get:
Jul 15 03:36:33 ACME [Wed Jul 15 03:33:47 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:33:58 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:09 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:14 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:25 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:35 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:35 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:46 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:56 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:34:56 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:07 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:17 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:18 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:29 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:39 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:39 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:49 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:35:59 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:00 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:11 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:21 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:21 CEST 2020] Domain mydomain.top '_acme-challenge.mydomain.top' success.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:21 CEST 2020] All success, let's return
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:21 CEST 2020] Verifying: *.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:24 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing DNS records.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Removed: Success
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] *.mydomain.top:Verify error:Incorrect TXT record
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
Jul 15 03:36:33 php ACME, Failed to renew certificate for LE_Root_Cert
This is my config:
Does anyone have an idea?
-
Once these _acme-challenge TXT records are used, they become useless / stale. Delete them.
Check this part:
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Removed: Success
The log says it removed the _acme-challenge.mydomain.top record, but did it really do so - which one was deleted?
Also, for a wildcard domain you should have two "Domainname" entries, like "mydomain.top" and "*.mydomain.top".
See the original doc: Wildcard Domain Step-By-Step
-
@Gertjan Thanks for your answer. The screenshot is some days old and from before I deleted the TXTs.
Now I checked my domain, there are no TXT records, just the two CNAME records I have made myself. I tried again now and an _acme-challenge TXT mbyXXXXXXXF1k is created at NameSilo.
And I see this (same as before):
And nothing in the logs. So I tried Issue again and I got this:
Still nothing in the logs. BTW: I don't think I understood the wildcard thing.
My goal is to be able to access all servers behind my pfSense with SSL: server1.domain.top, server2.domain.top etc.
-
@Flemmingss said in New user failing to issue certificate:
Still nothing in the logs
Yes, here it is:
which means: if the challenge TXT record isn't added, Let's Encrypt can't verify, etc. etc.
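To make the two points above concrete (what value the CA expects to find at _acme-challenge.<domain>, and how leftover records from earlier attempts show up next to it), here is an added Python example; it is not from the thread, from acme.sh or from pfSense. The token, account-key thumbprint and DNS answers are constructed, and the helper names are mine. It also covers the wildcard case, where "mydomain.top" and "*.mydomain.top" each need their own value at the same _acme-challenge name.

```python
import base64
import hashlib

# Constructed sample values, not real ACME data.
SAMPLE_TOKEN = "constructed-token-Xk2pQ9vL"
SAMPLE_THUMBPRINT = "constructed-account-key-thumbprint"


def dns01_txt_value(token, thumbprint):
    """Value the CA looks for in the TXT record for a DNS-01 challenge
    (RFC 8555 section 8.4): base64url(SHA-256(token "." thumbprint)),
    without '=' padding. One token per authorization, so a wildcard order
    covering the base name and *.name yields two different values."""
    key_authorization = "{}.{}".format(token, thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def diagnose_txt_records(expected, published):
    """Compare what the CA needs at _acme-challenge.<domain> with what a
    resolver actually answers for that name. `expected` holds one value per
    pending authorization; `published` is the TXT RRset (quotes tolerated).
    'missing' is what makes validation fail (record not added, or not yet
    propagated); 'stale' values are leftovers from earlier attempts that
    should be deleted so it stays clear which attempt is live."""
    want = set(expected)
    have = {v.strip('"') for v in published}
    return {
        "ok": sorted(want & have),
        "missing": sorted(want - have),
        "stale": sorted(have - want),
    }


def challenge_passes(report):
    """The CA only needs every expected value present; stale extras do not
    block it, but they are the first thing to clean up when debugging."""
    return not report["missing"]


if __name__ == "__main__":
    base = dns01_txt_value(SAMPLE_TOKEN + "-base", SAMPLE_THUMBPRINT)
    wild = dns01_txt_value(SAMPLE_TOKEN + "-wild", SAMPLE_THUMBPRINT)
    # Constructed resolver answer: the base value is there, the wildcard
    # value never got added, and one old record is still lying around.
    answer = ['"' + base + '"', '"leftover-from-last-week"']
    report = diagnose_txt_records([base, wild], answer)
    print(report, "passes:", challenge_passes(report))
```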
-
@Gertjan
Hmm. I disabled my "HTTP to HTTPS" NAT rule (created as in the video I posted), and it worked.
LE_Root_Cert Renewing certificate account: LE_Cert server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue -d '*.XXX.top' --dns 'dns_namesilo' --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [Namesilo_Key] => 74XXXX30 )
[Fri Jul 17 18:21:16 CEST 2020] Single domain='*.XXX.top'
[Fri Jul 17 18:21:16 CEST 2020] Getting domain auth token for each domain
[Fri Jul 17 18:21:18 CEST 2020] Getting webroot for domain='*.XXX.top'
[Fri Jul 17 18:21:18 CEST 2020] Adding txt value: GXCXXXtQY for domain: _acme-challenge.XXX.top
[Fri Jul 17 18:21:20 CEST 2020] Successfully added TXT record, ready for validation.
[Fri Jul 17 18:21:20 CEST 2020] The txt record is added: Success.
[Fri Jul 17 18:21:20 CEST 2020] Let's check each dns records now. Sleep 20 seconds first.
[Fri Jul 17 18:21:40 CEST 2020] Checking XXX.top for _acme-challenge.XXX.top
[Fri Jul 17 18:21:41 CEST 2020] Domain XXX.top '_acme-challenge.XXX.top' success.
[Fri Jul 17 18:21:41 CEST 2020] All success, let's return
[Fri Jul 17 18:21:41 CEST 2020] Verifying: *.XXX.top
[Fri Jul 17 18:21:44 CEST 2020] Success
[Fri Jul 17 18:21:44 CEST 2020] Removing DNS records.
[Fri Jul 17 18:21:44 CEST 2020] Removing txt: GXXXXQY for domain: _acme-challenge.XXX.top
[Fri Jul 17 18:21:46 CEST 2020] Successfully retrieved the record id for ACME challenge.
[Fri Jul 17 18:21:47 CEST 2020] Successfully removed the TXT record.
[Fri Jul 17 18:21:47 CEST 2020] Removed: Success
[Fri Jul 17 18:21:47 CEST 2020] Verify finished, start to sign.
[Fri Jul 17 18:21:47 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14XXX77
[Fri Jul 17 18:21:48 CEST 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/faXXXdc
[Fri Jul 17 18:21:49 CEST 2020] Cert success.
-----BEGIN CERTIFICATE----- MIIXXX XXXX XXXXM4s= -----END CERTIFICATE-----
[Fri Jul 17 18:21:49 CEST 2020] Your cert is in /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.cer
[Fri Jul 17 18:21:49 CEST 2020] Your cert key is in /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.key
[Fri Jul 17 18:21:49 CEST 2020] The intermediate CA cert is in /tmp/acme/LE_Root_Cert//*.XXX.top/ca.cer
[Fri Jul 17 18:21:49 CEST 2020] And the full chain certs is there: /tmp/acme/LE_Root_Cert//*.XXX.top/fullchain.cer
[Fri Jul 17 18:21:49 CEST 2020] Run reload cmd: /tmp/acme/LE_Root_Cert/reloadcmd.sh
IMPORT CERT LE_Root_Cert, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.key, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.cer
update cert!
[Fri Jul 17 18:21:49 CEST 2020] Reload success
However, I changed from staging to production, and it did not work. Same as before.