[Solved] Bug in ACME 0.1.20 package



  • Hi, I already wrote in posts that ACME 0.1.20 has broken HTTP methods.
    Today I worked out why; maybe I am wrong, but for me it is the only way that fixed the situation when I try to issue a certificate by the HTTP webroot method.
    In the file /usr/local/pkg/acme/acme_sh.inc, line 146 of the code is:

    $cmdparameters = " --webroot pfSenseacme";
    

    As I understand it, this parameter must take the info from the RootFolder line entered in the webConfigurator, but it does not do this. If I change this line to:

    $cmdparameters = " --webroot '/tmp/haproxy_chroot/'";
    

    everything begins working.
    The second part is that the developer of ACME.SH said to me:
    "If you want your standalone HTTP\HTTPS to work properly, you must update acme.sh to the last version (on pfSense it is now 2.7.3, latest is 2.7.4), and you must install the socat pkg."
    Maybe you can add the socat pkg as a dependency of the ACME pkg. (I do not need this because I use a local webroot folder, but other people may need it.)
    The third part is that the help description about path folders in the webConfigurator of the ACME package is wrong - nothing is better than information that is misleading.



  • @DRago_Angel:

    Hi, I already wrote in posts that ACME 0.1.20 has broken HTTP methods.
    Today I worked out why; maybe I am wrong, but for me it is the only way that fixed the situation when I try to issue a certificate by the HTTP webroot method.
    In the file /usr/local/pkg/acme/acme_sh.inc, line 146 of the code is:

    $cmdparameters = " --webroot pfSenseacme";
    

    As I understand it, this parameter must take the info from the RootFolder line entered in the webConfigurator, but it does not do this. If I change this line to:

    $cmdparameters = " --webroot '/tmp/haproxy_chroot/'";
    

    everything begins working.
    The second part is that the developer of ACME.SH said to me:
    "If you want your standalone HTTP\HTTPS to work properly, you must update acme.sh to the last version (on pfSense it is now 2.7.3, latest is 2.7.4), and you must install the socat pkg."
    Maybe you can add the socat pkg as a dependency of the ACME pkg. (I do not need this because I use a local webroot folder, but other people may need it.)
    The third part is that the help description about path folders in the webConfigurator of the ACME package is wrong - nothing is better than information that is misleading.

    Perfect work, after editing acme_sh.inc everything is working well.


  • Rebel Alliance Developer Netgate

    The ACME package should not be pointing directly to HAProxy's chroot. Lots of people who use the ACME package do not use HAProxy.

    And last I tried this, it worked: https://forum.netgate.com/topic/90643/let-s-encypt-support/32

    The code for webroot hasn't changed in 7 months, it can't be a new problem if that's the place it's failing.



  • I spent 3 days following the manual at https://forum.pfsense.org/index.php?topic=101186.30, tried multiple times with a production server and with a homelab VM, tried many (really many) variants - none of the HTTP methods (standalone and webroot) work now in version 0.1.20 (tested on pfSense 2.3.4, 2.3.4p1 and 2.4.0, and all of the tests were run on a freshly installed OS with only the minimum configuration needed to get acme working in the homelab).
    Here is the developer's message in the acme.sh issue and my chat with him:
    https://github.com/Neilpang/acme.sh/issues/1078#issuecomment-338449604



  • Maybe that code must be updated if it has not been changed in 7 months? Can you please explain how the acme.sh command with the parameter --webroot pfSenseacme must be parsed by acme.sh? Because as I see in the logs with --debug 2, it can't parse this. And second, it is not even creating files in the directory that I point to from the GUI. In my workaround, after running the script via the webGUI, I have the file that haproxy needs in that directory: /tmp/haproxy_chroot/.well-known/acme-challenge



  • @jimp:

    The ACME package should not be pointing directly to HAProxy's chroot. Lots of people who use the ACME package do not use HAProxy.

    Yes, I know that, and because of it I wrote:

    The second part is that the developer of ACME.SH said to me:
    "If you want your standalone HTTP\HTTPS to work properly, you must update acme.sh to the last version (on pfSense it is now 2.7.3, latest is 2.7.4), and you must install the socat pkg."
    Maybe you can add the socat pkg as a dependency of the ACME pkg. (I do not need this because I use a local webroot folder, but other people may need it.)

    Maybe try again to test this case? I am not the only one having trouble with this.


  • Rebel Alliance Developer Netgate

    Please stop. You really do not understand the problem or any potential solution. Stop posting this in other threads, too, where it is obviously incorrect.

    If you want to hack up your own system, feel free, but what you are proposing is not a fix that anyone should do to their own system.


  • Rebel Alliance Developer Netgate

    I found the issue. It was not in the specification of the webroot folder. During the recent acme.sh update, some HTTP API code was removed from acme.sh that the package relies on, so I put it back and now it works again:

    https://github.com/pfsense/FreeBSD-ports/commit/89d58d6676807a2a6090c993b4899407e7b42d7a

    The new package will show up when the builders are restarted, they're paused at the moment for some work on the pending 2.3.5 release.



  • Thank you. And please do not understand me wrong - I only want to help the community.

