Acme Certificates error: Invalid response



  • Hello,
    I have a problem with the Letsencrypt service. I tried everything without success.
    Thank you for your help.
    Method: Webroot local folder

    CA_pfsense_forgertien
    Renewing certificate
    account: CA_pfsense_forgertien
    server: letsencrypt-production

    /usr/local/pkg/acme/acme.sh --issue -d 'pirona.com' --home '/tmp/acme/CA_pfsense_forgertien/' --accountconf '/tmp/acme/CA_pfsense_forgertien/accountconf.conf' --force --reloadCmd '/tmp/acme/CA_pfsense_forgertien/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/CA_pfsense_forgertien/acme_issuecert.log'

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [folder] => /usr/local/www/.well-known/acme-challenge/
    )
    [Thu Mar 8 16:26:18 GMT 2018] Registering account
    [Thu Mar 8 16:26:19 GMT 2018] Already registered
    [Thu Mar 8 16:26:20 GMT 2018] ACCOUNT_THUMBPRINT='m8vYqBL4av_L-0EV55e-MWS4bVjaPuwWWCTPqDUjRzw'
    [Thu Mar 8 16:26:20 GMT 2018] Single domain='pirona.com'
    [Thu Mar 8 16:26:20 GMT 2018] Getting domain auth token for each domain
    [Thu Mar 8 16:26:20 GMT 2018] Getting webroot for domain='pirona.com'
    [Thu Mar 8 16:26:20 GMT 2018] Getting new-authz for domain='pirona.com'
    [Thu Mar 8 16:26:21 GMT 2018] The new-authz request is ok.
    [Thu Mar 8 16:26:21 GMT 2018] Verifying:pirona.com
    [Thu Mar 8 16:26:21 GMT 2018] Found domain http api file: /tmp/acme/CA_pfsense_forgertien//httpapi/pfSenseacme.sh

    challenge_response_put CA_pfsense_forgertien, pirona.com
    FOUND domainitemwebroot
    put token at: /usr/local/www/.well-known/acme-challenge//M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y
    [Thu Mar 8 16:26:25 GMT 2018] Found domain http api file: /tmp/acme/CA_pfsense_forgertien//httpapi/pfSenseacme.sh
    [Thu Mar 8 16:26:25 GMT 2018] pirona.com:Verify error:Invalid response from http://pirona.com/.well-known/acme-challenge/M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y:
    [Thu Mar 8 16:26:26 GMT 2018] Please check log file for more details: /tmp/acme/CA_pfsense_forgertien/acme_issuecert.log

    ![pro4545.pirona.com - Services Acme Certificate options Edit.png](/public/imported_attachments/1/pro4545.pirona.com - Services Acme Certificate options Edit.png)
    ![Screenshot-2018-3-8 pro4545 pirona com - Services Acme Certificate optionst.png](/public/imported_attachments/1/Screenshot-2018-3-8 pro4545 pirona com - Services Acme Certificate optionst.png)



  • pirona.com is for sale …
    Are you sure it's yours? And if so, did acme really create http://pirona.com//usr/local/www/.well-known/acme-challenge//M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y (the web GUI webroot ????) - is your GUI really accessible like this http://pirona.com/.well-known/acme-challenge/M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y ??????

    You read https://doc.pfsense.org/index.php/ACME_package ?



  • @Gertjan:

    pirona.com is for sale …
    Are you sure it's yours? And if so, did acme really create http://pirona.com//usr/local/www/.well-known/acme-challenge//M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y (the web GUI webroot ????) - is your GUI really accessible like this http://pirona.com/.well-known/acme-challenge/M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y ??????

    You read https://doc.pfsense.org/index.php/ACME_package ?

    The domain is not available on the internet. Should I have a real domain to validate the ACME certificate?


  • Rebel Alliance Developer Netgate

    Yes. It requires a real, valid domain name. And using webroot or standalone mode on pfSense requires that the domain name point to your WAN IP address and that your firewall expose port 80 and/or 443 (depending on the mode) to the world, which is not good.

    Get a real domain name, pick one of the providers that offers a DNS update method supported by the ACME package (there is a list in the certificate options), and then use that to update. You don't have to publicly expose anything on your firewall for DNS updates.
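
    An added example, not code from the thread, the pfSense ACME package or acme.sh, showing what the CA actually checks in the two challenge types discussed above. The token and account thumbprint are the ones printed in the log in the first post; the function names, the sample JWK and the sample HTTP responses are constructed for illustration. For HTTP-01 the CA fetches the challenge URL from the public internet and expects the body to be exactly the key authorization (token, a dot, the account key thumbprint), which is why the domain must resolve to the firewall's WAN address and port 80 must be reachable. For DNS-01 the CA instead looks up a TXT record whose value is derived from the same key authorization, so nothing on the firewall has to be exposed.

```python
"""ACME challenge helpers (RFC 8555 sections 8.1, 8.3 and 8.4): key authorization,
HTTP-01 URL/body, DNS-01 TXT record, and a checker that judges a fetched challenge
response the way a CA validator would. Added example, not code from the pfSense
ACME package or acme.sh."""
import base64
import hashlib
import json

# Values copied from the acme.sh log in the first post: the token is the last path
# element of the challenge URL, the thumbprint is the ACCOUNT_THUMBPRINT line.
LOG_TOKEN = "M5RxxXkv7jO1_Z-mU21ar7bcVYXbnhb_VYZaunm5y8Y"
LOG_THUMBPRINT = "m8vYqBL4av_L-0EV55e-MWS4bVjaPuwWWCTPqDUjRzw"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used everywhere in ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form of a public JWK: required members only,
    lexicographic key order, no whitespace. Extra members (alg, use, kid) are dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account key; this is what acme.sh logs as ACCOUNT_THUMBPRINT."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """Key authorization string: token '.' thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint}"


def http01_url(domain: str, token: str) -> str:
    """URL the CA fetches for HTTP-01; the file content must be the key authorization."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_record(domain: str, token: str, thumbprint: str):
    """(name, value) of the TXT record the CA queries for DNS-01:
    value = b64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def check_http01_response(status: int, body: str, token: str, thumbprint: str):
    """Judge the final response to the challenge URL. Real validators also follow
    redirects and fetch from several vantage points; this checker only looks at the
    final status code and body, and tolerates trailing whitespace like the RFC allows."""
    expected = key_authorization(token, thumbprint)
    if status != 200:
        return False, f"HTTP {status}: nothing served at the challenge URL"
    if body.rstrip() == expected:
        return True, "key authorization matches"
    if "<html" in body.lower():
        return False, ("a web server answered with an HTML page, not the challenge file "
                       "(wrong host behind the name, a GUI or portal on port 80, or wrong webroot)")
    return False, "body is not the key authorization (stale token or different account key)"


if __name__ == "__main__":
    print("HTTP-01 URL :", http01_url("pirona.com", LOG_TOKEN))
    print("file body   :", key_authorization(LOG_TOKEN, LOG_THUMBPRINT))
    print("DNS-01 TXT  :", dns01_record("pirona.com", LOG_TOKEN, LOG_THUMBPRINT))
    # Constructed responses: the file served correctly, a 404, and a login page.
    for status, body in [(200, key_authorization(LOG_TOKEN, LOG_THUMBPRINT) + "\n"),
                         (404, "Not Found"),
                         (200, "<html><body>Login</body></html>")]:
        print(status, check_http01_response(status, body, LOG_TOKEN, LOG_THUMBPRINT))
```

    Run it before opening a ticket: put the printed file body at the printed URL, fetch that URL from a host outside your network, and feed the status and body to `check_http01_response`. If the answer is a 404 or an HTML page, the name does not reach the firewall's webroot from the internet, and no amount of retrying the issue command will help; the DNS-01 path above needs only the TXT record.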