Netgate Discussion Forum

New user failing to issue certificate

Category: ACME
5 Posts 2 Posters 1.1k Views
    • Flemmingss (last edited by Flemmingss)

      Hi.

      I have tried to follow this guide to set up ACME (and HAProxy).
      First I just did it with duckdns.org, and the certificate was issued, but it gave me "not secure" when accessing stuff.mydomain.duckdns.org. I found out I needed my own top-level domain, so I bought a domain at namesilo.com.

      But I am not able to issue...

      • Removed Certificates and Account keys from ACME
      • Removed all TXT records at NameSilo
      • Rebooted pfSense
      • Added new Account key
      • Created new Certificate
      • Clicked Issue
      • Still did not work, but I get a _acme-challenge TXT record at NameSilo. Last renewed date is still Thu, 01 Jan 1970 01:00:00 +0100
      • Waited 3 days and tried a new issue; same problem.

      This is the log I get:

      Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:47 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:58 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:09 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:14 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:25 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:46 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:07 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:17 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:18 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:29 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:49 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:59 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:00 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:11 CEST 2020] Let's wait 10 seconds and check again.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Domain mydomain.top '_acme-challenge.mydomain.top' success.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] All success, let's return
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Verifying: *.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:24 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing DNS records.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Removed: Success
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] *.mydomain.top:Verify error:Incorrect TXT record
      Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
      Jul 15 03:36:33	php		ACME, Failed to renew certificate for LE_Root_Cert
      

      This is my config:
      (screenshot of the ACME certificate configuration)

      Does anyone have an idea?

      • Gertjan (last edited by Gertjan)

        Once these
        (screenshot of the _acme-challenge TXT records at NameSilo)
        .... the _acme-challenge TXT records, are used, they become useless / stale. Delete them.

        Check this part:

        Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
        Jul 15 03:36:33 ACME [Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
        Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
        Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Removed: Success

        The log says it removed the _acme-challenge.mydomain.top record, but did it really do so? Which one was deleted?

        Also, for a wildcard domain you should have two "Domainname" entries, like "mydomain.top" and "*.mydomain.top".
        See the original doc: Wildcard Domain Step-By-Step

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

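The advice above (stale _acme-challenge TXT values should be deleted, and a wildcard order needs its base name as well) can be turned into a pre-flight check run before clicking Issue. The following is an added example written for this thread; it is not code from the original post, from pfSense or from acme.sh. It computes the TXT value a CA expects for a DNS-01 challenge as specified in RFC 8555 section 8.4 (base64url of the SHA-256 of the key authorization), then compares it with the values currently published at `_acme-challenge.<domain>`, reporting whether every pending challenge is present and which values are leftovers from earlier attempts. It goes slightly beyond the thread by accepting several pending challenges at once, which is what the "mydomain.top" plus "*.mydomain.top" case produces (two different tokens at the same name). The key authorizations, domain and record set below are constructed placeholders; `resolve_txt` assumes the third-party dnspython package and is only used against a live zone.

```python
"""Pre-flight check for ACME DNS-01 challenge records (added example)."""
import base64
import hashlib
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(key_authorization: str) -> str:
    """TXT value the CA looks for in DNS-01 (RFC 8555 section 8.4).

    key_authorization is "<token>.<base64url JWK thumbprint of account key>";
    the published value is base64url(SHA-256(key_authorization)).
    """
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the challenge record; a wildcard uses its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


@dataclass
class ChallengeReport:
    name: str
    expected: list            # TXT values the CA will look for
    missing: list = field(default_factory=list)   # expected but not published
    stale: list = field(default_factory=list)     # published but not expected

    @property
    def ready(self) -> bool:
        return not self.missing


def check_challenge_records(domain: str, key_authorizations: list,
                            published_txt: list) -> ChallengeReport:
    """Compare the published TXT set with the values pending challenges need.

    One key authorization per pending challenge at this name, e.g. one for
    'mydomain.top' and one for '*.mydomain.top'. Anything published that is
    not expected is reported as stale, the set the poster above says to delete.
    """
    expected = [dns01_txt_value(ka) for ka in key_authorizations]
    missing = [v for v in expected if v not in published_txt]
    stale = sorted(set(published_txt) - set(expected))
    return ChallengeReport(challenge_name(domain), expected, missing, stale)


def resolve_txt(name: str) -> list:
    """Fetch live TXT values (assumes dnspython is installed; not used offline)."""
    import dns.resolver  # third-party
    return [b"".join(r.strings).decode() for r in dns.resolver.resolve(name, "TXT")]


# Constructed demo data: two pending challenges at one name (base + wildcard),
# plus one leftover value from an earlier failed run.
DEMO_DOMAIN = "*.example.top"
DEMO_KEYAUTHZ = ["tokenBase.thumbprintOfAccountKey",
                 "tokenWildcard.thumbprintOfAccountKey"]
DEMO_PUBLISHED = ["exLEFTOVERFROMANEARLIERRUN",
                  dns01_txt_value(DEMO_KEYAUTHZ[0]),
                  dns01_txt_value(DEMO_KEYAUTHZ[1])]


def demo() -> ChallengeReport:
    report = check_challenge_records(DEMO_DOMAIN, DEMO_KEYAUTHZ, DEMO_PUBLISHED)
    print(f"{report.name}: ready={report.ready}")
    for v in report.missing:
        print("  missing:", v)
    for v in report.stale:
        print("  stale (delete before issuing):", v)
    return report


if __name__ == "__main__":
    demo()
```

Run it as-is to see the constructed case; for a real zone, replace `DEMO_PUBLISHED` with `resolve_txt(challenge_name(domain))` and take the key authorizations from the pending order. The value acme.sh logs as "Adding txt value" is exactly `dns01_txt_value(...)`, so a mismatch between that line and what the authoritative name server returns is the first thing to look for when the CA reports "Incorrect TXT record".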
        • Flemmingss @Gertjan

          @Gertjan Thanks for your answer. The screenshot is some days old, from before I deleted the TXTs.
          Now I checked my domain: there are no TXT records, just the two CNAME records I have made myself.

          I tried again now, and the _acme-challenge TXT record mbyXXXXXXXF1k is created at NameSilo.
          And I see this (same as before):
          (screenshot of the certificate status in the ACME package)
          And nothing in the logs. So I tried Issue again and I got this:

          (screenshot of the Issue result)
          Still nothing in the logs.

          BTW: I don't think I understood the wildcard thing.
          My goal is to be able to access all servers behind my pfSense with SSL: server1.domain.top, server2.domain.top etc.

          • Gertjan @Flemmingss

            @Flemmingss said in New user failing to issue certificate:

            Still nothing in the logs

            Yes, here it is:
            (screenshot of the ACME log)

            which means: if the challenge TXT record isn't added, Let's Encrypt can't verify, etc. etc.


            • Flemmingss @Gertjan

              @Gertjan
              Hmm. I disabled my "HTTP to HTTPS" NAT rule (created as in the video I posted), and it worked.

              LE_Root_Cert
              Renewing certificate 
              account: LE_Cert 
              server: letsencrypt-staging-2 
              
              /usr/local/pkg/acme/acme.sh  --issue  -d '*.XXX.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
              Array
              (
                  [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                  [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                  [Namesilo_Key] => 74XXXX30
              )
              [Fri Jul 17 18:21:16 CEST 2020] Single domain='*.XXX.top'
              [Fri Jul 17 18:21:16 CEST 2020] Getting domain auth token for each domain
              [Fri Jul 17 18:21:18 CEST 2020] Getting webroot for domain='*.XXX.top'
              [Fri Jul 17 18:21:18 CEST 2020] Adding txt value: GXCXXXtQY for domain:  _acme-challenge.XXX.top
              [Fri Jul 17 18:21:20 CEST 2020] Successfully added TXT record, ready for validation.
              [Fri Jul 17 18:21:20 CEST 2020] The txt record is added: Success.
              [Fri Jul 17 18:21:20 CEST 2020] Let's check each dns records now. Sleep 20 seconds first.
              [Fri Jul 17 18:21:40 CEST 2020] Checking XXX.top for _acme-challenge.XXX.top
              [Fri Jul 17 18:21:41 CEST 2020] Domain XXX.top '_acme-challenge.XXX.top' success.
              [Fri Jul 17 18:21:41 CEST 2020] All success, let's return
              [Fri Jul 17 18:21:41 CEST 2020] Verifying: *.XXX.top
              [Fri Jul 17 18:21:44 CEST 2020] Success
              [Fri Jul 17 18:21:44 CEST 2020] Removing DNS records.
              [Fri Jul 17 18:21:44 CEST 2020] Removing txt: GXXXXQY for domain: _acme-challenge.XXX.top
              [Fri Jul 17 18:21:46 CEST 2020] Successfully retrieved the record id for ACME challenge.
              [Fri Jul 17 18:21:47 CEST 2020] Successfully removed the TXT record.
              [Fri Jul 17 18:21:47 CEST 2020] Removed: Success
              [Fri Jul 17 18:21:47 CEST 2020] Verify finished, start to sign.
              [Fri Jul 17 18:21:47 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14XXX77
              [Fri Jul 17 18:21:48 CEST 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/faXXXdc
              [Fri Jul 17 18:21:49 CEST 2020] Cert success.
              -----BEGIN CERTIFICATE-----
              MIIXXX
              XXXX
              XXXXM4s=
              -----END CERTIFICATE-----
              [Fri Jul 17 18:21:49 CEST 2020] Your cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.cer 
              [Fri Jul 17 18:21:49 CEST 2020] Your cert key is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.key 
              [Fri Jul 17 18:21:49 CEST 2020] The intermediate CA cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/ca.cer 
              [Fri Jul 17 18:21:49 CEST 2020] And the full chain certs is there:  /tmp/acme/LE_Root_Cert//*.XXX.top/fullchain.cer 
              [Fri Jul 17 18:21:49 CEST 2020] Run reload cmd: /tmp/acme/LE_Root_Cert/reloadcmd.sh
              
              IMPORT CERT LE_Root_Cert, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.key, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.cer
              update cert![Fri Jul 17 18:21:49 CEST 2020] Reload success
              

              However, when I changed from staging to production, it did not work. Same as before.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.