Please Help, Can't get ACME to work at all.
-
Hi Lads,
I've been over in the LE forums for the past couple of days but they aren't able to help.
I've the latest pfSense and have 3 plugins. (vm-tools, haproxy and acme)
Essentially I'm wanting to grab a wildcard cert for haproxy so SSL terminates at the FW and routes over port 80 to the backends. Nice and simple you may say.
Here's the kicker, I'm constantly getting the below output when requesting a cert, on either Staging or Prod.
Now i will say it worked once, then for whatever reason the VM was lost requiring a rebuild. The keys/certs were not saved before unfortunately.
DARGRANET.COM
Renewing certificate
account: DARGRANET.COM
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue -d '*.DARGRANET.COM' --dns 'dns_he' -d 'DARGRANET.COM' --dns 'dns_he' --home '/tmp/acme/DARGRANET.COM/' --accountconf '/tmp/acme/DARGRANET.COM/accountconf.conf' --force --reloadCmd '/tmp/acme/DARGRANET.COM/reloadcmd.sh' --log-level 3 --log '/tmp/acme/DARGRANET.COM/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[HE_Username] => skehardscooby
[HE_Password] => [redacted]
)
[Sat Jan 12 23:50:46 GMT 2019] Multi domain='DNS:*.DARGRANET.COM,DNS:DARGRANET.COM'
[Sat Jan 12 23:50:46 GMT 2019] Getting domain auth token for each domain
[Sat Jan 12 23:50:49 GMT 2019] Getting webroot for domain='*.DARGRANET.COM'
[Sat Jan 12 23:50:49 GMT 2019] get to authz error.
[Sat Jan 12 23:50:49 GMT 2019] authorizations_map='dargranet.com,{"identifier":{"type":"dns","value":"dargranet.com"},"status":"pending","expires":"2019-01-19T23:44:07Z","challenges":[{"type":"tls-alpn-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/WHix2xqNeQ7L94nbixD-obyIMwPK5yRL5pUPDS_Dos/221598685","token":"VusBetg-vFuY86_p7-lGymiFGEBVXf9YNBcUz4CG3mg"},{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/WHix2xqNeQ7L94nbixD_-obyIMwPK5yRL5pUPDS_Dos/221598686","token":"H-Q4YUwfjUdB7qOyqB9Vp6-P108o_d_nw3qnnZnNxl8"},{"type":"http-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/WHix2xqNeQ7L94nbixD_-obyIMwPK5yRL5pUPDS_Dos/221598687","token":"cUYzcBOnTb-QXH2VmX4dr0n2KwB5pvsw5X68_vLMC4o 1"}]}
*.dargranet.com,{"identifier":{"type":"dns","value":"dargranet.com"},"status":"pending","expires":"2019-01-19T23:44:07Z","challenges":[{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/challenge/I-m6Tlr78zBrfyi-79S4dMTl2pZE0gkzBr_ukgnG8v8/221598684","token":"-EO-UCBIcw16l9ntz3NZaEJWfZTVW4V0SKS0M1ebrcU"}],"wildcard": true}
'
[Sat Jan 12 23:50:49 GMT 2019] Please check log file for more details: /tmp/acme/DARGRANET.COM/acme_issuecert.log
I've tried Hurricane Electric and Cloudflare DNS to no avail. Even tried Manual DNS but I don't ever see the Challenge Key in the output.
Any advice would be greatly appreciated.
Cheers
Richard
-
First, I don't expect it to make a difference (it shouldn't, but you never know), try putting the domain in all lower case instead of upper case.
Is the above output just what you see in the GUI? Or is that all you see in /tmp/acme/DARGRANET.COM/acme_issuecert.log? If you could post the entire contents of that acme_issuecert.log file as an attachment, it probably has more info inside that is useful in tracking down what went wrong.
Lastly, just to make sure it isn't some quirk with IPv6, go to System > Advanced, Networking tab, and check Prefer IPv4 over IPv6 and then try to issue the cert again.
-
@jimp well you wouldn't actually Ruddy believe it!
So I read your comments and thought yea the capitalisation shouldn't make any difference surely!
We were wrong!!!!
I deleted the AK and Cert details I had.....
Reentered the details (all lowercase) pressed issue and waited....... 2 mins later booooom I have my certificate!
Seriously don't understand why it would make ANY DIFFERENCE but it does!
This works with staging and I'll try with PRODUCTION now.
-
Yep worked like a charm with production too.
Makes no sense whatsoever!
I would never have thought changing from upper to lower case could make it fail!
Now we know.
I'll let the lads in the LE forums know this as well.
Thank you @jimp
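An added illustration, not code from this thread or from the acme.sh project: a small Python model of why the upper-case request could fail. In the log above, acme.sh's authorizations_map is keyed by the names the CA returned (lower case, with "*." prefixed for the wildcard), so a byte-exact lookup of the requested "*.DARGRANET.COM" finds nothing and the DNS-01 token, and hence the TXT record value, is never reached. The map contents, tokens and thumbprint below are constructed, and that acme.sh's lookup is case-sensitive is an assumption inferred from the log, not something the thread confirms.

```python
import base64
import hashlib
import json

# Constructed sample in the "name,<authz JSON>" shape acme.sh printed as
# authorizations_map in the pfSense log above. Tokens are placeholders, not
# the thread's. Names are as the CA returns them: lower case, "*." prefixed
# for the wildcard authorization.
AUTHZ_MAP = (
    'dargranet.com,{"identifier":{"type":"dns","value":"dargranet.com"},'
    '"status":"pending","challenges":[{"type":"dns-01","status":"pending",'
    '"token":"TOKEN_APEX_PLACEHOLDER"}]}\n'
    '*.dargranet.com,{"identifier":{"type":"dns","value":"dargranet.com"},'
    '"status":"pending","challenges":[{"type":"dns-01","status":"pending",'
    '"token":"TOKEN_WILDCARD_PLACEHOLDER"}],"wildcard":true}'
)


def parse_authz_map(text):
    """Split each line at its first comma: the name, then the authz JSON."""
    entries = {}
    for line in text.splitlines():
        name, _, body = line.partition(",")
        entries[name] = json.loads(body)
    return entries


def find_authz(entries, requested, normalize):
    """Look up the authorization for a requested name.

    With normalize=False the lookup is byte-exact (the assumed acme.sh
    behaviour), so 'DARGRANET.COM' never matches 'dargranet.com' and the
    caller sees the equivalent of 'get to authz error'. DNS names are
    case-insensitive, so lower-casing first is the safe comparison."""
    key = requested.lower() if normalize else requested
    return entries.get(key)


def dns01_token(authz):
    """Token of the dns-01 challenge inside one authorization object."""
    return next(c["token"] for c in authz["challenges"] if c["type"] == "dns-01")


def dns01_txt_value(token, jwk_thumbprint_b64url):
    """RFC 8555 s8.4: TXT = base64url(SHA-256(token + "." + thumbprint))."""
    key_auth = f"{token}.{jwk_thumbprint_b64url}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    entries = parse_authz_map(AUTHZ_MAP)
    for name in ("*.DARGRANET.COM", "DARGRANET.COM"):
        exact = find_authz(entries, name, normalize=False)
        loose = find_authz(entries, name, normalize=True)
        print(name, "| exact:", "found" if exact else "get to authz error",
              "| normalized TXT:", dns01_txt_value(dns01_token(loose), "THUMBPRINT_PLACEHOLDER"))
```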
-
After dealing with ACME for quite some time now, I've come to accept that it can be... quirky :-)