ACMEv2 is live!


  • Rebel Alliance Developer Netgate

    The wonderful crew at Let's Encrypt have officially released the ACMEv2 servers for production use!

    If you have the latest version of the ACME package on pfSense, 0.2.4, you can register a new key against the ACMEv2 production server and then use it to sign a key which includes wildcard domains.

    Wildcard validation requires a DNS-based method, and works similarly to validating a regular domain. For example, to get a certificate for "*.example.com", you need to update a TXT record in DNS the same as you would for "example.com", which means the DNS record (and potentially key name) would be for "_acme-challenge.example.com".

    As a reminder unrelated to ACME but applicable to wildcard certificates in general, the wildcard only helps for one level of subdomains deep. For example, "*.example.com" will work for "host.example.com" but will NOT work for "host.sub.example.com". If your hosts are structured in this way, you will need a wildcard certificate for each sub zone, e.g. "*.sub.example.com".

    For more information on how to use the ACME package on pfSense, see https://doc.pfsense.org/index.php/ACME_package

    EDIT: I just pushed version 0.2.5 to sync up with acme.sh bugfixes for issues found after the ACME v2 launch, plus a fix for the "No Key ID in JWS header" error seen by some users when first attempting to issue a wildcard certificate.
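    The record-naming and one-level-scope rules described in this post, as an added example in Python (this is not code from the pfSense ACME package or from acme.sh). It derives the "_acme-challenge" name for a wildcard or plain identifier, checks which hostnames a wildcard certificate name actually covers, works out which wildcard zones a list of hosts needs, and computes the TXT value a DNS-01 responder must publish: base64url(SHA-256(token "." account-key-thumbprint)) per RFC 8555 section 8.4, with the thumbprint computed per RFC 7638. The RSA public key is the RFC 7638 section 3.1 example key; the challenge token is made up.

```python
"""Wildcard scope and DNS-01 challenge helpers.

Added example illustrating ACME DNS-01 (RFC 8555 s8.4) and JWK thumbprints
(RFC 7638).  Not part of the pfSense ACME package or acme.sh.
"""
import base64
import hashlib
import json


def dns01_record_name(identifier: str) -> str:
    """Name of the TXT record the CA queries for a DNS-01 challenge.

    A wildcard '*.example.com' is validated at the same name as the bare
    'example.com': the leading '*.' is dropped before prefixing.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Certificate name matching as browsers apply it.

    '*' stands for exactly one DNS label, so '*.example.com' covers
    'host.example.com' but neither 'example.com' nor 'host.sub.example.com'.
    A non-wildcard pattern must match exactly (case-insensitively).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return (
        len(hlabels) == len(plabels)
        and hlabels[1:] == plabels[1:]
        and hlabels[0] != ""
    )


def wildcards_needed(hostnames) -> set:
    """Set of '*.zone' names needed to cover every hostname: one per parent zone."""
    zones = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 2:
            raise ValueError(f"{host!r}: need at least one label below a zone")
        zones.add("*." + ".".join(labels[1:]))
    return zones


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace.  RSA uses e, kty, n."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value to publish in the _acme-challenge TXT record (RFC 8555 s8.4):
    base64url(SHA-256(keyAuthorization)), keyAuthorization = token '.' thumbprint."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode()).digest())


# Example RSA public key from RFC 7638 section 3.1 (public material only).
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": (
        "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_"
        "BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_"
        "FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4"
        "vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"
    ),
}

if __name__ == "__main__":
    for name in ("*.example.com", "example.com"):
        print(name, "->", dns01_record_name(name))
    for host in ("host.example.com", "host.sub.example.com", "example.com"):
        print("*.example.com covers", host, wildcard_covers("*.example.com", host))
    print(wildcards_needed(["host.example.com", "host.sub.example.com"]))
    print("thumbprint", jwk_thumbprint(RFC7638_EXAMPLE_JWK))
    print("TXT value ", dns01_txt_value("made-up-token", RFC7638_EXAMPLE_JWK))  # token is constructed
```

    Both "*.example.com" and "example.com" resolve to the same challenge name, which is why an order containing both identifiers needs two TXT records at "_acme-challenge.example.com" at once (or sequential updates), and why the account key matters: the TXT value is bound to the account-key thumbprint, so a record published for one account is useless to another.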



  • I generated a wildcard cert about an hour ago on 0.2.3, and a different wildcard on 0.2.4 just now. Both work great! Thanks jimp (and pfSense crew)!



  • I have generated a few myself.

    I will note that every once in a while I was getting an error "Le_OrderFinalize not found" and even posted a bug report here thinking I had found a workaround; it turns out simply retrying after a minute or so would let it work.

    EDIT: I will note the errors were with 0.2.3. I see there was a small change in 0.2.4 that may have resolved it.


  • Rebel Alliance Developer Netgate

    Yes, the fix in 0.2.4 should help there. It's also entirely possible the servers are a bit loaded due to the service just coming online, so retrying is a good idea as well if it fails. I had more than one attempt completely time out earlier just after the launch.


  • Rebel Alliance Developer Netgate

    @Napsterbater:

    I have generated a few myself.

    I will note that every once in a while I was getting an error "Le_OrderFinalize not found" and even posted a bug report here thinking I had found a workaround; it turns out simply retrying after a minute or so would let it work.

    EDIT: I will note the errors were with 0.2.3. I see there was a small change in 0.2.4 that may have resolved it.

    I pushed a fix in 0.2.5 that might address this as well, there was another way that sort of error could happen.



    What wonderful news! Yesterday I was just wondering when this package would be updated… but it was already ready! :)

    So I tried this morning, first by generating a new certificate, but I had a (justified) error:

    "A wildcard 'Domainname' is present but the ACME Account key is not registered to an ACME v2 server."
    

    So I clicked on "Account keys" > "Add" to generate a new one… and then I had an (unexpected) PHP error:

    PHP ERROR: Type: 4096, File: /usr/local/www/classes/Form/Input.class.php, Line: 145, Message: Argument 2 passed to Form_Input::setHelp() must be of the type array, string given, called in /usr/local/www/acme/acme_accountkeys_edit.php on line 218 and defined
    

    Is that a direct error from pfSense or from the new ACME package?

    Information: pfSense 2.3.5-RELEASE (i386)

    If you need more info, I'm available.

    Thanks for your work!


  • Rebel Alliance Developer Netgate

    Appears to be a bug, I'll check it out and fix it up ASAP. Looks like it's a quirk in how the help text is processed on 2.3.x compared to 2.4.x


  • Rebel Alliance Developer Netgate

    @sowil:

    Is that a direct error from pfSense or from the new ACME package?

    Information: pfSense 2.3.5-RELEASE (i386)

    You should see ACME package version 0.2.5_1 show up shortly, it contains a fix for this for 2.3.x users.

    Users on 2.4.x will see the update but it doesn't really matter for them, I bumped the version to keep it in line so my next batch of enhancements will be easier to merge across all branches.



    Already available… Wow, thank you!

    New account key created, new wildcard certificate generated... Per-fect ;)

    Thanks for the fast, good service!



  • The original topic for this said:

    If you have the latest version of the ACME package on pfSense, 0.2.4, …

    Sorry for the unfamiliarity! How do I get the latest ACME package on a 0.2.4 pfSense installation?

    Thanks!

    /Jeff


  • Rebel Alliance Developer Netgate

    @jeffc:

    Sorry for the unfamiliarity! How do I get the latest ACME package on a 0.2.4 pfSense installation?

    The latest version of pfSense is 2.4.2-p1 (or 2.3.5-p1).  The latest version of the ACME package is 0.2.5_1 (there were some changes after 0.2.4). You get it by visiting System > Packages. If the package is already installed, click the little upgrade icon next to the package name to update it. If the package is not installed, visit the Available Packages tab and install it from there.



    @jimp: my first wildcard… I'm impressed. Great work!

    Btw: I guess it's time to open a child forum under the Packages forum for the ACME package.



  • Dear All,

    Unfortunately, this does not work for everyone, yet.

    Two weeks ago, I did set up everything required to use the DNS-NSupdate / RFC 2136 method. I also tried with Let's Encrypt Staging ACME v2 and everything did work with and without wildcard certificates.

    Now, it does not work anymore, unfortunately. I always get the following error when requesting a v2 certificate (even for a domain not used before on that particular pfSense machine) with staging and production v2 (while it does work when changing to v1):

    [Sat Mar 17 23:10:46 CET 2018] Getting domain auth token for each domain
    [Sat Mar 17 23:10:49 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
    [Sat Mar 17 23:10:49 CET 2018] Please check log file for more details: /tmp/acme/…/acme_issuecert.log

    After that, the cert manager does contain "private key only" but no certificate.

    Does someone have advice on how to proceed?

    Regards,

    Michael



  • @michaelschefczyk:

    Dear All,

    Unfortunately, this does not work for everyone, yet.

    Two weeks ago, I did set up everything required to use the DNS-NSupdate / RFC 2136 method. I also tried with Let's Encrypt Staging ACME v2 and everything did work with and without wildcard certificates.

    Now, it does not work anymore, unfortunately. I always get the following error when requesting a v2 certificate (even for a domain not used before on that particular pfSense machine) with staging and production v2 (while it does work when changing to v1):

    [Sat Mar 17 23:10:46 CET 2018] Getting domain auth token for each domain
    [Sat Mar 17 23:10:49 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
    [Sat Mar 17 23:10:49 CET 2018] Please check log file for more details: /tmp/acme/…/acme_issuecert.log

    After that, the cert manager does contain "private key only" but no certificate.

    Does someone have advice on how to proceed?

    Regards,

    Michael

    That was the error I was getting, and retrying 2 or 3 times with a few minutes in between was all it took for it to work for me.



    v0.2.5_1 still does not work:

    [Sat Mar 17 16:47:38 CST 2018] readlink exists=0
    [Sat Mar 17 16:47:38 CST 2018] dirname exists=0
    [Sat Mar 17 16:47:38 CST 2018] Lets find script dir.
    [Sat Mar 17 16:47:38 CST 2018] SCRIPT='/usr/local/pkg/acme/acme.sh'
    [Sat Mar 17 16:47:38 CST 2018] _script='/usr/local/pkg/acme/acme.sh'
    [Sat Mar 17 16:47:38 CST 2018] _script_home='/usr/local/pkg/acme'
    [Sat Mar 17 16:47:38 CST 2018] Using config home:/tmp/acme/xiao.net/
    [Sat Mar 17 16:47:38 CST 2018] APP
    [Sat Mar 17 16:47:38 CST 2018] 2:LOG_FILE='/tmp/acme/xiao.net/acme_issuecert.log'
    [Sat Mar 17 16:47:38 CST 2018] APP
    [Sat Mar 17 16:47:38 CST 2018] 3:LOG_LEVEL='3'
    [Sat Mar 17 16:47:38 CST 2018] LE_WORKING_DIR='/tmp/acme/xiao.net/'
    [Sat Mar 17 16:47:38 CST 2018] _main_domain='xiao.net'
    [Sat Mar 17 16:47:38 CST 2018] _alt_domains='*.xiao.net'
    [Sat Mar 17 16:47:38 CST 2018] Using config home:/tmp/acme/xiao.net/
    [Sat Mar 17 16:47:38 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Mar 17 16:47:38 CST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat Mar 17 16:47:38 CST 2018] CA_CONF='/tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/ca.conf'
    [Sat Mar 17 16:47:38 CST 2018] DOMAIN_PATH='/tmp/acme/xiao.net//xiao.net'
    [Sat Mar 17 16:47:38 CST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Sat Mar 17 16:47:38 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Sat Mar 17 16:47:38 CST 2018] GET
    [Sat Mar 17 16:47:38 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Mar 17 16:47:38 CST 2018] timeout=
    [Sat Mar 17 16:47:38 CST 2018] curl exists=0
    [Sat Mar 17 16:47:38 CST 2018] wget exists=127
    [Sat Mar 17 16:47:38 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g '
    [Sat Mar 17 16:50:11 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
    [Sat Mar 17 16:50:11 CST 2018] ret='7'
    [Sat Mar 17 16:50:11 CST 2018] response
    [Sat Mar 17 16:50:11 CST 2018] Can not init api.
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 1:Le_Domain='xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 2:Le_Alt='*.xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 3:Le_Webroot='dns_nsupdate'
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 4:Le_PreHook=''
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 5:Le_PostHook=''
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 6:Le_RenewHook=''
    [Sat Mar 17 16:50:11 CST 2018] APP
    [Sat Mar 17 16:50:11 CST 2018] 7:Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Mar 17 16:50:11 CST 2018] _on_before_issue
    [Sat Mar 17 16:50:11 CST 2018] _chk_main_domain='xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] _chk_alt_domains='*.xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] 'dns_nsupdate' does not contain 'no'
    [Sat Mar 17 16:50:11 CST 2018] Le_LocalAddress
    [Sat Mar 17 16:50:11 CST 2018] d='xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] Check for domain='xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] _currentRoot='dns_nsupdate'
    [Sat Mar 17 16:50:11 CST 2018] d='*.xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] Check for domain='*.xiao.net'
    [Sat Mar 17 16:50:11 CST 2018] _currentRoot='dns_nsupdate'
    [Sat Mar 17 16:50:11 CST 2018] d
    [Sat Mar 17 16:50:11 CST 2018] 'dns_nsupdate' does not contain 'apache'
    [Sat Mar 17 16:50:11 CST 2018] config file is empty, can not read CA_KEY_HASH
    [Sat Mar 17 16:50:11 CST 2018] _saved_account_key_hash
    [Sat Mar 17 16:50:11 CST 2018] Using config home:/tmp/acme/xiao.net/
    [Sat Mar 17 16:50:11 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Mar 17 16:50:11 CST 2018] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat Mar 17 16:50:11 CST 2018] CA_CONF='/tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/ca.conf'
    [Sat Mar 17 16:50:11 CST 2018] _regAccount
    [Sat Mar 17 16:50:11 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Sat Mar 17 16:50:11 CST 2018] GET
    [Sat Mar 17 16:50:11 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
    [Sat Mar 17 16:50:11 CST 2018] timeout=
    [Sat Mar 17 16:50:11 CST 2018] curl exists=0
    [Sat Mar 17 16:50:11 CST 2018] wget exists=127
    [Sat Mar 17 16:50:11 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g '
    [Sat Mar 17 16:50:26 CST 2018] ret='0'
    [Sat Mar 17 16:50:26 CST 2018] response='{
      "jRY5HULISn4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Sat Mar 17 16:50:26 CST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_AUTHZ
    [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Sat Mar 17 16:50:26 CST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Sat Mar 17 16:50:26 CST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Sat Mar 17 16:50:26 CST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat Mar 17 16:50:26 CST 2018] ACME_VERSION='2'
    [Sat Mar 17 16:50:26 CST 2018] RSA key
    [Sat Mar 17 16:50:26 CST 2018] pub_exp='010001'
    [Sat Mar 17 16:50:26 CST 2018] xxd exists=127
    [Sat Mar 17 16:50:26 CST 2018] base64 single line.
    [Sat Mar 17 16:50:26 CST 2018] _URGLY_PRINTF='1'
    [Sat Mar 17 16:50:26 CST 2018] e='AQAB'
    [Sat Mar 17 16:50:26 CST 2018] modulus='…'
    [Sat Mar 17 16:50:26 CST 2018] base64 single line.
    [Sat Mar 17 16:50:26 CST 2018] xxd exists=127
    [Sat Mar 17 16:50:26 CST 2018] _URGLY_PRINTF='1'
    [Sat Mar 17 16:50:26 CST 2018] n='6sJO6GHfcgH0UXyczetX5BmAnpoECWpOfEWR2W4PVyygywKNMA_k7v0ZJog3ZhDqGAme8B_H9vXnkZ7DFtYJ8icXnwJWDOxlHRUT9Vbq5AcUNzdClS3I8IDvATGtXor5ME-7AVpE_cxozICQoDL5XlgWsJN9b_m-Yv0GtJ3AI1CCjE_171_7kI0kGaxQQY4__wZFztPNewTmg9r0qB3gtoUEvb33OKb3qscP6g84vITwHDfIl4ocj-PzSJhroD87AdfC7iLjy9ueI-vmgkvI-t34XNqCMwD_oTrd_diMEf5zSSBjULH7hh4n74E6227L4LrHseQozeDeYvfP73pPRI4pzSWRxtds0V0PaQ0ZIlHDfbGOQ6gSTlzTgp6agvixz3mxHmVlXMAa5zWfqJb4LbcrIFUwBVqGxwXNDEDXPXMTkissimKu3AgX9JeMdiwgjeYaaoUqktEu52odpjqtl06kYXO2v7_mG2CqODmkaAnSSqykhyZTyyTH-O5mngOL37DL4RNaIhAOGcNtpCPh2xltEPHh3-Qsbe5oWC7Loh48OfJex_WFdlGRHdCaaQkDDwGq0V_WNp8'
    [Sat Mar 17 16:50:26 CST 2018] jwk='{"e": "AQAB", "kty": "RSA", "n": "6sJO6GHfcgH0UXyczetX5BmAnpoECWpOfEWR2W4PVyygywKNMA_k7v0ZJog3ZhDqGAme8B_H9vXnkZ7DFtYJ8icXnwJWDOxlHRUT9Vbq5AcUNzdClS3I8IDvATGtXor5ME-7AVpE_cxozICQoDL5XlgWsJN9b_m-Yv0GtJ3AI1CCjE_17133OKb3qscP6g84vITwHDfIl4ocj-qJM_M6awjeWTV82BP9JEg1lOosGYLef0QRhlJC48fL937l2DrYpDXs7VekOVMBl_MkNomCM6xu58_wwPL9v_RROx0bId4EIGPzSJhroD87AdfC7iLjy9ueI-vmgkvI-t34XNqCMwD_oTrd_diMEf5zSSBjULH7hh4n74E6227L4LrHseQozeDeYvfP73pPRI4pzSWRxtds0V0PaQ0ZIlHDfbGOQ6gSTlzTgp6agvixz3mxHmVlXMAa5zWfqJb4LbcrIFUwBVqGxwXNDEDXPXMTkissimKu3AgX9JeMdiwgjeYaaoUqktEu52odpjqtl06kYXO2v7_mG2CqODmkaAnSSqykhyZTyyTH-O5mngOL37DL4RNaIhAOGcNtpCPh2xltEPHh3-Qsbe5oWC7Loh48OfJex_WFdlGRHdCaaQkDDwGq0V_WNp8"}'
    [Sat Mar 17 16:50:26 CST 2018] JWK_HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "6sJO6GHfcgH0UXyczetX5BmAnpoECWpOfEWR2W4PVyygywKNMA_k7v0ZJog3ZhDqGAme8B_H9vXnkZ7DFtYJ8icXnwJWDOxlHRUT9Vbq5AcUNzdClS3I8IDvATGtXor5ME-7AVpE_cxozICQoDL5XlgWsJN9b_m-Yv0GtJ3AI1CCjE_17TwHDfIl4ocj-qJM_M6awjeWTV82BP9JEg1lOosGYLef0QRhlJC48fL937l2DrYpDXs7VekOVMBl_MkNomCM6xu58_wwPL9v_RROx0bId4EIGPzSJhroD87AdfC7iLjy9ueI-vmgkvI-t34XNqCMwD_oTrd_diMEf5zSSBjULH7hh4n74E6227L4LrHseQozeDeYvfP73pPRI4pzSWRxtds0V0PaQ0ZIlHDfbGOQ6gSTlzTgp6agvixz3mxHmVlXMAa5zWfqJb4LbcrIFUwBVqGxwXNDEDXPXMTkissimKu3AgX9JeMdiwgjeYaaoUqktEu52odpjqtl06kYXO2v7_mG2CqODmkaAnSSqykhyZTyyTH-O5mngOL37DL4RNaIhAOGcNtpCPh2xltEPHh3-Qsbe5oWC7Loh48OfJex_WFdlGRHdCaaQkDDwGq0V_WNp8"}}'
    [Sat Mar 17 16:50:26 CST 2018] Registering account
    [Sat Mar 17 16:50:26 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Sat Mar 17 16:50:26 CST 2018] payload='{"termsOfServiceAgreed": true}'
    [Sat Mar 17 16:50:26 CST 2018] Use cached jwk for file: /tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/account.key
    [Sat Mar 17 16:50:26 CST 2018] base64 single line.
    [Sat Mar 17 16:50:26 CST 2018] payload64='eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9'
    [Sat Mar 17 16:50:26 CST 2018] _request_retry_times='0'
    [Sat Mar 17 16:50:26 CST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat Mar 17 16:50:26 CST 2018] HEAD
    [Sat Mar 17 16:50:26 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat Mar 17 16:50:26 CST 2018] body
    [Sat Mar 17 16:50:26 CST 2018] curl exists=0
    [Sat Mar 17 16:50:26 CST 2018] wget exists=127
    [Sat Mar 17 16:50:26 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
    [Sat Mar 17 16:51:44 CST 2018] _ret='0'
    [Sat Mar 17 16:51:44 CST 2018] _headers='HTTP/1.1 204 No Content
    Server: nginx
    Replay-Nonce: MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Sat, 17 Mar 2018 08:51:44 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Mar 2018 08:51:44 GMT
    Connection: keep-alive

    '
    [Sat Mar 17 16:51:44 CST 2018] _CACHED_NONCE='MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg'
    [Sat Mar 17 16:51:44 CST 2018] nonce='MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg'
    [Sat Mar 17 16:51:44 CST 2018] protected='{"nonce": "MxB-Epz9-0zC8EJKa970oigQcoNAGJfK6MzgM2ksMtg", "url": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "6sJO6GHfcgH0UXyczetX5BmAnpoECWpOfEWR2W4PVyygywKNMA_k7v0ZJog3ZhDqGAme8B_H9vXnkZ7DFtYJ8icXnwJWDOxlHRUT9Vbq5AcUNzdClS3I8IDvATGtXor5ME-7AVpE_cxozICQoDL5XlgWsJN9b_m-Yv0GtJ3AI1CCjE_171_7kI0kGaxQQY4__wZFztPNewTmg9r0qB3gtoUEvb33OKb3qscP6g84vITwHDfIl4ocj-qJM_M6awjeWTV82BP9JEg1lOosGYLef0QRhl0V0PaQ0ZIlHDfbGOQ6gSTlzTgp6agvixz3mxHmVlXMAa5zWfqJb4LbcrIFUwBVqGxwXNDEDXPXMTkissimKu3AgX9JeMdiwgjeYaaoUqktEu52odpjqtl06kYXO2v7_mG2CqODmkaAnSSqykhyZTyyTH-O5mngOL37DL4RNaIhAOGcNtpCPh2xltEPHh3-Qsbe5oWC7Loh48OfJex_WFdlGRHdCaaQkDDwGq0V_WNp8"}}'
    [Sat Mar 17 16:51:44 CST 2018] base64 single line.
    [Sat Mar 17 16:51:45 CST 2018] protected64='…'
    [Sat Mar 17 16:51:45 CST 2018] base64 single line.
    [Sat Mar 17 16:51:45 CST 2018] _sig_t='…'
    [Sat Mar 17 16:51:45 CST 2018] sig='j07O97S0F4ASNHhZgdWd5KOQ6MsoKGNn6uI0knA_NDcQa0g12jNk97ZvrYWfHC9fzgxGj8dYCJF6zkxqihxjtB-VkyLx11LwscMK3o8KyceyagapWXvTJOCVyZgI6xqFQIKSKMIZRY054KWinFZoCqhhdFquFAnPXT2b17cb3-UI323M5bRRShCxs43blYLzfE8muAqL-dh1nePdBIWJDoSp7epkFWiKPC9m_LSjTeQzBDEI56EuOCIS01uOSxx_SJEtKjwfqW7Z_Y3iBWDXW0LKtfm_xitvZAotdKFoqe7p67HxJMCrjlzEyAyp2h_VBmeLK-Whin6UG8IgH-IioB3SWXgtDOCUmwFuCaxx69bYwZGClu9PdmBbiokwqMfHYedZWlDyzLxteNLcQSs_03S79jnB0wlL9_7sPlaq2-R3x-cdVqy8r1u_QKk063yirdrKofYBvHyEod3F4rgLnKN1t0'
    [Sat Mar 17 16:51:45 CST 2018] body='{"protected": "…", "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9", "signature": "j07O97S0F4ASNHhZgdWd5KOQ6MsoKGNn6uI0knA_NDcQa0g12jNk97ZvrYWfHC9fzgxGj8dYCJF6zkxqihxjtB-VkyLx11LwscMK3o8KyceyagapWXvTJOCVyZgI6xqFQIKKK0m7sg09pR_47mbEecLq9t-Flmu_8uJFU8BcuR6pn5urFajR2mHjkyAa29h6cRbnOFlBl0euU8iH9KTcoE4FWW3HTgUNEOyH5fmqUasoVMfmVuv22MF4Q-vhTJrCQNQI0h9Dqxqu90W1Eb5Nwp4KDOkMNV9R5fJoPZkzedA7coUaN5nadQZR46HtH9nNQZp12W2i4LG2NyB48SxOSKMIZRY054KWinFZoCqhhdFquFAnPXT2b17cb3-UI323M5bRRShCxs43blYLzfE8muAqL-dh1nePdBIWJDoSp7epkFWiKPC9m_LSjTeQzBDEI56EuOCIS01uOSxx_SJEtKjwfqW7Z_Y3iBWDXW0LKtfm_xitvZAotdKFoqe7p67HxJMCrjlzEyAyp2h_VBmeLK-Whin6UG8IgH-IioB3SWXgtDOCUmwFuCaxx69bYwZGClu9PdmBbiokwqMfHYedZWlDyzLxteNLcQSs_03S79jnB0wlL9_7sPlaq2-R3x-cdVqy8r1u_QKk063yirdrKofYBvHyEod3F4rgLnKN1t0"}'
    [Sat Mar 17 16:51:45 CST 2018] POST
    [Sat Mar 17 16:51:45 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Sat Mar 17 16:51:45 CST 2018] body='{"protected": "…", "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9", "signature": "j07O97S0F4ASNHhZgdWd5KOQ6MsoKGNn6uI0knA_NDcQa0g12jNk97ZvrYWfHC9fzgxGj8dYCJF6zkxqihxjtB-VkyLx11LwscMK3o8KyceyagapWXvTJOCVyZgI6xqFQIKKK0m7sg09pR_47mbEecLq9t-Flmu_8uJFU8BcuR6pn5urFajR2mHjkyAa29h6cRbnOFlBl0euU8iH9KTcoE4FWW3HTgUNEOyH5fmqUasoVMfmVuv22MF4Q-vhTJrCQNQI0h9Dqxqu90W1Eb5Nwp4KDOkMNV9R5fJoPZkzedA7coUaN5nadQZR46HtH9nNQZp12W2i4LG2NyB48SxOSKMIZRY054KWinFZoCqhhdFquFAnPXT2b17cb3-UI323M5bRRShCxs43blYLzfE8muAqL-dh1nePdBIWJDoSp7epkFWiKPC9m_LSjTeQzBDEI56EuOCIS01uOSxx_SJEtKjwfqW7Z_Y3iBWDXW0LKtfm_xitvZAotdKFoqe7p67HxJMCrjlzEyAyp2h_VBmeLK-Whin6UG8IgH-IioB3SWXgtDOCUmwFuCaxx69bYwZGClu9PdmBbiokwqMfHYedZWlDyzLxteNLcQSs_03S79jnB0wlL9_7sPlaq2-R3x-cdVqy8r1u_QKk063yirdrKofYBvHyEod3F4rgLnKN1t0"}'
    [Sat Mar 17 16:51:45 CST 2018] Http already initialized.
    [Sat Mar 17 16:51:45 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
    [Sat Mar 17 16:53:31 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 52
    [Sat Mar 17 16:53:31 CST 2018] _ret='52'
    [Sat Mar 17 16:53:31 CST 2018] original
    [Sat Mar 17 16:53:31 CST 2018] responseHeaders
    [Sat Mar 17 16:53:31 CST 2018] response
    [Sat Mar 17 16:53:31 CST 2018] code
    [Sat Mar 17 16:53:31 CST 2018] Registered
    [Sat Mar 17 16:53:31 CST 2018] _accUri
    [Sat Mar 17 16:53:31 CST 2018] APP
    [Sat Mar 17 16:53:31 CST 2018] 1:ACCOUNT_URL=''
    [Sat Mar 17 16:53:31 CST 2018] base64 single line.
    [Sat Mar 17 16:53:31 CST 2018] Calc CA_KEY_HASH='74GXJ5o2fPNBjEtcXrjwFCN4mWwOVoairbac='
    [Sat Mar 17 16:53:31 CST 2018] APP
    [Sat Mar 17 16:53:31 CST 2018] 2:CA_KEY_HASH='74GXJ5o2fPNBjEtcXrjwFCNVoairbac='
    [Sat Mar 17 16:53:31 CST 2018] base64 single line.
    [Sat Mar 17 16:53:31 CST 2018] ACCOUNT_THUMBPRINT='UC3ABjg7BqgM9JkZy3Wf3N0LXVnErJrh5Kyw'
    [Sat Mar 17 16:53:31 CST 2018] Read key length:
    [Sat Mar 17 16:53:31 CST 2018] _createcsr
    [Sat Mar 17 16:53:31 CST 2018] domain='xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] domainlist='*.xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] csrkey='/tmp/acme/xiao.net//xiao.net/xiao.net.key'
    [Sat Mar 17 16:53:31 CST 2018] csr='/tmp/acme/xiao.net//xiao.net/xiao.net.csr'
    [Sat Mar 17 16:53:31 CST 2018] csrconf='/tmp/acme/xiao.net//xiao.net/xiao.net.csr.conf'
    [Sat Mar 17 16:53:31 CST 2018] _is_idn_d='*.xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] _idn_temp
    [Sat Mar 17 16:53:31 CST 2018] domainlist='*.xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] Multi domain='DNS:xiao.net,DNS:*.xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] _is_idn_d='xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] _idn_temp
    [Sat Mar 17 16:53:31 CST 2018] _csr_cn='xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] APP
    [Sat Mar 17 16:53:31 CST 2018] 8:Le_Keylength=''
    [Sat Mar 17 16:53:31 CST 2018] Getting domain auth token for each domain
    [Sat Mar 17 16:53:31 CST 2018] d='*.xiao.net'
    [Sat Mar 17 16:53:31 CST 2018] d
    [Sat Mar 17 16:53:31 CST 2018] _identifiers='{"type":"dns","value":"xiao.net"},{"type":"dns","value":"*.xiao.net"}'
    [Sat Mar 17 16:53:31 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Sat Mar 17 16:53:31 CST 2018] payload='{"identifiers": [{"type":"dns","value":"xiao.net"},{"type":"dns","value":"*.xiao.net"}]}'
    [Sat Mar 17 16:53:31 CST 2018] Use cached jwk for file: /tmp/acme/xiao.net//ca/acme-v02.api.letsencrypt.org/account.key
    [Sat Mar 17 16:53:31 CST 2018] base64 single line.
    [Sat Mar 17 16:53:31 CST 2018] payload64='eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6InhpYW95dS5uZXQifSx7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6IioueGlhb3l1Lm5ldCJ9XX0'
    [Sat Mar 17 16:53:31 CST 2018] _request_retry_times='0'
    [Sat Mar 17 16:53:31 CST 2018] Get nonce. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat Mar 17 16:53:31 CST 2018] HEAD
    [Sat Mar 17 16:53:31 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat Mar 17 16:53:31 CST 2018] body
    [Sat Mar 17 16:53:31 CST 2018] Http already initialized.
    [Sat Mar 17 16:53:31 CST 2018] _CURL='curl -L --silent --dump-header /tmp/acme/xiao.net//http.header  -g  -H "Content-Type: application/jose+json" '
    [Sat Mar 17 16:55:23 CST 2018] _ret='0'
    [Sat Mar 17 16:55:23 CST 2018] _headers='HTTP/1.1 204 No Content
    Server: nginx
    Replay-Nonce: YQ0-Z9KX2zzeWcdRBrBEMck1sOLRpHxf4vpPwmo64RM
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Sat, 17 Mar 2018 08:55:23 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 17 Mar 2018 08:55:23 GMT
    Connection: keep-alive

    '
    [Sat Mar 17 16:55:23 CST 2018] _CACHED_NONCE='YQ0-Z9KX2zzeWcdRBrRpHxf4vpPwmo64RM'
    [Sat Mar 17 16:55:23 CST 2018] nonce='YQ0-Z9KX2zzeWcdRBrBEHxf4vpPwmo64RM'
    [Sat Mar 17 16:55:23 CST 2018] Re-reading ACCOUNT_URL
    [Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL was empty!
    [Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL
    [Sat Mar 17 16:55:23 CST 2018] Cannot locate account URL.
    [Sat Mar 17 16:55:23 CST 2018] Create new order error.
    [Sat Mar 17 16:55:23 CST 2018] pid
    [Sat Mar 17 16:55:23 CST 2018] No need to restore nginx, skip.
    [Sat Mar 17 16:55:23 CST 2018] _clearupdns
    [Sat Mar 17 16:55:23 CST 2018] skip dns.
    [Sat Mar 17 16:55:23 CST 2018] _on_issue_err
    [Sat Mar 17 16:55:23 CST 2018] Please check log file for more details: /tmp/acme/xiao.net/acme_issuecert.log
    [Sat Mar 17 16:55:23 CST 2018] _chk_vlist
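    The log above ends with "Cannot locate account URL", but the earlier lines show where things actually went wrong: the first GET of the directory failed with curl exit 7 (could not connect), and the POST to new-acct failed with curl exit 52 (empty reply), so the package went on with ACCOUNT_URL='' and the new-order step had no account to reference. As an added example (Python, not part of acme.sh or the pfSense ACME package), the triage script below pulls exactly those facts out of an acme.sh debug log instead of making the reader scroll to the last error. The sample log is constructed to mirror the shape of the one above and is not a real capture; the curl exit-code table covers only a handful of common CURLcode values, and any unknown code is reported by number.

```python
"""Triage an acme.sh debug log: which HTTP step failed at the transport
layer, and did that leave the ACME account unregistered?

Added example; not part of acme.sh or the pfSense ACME package.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the shape of an acme.sh debug log
# (timestamp prefix, METHOD line, url='...' line, libcurl error line).
SAMPLE_LOG = """\
[Sat Mar 17 16:47:38 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 17 16:47:38 CST 2018] GET
[Sat Mar 17 16:47:38 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Mar 17 16:50:11 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Sat Mar 17 16:50:11 CST 2018] ret='7'
[Sat Mar 17 16:50:11 CST 2018] Can not init api.
[Sat Mar 17 16:50:11 CST 2018] _regAccount
[Sat Mar 17 16:50:11 CST 2018] GET
[Sat Mar 17 16:50:11 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Mar 17 16:50:26 CST 2018] ret='0'
[Sat Mar 17 16:51:45 CST 2018] POST
[Sat Mar 17 16:51:45 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Mar 17 16:53:31 CST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 52
[Sat Mar 17 16:53:31 CST 2018] _ret='52'
[Sat Mar 17 16:53:31 CST 2018] Registered
[Sat Mar 17 16:53:31 CST 2018] 1:ACCOUNT_URL=''
[Sat Mar 17 16:55:23 CST 2018] ACCOUNT_URL was empty!
[Sat Mar 17 16:55:23 CST 2018] Cannot locate account URL.
[Sat Mar 17 16:55:23 CST 2018] Create new order error.
"""

# Subset of libcurl exit codes (CURLcode names); anything else is reported by number.
CURL_ERRORS = {
    6: "CURLE_COULDNT_RESOLVE_HOST",
    7: "CURLE_COULDNT_CONNECT",
    28: "CURLE_OPERATION_TIMEDOUT",
    35: "CURLE_SSL_CONNECT_ERROR",
    52: "CURLE_GOT_NOTHING (empty reply from server)",
    56: "CURLE_RECV_ERROR",
    60: "CURLE_PEER_FAILED_VERIFICATION",
}

STAMP = re.compile(r"^\[[^\]]*\]\s*")            # leading "[Sat Mar 17 ...] "
URL = re.compile(r"^(?:_post_)?url='([^']*)'$")  # url='...' or _post_url='...'
ERR = re.compile(r"error code: (\d+)$")          # libcurl error line


@dataclass
class TransportFailure:
    method: str
    url: str
    curl_code: int


@dataclass
class Triage:
    failures: list = field(default_factory=list)
    account_url_empty: bool = False
    order_failed: bool = False

    def diagnosis(self) -> str:
        if not self.failures and not self.account_url_empty:
            return "no transport failures found"
        parts = [
            f"{f.method} {f.url} failed with curl exit {f.curl_code} "
            f"({CURL_ERRORS.get(f.curl_code, 'see libcurl-errors.html')})"
            for f in self.failures
        ]
        if self.account_url_empty:
            if any(f.url.endswith("/new-acct") for f in self.failures):
                parts.append("the new-acct POST got no response, so no account URL was "
                             "saved; the later 'Cannot locate account URL' / new-order "
                             "error is a consequence of that, not a second bug")
            else:
                parts.append("ACCOUNT_URL is empty for a reason not visible in this log")
        return "; ".join(parts)


def triage_log(text: str) -> Triage:
    """Walk the log once, pairing each METHOD/url pair with any curl error that follows."""
    result = Triage()
    method, url = None, None
    for raw in text.splitlines():
        msg = STAMP.sub("", raw).strip()
        if msg in ("GET", "HEAD", "POST"):
            method, url = msg, None
            continue
        m = URL.match(msg)
        if m:
            url = m.group(1)
            continue
        m = ERR.search(msg)
        if m:
            result.failures.append(TransportFailure(method or "?", url or "?", int(m.group(1))))
            continue
        if msg == "ACCOUNT_URL was empty!" or msg.endswith(":ACCOUNT_URL=''"):
            result.account_url_empty = True
        elif msg == "Create new order error.":
            result.order_failed = True
    return result


if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG).diagnosis())
```

    On a real box the same function can be pointed at the file the log names ("Please check log file for more details: /tmp/acme/<name>/acme_issuecert.log"); two consecutive transport failures to the same CA host, as in the sample, point at connectivity from the firewall itself (egress rules, DNS resolution, an upstream proxy) rather than at the ACME package.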



  • Works well here.

    Switched from a SAN cert generated with a web method to a wildcard with DNS TXT validation.
    It also meant I could remove a lot of rules in my HAProxy config.


  • Rebel Alliance Developer Netgate

    I updated acme.sh from upstream and pushed out package version 0.2.6. If you still have problems on 0.2.6, please start separate threads.


Locked