    DV for Lets Encrypt

    slacker9876:

      Hello all,

      I am testing the ACME script to provide an SSL certificate to my web GUI on pfSense. I have followed the configuration process and received the "staging" record text, which is now in my DNS (correctly). I host my own DNS with BIND. How long does it take for pfSense to make another attempt? I'd left the default setting of 120 seconds, but I see no attempt by Let's Encrypt to attempt the auth. Here is the current log:

      /tmp/acme/pfsense-GUI-Cert/acme_issuecert.log

      [Wed May 17 08:02:46 -05 2017] response='{"identifier":{"type":"dns","value":"pfsense.labf5.com"},"status":"pending","expires":"2017-05-24T13:02:46.59526629Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376928","token":"D8DIa2EdANYwfQmZ5sIed1JZBxJ0GrvITxyOykFkCVI"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376930","token":"TpVkDOc0JyOWP_Ex1nVyjn9F3TK5c2a_w5IS6qbb2Pw"}],"combinations":[[1],[2],[0]]}'
      [Wed May 17 08:02:46 -05 2017] code='201'
      [Wed May 17 08:02:46 -05 2017] The new-authz request is ok.
      [Wed May 17 08:02:46 -05 2017] base64 single line.
      [Wed May 17 08:02:46 -05 2017] entry='"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929","token":"wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0"'
      [Wed May 17 08:02:46 -05 2017] token='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0'
      [Wed May 17 08:02:46 -05 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929'
      [Wed May 17 08:02:46 -05 2017] keyauthorization='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg'
      [Wed May 17 08:02:46 -05 2017] dvlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns'
      [Wed May 17 08:02:46 -05 2017] vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
      [Wed May 17 08:02:46 -05 2017] txtdomain='_acme-challenge.pfsense.labf5.com'
      [Wed May 17 08:02:46 -05 2017] base64 single line.
      [Wed May 17 08:02:46 -05 2017] txt='F9A<removed>fy-1A'
      [Wed May 17 08:02:46 -05 2017] d_api
      [Wed May 17 08:02:46 -05 2017] Add the following TXT record:
      [Wed May 17 08:02:46 -05 2017] Domain: '_acme-challenge.pfsense.labf5.com'
      [Wed May 17 08:02:46 -05 2017] TXT value: 'F9A<removed>fy-1A'
      [Wed May 17 08:02:46 -05 2017] Please be aware that you prepend _acme-challenge. before your domain
      [Wed May 17 08:02:46 -05 2017] so the resulting subdomain will be: _acme-challenge.pfsense.labf5.com
      [Wed May 17 08:02:46 -05 2017] OK
      [Wed May 17 08:02:46 -05 2017] 9:Le_Vlist='pfsense.labf5.com#wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg#https://acme-staging.api.letsencrypt.org/acme/challenge/jxQ-Iyr10CxFmc4yYQAIRer0g_bynWQ_DHfeqUWRkHQ/39376929#dns-01#dns,'
      [Wed May 17 08:02:46 -05 2017] Dns record not added yet, so, save to /tmp/acme/pfsense-GUI-Cert//pfsense.labf5.com/pfsense.labf5.com.conf and exit.
      [Wed May 17 08:02:46 -05 2017] Please add the TXT records to the domains, and retry again.
      [Wed May 17 08:02:46 -05 2017] pid
      [Wed May 17 08:02:46 -05 2017] No need to restore nginx, skip.
      [Wed May 17 08:02:46 -05 2017] _clearupdns
      [Wed May 17 08:02:46 -05 2017] Dns not added, skip.
      [Wed May 17 08:02:46 -05 2017] _on_issue_err
      [Wed May 17 08:02:46 -05 2017] Please check log file for more details: /tmp/acme/pfsense-GUI-Cert/acme_issuecert.log

      How long does pfSense take to honor the request and provide the challenge?

      slacker9876:

        I thought I might want to show my record, here it is:

        ; TXT Records
        _acme-challenge.pfsense.labf5.com      IN      TXT    "F9A<removed>fy-1A"

        jimp (Netgate developer):

          If you use DNS-manual you have to make the second request yourself; it is manual, not automatic. Wait a couple of minutes after manually entering the TXT record and then click the button to issue the certificate again.

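The DNS-manual workflow described in this thread (acme.sh logs "Dns record not added yet" and exits, the operator publishes the TXT record, then re-issues by hand) leaves one check to the operator: confirming the record is actually answered by every authoritative nameserver before clicking the issue button again, since the CA may query any of them. The following is an added example, not code from the pfSense ACME package or from acme.sh. It pulls `txtdomain` and `keyauthorization` out of log lines in the format shown above, derives the TXT value the CA will look for (per RFC 8555 section 8.4, dns-01 uses base64url(SHA-256(key authorization)) without padding, which is the value acme.sh prints as `txt=`), and compares it with TXT answers you have already gathered from each nameserver, for example with `dig +short TXT _acme-challenge.pfsense.labf5.com @ns1`. The function names and the `answers_by_server` dictionary shape are assumptions for this example; the log excerpt reuses the non-redacted values from the post, and the DNS answers in the demo are constructed.

```python
import base64
import hashlib
import re

# Constructed excerpt modelled on the acme.sh log lines quoted in the post
# (the keyauthorization and txtdomain values are the ones shown there).
SAMPLE_LOG = """\
[Wed May 17 08:02:46 -05 2017] keyauthorization='wWAT37-J9FETtvjQWpT3jGmaa20bLrWht8z4ERYGMY0.mFIgUxO81dgLgbfGWbrmQlScd_Np4ldlK6TLYuUOSHg'
[Wed May 17 08:02:46 -05 2017] txtdomain='_acme-challenge.pfsense.labf5.com'
[Wed May 17 08:02:46 -05 2017] Dns record not added yet, so, save to /tmp/acme/pfsense-GUI-Cert//pfsense.labf5.com/pfsense.labf5.com.conf and exit.
[Wed May 17 08:02:46 -05 2017] Please add the TXT records to the domains, and retry again.
"""

# The phrase acme.sh logs when it stops and waits for the operator (DNS-manual mode).
_MANUAL_RETRY_MARKER = "Dns record not added yet"


def parse_challenge(log_text):
    """Extract txtdomain and keyauthorization from acme.sh issue-log lines.

    acme.sh writes them as   name='value'   after the timestamp; the value
    contains no quotes, so a simple pattern is enough.
    """
    found = {}
    for line in log_text.splitlines():
        m = re.search(r"\b(txtdomain|keyauthorization)='([^']*)'", line)
        if m:
            found[m.group(1)] = m.group(2)
    missing = {"txtdomain", "keyauthorization"} - found.keys()
    if missing:
        raise ValueError("log lacks " + ", ".join(sorted(missing)))
    return found


def needs_manual_retry(log_text):
    """True if acme.sh bailed out waiting for the operator to add the TXT record."""
    return _MANUAL_RETRY_MARKER in log_text


def dns01_txt_value(keyauthorization):
    """RFC 8555 s8.4: TXT RDATA = base64url(SHA-256(key authorization)), no '=' padding."""
    digest = hashlib.sha256(keyauthorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def record_is_live(expected, observed_txt):
    """observed_txt: TXT strings one nameserver returned (dig +short style, possibly quoted)."""
    return expected in {v.strip().strip('"') for v in observed_txt}


def ready_to_retry(log_text, answers_by_server):
    """Decide whether it is safe to click 'issue' again.

    answers_by_server maps each authoritative nameserver (assumed gathered by
    the caller, e.g. via dig against every NS) to the TXT values it returned.
    Returns (ready, txt_name, expected_value, servers_still_missing_the_record).
    """
    challenge = parse_challenge(log_text)
    expected = dns01_txt_value(challenge["keyauthorization"])
    missing = [ns for ns, vals in answers_by_server.items()
               if not record_is_live(expected, vals)]
    return (not missing, challenge["txtdomain"], expected, missing)


if __name__ == "__main__":
    # Constructed answers: ns1 already serves the record, ns2 has not loaded the zone yet.
    expected = dns01_txt_value(parse_challenge(SAMPLE_LOG)["keyauthorization"])
    answers = {"ns1.labf5.com": ['"' + expected + '"'], "ns2.labf5.com": []}
    ready, name, value, missing = ready_to_retry(SAMPLE_LOG, answers)
    print("manual retry required:", needs_manual_retry(SAMPLE_LOG))
    print("expected", name, "TXT", value)
    print("ready:", ready, "missing on:", missing)
```

Only once `ready` is true for every authoritative server (and the TXT name is the fully qualified `_acme-challenge.` label, which is easy to get wrong in a BIND zone file without a trailing dot or `$ORIGIN`) is it worth clicking the issue button again; the waiting that jimp recommends covers zone reload and negative-cache TTLs, and this check replaces guessing at it.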
          slacker9876:

            Thanks Jim! I did a renew and it picked it up straight away! I am now running on the "prod" cert with my handy green padlock. Great work to the pfsense team!
