Netgate Discussion Forum
Renew certificate fails with CSR error -> unable to load Private Key

SunDalf, Jul 26, 2017, 8:56 PM (last edited Jul 26, 2017, 9:12 PM):

After three months with a working certificate I have to renew it. I forwarded the ports 80 and 443 to the router IP and clicked the [Issue/Renew] button but got the following message:

    abc.dns.de-LetsEncrypt
    Renewing certificate
    account: LetsEncrypt
    server: letsencrypt-production

    /usr/local/pkg/acme/acme.sh --issue -d 'abc.dns.de' --home '/tmp/acme/abc.dns.de-LetsEncrypt/' --accountconf '/tmp/acme/abc.dns.de-LetsEncrypt/accountconf.conf' --force --reloadCmd '/tmp/acme/abc.dns.de-LetsEncrypt/reloadcmd.sh' --standalone --httpport '80' --log-level 3 --log '/tmp/acme/abc.dns.de-LetsEncrypt/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 80
    )
    [Wed Jul 26 22:31:09 CEST 2017] Standalone mode.
    [Wed Jul 26 22:31:42 CEST 2017] Registering account
    [Wed Jul 26 22:31:43 CEST 2017] Already registered
    [Wed Jul 26 22:31:44 CEST 2017] Update success.
    [Wed Jul 26 22:31:44 CEST 2017] ACCOUNT_THUMBPRINT='UiECxMmf2-lxaqoecnm5knDeDj_o2sYle2t5BuWj-sE'
    [Wed Jul 26 22:31:44 CEST 2017] Single domain='abc.dns.de'
    unable to load Private Key
    34379201032:error:0906D06C:PEM routines:PEM_read_bio:no start line:/builder/pfsense-234/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:696:Expecting: ANY PRIVATE KEY
    [Wed Jul 26 22:31:44 CEST 2017] Create CSR error.
    [Wed Jul 26 22:31:44 CEST 2017] Please check log file for more details: /tmp/acme/abc.dns.de-LetsEncrypt/acme_issuecert.log

Attached you will find the acme_issuecert.log (acme_issuecert.txt).

I created a new account key and registered the key and tried again without success.

Any ideas?
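The OpenSSL message quoted above ("no start line ... Expecting: ANY PRIVATE KEY") is raised while acme.sh builds the CSR, and the CSR is signed with the domain's private key, not with the account key, so creating a new account key leaves the file OpenSSL is complaining about untouched. The script below is an added example and is not code from the original post or from the pfSense ACME package. It inspects a key file the way OpenSSL's PEM reader does (is there a `-----BEGIN ... PRIVATE KEY-----` start line, a matching END line, and a base64 body that decodes to DER?) and, when an `openssl` binary is on the PATH, also asks it to parse the key. The default path is an assumption based on acme.sh's usual `<home>/<domain>/<domain>.key` layout under the `--home` directory shown in the log; take the real path from acme_issuecert.log if it differs.

```python
"""Inspect the private key file acme.sh hands to OpenSSL for the CSR.

Added example. ASSUMED_KEY is a guess built from acme.sh's usual
<home>/<domain>/<domain>.key layout and the --home value in the log above.
"""
import base64
import os
import re
import shutil
import subprocess
import sys

ASSUMED_KEY = "/tmp/acme/abc.dns.de-LetsEncrypt/abc.dns.de/abc.dns.de.key"

# Start/end lines accepted by OpenSSL's "ANY PRIVATE KEY" PEM reader.
PEM_BEGIN = re.compile(r"^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----$")
PEM_END = re.compile(r"^-----END (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----$")


def inspect_pem_key(data: bytes) -> str:
    """Return "ok" or a reason that mirrors OpenSSL's own complaint.

    Checks, in order: the file is not empty, a BEGIN ... PRIVATE KEY start
    line exists (the "no start line" case from the post), a matching END line
    follows it, and the base64 body decodes to DER that begins with a
    SEQUENCE tag (0x30), which every PKCS#1 / PKCS#8 / SEC1 key starts with.
    """
    if not data.strip():
        return "empty file"
    lines = [line.strip() for line in data.decode("ascii", "replace").splitlines()]
    starts = [i for i, line in enumerate(lines) if PEM_BEGIN.match(line)]
    if not starts:
        return "no start line (no -----BEGIN ... PRIVATE KEY----- header)"
    start = starts[0]
    ends = [i for i in range(start + 1, len(lines)) if PEM_END.match(lines[i])]
    if not ends:
        return "no END line after the header (truncated file?)"
    # Skip the "Proc-Type:" / "DEK-Info:" headers an encrypted PKCS#1 key carries.
    body = "".join(line for line in lines[start + 1:ends[0]] if ":" not in line)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return "body is not valid base64"
    if not der or der[0] != 0x30:
        return "body does not decode to a DER SEQUENCE"
    return "ok"


def check_key_file(path: str) -> str:
    """Inspect a key on disk; also run `openssl pkey` on it when openssl is available."""
    if not os.path.exists(path):
        return "missing (acme.sh would generate a fresh key here)"
    with open(path, "rb") as fh:
        verdict = inspect_pem_key(fh.read())
    if verdict == "ok" and shutil.which("openssl"):
        proc = subprocess.run(["openssl", "pkey", "-in", path, "-noout"],
                              capture_output=True, text=True, check=False)
        if proc.returncode != 0:
            verdict = "openssl pkey rejected it: " + proc.stderr.strip()
    return verdict


if __name__ == "__main__":
    key = sys.argv[1] if len(sys.argv) > 1 else ASSUMED_KEY
    verdict = check_key_file(key)
    print(f"{key}: {verdict}")
    if verdict != "ok" and not verdict.startswith("missing"):
        # acme.sh only generates a domain key when the file is absent, so a
        # damaged one survives every retry; move it aside and re-issue.
        print(f"move it aside (mv {key} {key}.broken) and click Issue/Renew again")
```

A zero-length or truncated key file produces exactly the quoted error, and because the file still exists acme.sh will keep reusing it on every retry; a "missing" verdict is the healthy state to aim for before re-issuing. Anything other than "ok" on the account key (a separate file, `account.key` in acme.sh's layout) would show up at the "Registering account" step instead, which succeeded in the log above.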
SunDalf, Jul 27, 2017, 9:42 PM:

Now I get the error message:

    abc.dns.de.de
    Renewing certificate
    account: LetsEncrypt
    server: letsencrypt-production

    /usr/local/pkg/acme/acme.sh --issue -d 'abc.dns.de.de' --home '/tmp/acme/abc.dns.de.de/' --accountconf '/tmp/acme/abc.dns.de.de/accountconf.conf' --force --reloadCmd '/tmp/acme/abc.dns.de.de/reloadcmd.sh' --standalone --httpport '8082' --log-level 3 --log '/tmp/acme/abc.dns.de.de/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 8082
    )
    [Thu Jul 27 23:39:32 CEST 2017] Standalone mode.
    [Thu Jul 27 23:40:03 CEST 2017] Single domain='abc.dns.de.de'
    [Thu Jul 27 23:40:03 CEST 2017] Getting domain auth token for each domain
    [Thu Jul 27 23:40:03 CEST 2017] Getting webroot for domain='abc.dns.de.de'
    [Thu Jul 27 23:40:03 CEST 2017] Getting new-authz for domain='abc.dns.de.de'
    [Thu Jul 27 23:40:06 CEST 2017] The new-authz request is ok.
    [Thu Jul 27 23:40:06 CEST 2017] Verifying:abc.dns.de.de
    [Thu Jul 27 23:40:06 CEST 2017] Standalone mode server
    [Thu Jul 27 23:40:11 CEST 2017] Pending
    [Thu Jul 27 23:40:14 CEST 2017] abc.dns.de.de:Verify error:Fetching http://abc.dns.de.de/.well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxpw: Timeout
    GET / HTTP/1.1
    Host: localhost:8082
    User-Agent: acme.sh/2.6.7 (https://github.com/Neilpang/acme.sh)
    Accept: */*

    [Thu Jul 27 23:40:14 CEST 2017] Please check log file for more details: /tmp/acme/abc.dns.de.de/acme_issuecert.log
Gertjan, Jul 28, 2017, 5:04 PM:

When the LetsEncrypt server tries to access the file
http://abc.dns.de.de/.well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxp
it can't.

This part, http://abc.dns.de.de/, should point to a device (your pfSense box, reachable at abc.dns.de.de) and it should serve pages at this location: .well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxp (handled by the mini web server activated by the acme script).

Check if the DNS of abc.dns.de.de is ok - it must be the IP of your box.
Check for NAT rules - port 80 - to the web server.

But first of all: https://doc.pfsense.org/index.php/ACME_package - what did you choose? How did you set it up?

Btw: I'm using the 'nsupdate' method myself. It's probably the longest one to set up, but what a relief: after that, it runs (renews) all by itself ... I've nothing to do anymore.

Edit: and where are the logs??

No "help me" PM's please. Use the forum, the community will thank you.
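The "Verify error ... Timeout" in the second post and the two checks Gertjan lists (DNS must resolve to the box, and a NAT rule must pass port 80 to the responder) can be confirmed from a host outside your own network before asking the CA again. Let's Encrypt resolves the name, connects to port 80 of every address it gets back (the `--httpport` value only changes where acme.sh listens locally, so an 8082 listener still needs a port 80 NAT rule in front of it), requests `/.well-known/acme-challenge/<token>` with a `Host:` header, and expects the body to be the key authorization `<token>.<account thumbprint>`. The thumbprint appears in the first post's log and the token in the second. The script below is an added example, not code from the ACME package or from anyone in the thread; it performs that fetch the way the CA does and includes a tiny stand-in responder so the whole thing can be exercised on one machine. The local hostname-to-127.0.0.1 mapping and the ports in the demo are assumptions.

```python
"""HTTP-01 reachability self-check: fetch the challenge the way the CA does.

Added example, not ACME package code. TOKEN and THUMBPRINT are the values
printed in the posts above; the demo's hostname mapping and ports are assumed.
"""
import http.client
import http.server
import socket
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxpw"
THUMBPRINT = "UiECxMmf2-lxaqoecnm5knDeDj_o2sYle2t5BuWj-sE"


def fetch_challenge(host, token, connect_ip=None, port=80, timeout=5.0):
    """GET http://<host>/.well-known/acme-challenge/<token>.

    connect_ip/port pin the TCP endpoint (one specific address, or the
    internal --httpport listener) while still sending the Host: header the
    CA sends. Returns (status, body), or (None, error) when the connect
    fails or times out; the timeout is the NAT/firewall symptom from the post.
    """
    conn = http.client.HTTPConnection(connect_ip or host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": host, "User-Agent": "http01-selfcheck/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    except (OSError, http.client.HTTPException) as exc:
        return None, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


def check_http01(domain, token, thumbprint, port=80, resolver=socket.getaddrinfo):
    """Resolve `domain`, then fetch the challenge from every A/AAAA address.

    Port 80 is what Let's Encrypt uses no matter which --httpport acme.sh got.
    Returns [(ip, ok, detail), ...]; `resolver` is injectable for offline tests.
    """
    expected = f"{token}.{thumbprint}"  # the key authorization string
    try:
        infos = resolver(domain, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(None, False, f"DNS lookup failed: {exc}")]
    results = []
    for ip in sorted({info[4][0] for info in infos}):
        status, body = fetch_challenge(domain, token, connect_ip=ip, port=port)
        if status is None:
            results.append((ip, False, body))
        elif status != 200:
            results.append((ip, False, f"HTTP {status}"))
        elif body != expected:
            results.append((ip, False, f"unexpected body {body!r}"))
        else:
            results.append((ip, True, "ok"))
    return results


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for acme.sh's standalone responder (demo/test only)."""
    keyauths = {}

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        body = self.keyauths.get(token)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_challenges(keyauths, bind="127.0.0.1", port=0):
    """Serve token -> key-authorization pairs on a daemon thread; returns (server, port)."""
    handler = type("Handler", (_ChallengeHandler,), {"keyauths": dict(keyauths)})
    srv = http.server.ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Local end-to-end demo (assumed): abc.dns.de.de "resolves" to 127.0.0.1
    # and the responder sits on a high port, as it would behind a NAT rule.
    srv, port = serve_challenges({TOKEN: f"{TOKEN}.{THUMBPRINT}"})
    local = lambda host, p, type=0: [(0, 0, 0, "", ("127.0.0.1", 0))]
    for ip, ok, detail in check_http01("abc.dns.de.de", TOKEN, THUMBPRINT, port=port, resolver=local):
        print(f"{ip}: {'OK' if ok else 'FAIL'} ({detail})")
    srv.shutdown()
    srv.server_close()
    # Real use, from outside your network and against port 80:
    #   check_http01("abc.dns.de.de", TOKEN, THUMBPRINT)
```

Run the real check from outside (a VPS, a phone on mobile data) rather than from the LAN: a hairpin-NAT failure or a split-horizon DNS answer would make it pass locally and still time out for the CA. A `None` status with a connection timeout is the NAT or firewall problem; an `HTTP 404` means the request reached something on port 80 that is not the acme.sh responder (a web server or the pfSense GUI bound to the same port); a wrong body usually means a stale responder from an earlier attempt.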
SunDalf, Jul 29, 2017, 3:46 PM (last edited Jul 29, 2017, 3:52 PM):

Hello Gertjan,

thanks for your answer.
Yes, nslookup shows me the correct IP.

I executed again the steps from "Obtaining a Certificate" but now, in Validation Methods - nsupdate, I do not completely understand:
"Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain to allow the host to update a TXT DNS record for _acme-challenge.<domain name>."
When clicking [Issue/Renew] I now get:

    [Sat Jul 29 17:13:12 CEST 2017] Add the following TXT record:
    [Sat Jul 29 17:13:12 CEST 2017] Domain: '_acme-challenge.abc.dns.de'
    [Sat Jul 29 17:13:12 CEST 2017] TXT value: '-nkjdfkgndfkjhtgfhnjknbjkbkjbk'
    [Sat Jul 29 17:13:12 CEST 2017] Please be aware that you prepend _acme-challenge. before your domain
    [Sat Jul 29 17:13:12 CEST 2017] so the resulting subdomain will be: _acme-challenge.abc.dns.de
    [Sat Jul 29 17:13:12 CEST 2017] Please add the TXT records to the domains, and retry again.

but where exactly?

"Add or update the TXT record in the domain's DNS server for _acme-challenge.<domain name> with the TXT value from the output" ???
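To answer "where exactly": the record goes into the authoritative zone for abc.dns.de (on the name servers that answer for it, not on the pfSense box), at the owner name `_acme-challenge.abc.dns.de`, as a TXT record whose value is the string acme.sh prints. With the nsupdate method acme.sh writes that record itself using RFC 2136 dynamic update, authenticated with the TSIG key the pfSense documentation says must already be set up on the DNS server; that is what "the DNS infrastructure must allow the host to update a TXT record" means. The script below is an added example, not the package's own code and not from the thread; it builds the same kind of update batch by hand so you can confirm the zone accepts a signed update for that name before relying on the package. The name server, zone, key file path and TXT value in the demo are placeholders (the value shown in the post is obviously masked and would be rejected by the format check).

```python
"""Publish the _acme-challenge TXT record with an RFC 2136 dynamic update.

Added example, not ACME package code. The DNS server, zone, TSIG key file
and TXT value used in the demo are placeholders.
"""
import re
import subprocess

# ACME DNS-01 values are base64url(SHA-256(key authorization)): exactly 43
# characters of [A-Za-z0-9_-]. Anything else is a copy/paste accident we
# want to catch before touching the zone.
_TXT_VALUE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def challenge_name(domain: str) -> str:
    """Owner name of the record, fully qualified: _acme-challenge.<domain>."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def nsupdate_batch(domain, txt_value, server, zone=None, ttl=60, replace=True):
    """Build the stdin script for `nsupdate -k <tsig-key-file>`.

    `replace` first deletes any TXT RRs at the owner name so a value left
    over from the previous renewal cannot sit beside the new one; the short
    TTL keeps resolvers from caching it long after the CA has looked.
    """
    if not _TXT_VALUE.match(txt_value):
        raise ValueError(f"not an ACME challenge value: {txt_value!r}")
    name = challenge_name(domain)
    lines = [f"server {server}"]
    if zone:
        lines.append(f"zone {zone.rstrip('.')}.")
    if replace:
        lines.append(f"update delete {name} TXT")
    lines.append(f'update add {name} {ttl} IN TXT "{txt_value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def nsupdate_cleanup_batch(domain, server, zone=None):
    """Batch that removes the record again once the certificate is issued."""
    lines = [f"server {server}"]
    if zone:
        lines.append(f"zone {zone.rstrip('.')}.")
    lines += [f"update delete {challenge_name(domain)} TXT", "send"]
    return "\n".join(lines) + "\n"


def push(batch: str, keyfile: str) -> subprocess.CompletedProcess:
    """Feed a batch to nsupdate, signed with the TSIG key in `keyfile`
    (a BIND K*.private file or a file holding a `key` clause).
    Needs the real DNS server, so the demo below does not call it."""
    return subprocess.run(["nsupdate", "-k", keyfile], input=batch,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed placeholder value with the right shape (43 base64url chars).
    value = "bp_BrvgeOhUF7BzwM2N3ekjNxdcWkUlv7qzOBnwbGuA"
    batch = nsupdate_batch("abc.dns.de", value, server="ns1.dns.de", zone="dns.de")
    print(batch)
    # Then, against the real server:
    #   result = push(batch, "/root/Kacme.+165+12345.private")
    #   dig +short TXT _acme-challenge.abc.dns.de @ns1.dns.de
```

The TSIG key should be restricted on the server side to exactly this owner name (BIND's `update-policy` with `grant <key> name _acme-challenge.abc.dns.de TXT;`), so a leak of the key from the firewall cannot be used to rewrite the rest of the zone. If `nsupdate` reports REFUSED or NOTAUTH, the zone is not accepting signed updates for that name yet, and the package's nsupdate method will fail in the same way.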
SunDalf, Jul 29, 2017, 9:49 PM:

Got it :-)

Just

    mkdir /usr/local/www/.well-known/
    mkdir /usr/local/www/.well-known/acme-challenge

and use stand-alone HTTP server in Domain SAN list.
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.