    Letsencrypt and acme development package version > 0.5.8
    10 Posts 4 Posters 560 Views
    rainbowHash (last edited by rainbowHash)

      Hello Netgate, I have the following question. I am using hosting.de for my domain names.
      I am trying to issue a certificate following the video by Jim Pingle from the Netgate hangouts.

      The problem looks to be with the latest package version 0.5.8, i.e. after issuing the account keys without any problem with the Let's Encrypt staging servers, I am trying to issue the certificate with the hosting.de API key and using https://secure.hosting.de as the endpoint.

      It seems that in the HTTP request the parameter "templateId" is missing. That is the feedback I got from the domain provider. The provider advised me to upgrade to the latest acme.sh (however, I am not sure if that is possible at all in pfSense), which should be fixed in the development version, but I am unable to find the development version of that acme.sh for Netgate.

      I suspect the problem is this bug here:
      https://github.com/Neilpang/acme.sh/issues/2058

      Can you please let me know if there is any existing procedure to upgrade the acme.sh 0.5.8?

      If someone is interested, here are the error logs:

      ################################################################
      Mon Aug 5 14:40:14 CEST 2019] Single domain='testDomain.com'
      [Mon Aug 5 14:40:14 CEST 2019] Getting domain auth token for each domain
      [Mon Aug 5 14:40:14 CEST 2019] Getting webroot for domain='testDomain.com'
      [Mon Aug 5 14:40:14 CEST 2019] Getting new-authz for domain='testDomain.com'
      [Mon Aug 5 14:40:16 CEST 2019] The new-authz request is ok.
      [Mon Aug 5 14:40:16 CEST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_hostingde.sh
      [Mon Aug 5 14:40:16 CEST 2019] Getting ZoneConfig
      [Mon Aug 5 14:40:17 CEST 2019] Retrieved zone data.
      [Mon Aug 5 14:40:17 CEST 2019] Adding record to zone
      [Mon Aug 5 14:40:17 CEST 2019] UNKNOWN API ERROR
      [Mon Aug 5 14:40:17 CEST 2019] Error add txt for domain:_acme-challenge.testDomain.com
      [Mon Aug 5 14:40:17 CEST 2019] Please check log file for more details: /tmp/acme/FirewallGUICert/acme_issuecert.log
      ################################################################
      

      The problem should be the "templateId": part here, which is empty.

      ################################################################
      [Mon Aug  5 14:18:08 CEST 2019] zoneStatus '"active"'
      [Mon Aug  5 14:18:08 CEST 2019] Result of zoneStatus: '"active"'
      [Mon Aug  5 14:18:08 CEST 2019] POST
      [Mon Aug  5 14:18:08 CEST 2019] _post_url='https://secure.hosting.de/api/dns/v1/json/zoneUpdate'
      [Mon Aug  5 14:18:08 CEST 2019] body='{"authToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","zoneConfig":{"id":"190803pqralmdfnizvm","name":"testDomain.com","type":"NATIVE","dnsServerGroupId":null,"dnsSecMode":"off","emailAddress":"hostmaster@testDomain.com","soaValues":{"expire":3600000,"negativeTtl":900,"refresh":86400,"retry":7200,"ttl":86400},"templateValues":{"templateId":,"templateName":,"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":,"mailIpv4Replacement":,"mailIpv6Replacement":},"tieToTemplate":}},"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT","content":"\"Pcaz2w1zV9I26CZmcCBm3OdJaI0dGa08zt-2YjuDCiQ\"","ttl":3600}]}'
      [Mon Aug  5 14:18:08 CEST 2019] _postContentType
      [Mon Aug  5 14:18:08 CEST 2019] curl exists=0
      [Mon Aug  5 14:18:08 CEST 2019] wget exists=127
      [Mon Aug  5 14:18:08 CEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/FirewallGUICert//http.header  -g '
      [Mon Aug  5 14:18:08 CEST 2019] _ret='0'
      [Mon Aug  5 14:18:08 CEST 2019] Calling zoneUpdate: '{"authToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","zoneConfig":{"id":"190803pqralmdfnizvm","name":"testDomain.com","type":"NATIVE","dnsServerGroupId":null,"dnsSecMode":"off","emailAddress":"hostmaster@testDomain.com","soaValues":{"expire":3600000,"negativeTtl":900,"refresh":86400,"retry":7200,"ttl":86400},"templateValues":{"templateId":,"templateName":,"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":,"mailIpv4Replacement":,"mailIpv6Replacement":},"tieToTemplate":}},"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT","content":"\"Pcaz2w1zV9I26CZmcCBm3OdJaI0dGa08zt-2YjuDCiQ\"","ttl":3600}]}' 'https://secure.hosting.de/api/dns/v1/json/zoneUpdate'
      [Mon Aug  5 14:18:08 CEST 2019] Result of zoneUpdate: '{
          "errors": [
              {
                  "code": 11001,
                  "contextObject": "",
                  "contextPath": "",
                  "details": [
                      {
                          "key": "parse error",
                          "value": "illegal value"
                      },
                      {
                          "key": "request",
                          "value": "zoneUpdate"
                      }
                  ],
                  "text": "The request document is invalid in zoneUpdate request.",
                  "value": "request"
              }
          ],
          "metadata": {
              "clientTransactionId": "",
              "serverTransactionId": "20190805121808531-dnsrobot-robots1-711-0"
          },
          "status": "error",
          "warnings": [
          ]
      }'
      ################################################################
      

      Many thanks in advance.

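An added check, not from this thread or from acme.sh, that shows why hosting.de answered "parse error / illegal value": the logged zoneUpdate body has keys such as templateId with nothing after the colon, which is not legal JSON, so the request fails before the API looks at the record. The body below is constructed from the logged one (token and challenge content replaced by placeholders, SOA values dropped); validating the body locally before it is posted pinpoints the offending keys.

```python
import json
import re

# Constructed sample, modelled on the zoneUpdate body in the log above
# (authToken and TXT content are placeholders, soaValues left out).
BODY = (
    '{"authToken":"REDACTED","zoneConfig":{"id":"190803pqralmdfnizvm",'
    '"name":"testDomain.com","type":"NATIVE","dnsServerGroupId":null,'
    '"templateValues":{"templateId":,"templateName":,'
    '"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":},'
    '"tieToTemplate":}},'
    '"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT",'
    '"content":"\\"TOKEN\\"","ttl":3600}]}'
)

# A key whose value slot is empty: '"key":' directly followed by ',' or '}'.
EMPTY_VALUE = re.compile(r'"([A-Za-z0-9_]+)"\s*:\s*(?=[,}])')


def find_empty_values(body):
    """Return the keys that ended up with no value at all in the body."""
    return EMPTY_VALUE.findall(body)


def validate_body(body):
    """Parse the body as JSON before sending it; report where it breaks."""
    try:
        json.loads(body)
        return True, "valid JSON"
    except json.JSONDecodeError as err:
        return False, ("parse error at offset %d: %s; empty values for %s"
                       % (err.pos, err.msg, find_empty_values(body)))


def with_nulls(body):
    """Show the well-formed shape: every empty slot becomes JSON null."""
    return EMPTY_VALUE.sub(r'"\1":null', body)


if __name__ == "__main__":
    print(validate_body(BODY))             # (False, 'parse error ... templateId ...')
    print(validate_body(with_nulls(BODY))) # (True, 'valid JSON')
```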
        Gertjan @rainbowHash (last edited by Gertjan)

        @rainbowHash said in Letsencrypt and acme development package version > 0.5.8:

        I suspect the problem is this bug here:
        https://github.com/Neilpang/acme.sh/issues/2058
        Can you please let me know if there is any existing procedure to upgrade the acme.sh 0.5.8?

        That issue "2058" has been solved by a patch.
        This patch / version is present in the package that uses acme. At least, the two lines are ok for me.
        https://github.com/Neilpang/acme.sh/pull/2207/commits/64e53927880732978cf3702b6afa792156ae4db3

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          rainbowHash (last edited by rainbowHash)

          Hello Gertjan,

          Many thanks for the quick feedback; I did not expect that it would be that fast. You mentioned that the issue 2052 is already fixed. Maybe I have some misunderstanding here, but is acme.sh not shipped together with pfSense? I would like to upgrade that if possible. So far I was only able to install packages. I am not sure if acme.sh is part of the acme package. I suppose that is indeed the case. But if that is the case and the error is already fixed, why am I getting this here? I just upgraded the box to development version 2.5, but the package version there is the same. This might be an easy question, but what do I need to upgrade in this case?

            Gertjan

            Check here: /usr/local/pkg/acme. There you will find the 2.8.1 version of acme.sh, which is the one you find here: https://github.com/Neilpang/acme.sh (2.8.2 as of today).
            So, pfSense uses a rather recent version.
            The "dnsapi" folder that contains all the DNS API scripts is also taken directly from https://github.com/Neilpang/acme.sh/tree/master/dnsapi

              jimp (Rebel Alliance Developer Netgate)

              Update to the ACME pkg 0.6, it should be available momentarily.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                rainbowHash

                I was able to fix this problem by simply updating the file dns_hostingde.sh from the acme.sh on GitHub. After that I rebooted the pfSense box and I was able to issue fake certificates with the staging server, as well as real wildcard certificates with the production server, i.e. v2.
                Many thanks for the help to everyone.

                PS: Just one note: for some reason, while I was trying to copy a file to the pfSense box over scp to the directory /usr/local/pkg/acme, the box locked me out for some time. First I was not sure, then I repeated it and got locked out again. I guess this is some kind of security feature. Thus I had to create the file with vi and paste the content from the clipboard, i.e. from dns_hostingde.sh. Then it all worked.

                  Derelict (LAYER 8 Netgate)

                  Pretty unsound advice there.

                  You are now subject to updates breaking what you have done.

                  You were probably using incorrect credentials and getting locked out by sshlockout.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    rainbowHash

                    Derelict, thank you for your comment. This might indeed not be the best solution, but I just needed this to work, thus I did it this way. I will now try the update to pkg 0.6 that jimp suggested, and surely that will work. About the copy over scp, I do not think I made a mistake with the password there, since I am using a public key and I always log in automatically to the box, so that should not be the reason why I was getting locked out. Since I have a snapshot of the vanilla installation from before I went to 2.5, I can test it now one more time. I will go to that snapshot and try scp, then I will update to 2.5 and try scp again and let you know. I suspect this is related to the upgrade to the development version 2.5.

                      Derelict (LAYER 8 Netgate)

                      I suspect it was getting ssh lockout triggered. There will be system logs to this effect.

                        rainbowHash (last edited by rainbowHash)

                        I just reverted from version "2.5.0.a.20190806.1707 i" to the snapshot using 2.4.4-RELEASE-p3 (amd64). I upgraded the acme package to version 0.6_1 and tried to issue a certificate with the Let's Encrypt staging servers. Everything works well, without any problem at all!

                        Then I tried copying a file to /tmp on pfSense, i.e.

                        scp test1.txt root@192.168.87.1:/tmp/

                        The file and its content got copied to /tmp. All good there.

                        Now I need to upgrade to 2.5.0.a.20190806.1707 again and see if I can replicate the problem with the file copy.
