@seism0saurus said in ACME with a private CA (step-ca):

Certificate Revocation Lists are basically broken.

Which has really ZERO to do with the cert you have on your local printer or switch, or some software your running gui like the unifi controller or your nas..

nas.jpg

What is the scenario where I would need to revoke this cert? It is accessed by me, on my local network. To be honest I could just use http for this but the browser complains.

@aes4096 said in ACME IP address or domain:

I can use the DNS method or purchase a Wildcard certificate with subdomain protection, which is more expensive.

If you can use a DNS Method you can ask a wildcard certificate.
Letsencrypt will still be free of use.

If you own( = rent) a domain name, you control the domain. You are the only one being able to create sub domains.
I can proof that : try creating aes4096.microsoft.com : good luck ^^

@jcubillo

Oh ... great. I guess they want to stop being the registrar for 'everybody'.

@johnpoz said in Unable to generate ACME Certificate:

re you trying to write this dns entry, lost-sierra.blog isn't a valid domain on the public internet.. I show nxdomain for that domain,

Thanks John. I had a lame typo in my dns entry. Should not have included the '-' between lost and sierra. Looks like I'm all set now. You get a gold star!
Jeff

@KelvinU said in New cert Invalid response:

it's not listed

yeah prob not - hhehehe

Move your domain to some sort of global dns provider..

@linuxlover2 said in new cert setup not finishing:

so now have to wait 2 weeks to renew.

One week, or even right away, check here Rate Limits.

@Maxpower said in Issue with ACME Certificates Refresh & Restarting HAProxy:

For this, I have configured the command /usr/local/etc/rc.d/haproxy.sh to restart HAProxy, as its described in the GUI

What exactly did you do here ?
Can you go into detail ?

@jimp said in ACME certificate PHP Fatal Error:

When you leave it blank it defaults to using DoH/DoT queries to cloudflare and quad9 IIRC

Aha ... the log tells me just that : it's the local acme.sh that is checking regularly - like some kind of 'active waiting'.
And when found, then it informs Letencrypt to do the file domain name zone TXT verification.

If a local policy forbids DoH activity then 'acme.sh' will fail.

@decidable3195 Ich würde dir ja wirklich gerne helfen, aber ohne zu verstehen, was ihr da wo tut, kann ich es schlicht nicht. Du sprichst von ACME und dann von DNS, jetzt hast du irgendwo irgendwas umgestellt aber postest nicht was. Woher soll man denn wissen, was du jetzt wie verstellt hast? Dass die Seite nicht mehr geht wundert nicht, da viele entsprechend intern mit Umleitungen auf HTTPS etc. arbeiten, dann funktioniert der Login nicht mehr.
Da ihr aber anscheinend keinen Proxy einsetzt kann es auch nicht wirklich was auf der Sense gewesen sein, was das Problem jetzt verursacht?

Also wäre es schön wenn wir mal einen Schritt zurück gehen und wir mal komplett aufdröseln um hier überhaupt Sinn reinzubekommen:

Um welche Dienste geht es hier konkret? Wo laufen diese und mit welcher internen IP? Wie greift man von wo darauf zu? Welche internen Netze (wenn mehrere) sind involviert? Was hat die Sense damit zu tun? Bei welchem Zugriff ist die überhaupt involviert?

Am Einfachsten wäre natürlich ein kleiner Plan oder Skizze aber wenn dus mal etwas weitergehend niederschreiben würdest, wäre das auch schon eine große Hilfe. So verstehe ich wie gesagt überhaupt nicht was wo wie läuft und warum die Sense da involviert sein soll.

Cheers
\jens

FYI just today that script gave me hassles until it... just started to work.

Same script by Jan Broer as always, same config as always.

pfsense: 2.6.0-RELEASE (amd64) acme: 0.7.3 haproxy: 0.61_7 Frontend configuration: ACL configuration ACL Name: url_acme_http01 Expression: "Path starts with:" Value: /.well-known/acme-challenge/ Actions Action: http-request lua service Condition acl names: METH_GET url_acme_http01 lua-function: acme-http01

Lua script in case I lose it again:

-- ACME http-01 domain validation plugin for Haproxy 1.6+ -- copyright (C) 2015 Jan Broer -- -- usage: -- -- 1) copy acme-webroot.lua in your haproxy config dir -- -- 2) Invoke the plugin by adding in the 'global' section of haproxy.cfg: -- -- lua-load /etc/haproxy/acme-webroot.lua -- -- 3) insert these two lines in every http frontend that is -- serving domains for which you want to create certificates: -- -- acl url_acme_http01 path_beg /.well-known/acme-challenge/ -- http-request use-service lua.acme-http01 if METH_GET url_acme_http01 -- -- 4) reload haproxy -- -- 5) create a certificate: -- -- ./letsencrypt-auto certonly --text --webroot --webroot-path /var/tmp -d blah.example.com --renew-by-default --agree-tos --email my@email.com -- acme = {} acme.version = "0.1.1" -- -- Configuration -- -- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass -- that as 'webroot-path' to the letsencrypt client acme.conf = { ["non_chroot_webroot"] = "" } -- -- Startup -- acme.startup = function() core.Info("[acme] http-01 plugin v" .. acme.version); end -- -- ACME http-01 validation endpoint -- acme.http01 = function(applet) local response = "" local reqPath = applet.path local src = applet.sf:src() local token = reqPath:match( ".+/(.*)$" ) if token then token = sanitizeToken(token) end if (token == nil or token == '') then response = "bad request\n" applet:set_status(400) core.Warning("[acme] malformed request (client-ip: " .. tostring(src) .. ")") else auth = getKeyAuth(token) if (auth:len() >= 1) then response = auth .. "\n" applet:set_status(200) core.Info("[acme] served http-01 token: " .. token .. " (client-ip: " .. tostring(src) .. ")") else response = "resource not found\n" applet:set_status(404) core.Warning("[acme] http-01 token not found: " .. token .. " (client-ip: " .. tostring(src) .. ")") end end applet:add_header("Server", "haproxy/acme-http01-authenticator") applet:add_header("Content-Length", string.len(response)) applet:add_header("Content-Type", "text/plain") applet:start_response() applet:send(response) end -- -- strip chars that are not in the URL-safe Base64 alphabet -- see https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md -- function sanitizeToken(token) _strip="[^%a%d%+%-%_=]" token = token:gsub(_strip,'') return token end -- -- get key auth from token file -- function getKeyAuth(token) local keyAuth = "" local path = acme.conf.non_chroot_webroot .. "/.well-known/acme-challenge/" .. token local f = io.open(path, "rb") if f ~= nil then keyAuth = f:read("*all") f:close() end return keyAuth end core.register_init(acme.startup) core.register_service("acme-http01", "http", acme.http01)

The package still cant add txt record. You have to add txt manually and then update the cert.

@tlex forget it I found it :P
2c8dc80d-eb3a-429c-8b8a-fecf788629d8-image.png

0f3482cf-3a71-4a17-82d4-5da3ab20a12b-image.png

@amarand said in ACME with Siteground:

Is that not a feature that Let's Encrypt supports?

Your quiet close.
It's :
@gertjan said in ACME with Siteground:

The TXT filed will contain a challenge code to be put into the TXT field. This code is give to the acme script by Letsensrypt. For example : 'bmDWOCHFZRtOOCr_vU-mEfTIqA6i9ib0R3V6-RMF3FE'.

This bmD....................RMF3FE thing is generated randomly, and will be unique for every certificate request.
This proofs that you control right now - and not some time X in the past.
Note that, ones this test passed, it stays valid for one week.

@viktor_g I will update it as soon as possible.

@pooperman

there is some issue with SSL handshake:

1.JPG

Do it even easier:

Run acme package on FW1 (I assume it's a CARP cluster with syncing?) and let it create a certificate for both names (fw1.xxx AND fw2.xxx). When it's done, select the cert for the webui. Then login to FW2 and select it, too, as certificates get synchronized automatically (if selected) to the secondary. There choose the same certificate as WebUI cert and be done :)

Just check that you configure the acme service on fw1 to restart its own webserver after renewal AND via remote the service on fw2 (see the help for this)!

Greets