Acme/LE help



  • I'm trying to get an LE certificate following the instructions here. I'm trying to set up nsupdate for validation as recommended, but I don't know what to paste into the KEY field.

    Every time I try to generate a certificate I get a null key error.



  • Hi,

    You missed this part:

    Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain …

    just above.

    Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
    The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.



  • @Gertjan:

    Hi,

    You missed this part:

    Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain …

    just above.

    Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
    The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.

    Thanks, but that info is all completely over my head. 😁
    I'm using Namecheap for DNS, so I'm guessing that doesn't qualify as "directly controlled"?

    Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.



  • @wgstarks:

    Thanks, but that info is all completely over my head. 😁
    I'm using Namecheap for DNS, so I'm guessing that doesn't qualify as "directly controlled"?

    Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.

    The dns-nsupdate method is useful when you control your domain on your own DNS server, like bind (named) on your own server or VPS. You'll be needing root access.
    Namecheap, however, needs a special API, I guess, as many other DNS hosts offer.
    Namecheap has been discussed on the forum already, like here (a couple of lines below): Let's Encrypt w Acme package working, but not ideal.

    edit: and the conclusion is: probably not possible.



  • I thought I finally got things working using the haproxy method but there is still a timeout error.

    LE_Cert
    Renewing certificate
    account: LE_Cert 
    server: letsencrypt-production 
    
    /usr/local/pkg/acme/acme.sh --issue -d 'dahoney.me' --home '/tmp/acme/LE_Cert/' --accountconf '/tmp/acme/LE_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Cert/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/LE_Cert/acme_issuecert.log'
    
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [folder] => /tmp/haproxy_chroot/.well-known/acme-challenge/
    )
    [Sun Dec 3 17:34:15 EST 2017] Single domain='dahoney.me'
    [Sun Dec 3 17:34:15 EST 2017] Getting domain auth token for each domain
    [Sun Dec 3 17:34:15 EST 2017] Getting webroot for domain='dahoney.me'
    [Sun Dec 3 17:34:15 EST 2017] Getting new-authz for domain='dahoney.me'
    [Sun Dec 3 17:34:21 EST 2017] The new-authz request is ok.
    [Sun Dec 3 17:34:21 EST 2017] Verifying:dahoney.me
    [Sun Dec 3 17:34:21 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh
    
    challenge_response_put LE_Cert, dahoney.me
    FOUND domainitemwebroot
    put token at: /tmp/haproxy_chroot/.well-known/acme-challenge//<redacted>
    [Sun Dec 3 17:34:25 EST 2017] Pending
    [Sun Dec 3 17:34:28 EST 2017] Pending
    [Sun Dec 3 17:34:31 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh
    [Sun Dec 3 17:34:30 EST 2017] dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout
    [Sun Dec 3 17:34:31 EST 2017] Please check log file for more details: /tmp/acme/LE_Cert/acme_issuecert.log
    

    What did I miss?



  • This:

    dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout

    A "request" has been sent from the LE server, and "http://dahoney.me/.well-known/acme-challenge" did not bring back the right reply.
    This means:
    dahoney.me has to resolve to the IP your pfSense is using.
    Port 80 has to be open.
    etc. (see the acme/le manual about the subject).
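    The checks listed above can be run before asking Let's Encrypt again. The script below is an added example written for this thread; it is not code from the thread, from the pfSense ACME package or from acme.sh. It does what the CA's validation server does: resolves the name, puts a throwaway token in the webroot (the haproxy chroot path from the log above is assumed; edit WEBROOT for another setup), fetches it over plain HTTP on port 80 and compares the body. It also pulls the "Verify error" line out of acme.sh output and maps a Timeout to its usual cause. The resolver and fetcher are injectable so the checker can be dry-run offline; the WAN address and the sample log lines are taken from the command line and from the thread respectively.

    ```python
    #!/usr/bin/env python3
    """Pre-flight check for an ACME HTTP-01 challenge (added example, not from
    the thread, the pfSense ACME package or acme.sh).  Repeats the CA's request:
    resolve the name, then GET http://<domain>/.well-known/acme-challenge/<token>
    and compare the body with the file placed in the webroot."""
    import os
    import re
    import secrets
    import socket
    import sys
    import tempfile
    import urllib.request

    CHALLENGE_DIR = ".well-known/acme-challenge"
    WEBROOT = "/tmp/haproxy_chroot"  # path from the thread's log; assumed, adjust to your setup

    def challenge_url(domain, token):
        return f"http://{domain}/{CHALLENGE_DIR}/{token}"

    def resolve_a(domain):
        """IPv4 addresses the local resolver returns for domain (sorted, de-duplicated)."""
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})

    def fetch_http(url, timeout=10):
        """Plain HTTP GET on port 80, the way the CA's validation server fetches the token."""
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")

    def local_webroot_fetcher(webroot):
        """Dry-run stand-in for fetch_http: reads the token file straight out of the
        webroot, which is what a correctly configured frontend would serve."""
        def fetch(url):
            token = url.rsplit("/", 1)[1]
            with open(os.path.join(webroot, CHALLENGE_DIR, token)) as f:
                return f.read()
        return fetch

    def scratch_webroot():
        """Throwaway directory for dry-running the checker itself."""
        return tempfile.mkdtemp(prefix="acme-precheck-")

    def http01_precheck(domain, expected_ip, webroot=WEBROOT,
                        resolver=resolve_a, fetcher=fetch_http):
        """Return (ok, findings); each finding is one reason the CA's request would fail."""
        findings = []
        try:
            addrs = resolver(domain)
        except OSError as e:  # socket.gaierror is an OSError
            return False, [f"DNS: {domain} does not resolve: {e}"]
        if expected_ip not in addrs:
            findings.append(f"DNS: {domain} resolves to {addrs}, not to {expected_ip}")
        if len(addrs) > 1:
            findings.append(f"DNS: {len(addrs)} A records {addrs}; every one of them must serve the challenge")
        # Drop a throwaway token exactly where acme.sh would write the real one.
        token = secrets.token_urlsafe(16)
        path = os.path.join(webroot, CHALLENGE_DIR, token)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(token)
        try:
            body = fetcher(challenge_url(domain, token))
            if body.strip() != token:
                findings.append("HTTP: port 80 answered, but with other content (wrong backend, redirect or error page)")
        except OSError as e:  # URLError, timeouts and connection errors are all OSError subclasses
            findings.append(f"HTTP: GET {challenge_url(domain, token)} failed: {e} "
                            "(port 80 closed or not forwarded, or the frontend does not serve the webroot)")
        finally:
            os.remove(path)
        return not findings, findings

    VERIFY_ERROR = re.compile(r"Verify error:Fetching (?P<url>\S+): (?P<reason>.+)$")
    HINTS = {"Timeout": "nothing answered on port 80 at the address the name resolves to",
             "Connection refused": "the address answered, but nothing listens on port 80"}

    # Two lines of the acme.sh output quoted in the thread, used as sample input.
    SAMPLE_LOG = """\
    [Sun Dec 3 17:34:28 EST 2017] Pending
    [Sun Dec 3 17:34:30 EST 2017] dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout
    """

    def diagnose_acme_log(text):
        """Find the 'Verify error' line in acme.sh output; return (url, reason, hint) or None."""
        for line in text.splitlines():
            m = VERIFY_ERROR.search(line)
            if m:
                reason = m.group("reason").strip()
                hint = next((h for k, h in HINTS.items() if reason.startswith(k)),
                            "see acme_issuecert.log for the CA's full error")
                return m.group("url"), reason, hint
        return None

    if __name__ == "__main__":
        print(diagnose_acme_log(SAMPLE_LOG))
        if len(sys.argv) == 3:  # usage: python3 precheck.py dahoney.me <WAN address>
            ok, findings = http01_precheck(sys.argv[1], sys.argv[2])
            print("OK: the CA should be able to fetch the token" if ok else "\n".join(findings))
    ```

    Run it on the pfSense box as `python3 precheck.py dahoney.me <WAN address>`; an empty findings list means the name, the port-80 forward and the haproxy frontend all line up the way the CA expects. The fetch is made from inside your own network, so a test that passes here but a CA that still times out points at something between the internet and the WAN side (an upstream filter, a proxy in front of the name, or a second A record the CA picked).
    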



  • Doesn't haproxy open the port when it runs?



  • I don't know ^^ I guess not.
    When I 'surf' to "http://dahoney.me/" I'm smacked with a huge "Cloudflare error"; better make that work first.
    Also: 2 A and AAAA records! Multi-WAN?

    I'm using "LE + nsupdate"; I hope haproxy users will chime in.

    edit: a start: https://forum.pfsense.org/index.php?topic=140857.0 - two forum lines away.



  • I'm in the middle of switching my DNS servers from Namecheap to Cloudflare, just waiting for the changes to take effect (up to 24 hrs). I plan to try authentication using a TXT record.

    Not sure why you're seeing multiple A records? I have one A record and a couple of CNAMEs. Maybe something due to the changing DNS servers? I do see a bunch of MX records, which seems strange since I'm not running any email on this site. Currently just planning to use it for VPN. Maybe the MX records are just placeholders?

