Let's Encypt problem on 2.4



  • After upgrade to pfSense 2.4 I have same problem with requesting Let's Encrypt certificate.
    Verify error:Invalid response from http://xxx/.well-known/acme-challenge/5SZPMcDkKgav2DsRQT4lLi9vHk7bIzMYccf_Z5zlaCE [x.x.x.x]: 404
    On 2.3.x version there wasn't any problem with requesting certificates.



  • Have same issues!
    Copy from https://forum.pfsense.org/index.php?topic=101186.75 summa info:
    pfSense 2.4.0 , haproxy 0.52_14  (1.7.9), acme 0.1.20
    Firewall part:
    all 80 and 443 tcp port are allowed on all interfaces any to any
    HAProxy part:
    Created acme-webroot.lua in files tab, created one frontend to all WAN IPs on only 80 port, ACL: url_acme_http01 with value /.well-known/acme-challenge/ and Actions: http-request lua service with value METH_GET url_acme_http01 and function acme-http01

    ACME part:
    create issue cert to one domain with SAL list:
    method webroot local folder: /tmp/haproxy_chroot/.well-known/acme-challenge/, tried to /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/

    I we created by hands folders (think it may can help, but no):
    even tried to change permission to folder to 777 /tmp/haproxy_chroot for test purpose.
    mkdir -p /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/
    mkdir -p /tmp/haproxy_chroot/.well-known/acme-challenge/
    mkdir -p /tmp/haproxy_chroot/well-known/acme-challenge/

    Then i disable HAProxy and tried standalone ACME server, this not work too, but now it crash by timeout, tried NAT from custom port to WANs 80, and tried 80 directly, nothing not work.

    I use dns.he.net, and I have case to use ACME in DNS key mode, but this option not good for me because ACME package in pfSense saves password of he.net in cleantext in admin panel, config.xml and backups.xml.



  • HAProxy see attachment.

    RootFolder: /tmp/haproxy_chroot/.well-known/acme-challenge/
    , Key Type: Host Key
    , Key Algorithm: HMAC-MD5

    Firewall Ports 80/433 open! 80 is needed for ACME in my case. Other options did not work even if HAProxy was shut down.

    An be sure, that the lua file is copied without error/missing characters!






  • I do all like you did already day ago and it not work for me, look at attachments config. In there I added screenshot how it looks from WAN to other - code: 404, body: resource not found - and this is answer from LUA script.
    Firewall configured - its opened for all WANs 80, 443.
    WebConfigurator auto redirect rule is disabled for free 80 port.
    HAProxy works fine. Tested http and https works from all IPv4 and IPv6 WANs.
    ACME LUA script taken ftom post and then from git:
    https://raw.githubusercontent.com/janeczku/haproxy-acme-validation-plugin/master/acme-http01-webroot.lua
    ACME.SH webroot local folder pointing to: /tmp/haproxy_chroot/.well-known/acme-challenge/
    I have many domains, and tried 2 days with really many variants to do, with only 1 IPv4, and with multi 2xIPv4 2xIPv6 on HA and DNS every time correct, etc. Erased all (even folders with rm -rf /tmp/acme) and installed and configured again from zero, etc.

    ACME answer: (anonymized only sensitive to some.domain.com and IP)

    some.domain.com
    Renewing certificateaccount: i@domain.com 
    server: letsencrypt-staging 
    
    /usr/local/pkg/acme/acme.sh --issue -d 'some.domain.com' --home '/tmp/acme/some.domain.com/' --accountconf '/tmp/acme/some.domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/some.domain.com/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/some.domain.com/acme_issuecert.log'
    
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [folder] => /tmp/haproxy_chroot/.well-known/acme-challenge/
    )
    [Fri Oct 20 00:35:27 EEST 2017] Registering account
    [Fri Oct 20 00:35:29 EEST 2017] Already registered
    [Fri Oct 20 00:35:30 EEST 2017] Update account tos info success.
    [Fri Oct 20 00:35:30 EEST 2017] ACCOUNT_THUMBPRINT='XXXXX'
    [Fri Oct 20 00:35:30 EEST 2017] Single domain='some.domain.com'
    [Fri Oct 20 00:35:30 EEST 2017] Getting domain auth token for each domain
    [Fri Oct 20 00:35:30 EEST 2017] Getting webroot for domain='some.domain.com'
    [Fri Oct 20 00:35:30 EEST 2017] Getting new-authz for domain='some.domain.com'
    [Fri Oct 20 00:35:31 EEST 2017] The new-authz request is ok.
    [Fri Oct 20 00:35:31 EEST 2017] Verifying:some.domain.com
    [Fri Oct 20 00:35:35 EEST 2017] some.domain.com:Verify error:Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404
    [Fri Oct 20 00:35:35 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
    
    

    ACME_ISSUECERT.LOG (anonymized only sensitive to some.domain.com and IP, crypto-data to XXXXX)

    [Fri Oct 20 01:03:32 EEST 2017] readlink exists=0
    [Fri Oct 20 01:03:32 EEST 2017] dirname exists=0
    [Fri Oct 20 01:03:32 EEST 2017] Lets find script dir.
    [Fri Oct 20 01:03:32 EEST 2017] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
    [Fri Oct 20 01:03:32 EEST 2017] _script='/usr/local/pkg/acme/acme.sh'
    [Fri Oct 20 01:03:32 EEST 2017] _script_home='/usr/local/pkg/acme'
    [Fri Oct 20 01:03:32 EEST 2017] Using config home:/tmp/acme/some.domain.com/
    [Fri Oct 20 01:03:32 EEST 2017] APP
    [Fri Oct 20 01:03:32 EEST 2017] 2:LOG_FILE='/tmp/acme/some.domain.com/acme_issuecert.log'
    [Fri Oct 20 01:03:32 EEST 2017] APP
    [Fri Oct 20 01:03:32 EEST 2017] 3:LOG_LEVEL='3'
    [Fri Oct 20 01:03:32 EEST 2017] LE_WORKING_DIR='/tmp/acme/some.domain.com/'
    [Fri Oct 20 01:03:32 EEST 2017] Using config home:/tmp/acme/some.domain.com/
    [Fri Oct 20 01:03:32 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
    [Fri Oct 20 01:03:32 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
    [Fri Oct 20 01:03:32 EEST 2017] DOMAIN_PATH='/tmp/acme/some.domain.com//some.domain.com'
    [Fri Oct 20 01:03:32 EEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 01:03:32 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 01:03:32 EEST 2017] GET
    [Fri Oct 20 01:03:32 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 01:03:32 EEST 2017] timeout
    [Fri Oct 20 01:03:32 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:32 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:32 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:33 EEST 2017] ret='0'
    [Fri Oct 20 01:03:33 EEST 2017] response='{
      "A5kiE-zljR8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
      "meta": {
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
      },
      "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
      "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Fri Oct 20 01:03:33 EEST 2017] Le_NextRenewTime
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 2:Le_Domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 3:Le_Alt='no'
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 4:Le_Webroot='pfSenseacme'
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 5:Le_PreHook=''
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 6:Le_PostHook=''
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 7:Le_RenewHook=''
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 8:Le_API='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 01:03:33 EEST 2017] _on_before_issue
    [Fri Oct 20 01:03:33 EEST 2017] 'pfSenseacme' does not contain 'no'
    [Fri Oct 20 01:03:33 EEST 2017] Le_LocalAddress
    [Fri Oct 20 01:03:33 EEST 2017] Check for domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _currentRoot='pfSenseacme'
    [Fri Oct 20 01:03:33 EEST 2017] 'pfSenseacme' does not contain 'apache'
    [Fri Oct 20 01:03:33 EEST 2017] _saved_account_key_hash='XXXXX'
    [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:33 EEST 2017] _saved_account_key_hash is not changed, skip register account.
    [Fri Oct 20 01:03:33 EEST 2017] Read key length:
    [Fri Oct 20 01:03:33 EEST 2017] _createcsr
    [Fri Oct 20 01:03:33 EEST 2017] domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] domainlist
    [Fri Oct 20 01:03:33 EEST 2017] csrkey='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.key'
    [Fri Oct 20 01:03:33 EEST 2017] csr='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr'
    [Fri Oct 20 01:03:33 EEST 2017] csrconf='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr.conf'
    [Fri Oct 20 01:03:33 EEST 2017] Single domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _is_idn_d='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _idn_temp
    [Fri Oct 20 01:03:33 EEST 2017] _csr_cn='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] OK
    [Fri Oct 20 01:03:33 EEST 2017] 1:Le_Keylength=''
    [Fri Oct 20 01:03:33 EEST 2017] Getting domain auth token for each domain
    [Fri Oct 20 01:03:33 EEST 2017] Getting webroot for domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _w='pfSenseacme'
    [Fri Oct 20 01:03:33 EEST 2017] _currentRoot='pfSenseacme'
    [Fri Oct 20 01:03:33 EEST 2017] Getting new-authz for domain='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 01:03:33 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 01:03:33 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Fri Oct 20 01:03:33 EEST 2017] Try new-authz for the 0 time.
    [Fri Oct 20 01:03:33 EEST 2017] _is_idn_d='some.domain.com'
    [Fri Oct 20 01:03:33 EEST 2017] _idn_temp
    [Fri Oct 20 01:03:33 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 01:03:33 EEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "some.domain.com"}}'
    [Fri Oct 20 01:03:33 EEST 2017] RSA key
    [Fri Oct 20 01:03:33 EEST 2017] pub_exp='010001'
    [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:33 EEST 2017] xxd exists=127
    [Fri Oct 20 01:03:33 EEST 2017] _URGLY_PRINTF='1'
    [Fri Oct 20 01:03:33 EEST 2017] e='AQAB'
    [Fri Oct 20 01:03:33 EEST 2017] modulus='XXXXX'
    [Fri Oct 20 01:03:33 EEST 2017] xxd exists=127
    [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:33 EEST 2017] _URGLY_PRINTF='1'
    [Fri Oct 20 01:03:33 EEST 2017] n='XXXXX'
    [Fri Oct 20 01:03:33 EEST 2017] jwk='{"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
    [Fri Oct 20 01:03:33 EEST 2017] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 01:03:33 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:33 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 01:03:33 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 01:03:33 EEST 2017] Get nonce. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 01:03:33 EEST 2017] GET
    [Fri Oct 20 01:03:33 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 01:03:33 EEST 2017] timeout
    [Fri Oct 20 01:03:33 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:33 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:33 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:34 EEST 2017] ret='0'
    [Fri Oct 20 01:03:34 EEST 2017] _headers='HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json
    Content-Length: 581
    Replay-Nonce: XXXXX
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 19 Oct 2017 22:03:34 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 19 Oct 2017 22:03:34 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 01:03:34 EEST 2017] _CACHED_NONCE='XXXXX'
    [Fri Oct 20 01:03:34 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 01:03:34 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 01:03:34 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:34 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 01:03:34 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:34 EEST 2017] _sig_t='XXXXX'
    [Fri Oct 20 01:03:34 EEST 2017] sig='XXXXX'
    [Fri Oct 20 01:03:34 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 01:03:34 EEST 2017] POST
    [Fri Oct 20 01:03:34 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 01:03:34 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 01:03:34 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:34 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:34 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:35 EEST 2017] _ret='0'
    [Fri Oct 20 01:03:35 EEST 2017] original='{
      "identifier": {
        "type": "dns",
        "value": "some.domain.com"
      },
      "status": "pending",
      "expires": "2017-10-26T22:03:35.303794955Z",
      "challenges": [
        {
          "type": "dns-01",
          "status": "pending",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042157",
          "token": "XXXXX"
        },
        {
          "type": "http-01",
          "status": "pending",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042158",
          "token": "XXXXX"
        },
        {
          "type": "tls-sni-01",
          "status": "pending",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042159",
          "token": "XXXXX"
        }
      ],
      "combinations": [
        [
          0
        ],
        [
          1
        ],
        [
          2
        ]
      ]
    }'
    [Fri Oct 20 01:03:35 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 19 Oct 2017 22:03:35 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 201 Created
    Server: nginx
    Content-Type: application/json
    Content-Length: 1017
    Boulder-Requester: 4937986
    Link: <https: acme-staging.api.letsencrypt.org="" acme="" new-cert="">;rel="next"
    Location: https://acme-staging.api.letsencrypt.org/acme/authz/XXXXX
    Replay-Nonce: XXXXX
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 19 Oct 2017 22:03:35 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 19 Oct 2017 22:03:35 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 01:03:35 EEST 2017] response='{"identifier":{"type":"dns","value":"some.domain.com"},"status":"pending","expires":"2017-10-26T22:03:35.303794955Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042157","token":"XXXXX"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70042159","token":"XXXXX"}],"combinations":[[0],[1],[2]]}'
    [Fri Oct 20 01:03:35 EEST 2017] code='201'
    [Fri Oct 20 01:03:35 EEST 2017] The new-authz request is ok.
    [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:35 EEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX"'
    [Fri Oct 20 01:03:35 EEST 2017] token='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] keyauthorization='XXXXX.XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] dvlist='some.domain.com#XXXXX.XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme'
    [Fri Oct 20 01:03:35 EEST 2017] vlist='some.domain.com#XXXXX.XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme,'
    [Fri Oct 20 01:03:35 EEST 2017] ok, let's start to verify
    [Fri Oct 20 01:03:35 EEST 2017] Verifying:some.domain.com
    [Fri Oct 20 01:03:35 EEST 2017] d='some.domain.com'
    [Fri Oct 20 01:03:35 EEST 2017] keyauthorization='XXXXX.XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] _currentRoot='pfSenseacme'
    [Fri Oct 20 01:03:35 EEST 2017] wellknown_path='pfSenseacme/.well-known/acme-challenge'
    [Fri Oct 20 01:03:35 EEST 2017] writing token:XXXXX to pfSenseacme/.well-known/acme-challenge/XXXXX
    [Fri Oct 20 01:03:35 EEST 2017] Changing owner/group of .well-known to root:wheel
    [Fri Oct 20 01:03:35 EEST 2017] mktemp exists=0
    [Fri Oct 20 01:03:35 EEST 2017] tigger domain validation.
    [Fri Oct 20 01:03:35 EEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] _t_key_authz='XXXXX.XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] payload='{"resource": "challenge", "keyAuthorization": "XXXXX.XXXXX"}'
    [Fri Oct 20 01:03:35 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:35 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 01:03:35 EEST 2017] Use _CACHED_NONCE='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:35 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:35 EEST 2017] _sig_t='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] sig='XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 01:03:35 EEST 2017] POST
    [Fri Oct 20 01:03:35 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:35 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 01:03:35 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:35 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:35 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:36 EEST 2017] _ret='0'
    [Fri Oct 20 01:03:36 EEST 2017] original='{
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX",
      "token": "XXXXX",
      "keyAuthorization": "XXXXX.XXXXX"
    }'
    [Fri Oct 20 01:03:36 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 19 Oct 2017 22:03:36 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 202 Accepted
    Server: nginx
    Content-Type: application/json
    Content-Length: 338
    Boulder-Requester: 4937986
    Link: <https: acme-staging.api.letsencrypt.org="" acme="" authz="" xxxxx="">;rel="up"
    Location: https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX
    Replay-Nonce: XXXXX
    Expires: Thu, 19 Oct 2017 22:03:36 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 19 Oct 2017 22:03:36 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 01:03:36 EEST 2017] response='{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX"}'
    [Fri Oct 20 01:03:36 EEST 2017] code='202'
    [Fri Oct 20 01:03:36 EEST 2017] sleep 2 secs to verify
    [Fri Oct 20 01:03:38 EEST 2017] checking
    [Fri Oct 20 01:03:38 EEST 2017] GET
    [Fri Oct 20 01:03:38 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:38 EEST 2017] timeout
    [Fri Oct 20 01:03:38 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:38 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:38 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:39 EEST 2017] ret='0'
    [Fri Oct 20 01:03:39 EEST 2017] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404",
        "status": 403
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX",
      "token": "XXXXX",
      "keyAuthorization": "XXXXX.XXXXX",
      "validationRecord": [
        {
          "url": "http://some.domain.com/.well-known/acme-challenge/XXXXX",
          "hostname": "some.domain.com",
          "port": "80",
          "addressesResolved": [
            "IP"
          ],
          "addressUsed": "IP",
          "addressesTried": []
        }
      ]
    }'
    [Fri Oct 20 01:03:39 EEST 2017] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404","status": 403},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX","validationRecord":[{"url":"http://some.domain.com/.well-known/acme-challenge/XXXXX","hostname":"some.domain.com","port":"80","addressesResolved":["IP"],"addressUsed":"IP","addressesTried":[]}]}'
    [Fri Oct 20 01:03:39 EEST 2017] error='"error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404","status": 403'
    [Fri Oct 20 01:03:39 EEST 2017] errordetail='Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404'
    [Fri Oct 20 01:03:39 EEST 2017] some.domain.com:Verify error:Invalid response from http://some.domain.com/.well-known/acme-challenge/XXXXX [IP]: 404
    [Fri Oct 20 01:03:39 EEST 2017] pid
    [Fri Oct 20 01:03:39 EEST 2017] No need to restore nginx, skip.
    [Fri Oct 20 01:03:39 EEST 2017] _clearupdns
    [Fri Oct 20 01:03:39 EEST 2017] skip dns.
    [Fri Oct 20 01:03:39 EEST 2017] _on_issue_err
    [Fri Oct 20 01:03:39 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
    [Fri Oct 20 01:03:39 EEST 2017] _chk_vlist='some.domain.com#XXXXX#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX#http-01#pfSenseacme,'
    [Fri Oct 20 01:03:39 EEST 2017] start to deactivate authz
    [Fri Oct 20 01:03:39 EEST 2017] tigger domain validation.
    [Fri Oct 20 01:03:39 EEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] _t_key_authz='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] payload='{"resource": "challenge", "keyAuthorization": "XXXXX"}'
    [Fri Oct 20 01:03:39 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:39 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 01:03:39 EEST 2017] Use _CACHED_NONCE='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:39 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] base64 single line.
    [Fri Oct 20 01:03:39 EEST 2017] _sig_t='XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] sig='XXXXX"}'
    [Fri Oct 20 01:03:39 EEST 2017] POST
    [Fri Oct 20 01:03:39 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX'
    [Fri Oct 20 01:03:39 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
    [Fri Oct 20 01:03:39 EEST 2017] curl exists=0
    [Fri Oct 20 01:03:39 EEST 2017] wget exists=127
    [Fri Oct 20 01:03:39 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 01:03:40 EEST 2017] _ret='0'
    [Fri Oct 20 01:03:40 EEST 2017] original='{
      "type": "urn:acme:error:malformed",
      "detail": "Unable to update challenge :: The challenge is not pending.",
      "status": 400
    }'
    [Fri Oct 20 01:03:40 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 19 Oct 2017 22:03:39 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 132
    Boulder-Requester: 4937986
    Replay-Nonce: XXXXX
    Expires: Thu, 19 Oct 2017 22:03:40 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 19 Oct 2017 22:03:40 GMT
    Connection: close
    
    '
    [Fri Oct 20 01:03:40 EEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
    [Fri Oct 20 01:03:40 EEST 2017] code='400'</https:></https:>
    



    ![Result of not working ACME.png](/public/imported_attachments/1/Result of not working ACME.png)
    ![Result of not working ACME.png_thumb](/public/imported_attachments/1/Result of not working ACME.png_thumb)



  • Bad part that Administrator of Forum move topic to Cahce/Proxy, but it ACME problems not HAProxy how I think…

    Today tried from another place with minimum configured fresh installed pfSense 2.3.4p1 and only 2 packages installed: acme 0.1.20, haproxy 0.52_14.
    Same result like in post above: HAproxy lua script answer: Code: 404, HTML body: resource not found.
    Again tried install crean system with only acme 0.1.20 and pure ACME standalone HTTP server on 80 - not work to, and standalone  HTTPS server on port 443 to:

    some.domain.com
    Renewing certificateaccount: i@some.domain.com 
    server: letsencrypt-staging 
    
    /usr/local/pkg/acme/acme.sh --issue -d 'some.domain.com' --home '/tmp/acme/some.domain.com/' --accountconf '/tmp/acme/some.domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/some.domain.com/reloadcmd.sh' --tls --tlsport '443' --log-level 3 --log '/tmp/acme/some.domain.com/acme_issuecert.log'
    
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 443
    )
    [Fri Oct 20 14:21:45 EEST 2017] Standalone tls mode.
    [Fri Oct 20 14:21:45 EEST 2017] Single domain='some.domain.com'
    [Fri Oct 20 14:21:45 EEST 2017] Getting domain auth token for each domain
    [Fri Oct 20 14:21:45 EEST 2017] Getting webroot for domain='some.domain.com'
    [Fri Oct 20 14:21:45 EEST 2017] Getting new-authz for domain='some.domain.com'
    [Fri Oct 20 14:21:48 EEST 2017] The new-authz request is ok.
    [Fri Oct 20 14:21:48 EEST 2017] Verifying:some.domain.com
    [Fri Oct 20 14:21:48 EEST 2017] Starting tls server.
    [Fri Oct 20 14:21:48 EEST 2017] Multi domain='DNS:93be3fdba632d9a19e3e09e501ead865.4834279ed8ba2cbefa4c6c87099b5de3.acme.invalid'
    [Fri Oct 20 14:21:53 EEST 2017] Pending
    [Fri Oct 20 14:21:55 EEST 2017] Pending
    [Fri Oct 20 14:21:58 EEST 2017] some.domain.com:Verify error:Timeout
    [Fri Oct 20 14:21:59 EEST 2017] Please check log file for more details: /tmp/acme/some.domain.com/acme_issuecert.log
    
    

    Tried dns.he.net - it works, but it really not secure - it pass login\pass in many places (logs on filesystem, webconfigurator, etc.) with plaintext, and have access to all DNS systems that I don't want to give - to high risk. And I understand that it can't be upgraded without cooperating with HE.net - thay do not allow create DDNS to TXT records, only to A and AAAA. But if somebody ask them - maybe thay add this function to API, and then we can use secure key that can renew only one TXT record and don't have access to account.
    But after i have successfully received certificate by dns.he.net, I tested one by one:
    standalone http
    standalone https(tls)
    webroot folder with HAproxy and lua script
    to renew that cert that i already have and he successful renew cert! :o

    Because of it I understood that broken part is creating new cert from ANY type of HTTP in ACME.SH, but not renewing part. The version of pfSense, or any proxy has no relation to this bug.
    Really odd that in logs i see my pfsense IPv6 but my domain not pointing to IPv6, and even firewall not open to accept IPv6 in this configuration:

    [Fri Oct 20 14:35:54 EEST 2017] readlink exists=0
    [Fri Oct 20 14:35:54 EEST 2017] dirname exists=0
    [Fri Oct 20 14:35:54 EEST 2017] Lets find script dir.
    [Fri Oct 20 14:35:54 EEST 2017] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
    [Fri Oct 20 14:35:54 EEST 2017] _script='/usr/local/pkg/acme/acme.sh'
    [Fri Oct 20 14:35:54 EEST 2017] _script_home='/usr/local/pkg/acme'
    [Fri Oct 20 14:35:54 EEST 2017] Using config home:/tmp/acme/some.domain.com/
    [Fri Oct 20 14:35:54 EEST 2017] APP
    [Fri Oct 20 14:35:54 EEST 2017] 2:LOG_FILE='/tmp/acme/some.domain.com/acme_issuecert.log'
    [Fri Oct 20 14:35:54 EEST 2017] APP
    [Fri Oct 20 14:35:54 EEST 2017] 3:LOG_LEVEL='3'
    [Fri Oct 20 14:35:54 EEST 2017] LE_WORKING_DIR='/tmp/acme/some.domain.com/'
    [Fri Oct 20 14:35:54 EEST 2017] Using config home:/tmp/acme/some.domain.com/
    [Fri Oct 20 14:35:54 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
    [Fri Oct 20 14:35:54 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
    [Fri Oct 20 14:35:54 EEST 2017] DOMAIN_PATH='/tmp/acme/some.domain.com//some.domain.com'
    [Fri Oct 20 14:35:54 EEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 14:35:54 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 14:35:54 EEST 2017] GET
    [Fri Oct 20 14:35:54 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 14:35:54 EEST 2017] timeout
    [Fri Oct 20 14:35:54 EEST 2017] curl exists=0
    [Fri Oct 20 14:35:54 EEST 2017] wget exists=127
    [Fri Oct 20 14:35:54 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:35:55 EEST 2017] ret='0'
    [Fri Oct 20 14:35:55 EEST 2017] response='{
      "OG7j8ypmhts": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
      "meta": {
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
      },
      "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
      "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Fri Oct 20 14:35:55 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 14:35:55 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 14:35:55 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 1:Le_Domain='some.domain.com'
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 2:Le_Alt='no'
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 3:Le_Webroot='no'
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 4:Le_PreHook=''
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 5:Le_PostHook=''
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 6:Le_RenewHook=''
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 7:Le_API='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 14:35:55 EEST 2017] _on_before_issue
    [Fri Oct 20 14:35:55 EEST 2017] 'no' contains 'no'
    [Fri Oct 20 14:35:55 EEST 2017] nc exists=0
    [Fri Oct 20 14:35:55 EEST 2017] Le_LocalAddress
    [Fri Oct 20 14:35:55 EEST 2017] Check for domain='some.domain.com'
    [Fri Oct 20 14:35:55 EEST 2017] _currentRoot='no'
    [Fri Oct 20 14:35:55 EEST 2017] Standalone mode.
    [Fri Oct 20 14:35:55 EEST 2017] APP
    [Fri Oct 20 14:35:55 EEST 2017] 8:Le_HTTPPort='80'
    [Fri Oct 20 14:35:55 EEST 2017] _checkport='80'
    [Fri Oct 20 14:35:55 EEST 2017] _checkaddr
    [Fri Oct 20 14:35:55 EEST 2017] ss exists=127
    [Fri Oct 20 14:35:55 EEST 2017] netstat exists=0
    [Fri Oct 20 14:35:55 EEST 2017] Using: netstat
    [Fri Oct 20 14:35:55 EEST 2017] 'no' does not contain 'apache'
    [Fri Oct 20 14:35:55 EEST 2017] config file is empty, can not read CA_KEY_HASH
    [Fri Oct 20 14:35:55 EEST 2017] _saved_account_key_hash
    [Fri Oct 20 14:35:55 EEST 2017] Using config home:/tmp/acme/some.domain.com/
    [Fri Oct 20 14:35:55 EEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
    [Fri Oct 20 14:35:55 EEST 2017] CA_CONF='/tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/ca.conf'
    [Fri Oct 20 14:35:55 EEST 2017] RSA key
    [Fri Oct 20 14:35:55 EEST 2017] pub_exp='010001'
    [Fri Oct 20 14:35:55 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:55 EEST 2017] xxd exists=127
    [Fri Oct 20 14:35:55 EEST 2017] _URGLY_PRINTF='1'
    [Fri Oct 20 14:35:55 EEST 2017] e='AQAB'
    [Fri Oct 20 14:35:55 EEST 2017] modulus='XXXXX'
    [Fri Oct 20 14:35:55 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:55 EEST 2017] xxd exists=127
    [Fri Oct 20 14:35:55 EEST 2017] _URGLY_PRINTF='1'
    [Fri Oct 20 14:35:56 EEST 2017] n='XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] jwk='{"e": "AQAB", "kty": "RSA", "n": "XXXXX"}'
    [Fri Oct 20 14:35:56 EEST 2017] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 14:35:56 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 14:35:56 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 14:35:56 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 14:35:56 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Fri Oct 20 14:35:56 EEST 2017] AGREEMENT
    [Fri Oct 20 14:35:56 EEST 2017] Registering account
    [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 14:35:56 EEST 2017] payload='{"resource": "new-reg", "agreement": ""}'
    [Fri Oct 20 14:35:56 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:56 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 14:35:56 EEST 2017] Get nonce. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 14:35:56 EEST 2017] GET
    [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
    [Fri Oct 20 14:35:56 EEST 2017] timeout
    [Fri Oct 20 14:35:56 EEST 2017] curl exists=0
    [Fri Oct 20 14:35:56 EEST 2017] wget exists=127
    [Fri Oct 20 14:35:56 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:35:56 EEST 2017] ret='0'
    [Fri Oct 20 14:35:56 EEST 2017] _headers='HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json
    Content-Length: 581
    Replay-Nonce: XXXXX
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Fri, 20 Oct 2017 11:35:58 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 20 Oct 2017 11:35:58 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 14:35:56 EEST 2017] _CACHED_NONCE='XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-reg", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:56 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:56 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
    [Fri Oct 20 14:35:56 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:56 EEST 2017] POST
    [Fri Oct 20 14:35:56 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 14:35:56 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:56 EEST 2017] curl exists=0
    [Fri Oct 20 14:35:56 EEST 2017] wget exists=127
    [Fri Oct 20 14:35:56 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:35:57 EEST 2017] _ret='0'
    [Fri Oct 20 14:35:57 EEST 2017] original='{
      "type": "urn:acme:error:malformed",
      "detail": "Registration key is already in use",
      "status": 409
    }'
    [Fri Oct 20 14:35:57 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Fri, 20 Oct 2017 11:35:59 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 409 Conflict
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 107
    Boulder-Requester: 4940498
    Location: https://acme-staging.api.letsencrypt.org/acme/reg/4940498
    Replay-Nonce: XXXXX
    Expires: Fri, 20 Oct 2017 11:35:59 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 20 Oct 2017 11:35:59 GMT
    Connection: close
    
    '
    [Fri Oct 20 14:35:57 EEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status": 409}'
    [Fri Oct 20 14:35:57 EEST 2017] code='409'
    [Fri Oct 20 14:35:57 EEST 2017] Already registered
    [Fri Oct 20 14:35:57 EEST 2017] _accUri='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
    [Fri Oct 20 14:35:57 EEST 2017] APP
    [Fri Oct 20 14:35:57 EEST 2017] 1:ACCOUNT_URL='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
    [Fri Oct 20 14:35:57 EEST 2017] _tos
    [Fri Oct 20 14:35:57 EEST 2017] Use default tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
    [Fri Oct 20 14:35:57 EEST 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
    [Fri Oct 20 14:35:57 EEST 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
    [Fri Oct 20 14:35:57 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
    [Fri Oct 20 14:35:57 EEST 2017] payload='{"resource": "reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
    [Fri Oct 20 14:35:57 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:57 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 14:35:57 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 14:35:57 EEST 2017] Use _CACHED_NONCE='XXXXX'
    [Fri Oct 20 14:35:57 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 14:35:57 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/reg/4940498", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:57 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 14:35:57 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:57 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX='
    [Fri Oct 20 14:35:57 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX'
    [Fri Oct 20 14:35:57 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:57 EEST 2017] POST
    [Fri Oct 20 14:35:57 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/4940498'
    [Fri Oct 20 14:35:57 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX_XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX-XXXXX_XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:57 EEST 2017] curl exists=0
    [Fri Oct 20 14:35:57 EEST 2017] wget exists=127
    [Fri Oct 20 14:35:57 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:35:58 EEST 2017] _ret='0'
    [Fri Oct 20 14:35:58 EEST 2017] original='{
      "id": 4940498,
      "key": {
        "kty": "RSA",
        "n": "XXXXX",
        "e": "AQAB"
      },
      "contact": [],
      "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
      "initialIp": "some mine IPv6",
      "createdAt": "2017-10-20T10:46:18Z",
      "Status": "valid"
    }'
    [Fri Oct 20 14:35:58 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Fri, 20 Oct 2017 11:36:00 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 202 Accepted
    Server: nginx
    Content-Type: application/json
    Content-Length: 978
    Boulder-Requester: 4940498
    Link: <https: acme-staging.api.letsencrypt.org="" acme="" new-authz="">;rel="next"
    Link: <https: letsencrypt.org="" documents="" le-sa-v1.1.1-august-1-2016.pdf="">;rel="terms-of-service"
    Replay-Nonce: r-XXXXX
    Expires: Fri, 20 Oct 2017 11:36:00 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 20 Oct 2017 11:36:00 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 14:35:58 EEST 2017] response='{"id": 4940498,"key":{"kty":"RSA","n":"XXXXX","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"some mine IPv6","createdAt":"2017-10-20T10:46:18Z","Status":"valid"}'
    [Fri Oct 20 14:35:58 EEST 2017] code='202'
    [Fri Oct 20 14:35:58 EEST 2017] Update account tos info success.
    [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:58 EEST 2017] Calc CA_KEY_HASH='XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] APP
    [Fri Oct 20 14:35:58 EEST 2017] 2:CA_KEY_HASH='XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:58 EEST 2017] ACCOUNT_THUMBPRINT='XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] Read key length:
    [Fri Oct 20 14:35:58 EEST 2017] _createcsr
    [Fri Oct 20 14:35:58 EEST 2017] domain='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] domainlist
    [Fri Oct 20 14:35:58 EEST 2017] csrkey='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.key'
    [Fri Oct 20 14:35:58 EEST 2017] csr='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr'
    [Fri Oct 20 14:35:58 EEST 2017] csrconf='/tmp/acme/some.domain.com//some.domain.com/some.domain.com.csr.conf'
    [Fri Oct 20 14:35:58 EEST 2017] Single domain='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] _is_idn_d='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] _idn_temp
    [Fri Oct 20 14:35:58 EEST 2017] _csr_cn='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] APP
    [Fri Oct 20 14:35:58 EEST 2017] 9:Le_Keylength=''
    [Fri Oct 20 14:35:58 EEST 2017] Getting domain auth token for each domain
    [Fri Oct 20 14:35:58 EEST 2017] Getting webroot for domain='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] _w='no'
    [Fri Oct 20 14:35:58 EEST 2017] _currentRoot='no'
    [Fri Oct 20 14:35:58 EEST 2017] Getting new-authz for domain='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Fri Oct 20 14:35:58 EEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 14:35:58 EEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Fri Oct 20 14:35:58 EEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Fri Oct 20 14:35:58 EEST 2017] Try new-authz for the 0 time.
    [Fri Oct 20 14:35:58 EEST 2017] _is_idn_d='some.domain.com'
    [Fri Oct 20 14:35:58 EEST 2017] _idn_temp
    [Fri Oct 20 14:35:58 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 14:35:58 EEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "some.domain.com"}}'
    [Fri Oct 20 14:35:58 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:58 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 14:35:58 EEST 2017] Use _CACHED_NONCE='r-XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] nonce='r-XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] protected='{"nonce": "r-XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:58 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] base64 single line.
    [Fri Oct 20 14:35:58 EEST 2017] _sig_t='XXXXX/XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX++XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX/XXXXX/XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] sig='XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'
    [Fri Oct 20 14:35:58 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:58 EEST 2017] POST
    [Fri Oct 20 14:35:58 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Fri Oct 20 14:35:58 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX-XXXXX-XXXXX-XXXXX--XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"}'
    [Fri Oct 20 14:35:58 EEST 2017] curl exists=0
    [Fri Oct 20 14:35:58 EEST 2017] wget exists=127
    [Fri Oct 20 14:35:58 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:36:00 EEST 2017] _ret='0'
    [Fri Oct 20 14:36:00 EEST 2017] original='{
      "identifier": {
        "type": "dns",
        "value": "some.domain.com"
      },
      "status": "valid",
      "expires": "2017-11-19T11:27:38Z",
      "challenges": [
        {
          "type": "tls-sni-01",
          "status": "pending",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195865",
          "token": "XXXXX"
        },
        {
          "type": "dns-01",
          "status": "valid",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195866",
          "token": "XXXXX",
          "keyAuthorization": "XXXXX.XXXXX",
          "validationRecord": [
            {
              "hostname": "some.domain.com",
              "port": "",
              "addressesResolved": [],
              "addressUsed": "",
              "addressesTried": []
            }
          ]
        },
        {
          "type": "http-01",
          "status": "pending",
          "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867",
          "token": "XXXXX"
        }
      ],
      "combinations": [
        [
          0
        ],
        [
          2
        ],
        [
          1
        ]
      ]
    }'
    [Fri Oct 20 14:36:00 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Fri, 20 Oct 2017 11:36:01 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 201 Created
    Server: nginx
    Content-Type: application/json
    Content-Length: 1327
    Boulder-Requester: 4940498
    Link: <https: acme-staging.api.letsencrypt.org="" acme="" new-cert="">;rel="next"
    Location: https://acme-staging.api.letsencrypt.org/acme/authz/XXXXX
    Replay-Nonce: XXXXX
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Fri, 20 Oct 2017 11:36:01 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 20 Oct 2017 11:36:01 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 14:36:00 EEST 2017] response='{"identifier":{"type":"dns","value":"some.domain.com"},"status":"valid","expires":"2017-11-19T11:27:38Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195865","token":"XXXXX"},{"type":"dns-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195866","token":"XXXXX","keyAuthorization":"XXXXX.XXXXX","validationRecord":[{"hostname":"some.domain.com","port":"","addressesResolved":[],"addressUsed":"","addressesTried":[]}]},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867","token":"XXXXX"}],"combinations":[[0],[2],[1]]}'
    [Fri Oct 20 14:36:00 EEST 2017] code='201'
    [Fri Oct 20 14:36:00 EEST 2017] The new-authz request is ok.
    [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
    [Fri Oct 20 14:36:00 EEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867","token":"XXXXX"'
    [Fri Oct 20 14:36:00 EEST 2017] token='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867'
    [Fri Oct 20 14:36:00 EEST 2017] keyauthorization='XXXXX.XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip.
    [Fri Oct 20 14:36:00 EEST 2017] keyauthorization='verified_ok'
    [Fri Oct 20 14:36:00 EEST 2017] dvlist='some.domain.com#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867#http-01#no'
    [Fri Oct 20 14:36:00 EEST 2017] vlist='some.domain.com#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/XXXXX/70195867#http-01#no,'
    [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip http-01.
    [Fri Oct 20 14:36:00 EEST 2017] ok, let's start to verify
    [Fri Oct 20 14:36:00 EEST 2017] some.domain.com is already verified, skip http-01.
    [Fri Oct 20 14:36:00 EEST 2017] pid
    [Fri Oct 20 14:36:00 EEST 2017] No need to restore nginx, skip.
    [Fri Oct 20 14:36:00 EEST 2017] _clearupdns
    [Fri Oct 20 14:36:00 EEST 2017] skip dns.
    [Fri Oct 20 14:36:00 EEST 2017] Verify finished, start to sign.
    [Fri Oct 20 14:36:00 EEST 2017] i='2'
    [Fri Oct 20 14:36:00 EEST 2017] j='15'
    [Fri Oct 20 14:36:00 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 14:36:00 EEST 2017] payload='{"resource": "new-cert", "csr": "XXXXX"}'
    [Fri Oct 20 14:36:00 EEST 2017] Use cached jwk for file: /tmp/acme/some.domain.com//ca/acme-staging.api.letsencrypt.org/account.key
    [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
    [Fri Oct 20 14:36:00 EEST 2017] payload64='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] _request_retry_times='0'
    [Fri Oct 20 14:36:00 EEST 2017] Use _CACHED_NONCE='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] nonce='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] protected='{"nonce": "XXXXX", "url": "https://acme-staging.api.letsencrypt.org/acme/new-cert", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}'
    [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
    [Fri Oct 20 14:36:00 EEST 2017] protected64='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
    [Fri Oct 20 14:36:00 EEST 2017] _sig_t='XXXXX+XXXXX+XXXXX+XXXXX/XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX+XXXXX/XXXXX+XXXXX+XXXXX+XXXXX='
    [Fri Oct 20 14:36:00 EEST 2017] sig='XXXXX'
    [Fri Oct 20 14:36:00 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 14:36:00 EEST 2017] POST
    [Fri Oct 20 14:36:00 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Fri Oct 20 14:36:00 EEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "XXXXX"}}, "protected": "XXXXX", "payload": "XXXXX", "signature": "XXXXX"}'
    [Fri Oct 20 14:36:00 EEST 2017] curl exists=0
    [Fri Oct 20 14:36:00 EEST 2017] wget exists=127
    [Fri Oct 20 14:36:00 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:36:00 EEST 2017] base64 single line.
    [Fri Oct 20 14:36:01 EEST 2017] _ret='0'
    [Fri Oct 20 14:36:01 EEST 2017] original='XXXXX'
    [Fri Oct 20 14:36:01 EEST 2017] responseHeaders='HTTP/1.1 100 Continue
    Expires: Fri, 20 Oct 2017 11:36:02 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 201 Created
    Server: nginx
    Content-Type: application/pkix-cert
    Content-Length: 1254
    Boulder-Requester: 4940498
    Link: <https: acme-staging.api.letsencrypt.org="" acme="" issuer-cert="">;rel="up"
    Location: https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX
    Replay-Nonce: XXXXX
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Fri, 20 Oct 2017 11:36:03 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 20 Oct 2017 11:36:03 GMT
    Connection: keep-alive
    
    '
    [Fri Oct 20 14:36:01 EEST 2017] response='XXXXX'
    [Fri Oct 20 14:36:01 EEST 2017] code='201'
    [Fri Oct 20 14:36:01 EEST 2017] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 10:Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/XXXXX'
    [Fri Oct 20 14:36:01 EEST 2017] base64 multiline:'multiline'
    [Fri Oct 20 14:36:01 EEST 2017] Cert success.
    [Fri Oct 20 14:36:01 EEST 2017] Your cert is in  /tmp/acme/some.domain.com//some.domain.com/some.domain.com.cer
    [Fri Oct 20 14:36:01 EEST 2017] Your cert key is in  /tmp/acme/some.domain.com//some.domain.com/some.domain.com.key
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 4:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/'
    [Fri Oct 20 14:36:01 EEST 2017] Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 11:Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
    [Fri Oct 20 14:36:01 EEST 2017] _link_issuer_retry='0'
    [Fri Oct 20 14:36:01 EEST 2017] GET
    [Fri Oct 20 14:36:01 EEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
    [Fri Oct 20 14:36:01 EEST 2017] timeout
    [Fri Oct 20 14:36:01 EEST 2017] curl exists=0
    [Fri Oct 20 14:36:01 EEST 2017] wget exists=127
    [Fri Oct 20 14:36:01 EEST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/some.domain.com//http.header '
    [Fri Oct 20 14:36:01 EEST 2017] ret='0'
    [Fri Oct 20 14:36:01 EEST 2017] base64 multiline:'multiline'
    [Fri Oct 20 14:36:01 EEST 2017] The intermediate CA cert is in  /tmp/acme/some.domain.com//some.domain.com/ca.cer
    [Fri Oct 20 14:36:01 EEST 2017] And the full chain certs is there:  /tmp/acme/some.domain.com//some.domain.com/fullchain.cer
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 12:Le_CertCreateTime='1508499361'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 13:Le_CertCreateTimeStr='Fri Oct 20 11:36:01 UTC 2017'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 14:Le_NextRenewTimeStr='Tue Dec 19 11:36:01 UTC 2017'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 15:Le_NextRenewTime='1513596961'
    [Fri Oct 20 14:36:01 EEST 2017] _on_issue_success
    [Fri Oct 20 14:36:01 EEST 2017] '' does not contain 'dns'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 16:Le_RealCertPath=''
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 17:Le_RealCACertPath=''
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 18:Le_RealKeyPath=''
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 19:Le_ReloadCmd='/tmp/acme/some.domain.com/reloadcmd.sh'
    [Fri Oct 20 14:36:01 EEST 2017] APP
    [Fri Oct 20 14:36:01 EEST 2017] 20:Le_RealFullChainPath=''
    [Fri Oct 20 14:36:01 EEST 2017] Run reload cmd: /tmp/acme/some.domain.com/reloadcmd.sh
    [Fri Oct 20 14:36:02 EEST 2017] Reload success</https:></https:></https:></https:>
    


  • I'm using ACME 0.1.20 and HAProxy 0.52_14. This works for me, with some performance issues:

    • HAProxy Frontend *.80 doese the redirect to my https backend 127.0.0.1:12345 (pfsense WebUI), with acl for beginning path "/.well-known".

    • ACME uses Domain SAN List Method "webroot local folder". I use this setup for two different domains (two certificates)

    • HAProxy Frontend *443 does SNI to their backends, using issued ACME certificates

    • HAProxy redirect Backend for Cert A does a redirect to a Dummy Frontend 127.0.0.1:2300

    • HAProxy Dummy Frontend 127.0.0.1:2300 does SSL Offloading (with cert A) and directs to my real Backend A

    • HAProxy Backend A does some ACLs and points to my backend Serverfrarm  A

    • HAProxy Backend for Cert B does a redirect to a Dummy Frontend 127.0.0.1:2301

    • HAProxy Dummy Frontend 127.0.0.1:2301 does SSL Offloading (with cert B) and directs to my real Backend B

    • HAProxy Backend B does some ACLs and points to my backend Serverfrarm B

    • repeatingly the last three points does the magic for every hosted https Webpage/-application in DMZ



  • Try to issue new certificate for domain (not renew existing), and you see about what I'am saying. I'm posted issue on github, maube Neilpang fix the issue.
    https://github.com/Neilpang/acme.sh/issues/1078



  • Find problem, described bug here:
    https://forum.pfsense.org/index.php?topic=138617.0


  • Rebel Alliance Developer Netgate

    A new version of the ACME package will be available later today which should correct this.


Log in to reply