FreeDNS ACME issue
-
Greetings, I'm totally new over here, but I've got issues with my freshly set up acme: it worked like once or twice and suddenly stopped.
It looks like there's a problem with starting up the standalone http server. I'm attaching my output:
NK-----K22
Renewing certificate
account: NK-----K22
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue -d 'nk----.k22.su' --standalone --listen-v4 --httpport '6666' --home '/tmp/acme/NK-----K22/' --accountconf '/tmp/acme/NK-----K22/accountconf.conf' --force --reloadCmd '/tmp/acme/NK-----K22/reloadcmd.sh' --log-level 3 --log '/tmp/acme/NK-----K22/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 6666
[ipv6] =>
)
[Fri Jul 26 09:25:59 CEST 2019] Standalone mode.
[Fri Jul 26 09:25:59 CEST 2019] Single domain='nk----.k22.su'
[Fri Jul 26 09:25:59 CEST 2019] Getting domain auth token for each domain
[Fri Jul 26 09:26:01 CEST 2019] Getting webroot for domain='nk----.k22.su'
[Fri Jul 26 09:26:01 CEST 2019] Verifying: n----.k22.su
[Fri Jul 26 09:26:01 CEST 2019] Standalone mode server
2019/07/26 09:26:03 socat[66497] E write(6, 0x80204d800, 126): Broken pipe
2019/07/26 09:26:05 socat[84851] E write(6, 0x80204d800, 126): Broken pipe
[Fri Jul 26 09:26:06 CEST 2019] nk----.k22.su:Verify error:Invalid response from http://nk----.k22.su/.well-known/acme-challenge/B-fYHCXfoUaDfP5ZmIUU4JbMH-tO_MGQkrIg0I1Y5AI [217.196.113.40]: 503
[Fri Jul 26 09:26:06 CEST 2019] Please check log file for more details: /tmp/acme/NKVDCloud-K22/acme_issuecert.log
If anyone is willing to push me in any direction, I'll be glad. I'm using FreeDNS, so DNS verification isn't an option for me.
-
@phobeus said in ACME 0.5.8 Breaks Letencrypt webroot local folder setup:
.well-known/acme-challenge
well you forgot to completely hide it..
503 Service Unavailable
No server is available to handle this request.
socat[66497] E write(6, 0x80204d800, 126): Broken pipe
check if you have the latest version of acme, maybe something has changed and acme.sh does not work anymore as standalone
-
@kiokoman Yeah, you're right =) But anyway, I wasn't able to make some reasonable solution, so I've just created a tiny VM guest with alpine linux, lighttpd and nfs-client, and I'm passing my .well-known challenge through "local webroot", but I'm putting there the appropriate path for my NFS share + ballast ( </path/to/share>/.well-known/acme-challenge/ ). pfSense comes already preloaded with nfs, all I needed was just to enable it through /etc/rc.d.local. HAProxy does the rest of the job ( frontend for path match looks like that ---v )
HAProxy Frontend rules ( I've got it implemented with http->https redirect, except for .well-known =3 I was pretty surprised it came on my mind )
So that's my hotfix solution, but I'm curious for any other ideas ))
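
The frontend logic described in the post above (redirect everything to HTTPS except the ACME challenge path, which is routed to the small web server holding the webroot), written out as a plain haproxy.cfg fragment. This is an added example, not the poster's configuration: the frontend and backend names, the certificate path and the 192.0.2.x addresses are placeholders.

```haproxy
# Added example. All names, addresses and paths below are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind :80
    # Match only the ACME HTTP-01 challenge prefix, nothing broader,
    # so no other content is ever served over plain HTTP.
    acl is_acme path_beg /.well-known/acme-challenge/
    # Every other request is redirected to HTTPS.
    http-request redirect scheme https code 301 unless is_acme
    # Challenge requests go to the web server that serves the shared webroot.
    use_backend acme_webroot if is_acme

frontend https_in
    bind :443 ssl crt /path/to/cert.pem
    default_backend app_servers

backend acme_webroot
    # The lighttpd guest. If this server is down or unreachable, HAProxy
    # answers 503 "No server is available to handle this request.",
    # which is the response body quoted earlier in the thread.
    server acme_vm 192.0.2.10:80 check

backend app_servers
    server app1 192.0.2.20:8080 check
```

The web server behind `acme_webroot` should expose only the challenge directory, since it is the one path reachable without TLS.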