ACME 0.5 update (TLS-ALPN, BuyPass, and more)


  • Rebel Alliance Developer Netgate

    New ACME pkg version 0.5 is on the way. It will be available with the next 2.4.5 snapshot run. If it tests OK, I'll make it available for 2.4.4 users.

    Included in the ACME 0.5 Update:

    • TLS-ALPN support, replaces old TLS-SNI support, binds to a local port (e.g. 443), similar to standalone for HTTP on port 80. If you must use this, bind to an alternate port and forward WAN:443 to the alternate port to avoid a conflict with the GUI web server.
    • New alternate certificate authority: BuyPass (experimental), to be used instead of Let's Encrypt. This CA has different policies than LE, for example the certificates are valid for 180 days instead of 90, and has a different chain of trust. It still uses the ACME protocol. See https://www.buypass.com/ssl/products/acme for more info.
    • New providers
      • Exoscale
      • Linode v4 API (split from existing Linode option code)
    • Various bug fixes from acme.sh upstream.

    In case you missed what was new in 0.4, see https://forum.netgate.com/topic/138729/acme-0-4-update

    I still want to try using the Namecheap code from 0.4, but though I applied for API access on December 18th and it should only take two business days to be enabled, it has yet to be approved. I suspect the person over the API approvals has taken an extended holiday break.


  • Rebel Alliance Developer Netgate

    This will be rolling out to 2.4.4(-pX) users today.



  • Was spam-hitting 'refresh packages' since.
    Got it:

    [image]

    Thanks!

    Edit:
    Wow...
    The version number took a hit:
    [image]

    Edit again: never mind, saw the change log.


  • Rebel Alliance Developer Netgate

    I bugged Namecheap since my API access still had not been approved and they manually approved it. I tested the Namecheap API code and found a bug. It is fixed in pkg version 0.5.1 which will show up to install shortly.

    With that, I was able to successfully obtain a certificate using the Namecheap DNS API.



  • I'm using 0.5.1 for several days now, works great.

    I noticed one big visual change. Before, when acme finished (manually, me hitting the button) renewing, I saw this huge big green text block with 'log results'.
    Now, all I see is this:

    [image]

    which means: "all ok". Right?


  • Rebel Alliance Developer Netgate

    I still get the same green text box output I did before, at least with the methods I used/tested (nsupdate and namecheap). Are you sure nothing changed in your browser? Any different ad/script blockers?