    ACME Setup Steps

    ACME
    15 Posts 3 Posters 4.2k Views
    • R
      rmonette
      last edited by

      Hello, I'm interested in using certs from LetsEncrypt, and I'd like to use the DNS validation method. I've read this https://www.netgate.com/docs/pfsense/certificates/acme-general.html#validation-process, and I was wondering about sequencing/chain of events... I've created my account key via the interface, and at this point, I wonder what's next. Was this:
      "the client obtains an authorization value from the server (authz)." generated when I created my account key? If so, where do I find it? From what I understand, I need it to create my DNS TXT record and add that value to my TXT record.

      My registrar is also OVH, so, when I get to the cert generation page and select DNS validation via OVH, I'm asked to enter the following keys/values:
      Application Key
      Application Secret
      Consumer Key
      Endpoint...

      Where do I get these values? Are they system generated, or all created by me?

      When my keys/domain are validated, do I need to restart the whole process for a production cert?

      When all this is done, will my cert be listed in the Cert Manager, and will I be able to use it with HAProxy?

      R

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @rmonette
        last edited by

        @rmonette said in ACME Setup Steps:

        Application Key
        Application Secret
        Consumer Key
        Endpoint...

        These values you likely need to get from your ovh dns management page, somewhere..

        As for when acme cert issuance is successful it will indeed show up on pfSense's certificate manager, and will be selectable from haproxy.

        1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan
          last edited by Gertjan

          @rmonette said in ACME Setup Steps:

          Application Key
          Application Secret
          Consumer Key

          This comes from here : https://www.ovh.com ....
          To be more precise : go to the bottom of that page, look for :

          0_1537569843079_e3f24812-30cf-4163-b822-4370745f580a-image.png

          You end up here : https://api.ovh.com/
          Read First steps with the OVH API

          See also this https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api and other links that Google produces when you ask about pfSense, acme, OVH, API.

          Btw : All my domain names come from OVH, but I'm not using their DNS services. I use my own SYS server from OVH, a Debian server with bind. From there it's an RFC 2136 story. No need for APIs - just me controlling everything from top to bottom.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          R 1 Reply Last reply Reply Quote 0
          • R
            rmonette @Gertjan
            last edited by

            @gertjan : thank you for the suggestions. I've been able to generate these keys and add them to the pfSense. It's currently displaying in the cert manager, but in the Issuer column, it says "Private key only". Anything else I should do at this point? When setting this up, I also used the staging testing option (v2). Also, at this point, do I also have to create TXT records? If so, what should be the authz value?

            P 1 Reply Last reply Reply Quote 0
            • P
              PiBa @rmonette
              last edited by PiBa

              @rmonette
              The reason for putting in these API keys and secrets is so that the acme package itself can create a TXT record. You would not need to do this manually..

              That the certificate private key is created, but does not yet have a public key part, means that something failed during the issuance of the certificate.. Check the logfile from /tmp/acme or press the issue button, and read the log that it displays on screen. It should tell that it's adding a TXT record to your dns, then the result of the acme servers trying to validate its existence.. It might be that adding the record failed.?. or it took ovh too long to make the setting effective on their actual dns servers? (there is a delay setting that can mitigate such an issue) Does the log mention any error?

              R 1 Reply Last reply Reply Quote 0
              • R
                rmonette @PiBa
                last edited by rmonette

                @piba
                Ok... this is what I've done so far:

                1. Navigate to: https://eu.api.ovh.com/createApp/
                  1.1 Get AK, AS
                2. Log into FW, create account key
                3. Get the consumer key by requesting an authentication token from OVH: launch curl request:
                  curl -XPOST -H "X-Ovh-Application: APPLICATION_KEY" -H "Content-type: application/json" https://eu.api.ovh.com/1.0/auth/credential -d '{"accessRules":[{"method": "GET","path": "/*"}],"redirection":"https://www.YYYY.com/"}'
                4. Get the return value from curl, and then, validate the returned url:
                  {"validationUrl":"https://eu.api.ovh.com/auth/?credentialToken=ZZZZZZ","consumerKey":"AAAAAA","state":"pendingValidation"}
                5. Once validated, enter values in ACME, and create cert request.

                That last step seems to be working correctly, as when I validate (click on) the url sent in the curl response, leads me to the OVH page, and asks me to log in, and then redirects me to the site.

                The API stuff seems to generate things as needed, but in the end, I get an "invalid domain" error message when requesting the cert via ACME. A few follow up details:
                I'm trying to create a wildcard cert. The entry I put in the ACME form was in the format *.YYYY.COM

                This is the end output of the attempt:
                [Mon Sep 24 16:51:52 EDT 2018] Registering account
                [Mon Sep 24 16:51:53 EDT 2018] Already registered
                [Mon Sep 24 16:51:53 EDT 2018] ACCOUNT_THUMBPRINT='XXXXXX'
                [Mon Sep 24 16:51:53 EDT 2018] Single domain='*.YYYY.com'
                [Mon Sep 24 16:51:53 EDT 2018] Getting domain auth token for each domain
                [Mon Sep 24 16:51:55 EDT 2018] Getting webroot for domain='*.YYYY.com'
                [Mon Sep 24 16:51:55 EDT 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_ovh.sh
                [Mon Sep 24 16:51:55 EDT 2018] Using OVH endpoint: ovh-eu
                [Mon Sep 24 16:51:55 EDT 2018] Checking authentication
                [Mon Sep 24 16:51:56 EDT 2018] Consumer key is ok.
                [Mon Sep 24 16:51:59 EDT 2018] invalid domain
                [Mon Sep 24 16:51:59 EDT 2018] Error add txt for domain:_acme-challenge.YYYY.com
                [Mon Sep 24 16:51:59 EDT 2018] Please check log file for more details: /tmp/acme/YYYY-Testing/acme_issuecert.log.

                Finally, do I, or don't I, need a firewall rule to open up the access? The guide seemed to indicate that I needed to open port 80...

                P 1 Reply Last reply Reply Quote 0
                • P
                  PiBa @rmonette
                  last edited by

                  @rmonette said in ACME Setup Steps:

                  Error add txt for domain:_acme-challenge.YYYY.com

                  When you're using DNS-validation you do not need to open port 80, which would be http-validation. It however seems the script is failing to add the required txt record.. Can you try with a regular domain name perhaps? (not a wildcard)

                  Maybe you could try if a newer ovh api script works better.?. I'm not sure if something perhaps was changed/fixed in there? https://github.com/Neilpang/acme.sh/commits/master/dnsapi/dns_ovh.sh
                  It is 'likely' safe to copy just that single file above into the pfSense /usr/local/pkg/acme/dnsapi/ folder..

                  It looks like the script doesn't know how to get the root for your domain. I don't use ovh though so kinda hard to debug where it fails on exactly..

                  1 Reply Last reply Reply Quote 0
                  • R
                    rmonette
                    last edited by rmonette

                    Just wanted to follow up with this: I'm not sure that the API from OVH is ready for prime time. Instead, I went with DNS-Manual, and everything worked.

                    I was able to generate a wild card cert, and when doing the initial issuance, I was able to get the [authz] key needed for the TXT record, which I then added to the DNS zone, and then waited a bit, and pressed "renew" in the cert tab. Once I did that, everything got added to the firewall's cert manager, and I was able to use it in HAProxy.

                    I'm pretty sure I know the answer, but given that I'm in manual mode, will I need to modify my TXT record every time I need to re-issue the cert? The cron jobs will launch the process, but, I assume that it will also wipe my TXT authz value every time, and that I will need to modify that entry by hand every time it is renewed.

                    Apart from having to renew/use the DNS-Manual approach, this is pretty sweet!

                    Thanks to all for your comments/suggestions!

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan
                      last edited by Gertjan

                      That last part is exact.
                      The "authz" code from LetsEncrypt will change every time.
                      So, when renewing manually, the cron "automated" renew won't work for you.

                      Not that I ever worked with the OVH API to renew my certs, I do own OVH (SYS) servers, and a boatload of domain names at OVH.
                      The very same API is also used by their own Client Manager ( this one : https://www.ovh.com/auth/?action=gotomanager&from=https://www.ovh.com/fr/&ovhSubsidiary=fr ) and should work.
                      All certs for their clients that use their (OVH) hosted web services have cert now, and they use the same procedure, the same API.

                      What I want to say : persist, look up the doc, you will make it work.
                      Use this https://api.ovh.com/console/ to add a TXT record to one of your domains using the API, but you are direct command. You will find out what to communicate so that it will work.
                      See https://api.ovh.com/console/#/domain/zone/%7BzoneName%7D/record#POST

                      Btw : I'm renewing myself using RFC 2136 with nsupdate; I'm managing my own domains on a bind DNS server on a dedicated server. Took me some time to set the whole thing up correctly (both sides !).

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
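rmonette's earlier question about what the "authz" value for the TXT record should be, and Gertjan's point just above that the code changes on every renewal, both come down to how the DNS-01 challenge value is derived. The Python below is an added example (not part of this thread, and not the acme package's own code): it computes the value the way RFC 8555 specifies, from a challenge token and the RFC 7638 thumbprint of the account key (the ACCOUNT_THUMBPRINT line in the log above). The JWK, token and domain are constructed placeholders, not real keys or data from the thread.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk):
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical JSON of
    the required public members only (RSA: e, kty, n), sorted, no whitespace.
    Optional members such as 'kid' or 'alg' do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, thumbprint):
    """token '.' thumbprint: binds the CA's challenge token to this account key."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token, thumbprint):
    """DNS-01: the TXT value is base64url(SHA-256(key authorization)).
    The CA issues a fresh token per authorization, so this value differs on every
    renewal, which is why a manually published record cannot be reused."""
    return b64url(hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest())


def challenge_record(domain, token, thumbprint):
    """(name, value) of the record to publish. For a wildcard the leading '*.' is
    dropped: the challenge for *.example.test lives at _acme-challenge.example.test."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", dns01_txt_value(token, thumbprint)


def validator_accepts(published_txt, expected):
    """What the CA's validator does: accept if any TXT record at the challenge name
    equals the expected value (several may coexist, e.g. when the base name and its
    wildcard are authorized in the same order)."""
    return any(v == expected for v in published_txt)


# Constructed sample: a placeholder JWK (not a real key) and a made-up token.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB", "kid": "2018-09-24"}
SAMPLE_TOKEN = "constructed-challenge-token"


def demo():
    """Derive the record for a constructed wildcard name and return (name, value)."""
    thumb = account_thumbprint(SAMPLE_JWK)
    return challenge_record("*.yyyy.example", SAMPLE_TOKEN, thumb)


if __name__ == "__main__":
    name, value = demo()
    print(f"{name} IN TXT \"{value}\"")
```

Two things the code makes visible that the thread only states: the TXT value depends on the token, so it is single-use by construction, and a wildcard challenge is published on the base name, so `_acme-challenge.YYYY.com` in the log above is the expected name for `*.YYYY.com`.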
                      • GertjanG
                        Gertjan
                        last edited by

                        Update.

                        I've been toying with OVH, and have some good news :
                        I instructed acme/pfSense to obtain a certificate for "papy-team.fr", a domain that I rent @OVH.
                        Result :

                        0_1538054571716_d0d5a623-f729-4fe3-8880-08d87e885786-image.png

                        Ok, it's a fake one, but the OVH-API works.

                        If you do it right, this will take you 120 seconds, take my word on it.

                        Go here : https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api which is nothing more or less than the manual of the acme plugin from the writer : Neil.
                        Go to the bottom of the page.
                        Use one of these two :

                        OVH Europe: https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/*&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/*
                        OVH Canada: https://ca.api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/*&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/*
                        

                        The difficult part ; replace mydomain.com with "yourdomain.tld" - (5 times).

                        Use the URL .... just enter your NIC or login code, the password, the duration, a description or two and don't even touch the rights, they are set according to the URL already.

                        0_1538055109662_7de3eed1-bada-473a-8523-9a6af456a0e2-image.png

                        .. and hit Create Keys.

                        You wind up with a :

                        0_1538055028247_e1e5dec0-eeb5-4fff-b6e0-fce73f28f38e-image.png

                        Copy the Application key and secret, and the Consumer Key into the acme settings, the Domain SAN list table.

                        Done.

                        As usual, it took me 2 hours to understand that it can be done in 60 seconds ☺

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
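What the three OVH values (Application Key, Application Secret, Consumer Key) are actually used for, and what the rights in Gertjan's createToken URL buy, is easier to see in code. The Python below is an added example, not code from this thread, from the acme package or from OVH: it turns the createToken query string into the same accessRules list that the earlier curl to /auth/credential carried, checks which calls a rule set permits, and builds and signs (without sending) the two requests that adding the `_acme-challenge` TXT record through the API takes. The keys, timestamp and TXT value are constructed placeholders; the signature scheme is the one OVH documents for its v1 API, and the wildcard matching in `rule_allows` is my simplified reading of it (an assumption). Note that the curl step earlier in the thread requested only a `GET /*` rule, which cannot authorize the `POST` that creates a record.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlparse

# Constructed credentials for illustration only; they are not real OVH keys.
APP_KEY = "constructed-application-key"
APP_SECRET = "constructed-application-secret"
CONSUMER_KEY = "constructed-consumer-key"
ENDPOINT = "https://eu.api.ovh.com/1.0"  # "ovh-eu" in the acme package's terms

# The createToken URL from the acme.sh wiki, with mydomain.com as in the thread.
CREATE_TOKEN_URL = (
    "https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/*"
    "&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*"
    "&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/*"
)


def access_rules_from_create_token_url(url):
    """Each METHOD=path pair in the createToken query string is one access rule,
    the same list the JSON body of POST /auth/credential carries."""
    return [{"method": m, "path": p} for m, p in parse_qsl(urlparse(url).query)]


def rule_allows(rules, method, path):
    """Does any rule cover this call? Assumption: a path ending in '*' matches that
    prefix and anything below it; any other path must match exactly (which is why
    the URL grants GET /domain/zone/mydomain.com separately from .../mydomain.com/*)."""
    for rule in rules:
        if rule["method"] != method:
            continue
        if rule["path"].endswith("*"):
            if path.startswith(rule["path"][:-1]):
                return True
        elif path == rule["path"]:
            return True
    return False


def ovh_signature(app_secret, consumer_key, method, url, body, timestamp):
    """OVH API v1 signature: '$1$' + SHA1 of secret, consumer key, METHOD, full URL,
    body and timestamp joined with '+'. The server recomputes it, so URL and body
    cannot be altered in transit without invalidating the request."""
    to_sign = "+".join([app_secret, consumer_key, method, url, body, str(timestamp)])
    return "$1$" + hashlib.sha1(to_sign.encode("utf-8")).hexdigest()


def build_signed_request(method, path, data, timestamp, app_key=APP_KEY,
                         app_secret=APP_SECRET, consumer_key=CONSUMER_KEY, endpoint=ENDPOINT):
    """Return (method, url, body, headers) for one API call; nothing is sent."""
    url = endpoint + path
    body = json.dumps(data, separators=(",", ":")) if data is not None else ""
    headers = {
        "X-Ovh-Application": app_key,
        "X-Ovh-Consumer": consumer_key,
        "X-Ovh-Timestamp": str(timestamp),
        "X-Ovh-Signature": ovh_signature(app_secret, consumer_key, method, url, body, timestamp),
        "Content-Type": "application/json",
    }
    return method, url, body, headers


def verify_signed_request(method, url, body, headers, app_secret):
    """Server-side check: recompute the signature from the received fields."""
    expected = ovh_signature(app_secret, headers["X-Ovh-Consumer"], method, url, body,
                             headers["X-Ovh-Timestamp"])
    return hmac.compare_digest(expected, headers["X-Ovh-Signature"])


def acme_txt_calls(zone, txt_value, timestamp):
    """The two calls the DNS-01 step needs: create the _acme-challenge TXT record,
    then refresh the zone so OVH's authoritative servers actually publish it."""
    record = {"fieldType": "TXT", "subDomain": "_acme-challenge", "target": txt_value, "ttl": 60}
    return [
        build_signed_request("POST", f"/domain/zone/{zone}/record", record, timestamp),
        build_signed_request("POST", f"/domain/zone/{zone}/refresh", None, timestamp),
    ]


def rules_cover_acme_flow(rules, zone):
    """Check a rule set against every call an issue-and-cleanup cycle makes."""
    needed = [("POST", f"/domain/zone/{zone}/record"),
              ("POST", f"/domain/zone/{zone}/refresh"),
              ("GET", f"/domain/zone/{zone}/record"),
              ("DELETE", f"/domain/zone/{zone}/record/12345")]  # placeholder record id
    return [(m, p, rule_allows(rules, m, p)) for m, p in needed]
```

The rule check is the part worth keeping around: the consumer key is the credential that ends up stored on the firewall, and the createToken URL scopes it to one zone, so a leaked key from the pfSense config cannot touch other domains or the rest of the account.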
                        • R
                          rmonette
                          last edited by

                          @gertjan said in ACME Setup Steps:

                          https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/*&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/*

                          Yes! That worked for me as well. The cert is in the Cert Mgr. Quick question: is the TXT record supposed to stay in the DNS Zone? or, is it just needed to temporarily validate the request, when called by the script?

                          1 Reply Last reply Reply Quote 0
                          • GertjanG
                            Gertjan
                            last edited by

                            Well ... log yourself into the "Manager" (old name of the OVH client access), the one that administrates your domain name, and check your DNS zone, look up all the TXT records, it should be gone, because :
                            No more need for it. The next cert regeneration will produce another code anyway.
                            The acme OVH-API plugin, as any other plugin, will wipe what it has added for the test.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            1 Reply Last reply Reply Quote 0
                            • R
                              rmonette
                              last edited by

                              Yep... That was the case (the entry was gone). I wasn't sure if it was a bug or deliberate: I wasn't sure if it was needed post validation. Thank you for clarifying.

                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan
                                last edited by

                                Wildcards using the OVH API, or more in general ?

                                I'm obtaining a wild card just fine using pfSense's acme package.

                                0_1538840514714_ad8b7a48-f228-4147-bee5-9fd602f8ea05-image.png

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                1 Reply Last reply Reply Quote 0
                                • R
                                  rmonette
                                  last edited by

                                  I'm all set. I was able to create wild card certs (since Sept 27)

                                  1 Reply Last reply Reply Quote 0