Netgate Discussion Forum
    DV for Lets Encrypt

    4 Posts 2 Posters 1.2k Views
    slacker9876:

      Hello all,

      I am testing the ACME script to provide an SSL certificate to my web GUI on pfSense. I have followed the configuration process and received the "staging" record text, which is now in my DNS (correctly). I host my own DNS with BIND. How long does it take for pfSense to make another attempt? I'd left the default setting of 120 seconds, but I see no attempt by Let's Encrypt to attempt the auth. Here is the current log:

      /tmp/acme/pfsense-GUI-Cert/acme_issuecert.log

      [Wed May 17 08:02:46 -05 2017] response='{"identifier":{"type":"dns","value":"pfsense.labf5.com"},"status":"pending","expires":"2017-05-24T13:02:46.59526629Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376928","token":"D8DIa2EdANYwfQmZ5sIed1JZBxJ0GrvITxyOykFkCVI"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376930","token":"TpVkDOc0JyOWP_Ex1nVyjn9F3TK5c2a_w5IS6qbb2Pw"}],"combinations":[[1],[2],[0]]}'
      [Wed May 17 08:02:46 -05 2017] code='201'
      [Wed May 17 08:02:46 -05 2017] The new-authz request is ok.
      [Wed May 17 08:02:46 -05 2017] base64 single line.
      [Wed May 17 08:02:46 -05 2017] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"'
      [Wed May 17 08:02:46 -05 2017] token='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0'
      [Wed May 17 08:02:46 -05 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929'
      [Wed May 17 08:02:46 -05 2017] keyauthorization='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg'
      [Wed May 17 08:02:46 -05 2017] dvlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns'
      [Wed May 17 08:02:46 -05 2017] vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
      [Wed May 17 08:02:46 -05 2017] txtdomain='_acme-challenge.pfsense.labf5.com'
      [Wed May 17 08:02:46 -05 2017] base64 single line.
      [Wed May 17 08:02:46 -05 2017] txt='F9A<removed>fy-1A'
      [Wed May 17 08:02:46 -05 2017] d_api
      [Wed May 17 08:02:46 -05 2017] Add the following TXT record:
      [Wed May 17 08:02:46 -05 2017] Domain: '_acme-challenge.pfsense.labf5.com'
      [Wed May 17 08:02:46 -05 2017] TXT value: 'F9A<removed>fy-1A'
      [Wed May 17 08:02:46 -05 2017] Please be aware that you prepend _acme-challenge. before your domain
      [Wed May 17 08:02:46 -05 2017] so the resulting subdomain will be: _acme-challenge.pfsense.labf5.com
      [Wed May 17 08:02:46 -05 2017] OK
      [Wed May 17 08:02:46 -05 2017] 9:Le_Vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
      [Wed May 17 08:02:46 -05 2017] Dns record not added yet, so, save to /tmp/acme/pfsense-GUI-Cert//pfsense.labf5.com/pfsense.labf5.com.conf and exit.
      [Wed May 17 08:02:46 -05 2017] Please add the TXT records to the domains, and retry again.
      [Wed May 17 08:02:46 -05 2017] pid
      [Wed May 17 08:02:46 -05 2017] No need to restore nginx, skip.
      [Wed May 17 08:02:46 -05 2017] _clearupdns
      [Wed May 17 08:02:46 -05 2017] Dns not added, skip.
      [Wed May 17 08:02:46 -05 2017] _on_issue_err
      [Wed May 17 08:02:46 -05 2017] Please check log file for more details: /tmp/acme/pfsense-GUI-Cert/acme_issuecert.log

      How long does pfSense take to honor the request and provide the challenge?

    slacker9876:

        I thought I might want to show my record, here it is:

        ; TXT Records
        _acme-challenge.pfsense.labf5.com      IN      TXT    "F9A<removed>fy-1A"

    jimp (Rebel Alliance Developer, Netgate):

      If you use DNS-manual you have to make the second request yourself; it is manual, not automatic. Wait a couple of minutes after manually entering the TXT record and then click the button to issue the certificate again.

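    Two things from this thread are worth making concrete before clicking "issue" a second time in DNS-manual mode: the TXT value the log prints (txt=...) is not the keyauthorization string itself but the base64url-encoded SHA-256 of it (RFC 8555, section 8.4, dns-01), and Let's Encrypt may query any of your authoritative servers, so the record should be visible on all of them, not just the one you edited. The script below is an added example and is not code from the thread or from the pfSense ACME package. It derives the expected TXT value from a key authorization (the one from the log above is used as input), and checks constructed `dig +short` output per nameserver; the nameserver names ns1.labf5.com / ns2.labf5.com and the dig output are assumptions made up for the example.

```python
"""Added example: derive the dns-01 TXT value and check it is published
on every authoritative server before re-running the ACME issue step.
Standard library only; dig output below is constructed, not captured."""
import base64
import hashlib
import re
from typing import Dict, List

# Key authorization exactly as printed in the pfSense acme_issuecert.log above
# ("<token>.<account-key-thumbprint>"). Its SHA-256 is the TXT value.
KEYAUTH = "wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg"
NAME = "_acme-challenge.pfsense.labf5.com"

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 s8.4: TXT = base64url(SHA-256(keyAuthorization)), unpadded."""
    token, sep, thumbprint = key_authorization.partition(".")
    if not (sep and _B64URL.match(token) and _B64URL.match(thumbprint)):
        raise ValueError("key authorization must be <token>.<thumbprint> (base64url)")
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_dig_txt(dig_short_output: str) -> List[str]:
    """Turn `dig +short NAME TXT` output into a list of TXT record values.

    Each answer line holds one or more double-quoted character strings;
    strings on the same line belong to one record and are concatenated.
    """
    values = []
    for line in dig_short_output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            values.append("".join(p.replace('\\"', '"') for p in parts))
    return values


def challenge_visible(expected: str, answers_by_server: Dict[str, str]) -> Dict[str, bool]:
    """Map each nameserver to whether its answer contains the expected TXT.

    Only re-run the issue step when every authoritative server reports True;
    the CA may pick any of them, and a lagging secondary fails the challenge.
    """
    return {srv: expected in parse_dig_txt(out) for srv, out in answers_by_server.items()}


def demo() -> Dict[str, bool]:
    """Constructed scenario: ns1 already serves the record, ns2 has not caught up."""
    expected = dns01_txt_value(KEYAUTH)
    answers = {
        "ns1.labf5.com": f'"{expected}"\n',  # hypothetical: dig +short output
        "ns2.labf5.com": "",                 # hypothetical: no answer yet
    }
    return challenge_visible(expected, answers)


if __name__ == "__main__":
    print(f"{NAME} expected TXT: {dns01_txt_value(KEYAUTH)}")
    for server, ok in demo().items():
        print(f"{server}: {'present' if ok else 'MISSING'}")
```

    In practice you would replace the constructed answers with the real output of `dig +short _acme-challenge.pfsense.labf5.com TXT @<nameserver>` for each NS of labf5.com, and only then click the issue button again; the 120-second setting in the package does not trigger a retry on its own in DNS-manual mode, as jimp notes above.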
    slacker9876:

      Thanks Jim! I did a renew and it picked it up straight away! I am now running on the "prod" cert with my handy green padlock. Great work to the pfSense team!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.