Acme/letsencrypt renewed certificates not saved in certmanager, Call hook error



  • Team,
    I am a very happy long-time user of pfSense. In November 2017 I installed acme, created a profile, requested a certificate and used it. Now in 7 days it will expire. I use DNS manual as I did not have time to play with the port 80/443 redirection; they are used for other purposes. So I did issue a new TXT challenge, updated the TXT DNS entry and hit renew. The certificate seemed to renew and I got a new certificate and an info that they were saved in the tmp folder… however, the newly issued certificate was NOT saved in the certificate manager and also the LAST RENEWED stays as it was in November 2017.

    So my question is, where did it go wrong? I can only see the last line saying: Call hook error.
    This is the result of the renew:

    NalzoviceRDP
    Renewing certificate
    account: LetsEncryptNalzovice
    server: letsencrypt-production
    /usr/local/pkg/acme/acme.sh --renew -d 'rdp.domov-nalzovice.cz' --home '/tmp/acme/NalzoviceRDP/' --accountconf '/tmp/acme/NalzoviceRDP/accountconf.conf' --force --reloadCmd '/tmp/acme/NalzoviceRDP/reloadcmd.sh' --dns --log-level 3 --log '/tmp/acme/NalzoviceRDP/acme_issuecert.log'
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    )
    [Thu Feb 22 09:17:25 CET 2018] Renew: 'rdp.domov-nalzovice.cz'
    [Thu Feb 22 09:17:27 CET 2018] Single domain='rdp.domov-nalzovice.cz'
    [Thu Feb 22 09:17:27 CET 2018] Getting domain auth token for each domain
    [Thu Feb 22 09:17:27 CET 2018] Verifying:rdp.domov-nalzovice.cz
    [Thu Feb 22 09:17:35 CET 2018] Success
    [Thu Feb 22 09:17:35 CET 2018] Verify finished, start to sign.
    [Thu Feb 22 09:17:37 CET 2018] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIFDzCCA/egAwIBAgISA7TOCIYAdNQeYJ4QYSwycndpMA0GCSqGSIb3DQEBCwUA
    ---edited----
    TzyoqXofdIk7cmTHR+1N2lSnB7jjpv/3VPzWpjvHLxkN9CrMtwTBuYF8gX1EpdZK
    QDCP
    -----END CERTIFICATE-----
    [Thu Feb 22 09:17:37 CET 2018] Your cert is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.cer
    [Thu Feb 22 09:17:37 CET 2018] Your cert key is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.key
    [Thu Feb 22 09:17:38 CET 2018] The intermediate CA cert is in /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/ca.cer
    [Thu Feb 22 09:17:38 CET 2018] And the full chain certs is there: /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/fullchain.cer
    [Thu Feb 22 09:17:38 CET 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
    [Thu Feb 22 09:17:38 CET 2018] Call hook error.

    Any idea?

    I saw this post, but it does not really give any solution:
    https://forum.pfsense.org/index.php?topic=143663.msg785030#msg785030

    …and I am on latest versions of everything.
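
    A small triage helper for output like the above, added here as an example and not part of the original post or of the pfSense ACME package: it parses the lines acme.sh prints during a renew, records whether a certificate was actually obtained, where acme.sh wrote the files, and whether the run ended in "Call hook error", so an operator can tell "renewal failed" apart from "renewed, but not imported into the certificate manager". The sample output is a constructed copy of the post's log with the domain and home directory replaced by placeholders (rdp.example.net, /tmp/acme/ExampleRDP); the second sample, a run that never reaches "Cert success.", is also constructed.

```python
"""Triage the console output of an acme.sh renew run (as the pfSense ACME
package prints it): did we get a certificate, where is it, and did the
post-issue hook that imports it into pfSense fail?"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample adapted from the output quoted in the thread; domain,
# home directory and PEM body are placeholders, not the poster's real data.
SAMPLE_OUTPUT = """\
[Thu Feb 22 09:17:25 CET 2018] Renew: 'rdp.example.net'
[Thu Feb 22 09:17:27 CET 2018] Single domain='rdp.example.net'
[Thu Feb 22 09:17:27 CET 2018] Getting domain auth token for each domain
[Thu Feb 22 09:17:27 CET 2018] Verifying:rdp.example.net
[Thu Feb 22 09:17:35 CET 2018] Success
[Thu Feb 22 09:17:35 CET 2018] Verify finished, start to sign.
[Thu Feb 22 09:17:37 CET 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIFDzCCA/egAwIBAgISA...placeholder...
-----END CERTIFICATE-----
[Thu Feb 22 09:17:37 CET 2018] Your cert is in /tmp/acme/ExampleRDP//rdp.example.net/rdp.example.net.cer
[Thu Feb 22 09:17:37 CET 2018] Your cert key is in /tmp/acme/ExampleRDP//rdp.example.net/rdp.example.net.key
[Thu Feb 22 09:17:38 CET 2018] The intermediate CA cert is in /tmp/acme/ExampleRDP//rdp.example.net/ca.cer
[Thu Feb 22 09:17:38 CET 2018] And the full chain certs is there: /tmp/acme/ExampleRDP//rdp.example.net/fullchain.cer
[Thu Feb 22 09:17:38 CET 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Thu Feb 22 09:17:38 CET 2018] Call hook error.
"""

# Constructed run that stops during validation: no certificate lines at all.
SAMPLE_FAILED = """\
[Thu Feb 22 09:17:25 CET 2018] Renew: 'rdp.example.net'
[Thu Feb 22 09:17:27 CET 2018] Getting domain auth token for each domain
[Thu Feb 22 09:17:27 CET 2018] Verifying:rdp.example.net
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
DOMAIN_RE = re.compile(r"^Renew: '(?P<domain>[^']+)'$")
PATH_RES = {
    "cert": re.compile(r"^Your cert is in (?P<path>\S+)$"),
    "key": re.compile(r"^Your cert key is in (?P<path>\S+)$"),
    "ca": re.compile(r"^The intermediate CA cert is in (?P<path>\S+)$"),
    "fullchain": re.compile(r"^And the full chain certs is there: (?P<path>\S+)$"),
}


@dataclass
class RenewRun:
    domain: Optional[str] = None
    verified: bool = False       # "Verify finished" seen: challenge accepted
    cert_issued: bool = False    # "Cert success." seen: CA signed the CSR
    dns_manual: bool = False     # acme.sh warned about dns manual mode
    hook_error: bool = False     # "Call hook error.": reload hook failed
    pem_blocks: int = 0          # certificates echoed inline
    paths: Dict[str, str] = field(default_factory=dict)


def parse_acme_output(text: str) -> RenewRun:
    """Extract the facts that matter from one renew run's console output."""
    run = RenewRun()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            run.pem_blocks += 1
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # PEM body or unrelated noise
        msg = m.group("msg")
        d = DOMAIN_RE.match(msg)
        if d:
            run.domain = d.group("domain")
        elif msg.startswith("Verify finished"):
            run.verified = True
        elif msg == "Cert success.":
            run.cert_issued = True
        elif msg.startswith("It seems that you are using dns manual mode"):
            run.dns_manual = True
        elif msg == "Call hook error.":
            run.hook_error = True
        else:
            for kind, rx in PATH_RES.items():
                p = rx.match(msg)
                if p:
                    # acme.sh joins --home and the domain with "//"; normalise.
                    run.paths[kind] = posixpath.normpath(p.group("path"))
    return run


def triage(run: RenewRun) -> str:
    """Classify the run so the operator knows what to do next."""
    if not run.cert_issued:
        return "not_issued"            # challenge/DNS problem: Issue + Renew again
    if run.hook_error:
        return "issued_hook_failed"    # files exist under /tmp/acme; import by hand
    return "issued_and_hooked"


def files_to_import(run: RenewRun) -> List[str]:
    """Paths an operator needs for a manual import (leaf cert, key, chain)."""
    return [run.paths[k] for k in ("cert", "key", "fullchain") if k in run.paths]
```

    Run it against the pasted output of a renew; `issued_hook_failed` with a non-empty `files_to_import()` means the certificate and key are sitting in the acme.sh home directory and only the import step was skipped, which is exactly the state described in the post.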


  • Rebel Alliance Developer Netgate

    Do you still have two buttons there on that cert entry: One for Issue, one for Renew?

    With DNS-Manual you have to hit issue, then find/update the TXT, then renew after the DNS entries are in place.



  • Yes, I have both options.
    And I use them as described in the documentation…
    The Issue generates the TXT record for my DNS and the Renew then generates the certificates, which I can download from /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.key and /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.cer

    When I do this and upload the key and certificate manually to the cert. manager, the certificate shows up there...
    But it is quite some work, as I need to first set the admin interface back to the self-signed certificate, then I get the "delete" icon on my current LetsEncrypt certificate, then I import it, and then I set the admin interface back to the new certificate.

    I understand from the documentation, that this should not be necessary and it should all happen automatically...

    P.S. I have freed up my port 80 so that next time (in 30 or 60 days) I will try to use the automated process, as this DNS-manual way is kind of time consuming :)

    So to recap: the process of getting the certificate renewed works until the last step; it does not get automatically uploaded to the cert. manager and the "status" of the certificate does not update with the new "valid to" date.


  • Rebel Alliance Developer Netgate

    Hmm, ok. I don't have any set to manual at the moment but I'll try to get one setup. It should populate that automatically when the renewal action happens.



  • Well, it is not a burning issue for me; I just spotted this misbehaviour and, as you can read in the thread I mentioned, I am not the only one. Perhaps using the standalone HTTP server will be the way to go next time. I just want to share my experience with others and perhaps help with getting this resolved. I can do whatever is needed when someone has an idea to test. Ready to help :)


  • Rebel Alliance Developer Netgate

    There is an updated ACME package on 2.4.3, you could upgrade to a 2.4.3 snapshot and try it there.



  • I ran into the same issue creating a manual cert for my internal web sites, but found a circumvention that worked for me.

    1. Use method "webroot local folder" so that you can add a root folder of "/tmp/haproxy_chroot/.well-known/acme-challenge/"
    2. Change the method to DNS-Manual and save.
    3. Issue the cert and update DNS with correct TXT fields provided from issue
    4. Hit renew and verify that everything went well, but it fails with the Call hook error.
    5. Change the method back to webroot local folder again and save.
    6. Issue/Renew

    I then had a valid cert to use.


  • Rebel Alliance Developer Netgate

    I'm able to reproduce this here but there is an even easier workaround (at least on 2.4.3):

    • Click Issue
    • Fix your DNS with the new TXT record
    • Click Renew
    • Click Issue again

    The auth is still valid so the second renew goes through and you get the cert imported as expected.

    I found the source of the call hook error but even getting rid of that it still isn't importing. I'm still digging at why, but in the meantime it's easy to get around.


  • Rebel Alliance Developer Netgate

    OK, I figured out why: somewhere along the way the "renew" action in acme.sh stopped running the reloadcmd.sh script which imports the cert back into pfSense. That particular "renew" action is only invoked for DNS-Manual entries, so I added a check to run it in just that case if it successfully obtained a certificate. It works for me.

    I only pushed that change to ACME on 2.4.3 at the moment, it will come to the other branches as soon as I push out this pending major update for ACME v2. I was waiting for Let's Encrypt's ACME v2 servers to go online this week but they pushed back that date so shrug

    So for now, if you upgrade to 2.4.3 and get ACME package version 0.2.0.4 which will go up with the next snapshot run, it will be fixed. You can try manually applying the changes yourself in the meantime as a quick fix:  https://github.com/pfsense/FreeBSD-ports/commit/a6f630edae775ad4b3619858baa910809297c2d0



  • Hi there,

    I'm sorry I know this topic is quite old but I am using the ACME package on my pfSense and I came across this error today.
    pfSense v2.4.4-RELEASE-p3
    ACME Package v.0.5.8

    Steps to reproduce:

    • Click Issue
    • Edit your DNS TXT record accordingly
    • Click Renew

    Expected results:
    Certificate renewal completed successfully

    Observed results:
    An error "Call hook error" is thrown, without any further info on the logs.
    You must hit renew a second time for the certificate to be updated.

    Logs:

    [Thu Jul 11 19:22:13 WEST 2019] readlink exists=0
    [Thu Jul 11 19:22:13 WEST 2019] dirname exists=0
    [Thu Jul 11 19:22:13 WEST 2019] Lets find script dir.
    [Thu Jul 11 19:22:13 WEST 2019] _SCRIPT_='/usr/local/pkg/acme/acme.sh'
    [Thu Jul 11 19:22:13 WEST 2019] _script='/usr/local/pkg/acme/acme.sh'
    [Thu Jul 11 19:22:13 WEST 2019] _script_home='/usr/local/pkg/acme'
    [Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/
    [Thu Jul 11 19:22:13 WEST 2019] APP
    [Thu Jul 11 19:22:13 WEST 2019] 3:LOG_FILE='/tmp/acme/fw-cert/acme_issuecert.log'
    [Thu Jul 11 19:22:13 WEST 2019] APP
    [Thu Jul 11 19:22:13 WEST 2019] 4:LOG_LEVEL='3'
    [Thu Jul 11 19:22:13 WEST 2019] LE_WORKING_DIR='/tmp/acme/fw-cert/'
    [Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/
    [Thu Jul 11 19:22:13 WEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Thu Jul 11 19:22:13 WEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Thu Jul 11 19:22:13 WEST 2019] CA_CONF='/tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/ca.conf'
    [Thu Jul 11 19:22:13 WEST 2019] DOMAIN_PATH='/tmp/acme/fw-cert//fw.mydomain.com'
    [Thu Jul 11 19:22:13 WEST 2019] Renew: 'fw.mydomain.com'
    [Thu Jul 11 19:22:13 WEST 2019] Le_API
    [Thu Jul 11 19:22:13 WEST 2019] _main_domain='fw.mydomain.com'
    [Thu Jul 11 19:22:13 WEST 2019] _alt_domains='no'
    [Thu Jul 11 19:22:13 WEST 2019] 'dns' contains 'dns'
    [Thu Jul 11 19:22:13 WEST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Thu Jul 11 19:22:13 WEST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Thu Jul 11 19:22:13 WEST 2019] GET
    [Thu Jul 11 19:22:13 WEST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
    [Thu Jul 11 19:22:13 WEST 2019] timeout=
    [Thu Jul 11 19:22:13 WEST 2019] curl exists=0
    [Thu Jul 11 19:22:13 WEST 2019] wget exists=127
    [Thu Jul 11 19:22:13 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:15 WEST 2019] ret='0'
    [Thu Jul 11 19:22:15 WEST 2019] response='{
      "XXeBADlFCPs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
        "website": "https://letsencrypt.org"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_AUTHZ
    [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Thu Jul 11 19:22:15 WEST 2019] ACME_VERSION='2'
    [Thu Jul 11 19:22:15 WEST 2019] Le_NextRenewTime='1567962357'
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 1:Le_Domain='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 2:Le_Alt='no'
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 3:Le_Webroot='dns'
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 4:Le_PreHook=''
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 5:Le_PostHook=''
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 6:Le_RenewHook=''
    [Thu Jul 11 19:22:15 WEST 2019] _on_before_issue
    [Thu Jul 11 19:22:15 WEST 2019] _chk_main_domain='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _chk_alt_domains
    [Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'no'
    [Thu Jul 11 19:22:15 WEST 2019] Le_LocalAddress
    [Thu Jul 11 19:22:15 WEST 2019] d='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] Check for domain='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _currentRoot='dns'
    [Thu Jul 11 19:22:15 WEST 2019] d
    [Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'apache'
    [Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash='jR06iKbCw94E0U9X2mveGPwhxNAF7yBSUrUj7bS8jmk='
    [Thu Jul 11 19:22:15 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash is not changed, skip register account.
    [Thu Jul 11 19:22:15 WEST 2019] Read key length:
    [Thu Jul 11 19:22:15 WEST 2019] _createcsr
    [Thu Jul 11 19:22:15 WEST 2019] domain='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] domainlist
    [Thu Jul 11 19:22:15 WEST 2019] csrkey='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key'
    [Thu Jul 11 19:22:15 WEST 2019] csr='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr'
    [Thu Jul 11 19:22:15 WEST 2019] csrconf='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr.conf'
    [Thu Jul 11 19:22:15 WEST 2019] Single domain='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _idn_temp
    [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _idn_temp
    [Thu Jul 11 19:22:15 WEST 2019] _csr_cn='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] OK
    [Thu Jul 11 19:22:15 WEST 2019] 7:Le_Keylength=''
    [Thu Jul 11 19:22:15 WEST 2019] Getting domain auth token for each domain
    [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com'
    [Thu Jul 11 19:22:15 WEST 2019] _idn_temp
    [Thu Jul 11 19:22:15 WEST 2019] d
    [Thu Jul 11 19:22:15 WEST 2019] _identifiers='{"type":"dns","value":"fw.mydomain.com"}'
    [Thu Jul 11 19:22:15 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu Jul 11 19:22:15 WEST 2019] payload='{"identifiers": [{"type":"dns","value":"fw.mydomain.com"}]}'
    [Thu Jul 11 19:22:15 WEST 2019] RSA key
    [Thu Jul 11 19:22:15 WEST 2019] pub_exp='010001'
    [Thu Jul 11 19:22:15 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:15 WEST 2019] xxd exists=127
    [Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1'
    [Thu Jul 11 19:22:15 WEST 2019] e='AQAB'
    [Thu Jul 11 19:22:15 WEST 2019] modulus=''
    [Thu Jul 11 19:22:15 WEST 2019] xxd exists=127
    [Thu Jul 11 19:22:15 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1'
    [Thu Jul 11 19:22:16 WEST 2019] n=''
    [Thu Jul 11 19:22:16 WEST 2019] jwk='{"e": "AQAB", "kty": "RSA", "n": ""}'
    [Thu Jul 11 19:22:16 WEST 2019] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": ""}}'
    [Thu Jul 11 19:22:16 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:16 WEST 2019] payload64=''
    [Thu Jul 11 19:22:16 WEST 2019] _request_retry_times='1'
    [Thu Jul 11 19:22:16 WEST 2019] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Thu Jul 11 19:22:16 WEST 2019] HEAD
    [Thu Jul 11 19:22:16 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Thu Jul 11 19:22:16 WEST 2019] body
    [Thu Jul 11 19:22:16 WEST 2019] _postContentType='application/jose+json'
    [Thu Jul 11 19:22:16 WEST 2019] curl exists=0
    [Thu Jul 11 19:22:16 WEST 2019] wget exists=127
    [Thu Jul 11 19:22:16 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:17 WEST 2019] _ret='0'
    [Thu Jul 11 19:22:17 WEST 2019] _headers='HTTP/1.1 200 OK
    Server: nginx
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Content-Length: 0
    Expires: Thu, 11 Jul 2019 18:22:17 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 11 Jul 2019 18:22:17 GMT
    Connection: keep-alive
    ^M'
    [Thu Jul 11 19:22:17 WEST 2019] _CACHED_NONCE=''
    [Thu Jul 11 19:22:17 WEST 2019] nonce=''
    [Thu Jul 11 19:22:17 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
    [Thu Jul 11 19:22:17 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:17 WEST 2019] protected64=''
    [Thu Jul 11 19:22:17 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:17 WEST 2019] _sig_t=''
    [Thu Jul 11 19:22:17 WEST 2019] sig=''
    [Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:17 WEST 2019] POST
    [Thu Jul 11 19:22:17 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:17 WEST 2019] _postContentType='application/jose+json'
    [Thu Jul 11 19:22:17 WEST 2019] Http already initialized.
    [Thu Jul 11 19:22:17 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:18 WEST 2019] _ret='0'
    [Thu Jul 11 19:22:18 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 11 Jul 2019 18:22:18 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 201 Created
    Server: nginx
    Content-Type: application/json
    Content-Length: 376
    Boulder-Requester: 00131007
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337
    Replay-Nonce:
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 11 Jul 2019 18:22:18 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 11 Jul 2019 18:22:18 GMT
    Connection: keep-alive
    ^M'
    [Thu Jul 11 19:22:18 WEST 2019] code='201'
    [Thu Jul 11 19:22:18 WEST 2019] original='{
      "status": "ready",
      "expires": "2019-07-18T18:22:18.588852588Z",
      "identifiers": [
        {
          "type": "dns",
          "value": "fw.mydomain.com"
        }
      ],
      "authorizations": [
        "https://acme-v02.api.letsencrypt.org/acme/authz/minez"
      ],
      "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337"
    }'
    [Thu Jul 11 19:22:18 WEST 2019] response='{"status":"ready","expires":"2019-07-18T18:22:18.588852588Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337"}'
    [Thu Jul 11 19:22:18 WEST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337'
    [Thu Jul 11 19:22:18 WEST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
    [Thu Jul 11 19:22:18 WEST 2019] OK
    [Thu Jul 11 19:22:18 WEST 2019] 8:Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
    [Thu Jul 11 19:22:18 WEST 2019] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
    [Thu Jul 11 19:22:18 WEST 2019] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
    [Thu Jul 11 19:22:18 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
    [Thu Jul 11 19:22:18 WEST 2019] payload
    [Thu Jul 11 19:22:18 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
    [Thu Jul 11 19:22:18 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:18 WEST 2019] payload64
    [Thu Jul 11 19:22:18 WEST 2019] _request_retry_times='1'
    [Thu Jul 11 19:22:18 WEST 2019] Use _CACHED_NONCE=''
    [Thu Jul 11 19:22:18 WEST 2019] nonce=''
    [Thu Jul 11 19:22:18 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/minez", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
    [Thu Jul 11 19:22:18 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:18 WEST 2019] protected64=''
    [Thu Jul 11 19:22:18 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:18 WEST 2019] _sig_t=''
    [Thu Jul 11 19:22:18 WEST 2019] sig=''
    [Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:18 WEST 2019] POST
    [Thu Jul 11 19:22:18 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez'
    [Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:18 WEST 2019] _postContentType='application/jose+json'
    [Thu Jul 11 19:22:18 WEST 2019] Http already initialized.
    [Thu Jul 11 19:22:18 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:20 WEST 2019] _ret='0'
    [Thu Jul 11 19:22:20 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 11 Jul 2019 18:22:19 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json
    Content-Length: 1011
    Boulder-Requester: 00131007
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce:
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 11 Jul 2019 18:22:20 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 11 Jul 2019 18:22:20 GMT
    Connection: keep-alive
    ^M'
    [Thu Jul 11 19:22:20 WEST 2019] code='200'
    [Thu Jul 11 19:22:20 WEST 2019] original='{
      "identifier": {
        "type": "dns",
        "value": "fw.mydomain.com"
      },
      "status": "valid",
      "expires": "2019-08-10T17:05:51Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372",
          "token": ""
        },
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374",
          "token": ""
        },
        {
          "type": "dns-01",
          "status": "valid",
          "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394",
          "token": "",
          "validationRecord": [
            {
              "hostname": "fw.mydomain.com"
            }
          ]
        }
      ]
    }'
    [Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
    [Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
    [Thu Jul 11 19:22:20 WEST 2019] _d='fw.mydomain.com'
    [Thu Jul 11 19:22:20 WEST 2019] _authorizations_map='fw.mydomain.com,{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}
    '
    [Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com'
    [Thu Jul 11 19:22:20 WEST 2019] Getting webroot for domain='fw.mydomain.com'
    [Thu Jul 11 19:22:20 WEST 2019] _w='dns'
    [Thu Jul 11 19:22:20 WEST 2019] _currentRoot='dns'
    [Thu Jul 11 19:22:20 WEST 2019] _is_idn_d='fw.mydomain.com'
    [Thu Jul 11 19:22:20 WEST 2019] _idn_temp
    [Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}'
    [Thu Jul 11 19:22:20 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:20 WEST 2019] entry='"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"'
    [Thu Jul 11 19:22:20 WEST 2019] token=''
    [Thu Jul 11 19:22:20 WEST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394'
    [Thu Jul 11 19:22:20 WEST 2019] keyauthorization='.'
    [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified.
    [Thu Jul 11 19:22:20 WEST 2019] keyauthorization='verified_ok'
    [Thu Jul 11 19:22:20 WEST 2019] dvlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns'
    [Thu Jul 11 19:22:20 WEST 2019] d
    [Thu Jul 11 19:22:20 WEST 2019] vlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns,'
    [Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com'
    [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01.
    [Thu Jul 11 19:22:20 WEST 2019] ok, let's start to verify
    [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01.
    [Thu Jul 11 19:22:20 WEST 2019] pid
    [Thu Jul 11 19:22:20 WEST 2019] No need to restore nginx, skip.
    [Thu Jul 11 19:22:20 WEST 2019] _clearupdns
    [Thu Jul 11 19:22:20 WEST 2019] dns_entries
    [Thu Jul 11 19:22:20 WEST 2019] skip dns.
    [Thu Jul 11 19:22:20 WEST 2019] Verify finished, start to sign.
    [Thu Jul 11 19:22:20 WEST 2019] i='2'
    [Thu Jul 11 19:22:20 WEST 2019] j='16'
    [Thu Jul 11 19:22:20 WEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337
    [Thu Jul 11 19:22:20 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
    [Thu Jul 11 19:22:20 WEST 2019] payload='{"csr": ""}'
    [Thu Jul 11 19:22:20 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
    [Thu Jul 11 19:22:20 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:20 WEST 2019] payload64=''
    [Thu Jul 11 19:22:20 WEST 2019] _request_retry_times='1'
    [Thu Jul 11 19:22:20 WEST 2019] Use _CACHED_NONCE=''
    [Thu Jul 11 19:22:20 WEST 2019] nonce=''
    [Thu Jul 11 19:22:20 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
    [Thu Jul 11 19:22:20 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:20 WEST 2019] protected64=''
    [Thu Jul 11 19:22:20 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:20 WEST 2019] _sig_t=''
    [Thu Jul 11 19:22:20 WEST 2019] sig=''
    [Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:20 WEST 2019] POST
    [Thu Jul 11 19:22:20 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337'
    [Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:20 WEST 2019] _postContentType='application/jose+json'
    [Thu Jul 11 19:22:20 WEST 2019] Http already initialized.
    [Thu Jul 11 19:22:20 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:22 WEST 2019] _ret='0'
    [Thu Jul 11 19:22:22 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 11 Jul 2019 18:22:21 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json
    Content-Length: 470
    Boulder-Requester: 00131007
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337
    Replay-Nonce:
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 11 Jul 2019 18:22:22 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 11 Jul 2019 18:22:22 GMT
    Connection: keep-alive
    ^M'
    [Thu Jul 11 19:22:22 WEST 2019] code='200'
    [Thu Jul 11 19:22:22 WEST 2019] original='{
      "status": "valid",
      "expires": "2019-07-18T18:22:18Z",
      "identifiers": [
        {
          "type": "dns",
          "value": "fw.mydomain.com"
        }
      ],
      "authorizations": [
        "https://acme-v02.api.letsencrypt.org/acme/authz/minez"
      ],
      "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337",
      "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11"
    }'
    [Thu Jul 11 19:22:22 WEST 2019] response='{"status":"valid","expires":"2019-07-18T18:22:18Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11"}'
    [Thu Jul 11 19:22:22 WEST 2019] OK
    [Thu Jul 11 19:22:22 WEST 2019] 10:Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337'
    [Thu Jul 11 19:22:22 WEST 2019] Order status is valid.
    [Thu Jul 11 19:22:22 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
    [Thu Jul 11 19:22:22 WEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11
    [Thu Jul 11 19:22:22 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
    [Thu Jul 11 19:22:22 WEST 2019] payload
    [Thu Jul 11 19:22:22 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key
    [Thu Jul 11 19:22:22 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:22 WEST 2019] payload64
    [Thu Jul 11 19:22:22 WEST 2019] _request_retry_times='1'
    [Thu Jul 11 19:22:22 WEST 2019] Use _CACHED_NONCE=''
    [Thu Jul 11 19:22:22 WEST 2019] nonce=''
    [Thu Jul 11 19:22:22 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}'
    [Thu Jul 11 19:22:22 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:22 WEST 2019] protected64=''
    [Thu Jul 11 19:22:22 WEST 2019] base64 single line.
    [Thu Jul 11 19:22:22 WEST 2019] _sig_t=''
    [Thu Jul 11 19:22:22 WEST 2019] sig=''
    [Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:22 WEST 2019] POST
    [Thu Jul 11 19:22:22 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
    [Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}'
    [Thu Jul 11 19:22:22 WEST 2019] _postContentType='application/jose+json'
    [Thu Jul 11 19:22:22 WEST 2019] Http already initialized.
    [Thu Jul 11 19:22:22 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header  -g '
    [Thu Jul 11 19:22:24 WEST 2019] _ret='0'
    [Thu Jul 11 19:22:24 WEST 2019] responseHeaders='HTTP/1.1 100 Continue
    Expires: Thu, 11 Jul 2019 18:22:23 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pem-certificate-chain
    Content-Length: 3571
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce:
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Thu, 11 Jul 2019 18:22:24 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 11 Jul 2019 18:22:24 GMT
    Connection: keep-alive
    ^M'
    [Thu Jul 11 19:22:24 WEST 2019] code='200'
    [Thu Jul 11 19:22:24 WEST 2019] original='-----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----'
    [Thu Jul 11 19:22:24 WEST 2019] response='-----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    
    -----END CERTIFICATE-----'
    [Thu Jul 11 19:22:24 WEST 2019] Found cert chain
    [Thu Jul 11 19:22:24 WEST 2019] _end_n='31'
    [Thu Jul 11 19:22:24 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
    [Thu Jul 11 19:22:24 WEST 2019] OK
    [Thu Jul 11 19:22:24 WEST 2019] 11:Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11'
    [Thu Jul 11 19:22:24 WEST 2019] Cert success.
    [Thu Jul 11 19:22:24 WEST 2019] Your cert is in  /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.cer 
    [Thu Jul 11 19:22:24 WEST 2019] Your cert key is in  /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key 
    [Thu Jul 11 19:22:24 WEST 2019] APP
    [Thu Jul 11 19:22:24 WEST 2019] 5:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/'
    [Thu Jul 11 19:22:24 WEST 2019] v2 chain.
    [Thu Jul 11 19:22:24 WEST 2019] The intermediate CA cert is in  /tmp/acme/fw-cert//fw.mydomain.com/ca.cer 
    [Thu Jul 11 19:22:24 WEST 2019] And the full chain certs is there:  /tmp/acme/fw-cert//fw.mydomain.com/fullchain.cer 
    [Thu Jul 11 19:22:24 WEST 2019] OK
    [Thu Jul 11 19:22:24 WEST 2019] 12:Le_CertCreateTime='1562869344'
    [Thu Jul 11 19:22:24 WEST 2019] OK
    [Thu Jul 11 19:22:24 WEST 2019] 13:Le_CertCreateTimeStr='Thu Jul 11 18:22:24 UTC 2019'
    [Thu Jul 11 19:22:24 WEST 2019] OK
    [Thu Jul 11 19:22:24 WEST 2019] 14:Le_NextRenewTimeStr='Mon Sep  9 18:22:24 UTC 2019'
    [Thu Jul 11 19:22:24 WEST 2019] OK
    [Thu Jul 11 19:22:24 WEST 2019] 15:Le_NextRenewTime='1567966944'
    [Thu Jul 11 19:22:24 WEST 2019] _on_issue_success
    [Thu Jul 11 19:22:24 WEST 2019] 'dns' contains 'dns'
    [Thu Jul 11 19:22:24 WEST 2019] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
    [Thu Jul 11 19:22:24 WEST 2019] Call hook error.
    

    Obfuscated a few lines.
    This actually caused me some hassle ... looking at this thread I figured this issue would be already fixed. Any thoughts?



  • I'm suffering a similar bug but I use the webroot FTP option.

    Manually hit the renew button and I see the certificate is renewed BUT it isn't applied on the HTTPS side of my pfSense.

    2.4.4-RELEASE-p1

    acme security 0.5.8
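The symptom in both posts is the same: acme.sh writes a fresh `fullchain.cer` under `/tmp/acme/<name>/<domain>/`, then the reload hook fails, so the listener keeps presenting the old leaf. The following is an added check, not code from the acme package or from anyone in this thread: it splits the chain file the way the "Found cert chain" step does, fingerprints the leaf, and compares it with what the listener actually serves. The PEM bodies in the sample are constructed placeholders (base64 of arbitrary bytes, not real X.509), which is enough because the check only hashes DER.

```python
"""Detect a renewal that was issued but never installed (reload hook failed).

Added example; paths follow the acme.sh layout shown in the log above
(/tmp/acme/<name>//<domain>/fullchain.cer). Sample PEM bodies are constructed.
"""
import base64
import hashlib
import re

# One PEM certificate block; whitespace inside the base64 body is tolerated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(chain_pem: str) -> list:
    """Return the DER blobs of a PEM chain, leaf first, then intermediates.

    This mirrors acme.sh splitting fullchain.cer into <domain>.cer and ca.cer.
    """
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(chain_pem)]


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of one DER certificate, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def renewal_applied(fullchain_pem: str, served_pem: str) -> dict:
    """Compare the leaf acme.sh just issued with the leaf the listener serves."""
    issued, served = split_pem_chain(fullchain_pem), split_pem_chain(served_pem)
    if not issued or not served:
        raise ValueError("no certificate blocks found")
    issued_fp, served_fp = sha256_fingerprint(issued[0]), sha256_fingerprint(served[0])
    return {"issued": issued_fp, "served": served_fp,
            "applied": issued_fp == served_fp, "intermediates": len(issued) - 1}


def _pem(der: bytes) -> str:
    """Wrap placeholder bytes as a PEM block (constructed test data only)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Constructed sample: a newly issued chain on disk and the stale leaf still served.
NEW_FULLCHAIN = _pem(b"placeholder leaf issued 2019-07-11") + _pem(b"placeholder intermediate")
OLD_SERVED = _pem(b"placeholder leaf issued 2019-05-12")

if __name__ == "__main__":
    # In practice, served_pem would come from the live listener, e.g.
    # ssl.get_server_certificate(("fw.mydomain.com", 443)), read fullchain_pem from disk.
    print(renewal_applied(NEW_FULLCHAIN, OLD_SERVED))  # "applied": False -> hook did not install it
```

Running this from cron right after the renewal job turns the silent "Call hook error" into an alert, since `applied` stays `False` until the cert manager actually holds the new leaf.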

