    ACME Package Updates 0.1.31-0.1.34

    • jimp
      jimp Rebel Alliance Developer Netgate last edited by

      I have made some updates to the ACME package over the last few days, including:

      0.1.31: Convert ACME's nsupdate method to use the more reliable ddns-confgen key file syntax. Also add an optional key name field to the nsupdate method which should allow zone keys to work. Existing entries need no modifications.
      0.1.32: Update acme.sh to 2.7.6; add new providers from acme.sh: INWX.de, Servercow, and UnoEuro
      0.1.33: Add a checkbox to standalone http/tls modes to optionally bind to IPv6 instead of IPv4. Implements #7519
      0.1.34: Add an ACME option to write certificates to the filesystem on install/renew. Implements #7706

      If any problems come up, let me know, thanks!

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

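The 0.1.31 entry mentions the ddns-confgen key file syntax without showing it. The POSIX shell below is an added example, not code from acme.sh or from the pfSense package: it writes a TSIG key file in the syntax ddns-confgen emits (which nsupdate -k reads directly) and builds the kind of nsupdate batch a DNS-01 challenge needs, replacing the _acme-challenge TXT record under its unchanged name. The server, zone, key name, secret and token values are constructed placeholders; the key name must be whichever name the DNS server has the key (or zone key) configured under.

```shell
#!/bin/sh
# Added example, not code from acme.sh or the pfSense ACME package: the two
# inputs an nsupdate-based DNS-01 challenge works with, a TSIG key file in the
# syntax ddns-confgen emits and the nsupdate command batch that swaps the
# _acme-challenge TXT record. Server, zone, key name, secret and token values
# are constructed placeholders.

set -eu

# Write a key file in ddns-confgen syntax; nsupdate -k reads this format.
# The secret is base64 and must match the key on the DNS server. The file is
# created mode 600 (umask in a subshell) because it holds that secret.
write_ddns_key_file() {
    path=$1; key_name=$2; algorithm=$3; secret=$4
    (
        umask 077
        printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
            "$key_name" "$algorithm" "$secret" > "$path"
    )
}

# Print the nsupdate batch. The old record is deleted before the new one is
# added: on renewal the record name is the same but the token differs, and a
# leftover TXT value would make validation unpredictable.
challenge_update_batch() {
    server=$1; zone=$2; fqdn=$3; token=$4
    printf 'server %s\nzone %s\nupdate delete _acme-challenge.%s. TXT\nupdate add _acme-challenge.%s. 60 TXT "%s"\nsend\n' \
        "$server" "$zone" "$fqdn" "$fqdn" "$token"
}

# Send the batch to the server. Needs nsupdate from the BIND tools, so this
# part is not exercised by the example's own self-checks.
publish_challenge() {
    key_file=$1; server=$2; zone=$3; fqdn=$4; token=$5
    challenge_update_batch "$server" "$zone" "$fqdn" "$token" | nsupdate -k "$key_file"
}

# Typical use (assumed values):
# write_ddns_key_file /path/to/acme.key acme-key hmac-sha256 'BASE64SECRET=='
# publish_challenge /path/to/acme.key ns1.example.net example.net fw.example.net TOKEN
```

Checking the resulting key file permissions on the firewall is worth doing after any change to the key handling: the secret in it is enough to rewrite the zone for anyone who can read it.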
      • M
        michaelschefczyk last edited by

        Dear Jim,

        Thank you very much! Being able to easily read and use the certificates from the LAN side is great!

        There is just one more idea you might want to consider: One may run a cluster of webservers in different locations (I do that with two locations connected by VPN, webroot files shared via gluster and a galera cluster across locations). HAProxy and ACME on pfsense is a good frontend to that. Presently, one practically (i.e., without very substantial custom scripting) needs to generate one set of ACME certificates per location. It would be great if one could synchronize the certificates to the secondary location one way or the other. This might be accomplished by XMLRPC Sync like in freeradius or by a way to feed certificates into the certificate manager on the other side - running a script to regularly check /conf/acme/ and copy selected content to another pfsense device should be simple enough.

        Regards,

        Michael Schefczyk

        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          Trying to xmlrpc sync them elsewhere is unlikely to be viable in that way.

          Using the filesystem option and having another script copy them out (to or from) the firewall from that point is probably best. Given the wide range of time between renewals and expiration there isn't any time pressure for that to happen immediately like a sync would do.

          • M
            michaelschefczyk last edited by

            Dear Jim,

            Transporting the certificate files based on scripts outside pfSense appears to be relatively easy to me. As you wrote, daily cron jobs would be sufficient. A bigger hurdle is to upload the certificate to the target system. One would have to replace a given certificate by its successor without changing the name. Is there a good way to execute such a job, for example from the command line via SSH?

            Regards,

            Michael Schefczyk

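Jim's suggestion above (use the filesystem option and let a cron script copy the files to or from the firewall) and Michael's follow-up (replace a certificate by its successor without changing its name, driven over SSH) describe one procedure. The POSIX shell below is an added example, not code from the ACME package or from anyone in this thread, and it runs on whichever host holds the exported files. The export directory, state directory, remote host, remote directory and reload command are assumptions (the thread does not give the export path), and key-based non-interactive SSH to the secondary is assumed to be set up already.

```shell
#!/bin/sh
# Added example, not code from the ACME package or from this thread: push the
# certificate files written by the 0.1.34 filesystem option to a secondary
# host, but only when their content actually changed, and swap each renewed
# file in under its existing name. Every path, host name and the reload
# command below is an assumption.

set -eu

# Content digest with POSIX cksum (CRC and byte count). A renewal that keeps
# the file name but changes the bytes is detected; an unchanged rewrite with a
# fresh mtime is not re-sent.
file_digest() {
    cksum < "$1"
}

# Print the names of files in SRC_DIR that have no copy in STATE_DIR or whose
# content differs from it. ACME output file names contain no whitespace, which
# the loop in sync_certs relies on.
changed_cert_files() {
    src_dir=$1
    state_dir=$2
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$state_dir/$name" ] ||
           [ "$(file_digest "$f")" != "$(file_digest "$state_dir/$name")" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Refuse to ship a private key readable by group or others: a loosely
# permissioned key on the firewall is a defect to fix in place, not something
# to replicate. ls -l is used so this works on both FreeBSD and Linux.
key_mode_ok() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy each changed file to REMOTE_HOST:REMOTE_DIR, record the shipped version
# in STATE_DIR and print how many files were pushed.
sync_certs() {
    src_dir=$1; state_dir=$2; remote_host=$3; remote_dir=$4
    mkdir -p "$state_dir"
    pushed=0
    for name in $(changed_cert_files "$src_dir" "$state_dir"); do
        case "$name" in
            *.key)
                if ! key_mode_ok "$src_dir/$name"; then
                    echo "skipping $name: private key is not mode 600/400" >&2
                    continue
                fi ;;
        esac
        # Upload under a temporary name, then rename on the far side, so the
        # service never sees a half-written certificate under the live name.
        scp -q -o BatchMode=yes "$src_dir/$name" "$remote_host:$remote_dir/$name.new"
        ssh -o BatchMode=yes "$remote_host" "mv -f '$remote_dir/$name.new' '$remote_dir/$name'"
        cp "$src_dir/$name" "$state_dir/$name"
        pushed=$((pushed + 1))
    done
    if [ "$pushed" -gt 0 ]; then
        # Placeholder: whatever reloads the consumer on the secondary (HAProxy here).
        ssh -o BatchMode=yes "$remote_host" "service haproxy reload"
    fi
    echo "$pushed"
}

# Example cron invocation (all four arguments are assumed values):
# sync_certs /path/to/acme-export /var/db/acme-sync backup-fw.example.net /usr/local/etc/ssl
```

Keeping a state copy rather than comparing timestamps is what makes "same name, new content" the trigger, and a daily run is plenty given the gap between renewal and expiry that Jim points out. Restricting the SSH key used for the copy to the secondary's target directory (for example with a forced command) limits what a compromise of the firewall-side script could do on the other box.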
            • M
              maverick_slo last edited by

              Hello!
              Acme2 is out and wildcard certs (test) as well.
              Acme.sh also supports new v2 protocol.
              Can we expect a package update before Feb 27th?
              Thanks!

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                v2 is not "out" yet, there is a staging server for it.

                I just synchronized to the latest acme.sh code on the 5th but their v2 support is still in a separate branch.

                We won't be adding support until at least they merge it into their master branch. It's still super early and there isn't any practical use for it yet, the v2 staging servers are not trusted by anyone either.

                tl;dr: We'll support it when it's ready, and it isn't ready yet, but we are keeping a very close eye on it.

                • M
                  maverick_slo last edited by

                  Thanks, perfect answer 😊

                  • S
                    shan52 last edited by

                    Hi, I am new to Pfsense. What is ACME?

                    • Gertjan
                      Gertjan last edited by

                      @shan52:

                      Hi, I am new to Pfsense. What is ACME?

                      Check out ACME.
                      It's also the name of a pfSense package.
                      I advise you also to start reading here https://letsencrypt.org/

                      Edit: stupid me, I replied to a spammer…

                      No "help me" PM's please. Use the forum.

                      • H
                        hakkers last edited by

                        Hi Jimp,

                        Just upgraded to version 0.1.34 (on pfSense 2.3.5_p1); on a manual 'Issue/Renew' I'm now getting:

                        [Thu Jan 11 20:32:39 CET 2018] Verifying:jetmix.nl
                        [Thu Jan 11 20:32:39 CET 2018] Standalone mode server
                        echo: write error on stdout
                        echo: write error on stdout
                        echo: write error on stdout
                        echo: write error on stdout
                        [Thu Jan 11 20:32:43 CET 2018] jetmix.nl:Verify error:Invalid response from ...
                        

                        Edit: I revisited the config and saved it once more, now the error is gone… solved.

                        • jimp
                          jimp Rebel Alliance Developer Netgate last edited by

                          Hmm, I'll have to set up a test for that. I have tested standalone mode (IPv4 and IPv6) on 2.4.x but I didn't test it on 2.3.x. I don't immediately see what would make a difference or cause that error, however.

                          • H
                            hakkers last edited by

                            Hi Jimp,
                            Edited my original post: a revisit of the config and save solved the problem.

                            Thanks for the reply.

                            • jimp
                              jimp Rebel Alliance Developer Netgate last edited by

                              ok, thanks!

                              • P
                                packetman_ last edited by

                                I've been attempting to get this working for the past few days now.
                                At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confirm that the packets are not blocked by the firewall due to my permit statement having hits.
                                I am getting the error:
                                Error, can not get domain token fw.pardigital.net

                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  @packetman_:

                                  I've been attempting to get this working for the past few days now.
                                  At first I was trying on IPv4 and kept getting 400 timeouts. Now I am attempting on my IPv6 address, and can confirm that the packets are not blocked by the firewall due to my permit statement having hits.
                                  I am getting the error:
                                  Error, can not get domain token fw.pardigital.net

                                  That's actually the script unable to parse a response back from ACME, and not something local failing. There must be something in the response they are sending that is different for that domain or unexpected in some way. The code around where that message is triggered hasn't changed in nearly a year or more. Please start a new thread to investigate that on its own since it doesn't appear to be related to this update.

                                  • P
                                    packetman_ last edited by

                                    Of course this isn't a general discussion thread, my mistake.
