    Acme/LE help

    • wgstarks

      I'm trying to get LE certificate following the instructions here. I'm trying to set nsupdate for validation as recommended, but I don't know what to paste into the KEY field.

      Every time I try to generate a certificate I get a null key error.

      Box: SG-4200

      • Gertjan

        Hi,

        You missed this part :

        Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain …

        just above.

        Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
        The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • wgstarks

          @Gertjan:

          Hi,

          You missed this part :

          Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain …

          just above.

          Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
          The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.

          Thanks but that info is all completely over my head.😁
          I’m using Namecheap for DNS so guessing that that doesn’t qualify as “directly controlled”?

          Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.

          Box: SG-4200

          • Gertjan

            @wgstarks:

            Thanks but that info is all completely over my head.😁
            I’m using Namecheap for DNS so guessing that that doesn’t qualify as “directly controlled”?

            Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.

            The dns-nsupdate method is useful when you control your domain on your own DNS server - like bind (named) on your own server or VPS. You'll be needing root access.
            Namecheap, however, needs a special API I guess, as many other DNS hosts offer.
            Namecheap has been discussed on the forum already, like here (a couple of lines below): Let's Encrypt w/ Acme package working, but not ideal.

            edit : and the conclusion is : probably not possible.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • wgstarks

              I thought I finally got things working using the haproxy method but there is still a timeout error.

              LE_Cert
              Renewing certificate
              account: LE_Cert
              server: letsencrypt-production

              /usr/local/pkg/acme/acme.sh --issue -d 'dahoney.me' --home '/tmp/acme/LE_Cert/' --accountconf '/tmp/acme/LE_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Cert/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/LE_Cert/acme_issuecert.log'

              Array
              (
              [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
              [folder] => /tmp/haproxy_chroot/.well-known/acme-challenge/
              )
              [Sun Dec 3 17:34:15 EST 2017] Single domain='dahoney.me'
              [Sun Dec 3 17:34:15 EST 2017] Getting domain auth token for each domain
              [Sun Dec 3 17:34:15 EST 2017] Getting webroot for domain='dahoney.me'
              [Sun Dec 3 17:34:15 EST 2017] Getting new-authz for domain='dahoney.me'
              [Sun Dec 3 17:34:21 EST 2017] The new-authz request is ok.
              [Sun Dec 3 17:34:21 EST 2017] Verifying:dahoney.me
              [Sun Dec 3 17:34:21 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh

              challenge_response_put LE_Cert, dahoney.me
              FOUND domainitemwebroot
              put token at: /tmp/haproxy_chroot/.well-known/acme-challenge//<redacted>
              [Sun Dec 3 17:34:25 EST 2017] Pending
              [Sun Dec 3 17:34:28 EST 2017] Pending
              [Sun Dec 3 17:34:31 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh
              [Sun Dec 3 17:34:30 EST 2017] dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout
              [Sun Dec 3 17:34:31 EST 2017] Please check log file for more details: /tmp/acme/LE_Cert/acme_issuecert.log


              What did I miss?

              Box: SG-4200

              • Gertjan

                This :

                dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout

                A "request" has been sent from the LE server, and "http://dahoney.me/.well-known/acme-challenge" did not bring back the right reply.
                This means :
                dahoney.me has to resolve to the IP your pfSense is using.
                Port 80 has to be open.
                etc. (see the acme/le manual about the subject).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • wgstarks
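A pre-flight check for the two conditions named in the reply above (the domain must resolve to the pfSense WAN address, and the challenge URL must be fetchable on port 80), written as an added example for this thread; it is not pfSense ACME package or acme.sh code. The webroot path is taken from the posted log; the WAN address, the resolver and the fetch hook are assumptions so the check can be exercised without network access.

```python
"""Pre-flight check for the pfSense ACME package's HTTP-01 (webroot) challenge.
Added example for this thread, not pfSense or acme.sh code. It tests the two
conditions named in the reply above: the domain must resolve to the pfSense WAN
address, and http://<domain>/.well-known/acme-challenge/<token> must be fetchable.
WEBROOT is from the posted log; the WAN address, resolver and fetch hooks are
assumptions so the check can be exercised without network access."""
import os
import secrets
import socket
import urllib.request

WEBROOT = "/tmp/haproxy_chroot/.well-known/acme-challenge/"  # path from the posted log

def resolve_a(domain, resolver=socket.getaddrinfo):
    """Return the set of IPv4 addresses the domain currently resolves to."""
    infos = resolver(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_dns(domain, wan_ip, resolver=socket.getaddrinfo):
    """Let's Encrypt must reach pfSense, so every A record must be the WAN address."""
    ips = resolve_a(domain, resolver)
    if wan_ip not in ips:
        return False, f"{domain} resolves to {sorted(ips)}, not the WAN address {wan_ip}"
    if len(ips) > 1:
        return False, f"{domain} has extra A records {sorted(ips)}; LE may hit a host that is not pfSense"
    return True, "dns ok"

def _http_get(url, timeout):
    """Plain HTTP fetch, the way the LE validation server requests the token."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()

def check_http(domain, webroot=WEBROOT, fetch=_http_get, timeout=10):
    """Drop a throwaway token into the webroot and fetch it the way LE would."""
    token = secrets.token_urlsafe(16)
    os.makedirs(webroot, exist_ok=True)
    path = os.path.join(webroot, token)
    with open(path, "w") as f:
        f.write(token)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        body = fetch(url, timeout)
    except Exception as exc:  # a TimeoutError here is the "Verify error ... Timeout" from the log
        return False, f"fetching {url}: {type(exc).__name__}: {exc}"
    finally:
        os.remove(path)  # never leave the test token behind in the chroot
    if body.strip() != token:
        return False, f"{url} returned something other than the token (wrong backend or redirect?)"
    return True, "http ok"
```

Run `check_dns("dahoney.me", "<your WAN IP>")` and `check_http("dahoney.me")` from a host outside your LAN before clicking Issue; a second A record or a Cloudflare error page will show up here as a failed check rather than as an acme.sh timeout.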

                  Doesn't haproxy open the port when it runs?

                  Box: SG-4200

                  • Gertjan

                    I don't know ^^ I guess not.
                    When I 'surf' to "http://dahoney.me/" I'm smacked with a huge "Cloudflare error", better make that work first.
                    Also : 2 A and AAAA records ! Multiwan ?

                    I'm using "LE + nsupdate" - I hope haproxy users will chime in.

                    edit : a start : https://forum.pfsense.org/index.php?topic=140857.0 - two forum lines away.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • wgstarks

                      I’m in the middle of switching my DNS servers from Namecheap to Cloudflare, just waiting for the changes to take effect (up to 24 hrs). Plan to try authentication using txt record.

                      Not sure why you’re seeing multiple A records? I have one A record and a couple of CNAME’s. Maybe something due to the changing DNS servers? I do see a bunch of MX records which seems strange since I’m not running any email on this site. Currently just planning to use it for VPN. Maybe the MX records are just placeholders?

                      Box: SG-4200
