-
Do you still have two buttons there on that cert entry: One for Issue, one for Renew?
With DNS-Manual you have to hit issue, then find/update the TXT, then renew after the DNS entries are in place.
-
Yes, I do both options.
And I use them as described in the documentation…
The issue generates the TXT record for my DNS and the RENEW then generates the certificates, which I can download from /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.key and /tmp/acme/NalzoviceRDP//rdp.domov-nalzovice.cz/rdp.domov-nalzovice.cz.cer
When I do this and when I upload the key and certificate manually to the cert. manager, the certificate shows up there...
But it is quite some work as I need to first set the admin interface back to self signed certificate, then I get the "delete" icon on my current LetsEncrypt certificate, then I import it and then I set the admin interface back to the new certificate.
I understand from the documentation that this should not be necessary and it should all happen automatically...
P.S. I have freed my port 80 so that next time (in 30 or 60 days) I will try to use the automated process as this DNS-manual way is kind of time consuming :)
So to recap the answer - the process of getting the certificate renewed works until the last point - it does not get automatically uploaded to the cert. manager and the "status" of the certificate does not update with new "valid to" date.
-
Hmm, ok. I don't have any set to manual at the moment but I'll try to get one setup. It should populate that automatically when the renewal action happens.
-
Well, it is not a burning issue for me, I just spotted this misbehaviour and as you can read on the thread I mentioned, I am not the only one. Perhaps using the standalone http server will be the way to go next time. I just do want to share my experience with others and perhaps help with getting this resolved - I can do whatever is needed when someone has an idea to test. Ready to help :)
-
There is an updated ACME package on 2.4.3, you could upgrade to a 2.4.3 snapshot and try it there.
-
I ran into the same issue creating a manual cert for my internal web sites but found a circumvention that worked for me.
1. Use Method webroot local folder so that you can add a root folder of "/tmp/haproxy_chroot/.well-known/acme-challenge/"
2. Change the method to DNS-Manual and save.
3. Issue the cert and update DNS with correct TXT fields provided from issue
4. Hit renew and verify that everything went well but fails with the Call hook error.
5. Change the method back to webroot local folder again and save.
6. Issue/Renew
I then had a valid cert to use.
-
I'm able to reproduce this here but there is an even easier workaround (at least on 2.4.3):
- Click Issue
- Fix your DNS with the new TXT record
- Click Renew
- Click Issue again
The auth is still valid so the second renew goes through and you get the cert imported as expected.
I found the source of the call hook error but even getting rid of that it still isn't importing. I'm still digging at why, but in the meantime it's easy to get around.
-
OK, I figured out why: somewhere along the way the "renew" action in acme.sh stopped running the reloadcmd.sh script which imports the cert back into pfSense. That particular "renew" action is only invoked for DNS-Manual entries, so I added a check to run it in just that case if it successfully obtained a certificate. It works for me.
I only pushed that change to ACME on 2.4.3 at the moment, it will come to the other branches as soon as I push out this pending major update for ACME v2. I was waiting for Let's Encrypt's ACME v2 servers to go online this week but they pushed back that date so shrug
So for now, if you upgrade to 2.4.3 and get ACME package version 0.2.0.4 which will go up with the next snapshot run, it will be fixed. You can try manually applying the changes yourself in the meantime as a quick fix: https://github.com/pfsense/FreeBSD-ports/commit/a6f630edae775ad4b3619858baa910809297c2d0
-
Hi there,
I'm sorry I know this topic is quite old but I am using the ACME package on my pfSense and I came across this error today.
pfSense v2.4.4-RELEASE-p3
ACME Package v.0.5.8
Steps to reproduce:
- Click Issue
- Edit your DNS TXT record accordingly
- Click Renew
Expected results:
Certificate renewal completed successfully
Observed results:
An error "Call hook error" is thrown, without any further info on the logs.
You must hit renew a second time for the certificate to be updated.
Logs:
[Thu Jul 11 19:22:13 WEST 2019] readlink exists=0 [Thu Jul 11 19:22:13 WEST 2019] dirname exists=0 [Thu Jul 11 19:22:13 WEST 2019] Lets find script dir. [Thu Jul 11 19:22:13 WEST 2019] _SCRIPT_='/usr/local/pkg/acme/acme.sh' [Thu Jul 11 19:22:13 WEST 2019] _script='/usr/local/pkg/acme/acme.sh' [Thu Jul 11 19:22:13 WEST 2019] _script_home='/usr/local/pkg/acme' [Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/ [Thu Jul 11 19:22:13 WEST 2019] APP [Thu Jul 11 19:22:13 WEST 2019] 3:LOG_FILE='/tmp/acme/fw-cert/acme_issuecert.log' [Thu Jul 11 19:22:13 WEST 2019] APP [Thu Jul 11 19:22:13 WEST 2019] 4:LOG_LEVEL='3' [Thu Jul 11 19:22:13 WEST 2019] LE_WORKING_DIR='/tmp/acme/fw-cert/' [Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/ [Thu Jul 11 19:22:13 WEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Thu Jul 11 19:22:13 WEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Thu Jul 11 19:22:13 WEST 2019] CA_CONF='/tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/ca.conf' [Thu Jul 11 19:22:13 WEST 2019] DOMAIN_PATH='/tmp/acme/fw-cert//fw.mydomain.com' [Thu Jul 11 19:22:13 WEST 2019] Renew: 'fw.mydomain.com' [Thu Jul 11 19:22:13 WEST 2019] Le_API [Thu Jul 11 19:22:13 WEST 2019] _main_domain='fw.mydomain.com' [Thu Jul 11 19:22:13 WEST 2019] _alt_domains='no' [Thu Jul 11 19:22:13 WEST 2019] 'dns' contains 'dns' [Thu Jul 11 19:22:13 WEST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory [Thu Jul 11 19:22:13 WEST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory [Thu Jul 11 19:22:13 WEST 2019] GET [Thu Jul 11 19:22:13 WEST 2019] url='https://acme-v02.api.letsencrypt.org/directory' [Thu Jul 11 19:22:13 WEST 2019] timeout= [Thu Jul 11 19:22:13 WEST 2019] curl exists=0 [Thu Jul 11 19:22:13 WEST 2019] wget exists=127 [Thu Jul 11 19:22:13 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:15 WEST 2019] ret='0' [Thu 
Jul 11 19:22:15 WEST 2019] response='{ "XXeBADlFCPs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }' [Thu Jul 11 19:22:15 WEST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change' [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_AUTHZ [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order' [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct' [Thu Jul 11 19:22:15 WEST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert' [Thu Jul 11 19:22:15 WEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf' [Thu Jul 11 19:22:15 WEST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Thu Jul 11 19:22:15 WEST 2019] ACME_VERSION='2' [Thu Jul 11 19:22:15 WEST 2019] Le_NextRenewTime='1567962357' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 1:Le_Domain='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 2:Le_Alt='no' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 3:Le_Webroot='dns' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 4:Le_PreHook='' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 5:Le_PostHook='' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 6:Le_RenewHook='' [Thu Jul 11 19:22:15 WEST 2019] 
_on_before_issue [Thu Jul 11 19:22:15 WEST 2019] _chk_main_domain='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _chk_alt_domains [Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'no' [Thu Jul 11 19:22:15 WEST 2019] Le_LocalAddress [Thu Jul 11 19:22:15 WEST 2019] d='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] Check for domain='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _currentRoot='dns' [Thu Jul 11 19:22:15 WEST 2019] d [Thu Jul 11 19:22:15 WEST 2019] 'dns' does not contain 'apache' [Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash='jR06iKbCw94E0U9X2mveGPwhxNAF7yBSUrUj7bS8jmk=' [Thu Jul 11 19:22:15 WEST 2019] base64 single line. [Thu Jul 11 19:22:15 WEST 2019] _saved_account_key_hash is not changed, skip register account. [Thu Jul 11 19:22:15 WEST 2019] Read key length: [Thu Jul 11 19:22:15 WEST 2019] _createcsr [Thu Jul 11 19:22:15 WEST 2019] domain='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] domainlist [Thu Jul 11 19:22:15 WEST 2019] csrkey='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key' [Thu Jul 11 19:22:15 WEST 2019] csr='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr' [Thu Jul 11 19:22:15 WEST 2019] csrconf='/tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.csr.conf' [Thu Jul 11 19:22:15 WEST 2019] Single domain='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _idn_temp [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _idn_temp [Thu Jul 11 19:22:15 WEST 2019] _csr_cn='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] OK [Thu Jul 11 19:22:15 WEST 2019] 7:Le_Keylength='' [Thu Jul 11 19:22:15 WEST 2019] Getting domain auth token for each domain [Thu Jul 11 19:22:15 WEST 2019] _is_idn_d='fw.mydomain.com' [Thu Jul 11 19:22:15 WEST 2019] _idn_temp [Thu Jul 11 19:22:15 WEST 2019] d [Thu Jul 11 19:22:15 WEST 2019] _identifiers='{"type":"dns","value":"fw.mydomain.com"}' [Thu Jul 11 19:22:15 WEST 2019] 
url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Thu Jul 11 19:22:15 WEST 2019] payload='{"identifiers": [{"type":"dns","value":"fw.mydomain.com"}]}' [Thu Jul 11 19:22:15 WEST 2019] RSA key [Thu Jul 11 19:22:15 WEST 2019] pub_exp='010001' [Thu Jul 11 19:22:15 WEST 2019] base64 single line.[Thu Jul 11 19:22:15 WEST 2019] xxd exists=127 [Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1' [Thu Jul 11 19:22:15 WEST 2019] e='AQAB' [Thu Jul 11 19:22:15 WEST 2019] modulus='' [Thu Jul 11 19:22:15 WEST 2019] xxd exists=127 [Thu Jul 11 19:22:15 WEST 2019] base64 single line. [Thu Jul 11 19:22:15 WEST 2019] _URGLY_PRINTF='1' [Thu Jul 11 19:22:16 WEST 2019] n='' [Thu Jul 11 19:22:16 WEST 2019] jwk='{"e": "AQAB", "kty": "RSA", "n": ""}' [Thu Jul 11 19:22:16 WEST 2019] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": ""}}' [Thu Jul 11 19:22:16 WEST 2019] base64 single line. [Thu Jul 11 19:22:16 WEST 2019] payload64='' [Thu Jul 11 19:22:16 WEST 2019] _request_retry_times='1' [Thu Jul 11 19:22:16 WEST 2019] Get nonce with HEAD. 
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Thu Jul 11 19:22:16 WEST 2019] HEAD [Thu Jul 11 19:22:16 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Thu Jul 11 19:22:16 WEST 2019] body [Thu Jul 11 19:22:16 WEST 2019] _postContentType='application/jose+json' [Thu Jul 11 19:22:16 WEST 2019] curl exists=0 [Thu Jul 11 19:22:16 WEST 2019] wget exists=127 [Thu Jul 11 19:22:16 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:17 WEST 2019] _ret='0' [Thu Jul 11 19:22:17 WEST 2019] _headers='HTTP/1.1 200 OK Server: nginx Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Content-Length: 0 Expires: Thu, 11 Jul 2019 18:22:17 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 11 Jul 2019 18:22:17 GMT Connection: keep-alive ^M' [Thu Jul 11 19:22:17 WEST 2019] _CACHED_NONCE='' [Thu Jul 11 19:22:17 WEST 2019] nonce='' [Thu Jul 11 19:22:17 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/new-order", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}' [Thu Jul 11 19:22:17 WEST 2019] base64 single line. [Thu Jul 11 19:22:17 WEST 2019] protected64='' [Thu Jul 11 19:22:17 WEST 2019] base64 single line. [Thu Jul 11 19:22:17 WEST 2019] _sig_t='' [Thu Jul 11 19:22:17 WEST 2019] sig='' [Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:17 WEST 2019] POST [Thu Jul 11 19:22:17 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Thu Jul 11 19:22:17 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:17 WEST 2019] _postContentType='application/jose+json' [Thu Jul 11 19:22:17 WEST 2019] Http already initialized. 
[Thu Jul 11 19:22:17 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:18 WEST 2019] _ret='0' [Thu Jul 11 19:22:18 WEST 2019] responseHeaders='HTTP/1.1 100 Continue Expires: Thu, 11 Jul 2019 18:22:18 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache HTTP/1.1 201 Created Server: nginx Content-Type: application/json Content-Length: 376 Boulder-Requester: 00131007 Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337 Replay-Nonce: X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Thu, 11 Jul 2019 18:22:18 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 11 Jul 2019 18:22:18 GMT Connection: keep-alive ^M' [Thu Jul 11 19:22:18 WEST 2019] code='201' [Thu Jul 11 19:22:18 WEST 2019] original='{ "status": "ready", "expires": "2019-07-18T18:22:18.588852588Z", "identifiers": [ { "type": "dns", "value": "fw.mydomain.com" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz/minez" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337" }' [Thu Jul 11 19:22:18 WEST 2019] response='{"status":"ready","expires":"2019-07-18T18:22:18.588852588Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337"}' [Thu Jul 11 19:22:18 WEST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337' [Thu Jul 11 19:22:18 WEST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337' [Thu Jul 11 19:22:18 WEST 2019] OK [Thu Jul 11 19:22:18 WEST 2019] 8:Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337' [Thu Jul 11 19:22:18 WEST 2019] 
_authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/minez' [Thu Jul 11 19:22:18 WEST 2019] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez' [Thu Jul 11 19:22:18 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz/minez' [Thu Jul 11 19:22:18 WEST 2019] payload [Thu Jul 11 19:22:18 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key [Thu Jul 11 19:22:18 WEST 2019] base64 single line. [Thu Jul 11 19:22:18 WEST 2019] payload64 [Thu Jul 11 19:22:18 WEST 2019] _request_retry_times='1' [Thu Jul 11 19:22:18 WEST 2019] Use _CACHED_NONCE='' [Thu Jul 11 19:22:18 WEST 2019] nonce='' [Thu Jul 11 19:22:18 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/authz/minez", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}' [Thu Jul 11 19:22:18 WEST 2019] base64 single line. [Thu Jul 11 19:22:18 WEST 2019] protected64='' [Thu Jul 11 19:22:18 WEST 2019] base64 single line. [Thu Jul 11 19:22:18 WEST 2019] _sig_t='' [Thu Jul 11 19:22:18 WEST 2019] sig='' [Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:18 WEST 2019] POST [Thu Jul 11 19:22:18 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/minez' [Thu Jul 11 19:22:18 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:18 WEST 2019] _postContentType='application/jose+json' [Thu Jul 11 19:22:18 WEST 2019] Http already initialized. 
[Thu Jul 11 19:22:18 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:20 WEST 2019] _ret='0' [Thu Jul 11 19:22:20 WEST 2019] responseHeaders='HTTP/1.1 100 Continue Expires: Thu, 11 Jul 2019 18:22:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache HTTP/1.1 200 OK Server: nginx Content-Type: application/json Content-Length: 1011 Boulder-Requester: 00131007 Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Thu, 11 Jul 2019 18:22:20 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 11 Jul 2019 18:22:20 GMT Connection: keep-alive ^M' [Thu Jul 11 19:22:20 WEST 2019] code='200' [Thu Jul 11 19:22:20 WEST 2019] original='{ "identifier": { "type": "dns", "value": "fw.mydomain.com" }, "status": "valid", "expires": "2019-08-10T17:05:51Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372", "token": "" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374", "token": "" }, { "type": "dns-01", "status": "valid", "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394", "token": "", "validationRecord": [ { "hostname": "fw.mydomain.com" } ] } ] }' [Thu Jul 11 19:22:20 WEST 2019] 
response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}' [Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}' [Thu Jul 11 19:22:20 WEST 2019] _d='fw.mydomain.com' [Thu Jul 11 19:22:20 WEST 2019] _authorizations_map='fw.mydomain.com,{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]} ' [Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com' [Thu Jul 11 19:22:20 WEST 2019] Getting webroot for domain='fw.mydomain.com' [Thu Jul 11 19:22:20 WEST 
2019] _w='dns' [Thu Jul 11 19:22:20 WEST 2019] _currentRoot='dns' [Thu Jul 11 19:22:20 WEST 2019] _is_idn_d='fw.mydomain.com' [Thu Jul 11 19:22:20 WEST 2019] _idn_temp [Thu Jul 11 19:22:20 WEST 2019] response='{"identifier":{"type":"dns","value":"fw.mydomain.com"},"status":"valid","expires":"2019-08-10T17:05:51Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621372","token":""},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621374","token":""},{"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"}]}]}' [Thu Jul 11 19:22:20 WEST 2019] base64 single line. [Thu Jul 11 19:22:20 WEST 2019] entry='"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394","token":"","validationRecord":[{"hostname":"fw.mydomain.com"' [Thu Jul 11 19:22:20 WEST 2019] token='' [Thu Jul 11 19:22:20 WEST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394' [Thu Jul 11 19:22:20 WEST 2019] keyauthorization='.' [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified. [Thu Jul 11 19:22:20 WEST 2019] keyauthorization='verified_ok' [Thu Jul 11 19:22:20 WEST 2019] dvlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns' [Thu Jul 11 19:22:20 WEST 2019] d [Thu Jul 11 19:22:20 WEST 2019] vlist='fw.mydomain.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/minez/18142621394#dns-01#dns,' [Thu Jul 11 19:22:20 WEST 2019] d='fw.mydomain.com' [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01. [Thu Jul 11 19:22:20 WEST 2019] ok, let's start to verify [Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01. 
[Thu Jul 11 19:22:20 WEST 2019] pid [Thu Jul 11 19:22:20 WEST 2019] No need to restore nginx, skip. [Thu Jul 11 19:22:20 WEST 2019] _clearupdns [Thu Jul 11 19:22:20 WEST 2019] dns_entries [Thu Jul 11 19:22:20 WEST 2019] skip dns. [Thu Jul 11 19:22:20 WEST 2019] Verify finished, start to sign. [Thu Jul 11 19:22:20 WEST 2019] i='2' [Thu Jul 11 19:22:20 WEST 2019] j='16' [Thu Jul 11 19:22:20 WEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337 [Thu Jul 11 19:22:20 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337' [Thu Jul 11 19:22:20 WEST 2019] payload='{"csr": ""}' [Thu Jul 11 19:22:20 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key [Thu Jul 11 19:22:20 WEST 2019] base64 single line. [Thu Jul 11 19:22:20 WEST 2019] payload64='' [Thu Jul 11 19:22:20 WEST 2019] _request_retry_times='1' [Thu Jul 11 19:22:20 WEST 2019] Use _CACHED_NONCE='' [Thu Jul 11 19:22:20 WEST 2019] nonce='' [Thu Jul 11 19:22:20 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}' [Thu Jul 11 19:22:20 WEST 2019] base64 single line. [Thu Jul 11 19:22:20 WEST 2019] protected64='' [Thu Jul 11 19:22:20 WEST 2019] base64 single line. [Thu Jul 11 19:22:20 WEST 2019] _sig_t='' [Thu Jul 11 19:22:20 WEST 2019] sig='' [Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:20 WEST 2019] POST [Thu Jul 11 19:22:20 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337' [Thu Jul 11 19:22:20 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:20 WEST 2019] _postContentType='application/jose+json' [Thu Jul 11 19:22:20 WEST 2019] Http already initialized. 
[Thu Jul 11 19:22:20 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:22 WEST 2019] _ret='0' [Thu Jul 11 19:22:22 WEST 2019] responseHeaders='HTTP/1.1 100 Continue Expires: Thu, 11 Jul 2019 18:22:21 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache HTTP/1.1 200 OK Server: nginx Content-Type: application/json Content-Length: 470 Boulder-Requester: 00131007 Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Location: https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337 Replay-Nonce: X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Thu, 11 Jul 2019 18:22:22 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 11 Jul 2019 18:22:22 GMT Connection: keep-alive ^M' [Thu Jul 11 19:22:22 WEST 2019] code='200' [Thu Jul 11 19:22:22 WEST 2019] original='{ "status": "valid", "expires": "2019-07-18T18:22:18Z", "identifiers": [ { "type": "dns", "value": "fw.mydomain.com" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz/minez" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337", "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11" }' [Thu Jul 11 19:22:22 WEST 2019] response='{"status":"valid","expires":"2019-07-18T18:22:18Z","identifiers":[{"type":"dns","value":"fw.mydomain.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/minez"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/00131007/700001337","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11"}' [Thu Jul 11 19:22:22 WEST 2019] OK [Thu Jul 11 19:22:22 WEST 2019] 10:Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/00131007/700001337' [Thu Jul 11 19:22:22 WEST 2019] Order status is valid. 
[Thu Jul 11 19:22:22 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11' [Thu Jul 11 19:22:22 WEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11 [Thu Jul 11 19:22:22 WEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11' [Thu Jul 11 19:22:22 WEST 2019] payload [Thu Jul 11 19:22:22 WEST 2019] Use cached jwk for file: /tmp/acme/fw-cert//ca/acme-v02.api.letsencrypt.org/account.key [Thu Jul 11 19:22:22 WEST 2019] base64 single line. [Thu Jul 11 19:22:22 WEST 2019] payload64 [Thu Jul 11 19:22:22 WEST 2019] _request_retry_times='1' [Thu Jul 11 19:22:22 WEST 2019] Use _CACHED_NONCE='' [Thu Jul 11 19:22:22 WEST 2019] nonce='' [Thu Jul 11 19:22:22 WEST 2019] protected='{"nonce": "", "url": "https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11", "alg": "RS256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/00131007"}' [Thu Jul 11 19:22:22 WEST 2019] base64 single line. [Thu Jul 11 19:22:22 WEST 2019] protected64='' [Thu Jul 11 19:22:22 WEST 2019] base64 single line. [Thu Jul 11 19:22:22 WEST 2019] _sig_t='' [Thu Jul 11 19:22:22 WEST 2019] sig='' [Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:22 WEST 2019] POST [Thu Jul 11 19:22:22 WEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11' [Thu Jul 11 19:22:22 WEST 2019] body='{"protected": "", "payload": "", "signature": ""}' [Thu Jul 11 19:22:22 WEST 2019] _postContentType='application/jose+json' [Thu Jul 11 19:22:22 WEST 2019] Http already initialized. 
[Thu Jul 11 19:22:22 WEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/fw-cert//http.header -g ' [Thu Jul 11 19:22:24 WEST 2019] _ret='0' [Thu Jul 11 19:22:24 WEST 2019] responseHeaders='HTTP/1.1 100 Continue Expires: Thu, 11 Jul 2019 18:22:23 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache HTTP/1.1 200 OK Server: nginx Content-Type: application/pem-certificate-chain Content-Length: 3571 Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 Expires: Thu, 11 Jul 2019 18:22:24 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Thu, 11 Jul 2019 18:22:24 GMT Connection: keep-alive ^M' [Thu Jul 11 19:22:24 WEST 2019] code='200' [Thu Jul 11 19:22:24 WEST 2019] original='-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----' [Thu Jul 11 19:22:24 WEST 2019] response='-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----' [Thu Jul 11 19:22:24 WEST 2019] Found cert chain [Thu Jul 11 19:22:24 WEST 2019] _end_n='31' [Thu Jul 11 19:22:24 WEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11' [Thu Jul 11 19:22:24 WEST 2019] OK [Thu Jul 11 19:22:24 WEST 2019] 11:Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/01A02s03e04R05T06y07or08Qwe09Rt10Y11' [Thu Jul 11 19:22:24 WEST 2019] Cert success. [Thu Jul 11 19:22:24 WEST 2019] Your cert is in /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.cer [Thu Jul 11 19:22:24 WEST 2019] Your cert key is in /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key [Thu Jul 11 19:22:24 WEST 2019] APP [Thu Jul 11 19:22:24 WEST 2019] 5:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/' [Thu Jul 11 19:22:24 WEST 2019] v2 chain. 
[Thu Jul 11 19:22:24 WEST 2019] The intermediate CA cert is in /tmp/acme/fw-cert//fw.mydomain.com/ca.cer [Thu Jul 11 19:22:24 WEST 2019] And the full chain certs is there: /tmp/acme/fw-cert//fw.mydomain.com/fullchain.cer [Thu Jul 11 19:22:24 WEST 2019] OK [Thu Jul 11 19:22:24 WEST 2019] 12:Le_CertCreateTime='1562869344' [Thu Jul 11 19:22:24 WEST 2019] OK [Thu Jul 11 19:22:24 WEST 2019] 13:Le_CertCreateTimeStr='Thu Jul 11 18:22:24 UTC 2019' [Thu Jul 11 19:22:24 WEST 2019] OK [Thu Jul 11 19:22:24 WEST 2019] 14:Le_NextRenewTimeStr='Mon Sep 9 18:22:24 UTC 2019' [Thu Jul 11 19:22:24 WEST 2019] OK [Thu Jul 11 19:22:24 WEST 2019] 15:Le_NextRenewTime='1567966944' [Thu Jul 11 19:22:24 WEST 2019] _on_issue_success [Thu Jul 11 19:22:24 WEST 2019] 'dns' contains 'dns' [Thu Jul 11 19:22:24 WEST 2019] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead. [Thu Jul 11 19:22:24 WEST 2019] Call hook error.
Obfuscated a few lines.
This actually caused me some hassle ... looking at this thread I figured this issue would be already fixed. Any thoughts?
-
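The log posted above ends with "Cert success." followed by "Call hook error.", and the two outcomes that produce that last line need different handling: either the order failed and there is no new certificate, or the CA already signed it and only the post-issue hook that imports it into pfSense failed, in which case a manual import or a second Renew is enough. The following triage script is an added example, not code from this thread, the pfSense ACME package or acme.sh. It scans an acme.sh log one entry per line and returns the facts and a verdict; the sample log inside it is constructed from the shape of the log posted above (same domain, paths and Le_NextRenewTime), and the message strings it matches on are the ones visible in that log.

```python
"""Triage a pfSense ACME package (acme.sh) issue/renew log.

Added example, not code from the thread, the pfSense package or acme.sh.
Distinguishes "order failed" from "cert signed, only the import hook
failed", which both end in a 'Call hook error.' line.
"""
import os
import re
from datetime import datetime, timezone

# Constructed sample input: trimmed to the entries that matter, laid out
# one timestamped entry per line as acme.sh writes them.
SAMPLE_LOG = """\
[Thu Jul 11 19:22:13 WEST 2019] Using config home:/tmp/acme/fw-cert/
[Thu Jul 11 19:22:13 WEST 2019] Renew: 'fw.mydomain.com'
[Thu Jul 11 19:22:20 WEST 2019] fw.mydomain.com is already verified, skip dns-01.
[Thu Jul 11 19:22:22 WEST 2019] Order status is valid.
[Thu Jul 11 19:22:24 WEST 2019] Cert success.
[Thu Jul 11 19:22:24 WEST 2019] Your cert is in /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.cer
[Thu Jul 11 19:22:24 WEST 2019] Your cert key is in /tmp/acme/fw-cert//fw.mydomain.com/fw.mydomain.com.key
[Thu Jul 11 19:22:24 WEST 2019] And the full chain certs is there: /tmp/acme/fw-cert//fw.mydomain.com/fullchain.cer
[Thu Jul 11 19:22:24 WEST 2019] 15:Le_NextRenewTime='1567966944'
[Thu Jul 11 19:22:24 WEST 2019] _on_issue_success
[Thu Jul 11 19:22:24 WEST 2019] Call hook error.
"""

_TS = re.compile(r"^\[[^\]]*\]\s*")  # strips "[Thu Jul 11 19:22:13 WEST 2019] "
_PATTERNS = {
    "domain": re.compile(r"Renew: '([^']+)'"),
    "cert": re.compile(r"Your cert is in (\S+)"),
    "key": re.compile(r"Your cert key is in (\S+)"),
    "fullchain": re.compile(r"full chain certs is there: (\S+)"),
    "next_renew": re.compile(r"Le_NextRenewTime='(\d+)'"),
}


def parse_log(text):
    """Return the facts needed for triage, scanning one entry per line."""
    facts = {k: None for k in _PATTERNS}
    facts.update(already_verified=False, cert_success=False, hook_error=False)
    for raw in text.splitlines():
        msg = _TS.sub("", raw).strip()
        if not msg:
            continue
        for key, pat in _PATTERNS.items():
            m = pat.search(msg)
            if m:
                facts[key] = m.group(1)
        if msg.endswith("is already verified, skip dns-01."):
            facts["already_verified"] = True  # the earlier dns-01 authz is still valid
        elif msg == "Cert success.":
            facts["cert_success"] = True      # CA signed the cert, files written
        elif msg == "Call hook error.":
            facts["hook_error"] = True        # post-issue hook (pfSense import) failed
    if facts["next_renew"]:
        facts["next_renew"] = datetime.fromtimestamp(int(facts["next_renew"]), tz=timezone.utc)
    return facts


def verdict(facts):
    """Map the parsed facts to the operator action."""
    if facts["cert_success"] and facts["hook_error"]:
        return "cert-obtained-hook-failed"  # import manually or click Renew again
    if facts["cert_success"]:
        return "ok"
    if facts["hook_error"]:
        return "failed-before-signing"      # no new cert; fix the order/challenge first
    return "unknown"


def missing_files(facts):
    """Paths the log claims were written but that are absent on disk."""
    paths = [facts[k] for k in ("cert", "key", "fullchain") if facts[k]]
    return [p for p in paths if not os.path.exists(p)]


if __name__ == "__main__":
    f = parse_log(SAMPLE_LOG)
    print(f["domain"], verdict(f), f["next_renew"], missing_files(f))
```

Run it against /tmp/acme/<name>/acme_issuecert.log on the firewall; a "cert-obtained-hook-failed" verdict with no missing files means the .cer and .key under /tmp/acme are good to import by hand. Note that the Le_NextRenewTime epoch in the posted log (1567966944) resolves to 2019-09-08 18:22:24 UTC, one day before the Le_NextRenewTimeStr printed next to it; the script reports the epoch value.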
I'm suffering a similar bug but I use the webroot FTP option.
Manually hit the renew button and I see the certificate is renewed BUT it isn't applied on the HTTPS side of my pfSense.
2.4.4-RELEASE-p1
acme security 0.5.8