Renew certificate fails with CSR error -> unable to load Private Key



  • After three months with a working certificate I have to renew it. I forwarded the ports 80 and 443 to the router IP and clicked the [Issue/Renew] button but got the following message:

    abc.dns.de-LetsEncrypt
    Renewing certificate
    account: LetsEncrypt
    server: letsencrypt-production

    /usr/local/pkg/acme/acme.sh --issue -d 'abc.dns.de' --home '/tmp/acme/abc.dns.de-LetsEncrypt/' --accountconf '/tmp/acme/abc.dns.de-LetsEncrypt/accountconf.conf' --force --reloadCmd '/tmp/acme/abc.dns.de-LetsEncrypt/reloadcmd.sh' --standalone --httpport '80' --log-level 3 --log '/tmp/acme/abc.dns.de-LetsEncrypt/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 80
    )
    [Wed Jul 26 22:31:09 CEST 2017] Standalone mode.
    [Wed Jul 26 22:31:42 CEST 2017] Registering account
    [Wed Jul 26 22:31:43 CEST 2017] Already registered
    [Wed Jul 26 22:31:44 CEST 2017] Update success.
    [Wed Jul 26 22:31:44 CEST 2017] ACCOUNT_THUMBPRINT='UiECxMmf2-lxaqoecnm5knDeDj_o2sYle2t5BuWj-sE'
    [Wed Jul 26 22:31:44 CEST 2017] Single domain='abc.dns.de'
    unable to load Private Key
    34379201032:error:0906D06C:PEM routines:PEM_read_bio:no start line:/builder/pfsense-234/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:696:Expecting: ANY PRIVATE KEY
    [Wed Jul 26 22:31:44 CEST 2017] Create CSR error.
    [Wed Jul 26 22:31:44 CEST 2017] Please check log file for more details: /tmp/acme/abc.dns.de-LetsEncrypt/acme_issuecert.log

    Attached you will find the acme_issuecert.log.

    I created a new account key and registered the key and tried again without success.

    Any ideas?
    acme_issuecert.txt
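    An added example, not from this thread nor from pfSense or acme.sh: a POSIX shell function that classifies the key file OpenSSL complained about. The message "PEM routines:PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY" means the PEM reader never found a "-----BEGIN ... PRIVATE KEY-----" line, which in practice points to an empty or truncated key file rather than to a wrong key. The location of the domain key under the --home directory shown in the command line is an assumption; check the directory the command actually used.

    ```shell
    #!/bin/sh
    # Added example (not code from the thread, pfSense or acme.sh).
    # Classify why OpenSSL reports "no start line ... Expecting: ANY PRIVATE KEY"
    # for a key file. acme.sh builds the CSR from the domain key it keeps under
    # its --home directory, assumed here to be something like
    #   /tmp/acme/abc.dns.de-LetsEncrypt/abc.dns.de/abc.dns.de.key
    # Prints one word (missing, empty, no-start-line, truncated, ok) and
    # returns 0 only for "ok".

    pem_key_status() {
        keyfile="$1"
        if [ ! -f "$keyfile" ]; then
            echo "missing"; return 1
        fi
        # A zero-length key file is the usual cause of the error in the thread:
        # PEM_read_bio reads nothing and reports "no start line".
        if [ ! -s "$keyfile" ]; then
            echo "empty"; return 1
        fi
        # PEM_read_bio scans for a line beginning with "-----BEGIN "; any file
        # without a private-key BEGIN line is not a PEM key at all.
        if ! grep -q '^-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
            echo "no-start-line"; return 1
        fi
        # A BEGIN line without the matching END line means the file was cut
        # short while being written (disk full, interrupted run).
        if ! grep -q '^-----END .*PRIVATE KEY-----' "$keyfile"; then
            echo "truncated"; return 1
        fi
        echo "ok"; return 0
    }

    # Usage: sh pem_key_status.sh /path/to/domain.key
    if [ -n "${1:-}" ]; then
        pem_key_status "$1"
    fi
    ```

    If the function reports "empty" or "truncated", deleting the broken key file and pressing [Issue/Renew] again lets acme.sh generate a fresh domain key before it builds the CSR; an "ok" result means the CSR error has to come from somewhere other than the key file's format.
    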



  • Now I get the error message:

    abc.dns.de.de
    Renewing certificate
    account: LetsEncrypt
    server: letsencrypt-production

    /usr/local/pkg/acme/acme.sh --issue -d 'abc.dns.de.de' --home '/tmp/acme/abc.dns.de.de/' --accountconf '/tmp/acme/abc.dns.de.de/accountconf.conf' --force --reloadCmd '/tmp/acme/abc.dns.de.de/reloadcmd.sh' --standalone --httpport '8082' --log-level 3 --log '/tmp/acme/abc.dns.de.de/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 8082
    )
    [Thu Jul 27 23:39:32 CEST 2017] Standalone mode.
    [Thu Jul 27 23:40:03 CEST 2017] Single domain='abc.dns.de.de'
    [Thu Jul 27 23:40:03 CEST 2017] Getting domain auth token for each domain
    [Thu Jul 27 23:40:03 CEST 2017] Getting webroot for domain='abc.dns.de.de'
    [Thu Jul 27 23:40:03 CEST 2017] Getting new-authz for domain='abc.dns.de.de'
    [Thu Jul 27 23:40:06 CEST 2017] The new-authz request is ok.
    [Thu Jul 27 23:40:06 CEST 2017] Verifying:abc.dns.de.de
    [Thu Jul 27 23:40:06 CEST 2017] Standalone mode server
    [Thu Jul 27 23:40:11 CEST 2017] Pending
    [Thu Jul 27 23:40:14 CEST 2017] abc.dns.de.de:Verify error:Fetching http://abc.dns.de.de/.well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxpw: Timeout
    GET / HTTP/1.1
    Host: localhost:8082
    User-Agent: acme.sh/2.6.7 (https://github.com/Neilpang/acme.sh)
    Accept: */*

    [Thu Jul 27 23:40:14 CEST 2017] Please check log file for more details: /tmp/acme/abc.dns.de.de/acme_issuecert.log



  • When the LetsEncrypt server tries to access the file
    http://abc.dns.de.de/.well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxp
    it can't.

    This part: http://abc.dns.de.de/ should point to a device (your pfSense box, reachable at abc.dns.de.de) and it should serve pages at this location: .well-known/acme-challenge/9S88B1jm_CNSkKHKYQ4DQplByQTHvWTsATsdAL0Bxp (handled by the mini web server activated by the acme script).

    Check if the DNS of abc.dns.de.de is ok - must be the IP of your box.
    Check for NAT rules - port 80 - to the web server.

    But first of all: https://doc.pfsense.org/index.php/ACME_package - what did you choose? How did you set it up?

    Btw: I'm using the 'nsupdate' method myself. It's probably the longest one to set up, but what a relief: after that, it runs (renews) all by itself … I have nothing to do anymore.



  • Hello Gertja,

    thanks for your answer.
    Yes, nslookup shows me the correct IP.

    I executed again the steps from "Obtaining a Certificate", but now, in Validation Methods - nsupdate, there is something I do not completely understand:
    "Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain to allow the host to update a TXT DNS record for _acme-challenge.<domain name>."
    When clicking [Issue/Renew] I now get:

    [Sat Jul 29 17:13:12 CEST 2017] Add the following TXT record:
    [Sat Jul 29 17:13:12 CEST 2017] Domain: '_acme-challenge.abc.dns.de'
    [Sat Jul 29 17:13:12 CEST 2017] TXT value: '-nkjdfkgndfkjhtgfhnjknbjkbkjbk'
    [Sat Jul 29 17:13:12 CEST 2017] Please be aware that you prepend _acme-challenge. before your domain
    [Sat Jul 29 17:13:12 CEST 2017] so the resulting subdomain will be: _acme-challenge.abc.dns.de
    [Sat Jul 29 17:13:12 CEST 2017] Please add the TXT records to the domains, and retry again.

    but where exactly?

    "Add or update the TXT record in the domain's DNS server for _acme-challenge.<domain name> with the TXT value from the output"???
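    As an added example that is not part of the thread, nor pfSense's or acme.sh's code: a small shell helper that reads the acme.sh output pasted in these posts, names which of the three failure modes seen in this thread it shows, extracts the challenge URL the CA tried to fetch in the HTTP-01 case (so it can be tested from outside the LAN with curl), and, for the manual DNS case, turns the "Domain:" / "TXT value:" lines into an nsupdate batch. That batch answers the "where exactly?" question: the TXT record belongs in the authoritative zone for the domain, which is what the nsupdate validation method updates on its own once a TSIG key is in place. The name server, zone, TTL and the TXT value in the test are placeholders I constructed.

    ```shell
    #!/bin/sh
    # Added example (not code from the thread, pfSense or acme.sh).
    # Triage an acme.sh issue log into one of the failure modes from this thread:
    #   key-unloadable      "unable to load Private Key" / "Create CSR error"
    #   http01-unreachable  "Verify error:Fetching http://.../.well-known/acme-challenge/...: Timeout"
    #   dns01-manual        "Add the following TXT record" (manual DNS mode)
    acme_log_triage() {
        log="$1"
        if grep -q 'unable to load Private Key' "$log" || grep -q 'Create CSR error' "$log"; then
            echo "key-unloadable"; return 0
        fi
        if grep -q 'Verify error:Fetching http://.*/\.well-known/acme-challenge/' "$log"; then
            echo "http01-unreachable"; return 0
        fi
        if grep -q 'Add the following TXT record' "$log"; then
            echo "dns01-manual"; return 0
        fi
        echo "unknown"; return 1
    }

    # Pull the challenge URL out of the "Verify error:Fetching <url>: Timeout"
    # line. The CA fetches this URL from the public Internet, so it must answer
    # from outside (DNS -> WAN IP, NAT on port 80 -> the acme standalone server).
    acme_challenge_url() {
        sed -n 's/.*Verify error:Fetching \(http:[^:]*\):.*/\1/p' "$1" | head -n 1
    }

    # Turn the "Domain: '...'" / "TXT value: '...'" lines of a manual-DNS log into
    # an nsupdate batch for the zone's primary server.
    # Arguments: log file, name server to send the update to, zone name.
    # The TTL of 60 seconds is a placeholder; the record only has to live
    # until the CA has looked it up.
    acme_txt_nsupdate() {
        log="$1"; server="$2"; zone="$3"
        name=$(sed -n "s/.*Domain: '\([^']*\)'.*/\1/p" "$log" | head -n 1)
        value=$(sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" "$log" | head -n 1)
        [ -n "$name" ] && [ -n "$value" ] || return 1
        printf 'server %s\n' "$server"
        printf 'zone %s\n' "$zone"
        printf 'update delete %s. TXT\n' "$name"
        printf 'update add %s. 60 TXT "%s"\n' "$name" "$value"
        printf 'send\n'
    }

    # Usage: sh acme_triage.sh /tmp/acme/<profile>/acme_issuecert.log
    if [ -n "${1:-}" ] && [ -f "$1" ]; then
        acme_log_triage "$1"
    fi
    ```

    The generated batch is what one would pipe into `nsupdate -k /path/to/Kacme.+157+NNNNN.private` (key file name is a placeholder) against a zone that allows that key to update `_acme-challenge.<domain name>`; the pfSense nsupdate method does the same thing automatically at every renewal, which is why it needs the key and the zone's update policy configured first.
    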



  • Got it :-)

    Just
    mkdir /usr/local/www/.well-known/
    mkdir /usr/local/www/.well-known/acme-challenge

    and use the stand-alone HTTP server in the Domain SAN list.