ACME 0.5 update (TLS-ALPN, BuyPass, and more)

Gertjan

Was spam-hitting 'refresh packages' since.
Got it :

0_1547142533008_38e71191-e837-4a9f-92ab-516a3e543dde-image.png

Thanks !

edit
Wow ...
The version number took a hit :
0_1547142632498_2445385c-3e04-4642-987a-eb86f1eaf567-image.png

edit again : never mind : saw the change log.

jimp

I bugged Namecheap since my API access still had not been approved and they manually approved it. I tested the Namecheap API code and found a bug. It is fixed in pkg version 0.5.1 which will show up to install shortly.

With that, I was able to successfully obtain a certificate using the Namecheap DNS API.

Gertjan

I'm using 0.5.1 fro several days now, works great.

I noticed one big visual change. Before, when acme finished (manually, me hitting the button) renewing, I saw this huge big green text bloc with 'log results'.
Now, all I see is this :

0_1547542286469_abe3ac6a-8542-434c-84d5-32d454a66399-image.png

which means : "all ok". Right ?

jimp

I still get the same green text box output I did before, at least with the methods I used/tested (nsupdate and namecheap). Are you sure nothing changed in your browser? Any different ad/script blockers?

bigbrett

This post is deleted!

bigbrett

I have been trying to issue certs with the TLS-ALPN method, but getting failures:

"type": "tls-alpn-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:connection",
"detail": "Timeout during connect (likely firewall problem)",
"status": 400

Firewall setings are good but i looked through the logs as I see the line to start the server with openssl:

openssl s_server -www -cert /tmp/acme/example.com-cert//xample.com/tls.validation.cert -key /tmp/acme/example.com-cert//xample.com/tls.validation.key -accept 443 -4 -alpn acme-tls/1

When running this manually I get :

unknown option -4
usage: s_server [args ...]

editing acme.sh:2174: __S_OPENSSL="$__S_OPENSSL -4"

to acme.sh:2174: __S_OPENSSL="$__S_OPENSSL"

and certificates are issued fine

Gertjan

@bigbrett said in ACME 0.5 update (TLS-ALPN, BuyPass, and more):

When running this manually I get :

So, locally, it passes.
But LetsEnscrypt comes in from the outside, and it hit the wall.

bigbrett

No it is not firewall related at all but the fact that acme.sh is putting in the '-4' flag on the command line to start the TLS-ALPN server, which is not supported by the current openssl version.
The TLS-ALPN server does not in fact start so LE cannot connect to it, even though the firewall rules are correct. Maybe there needs to be a check to make sure the server is started successfully before proceeding?

Cheers,

Brett

jimp

I fixed this a different way (that didn't require editing acme.sh):

https://github.com/pfsense/FreeBSD-ports/commit/b7024a0b261280d456317f37c3e1deff8290d682

Should be up for download shortly.

bigbrett

great work as always :)