Letsencrypt and acme development package version > 0.5.8



  • Hello Netgate, I have the following question. I am using hosting.de for my domain names.
    I am trying to issue a certificate following the video from Jim Pingle that I viewed in the Netgate handouts.

    The problem is that it looks to be with the latest package version 0.5.8, i.e. after issuing the account keys without any problem with the letsencrypt staging servers, I am trying to issue the certificate with the hosting.de API key and using https://secure.hosting.de as an endpoint.

    It seems that in the HTTP request the parameter "templateId" is missing; that is the feedback I got from the domain provider. The provider advised me to upgrade to the latest acme shell (however I am not sure if that is possible at all in pfSense), which should be fixed in the development version, but I am unable to find the development version of that acme.sh for Netgate.

    I suspect the problem is this bug here:
    https://github.com/Neilpang/acme.sh/issues/2058

    Can you please let me know if there is any existing procedure to upgrade the acme.sh 0.5.8?

    If someone is interested, here are the error logs below:

    ################################################################
    Mon Aug 5 14:40:14 CEST 2019] Single domain='testDomain.com'
    [Mon Aug 5 14:40:14 CEST 2019] Getting domain auth token for each domain
    [Mon Aug 5 14:40:14 CEST 2019] Getting webroot for domain='testDomain.com'
    [Mon Aug 5 14:40:14 CEST 2019] Getting new-authz for domain='testDomain.com'
    [Mon Aug 5 14:40:16 CEST 2019] The new-authz request is ok.
    [Mon Aug 5 14:40:16 CEST 2019] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_hostingde.sh
    [Mon Aug 5 14:40:16 CEST 2019] Getting ZoneConfig
    [Mon Aug 5 14:40:17 CEST 2019] Retrieved zone data.
    [Mon Aug 5 14:40:17 CEST 2019] Adding record to zone
    [Mon Aug 5 14:40:17 CEST 2019] UNKNOWN API ERROR
    [Mon Aug 5 14:40:17 CEST 2019] Error add txt for domain:_acme-challenge.testDomain.com
    [Mon Aug 5 14:40:17 CEST 2019] Please check log file for more details: /tmp/acme/FirewallGUICert/acme_issuecert.log
    ################################################################
    

    The problem should be the "templateId": part here, which is empty.

    ################################################################
    [Mon Aug  5 14:18:08 CEST 2019] zoneStatus '"active"'
    [Mon Aug  5 14:18:08 CEST 2019] Result of zoneStatus: '"active"'
    [Mon Aug  5 14:18:08 CEST 2019] POST
    [Mon Aug  5 14:18:08 CEST 2019] _post_url='https://secure.hosting.de/api/dns/v1/json/zoneUpdate'
    [Mon Aug  5 14:18:08 CEST 2019] body='{"authToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","zoneConfig":{"id":"190803pqralmdfnizvm","name":"testDomain.com","type":"NATIVE","dnsServerGroupId":null,"dnsSecMode":"off","emailAddress":"hostmaster@testDomain.com","soaValues":{"expire":3600000,"negativeTtl":900,"refresh":86400,"retry":7200,"ttl":86400},"templateValues":{"templateId":,"templateName":,"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":,"mailIpv4Replacement":,"mailIpv6Replacement":},"tieToTemplate":}},"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT","content":"\"Pcaz2w1zV9I26CZmcCBm3OdJaI0dGa08zt-2YjuDCiQ\"","ttl":3600}]}'
    [Mon Aug  5 14:18:08 CEST 2019] _postContentType
    [Mon Aug  5 14:18:08 CEST 2019] curl exists=0
    [Mon Aug  5 14:18:08 CEST 2019] wget exists=127
    [Mon Aug  5 14:18:08 CEST 2019] _CURL='curl -L --silent --dump-header /tmp/acme/FirewallGUICert//http.header  -g '
    [Mon Aug  5 14:18:08 CEST 2019] _ret='0'
    [Mon Aug  5 14:18:08 CEST 2019] Calling zoneUpdate: '{"authToken":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","zoneConfig":{"id":"190803pqralmdfnizvm","name":"testDomain.com","type":"NATIVE","dnsServerGroupId":null,"dnsSecMode":"off","emailAddress":"hostmaster@testDomain.com","soaValues":{"expire":3600000,"negativeTtl":900,"refresh":86400,"retry":7200,"ttl":86400},"templateValues":{"templateId":,"templateName":,"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":,"mailIpv4Replacement":,"mailIpv6Replacement":},"tieToTemplate":}},"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT","content":"\"Pcaz2w1zV9I26CZmcCBm3OdJaI0dGa08zt-2YjuDCiQ\"","ttl":3600}]}' 'https://secure.hosting.de/api/dns/v1/json/zoneUpdate'
    [Mon Aug  5 14:18:08 CEST 2019] Result of zoneUpdate: '{
        "errors": [
            {
                "code": 11001,
                "contextObject": "",
                "contextPath": "",
                "details": [
                    {
                        "key": "parse error",
                        "value": "illegal value"
                    },
                    {
                        "key": "request",
                        "value": "zoneUpdate"
                    }
                ],
                "text": "The request document is invalid in zoneUpdate request.",
                "value": "request"
            }
        ],
        "metadata": {
            "clientTransactionId": "",
            "serverTransactionId": "20190805121808531-dnsrobot-robots1-711-0"
        },
        "status": "error",
        "warnings": [
        ]
    }'
    ################################################################
    

    Many thanks in advance.
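The body logged above is not JSON at all: every field under "templateValues" is emitted as a key followed directly by a comma or brace, which is exactly what a shell script produces when it interpolates unset variables into a JSON string template, and it is what the server's "parse error / illegal value" (code 11001) is rejecting. The following Python is an added example, not code from this post or from acme.sh: it detects that class of defect in a captured body and shows the safer way to build the request, by serializing a real data structure with unset optional fields dropped. The zone id, token and record content are constructed placeholders, and omitting unset optional fields (rather than sending null) is an assumption about the hosting.de API, not something the thread confirms.

```python
"""Added example (not from the forum post or from acme.sh): reproduces the
hosting.de zoneUpdate parse error and shows how a client should build the
request body so that unset optional fields are omitted instead of emitted as
empty values. Field names follow the body captured in the post; the zone id,
token and record content are constructed placeholders."""
import json
import re
from typing import Any

# Constructed stand-in for the body acme.sh logged in the post: every
# templateValues field is present but has no value, which is not JSON.
BROKEN_BODY = (
    '{"authToken":"XXXX","zoneConfig":{"id":"EXAMPLE_ZONE_ID","name":"testDomain.com",'
    '"type":"NATIVE","dnsSecMode":"off",'
    '"templateValues":{"templateId":,"templateName":,'
    '"templateReplacements":{"ipv4Replacement":,"ipv6Replacement":},'
    '"tieToTemplate":}},'
    '"recordsToAdd":[{"name":"_acme-challenge.testDomain.com","type":"TXT",'
    '"content":"\\"token\\"","ttl":3600}]}'
)

# Zone configuration as a client would hold it in memory: the template
# fields are simply unset (None), which is the state the shell script
# turned into empty values.
SAMPLE_ZONE_CONFIG = {
    "id": "EXAMPLE_ZONE_ID",
    "name": "testDomain.com",
    "type": "NATIVE",
    "dnsSecMode": "off",
    "templateValues": {
        "templateId": None,
        "templateName": None,
        "templateReplacements": {"ipv4Replacement": None, "ipv6Replacement": None},
        "tieToTemplate": None,
    },
}
SAMPLE_RECORDS = [
    {"name": "_acme-challenge.testDomain.com", "type": "TXT",
     "content": '"token"', "ttl": 3600}
]

# A quoted key, a colon, and then directly a comma or a closing bracket:
# the key has no value at all. This is the defect in the captured body.
_EMPTY_VALUE = re.compile(r'"([A-Za-z0-9_]+)"\s*:\s*(?=[,}\]])')


def is_valid_json(body: str) -> bool:
    """True if the body parses as JSON; the server's parse error means it did not."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def find_empty_values(body: str) -> list:
    """Names of keys that were emitted with no value, in order of appearance."""
    return _EMPTY_VALUE.findall(body)


def prune_unset(value: Any) -> Any:
    """Recursively drop dict entries whose value is None or an empty string.

    A nested object that becomes empty after pruning is dropped as well, so an
    entirely unset templateValues block disappears from the request instead of
    being sent as a set of empty fields."""
    if isinstance(value, dict):
        cleaned = {}
        for key, item in value.items():
            item = prune_unset(item)
            if item is None or item == "" or item == {}:
                continue
            cleaned[key] = item
        return cleaned
    if isinstance(value, list):
        return [prune_unset(item) for item in value]
    return value


def build_zone_update(auth_token: str, zone_config: dict, records_to_add: list) -> str:
    """Serialize a zoneUpdate body with json.dumps so it is always well formed."""
    body = {
        "authToken": auth_token,
        "zoneConfig": prune_unset(zone_config),
        "recordsToAdd": records_to_add,
    }
    return json.dumps(body, separators=(",", ":"))


if __name__ == "__main__":
    print("captured body valid:", is_valid_json(BROKEN_BODY))
    print("keys with no value:", find_empty_values(BROKEN_BODY))
    fixed = build_zone_update("XXXX", SAMPLE_ZONE_CONFIG, SAMPLE_RECORDS)
    print("rebuilt body valid:", is_valid_json(fixed))
    print(fixed)
```

Running `is_valid_json` and `find_empty_values` over the `body=` line of a failing acme.sh log is a quick way to confirm that a provider's "request document is invalid" response is a client-side serialization problem rather than a credential or permission issue. Fields the API requires as an explicit null (the captured body carries `"dnsServerGroupId":null`) must be handled deliberately, since `prune_unset` as written drops every None.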



  • @rainbowHash said in Letsencrypt and acme development package version > 0.5.8:

    I suspect the problem is this bug here:
    https://github.com/Neilpang/acme.sh/issues/2058
    Can you please let me know if there is any existing procedure to upgrade the acme.sh 0.5.8?

    That issue "2058" has been solved by a patch.
    This patch / version is present in the package that uses acme. At least, the two lines are ok for me.
    https://github.com/Neilpang/acme.sh/pull/2207/commits/64e53927880732978cf3702b6afa792156ae4db3



  • Hello Gertjan,

    Many thanks for the quick feedback, I did not expect that it would be that fast. You mentioned that the issue 2052 is already fixed. Maybe I have some misunderstanding here, but is the acme.sh not shipped together with pfSense? I would like to upgrade that if possible. So far I was only able to install packages. I am not sure if the acme.sh is part of the acme package. I suppose that is indeed the case. But if that is the case and the error is already fixed, why am I getting it here? I just upgraded the box to development version 2.5, but the package version there is the same. This might be an easy question here, but what do I need to upgrade in this case?



  • Check here : /usr/local/pkg/acme : there you will find the 2.8.1 version of acme.sh - that's the one you find here : https://github.com/Neilpang/acme.sh (2.8.2 as of today).
    So, pfSense uses a rather recent version.
    The "dnsapi" folder that contains all the dns api scripts is also directly taken from https://github.com/Neilpang/acme.sh/tree/master/dnsapi


  • Rebel Alliance Developer Netgate

    Update to the ACME pkg 0.6, it should be available momentarily.



  • I was able to fix this problem by simply updating the file dns_hostingde.sh from the acme.sh on GitHub. After that I rebooted the pfSense box and I was able to issue fake certificates with the staging server, and I was also able to issue real wildcard certificates with the production server, i.e. v2.
    Many thanks for the help to everyone.

    PS: Just one note: for some reason, while I was trying to copy a file to the pfSense box over scp to the directory /usr/local/pkg/acme, the box locked me out for some time. At first I was not sure, then I repeated it and got locked out again. I guess this is some kind of security feature. Thus I had to create the file with vi and paste the content from the clipboard, i.e. from dns_hostingde.sh. Then it all worked.


  • LAYER 8 Netgate

    Pretty unsound advice there.

    You are now subject to updates breaking what you have done.

    You were probably using incorrect credentials and getting locked out by sshlockout.



  • Derelict, thank you for your comment. This might indeed not be the best solution, but I just needed this to work, so I did it this way. I will now try the update to pkg 0.6 that jimp suggested, and surely that will work. About the copy over scp, I do not think I made a mistake in the password there, since I am using a public key and I always log in automatically to the box, so that should not be the reason why I was getting locked out. Since I have a snapshot of the vanilla installation before I went to 2.5, I can test it now one more time. I will go to that snapshot and try scp, then I will update to 2.5 and try scp again and let you know. I suspect this is related to the upgrade to the development version 2.5.


  • LAYER 8 Netgate

    I suspect it was getting ssh lockout triggered. There will be system logs to this effect.



  • I just reverted back from version "2.5.0.a.20190806.1707 i" to the snapshot using 2.4.4-RELEASE-p3 (amd64). I upgraded the acme package to version 0.6_1 and tried to issue a certificate with the staging servers of letsencrypt. Everything works well without any problem at all!!!

    Then I tried a copy of some file to the tmp of pfSense, i.e.

    scp test1.txt root@192.168.87.1:/tmp/

    The file got copied with its content to tmp. All good there.

    Now I need to upgrade to 2.5.0.a.20190806.1707 again and see if I will be able to replicate the problem with the file copy.

