New user failing to issue certificate

Flemmingss

Hi.

I have tried to follow this guide to set up ACME (And HAProxy)
First I just did it with duckdns.org, and the certificate was issued, but it gave me not-secure when accessing stuff.mydomain.duckdns.org, I found out I needed my own top level domain, so I bought a domain at namesilo.com

But I am not able to issue...

• Removed Certificates and Account keys from ACME
• Remove all TXT at NameSilo
• Rebooted pfSense
• Added new Account key
• Created new Certificate
• Clicked Issue
• Still did not work, but I get a _acme-challenge TXT at NameSilo. Last renewed date still Thu, 01 Jan 1970 01:00:00 +0100
• waited 3 days and tried new issue, same problem.

This is the log I get:

Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:47 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:58 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:09 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:14 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:25 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:46 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:07 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:17 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:18 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:29 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:49 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:59 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:00 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:11 CEST 2020] Let's wait 10 seconds and check again.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Domain mydomain.top '_acme-challenge.mydomain.top' success.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] All success, let's return
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Verifying: *.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:24 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing DNS records.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Removed: Success
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] *.mydomain.top:Verify error:Incorrect TXT record
Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
Jul 15 03:36:33	php		ACME, Failed to renew certificate for LE_Root_Cert

This is my config:

Do anyone have an idea?

Gertjan

Ones these

.... the _acme-challenge TXT records - are used, they become useless / stale. Delete them.

Check this part :

Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Removed: Success

the logs says it removed the _acme-challenge.mydomain.top record, but did it really do so - which one was deleted ?

Also, for a wild card domain you should have two "Domainname", like "mydomain.top" and *.mydomain.top".
See the original doc : Wildcard Domain Step-By-Step

Flemmingss

@Gertjan Thanks for your answer. The screenshot is some days old and before I deleted the TXT's.
Now I checked my domain, there is no TXT records, just the two CNAME record I have made myself.

I tried again now and _acme-challenge TXT mbyXXXXXXXF1k are created at NameSilo.
And I see this (same as before):

And nothing in the logs. So I tried Issue again and I got this:

Still nothing in the logs

BTW: I don't think I understood the wildcard thing.
My goal is to be able to access all servers behind my pfsense with SSL. server1.domain.top and server2.domain.top ect.

Gertjan

@Flemmingss said in New user failing to issue certificate:

Still nothing in the logs

Yes, here is it :

which means : if the challenge TXT record isn't added, letenscrypt can't verify, etc etc.

Flemmingss

@Gertjan
Hmm. I desabled my "HTTP to HTTPS" NAT rule (created as in the video i posted), and it worked.

LE_Root_Cert
Renewing certificate 
account: LE_Cert 
server: letsencrypt-staging-2 

/usr/local/pkg/acme/acme.sh  --issue  -d '*.XXX.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [Namesilo_Key] => 74XXXX30
)
[Fri Jul 17 18:21:16 CEST 2020] Single domain='*.XXX.top'
[Fri Jul 17 18:21:16 CEST 2020] Getting domain auth token for each domain
[Fri Jul 17 18:21:18 CEST 2020] Getting webroot for domain='*.XXX.top'
[Fri Jul 17 18:21:18 CEST 2020] Adding txt value: GXCXXXtQY for domain:  _acme-challenge.XXX.top
[Fri Jul 17 18:21:20 CEST 2020] Successfully added TXT record, ready for validation.
[Fri Jul 17 18:21:20 CEST 2020] The txt record is added: Success.
[Fri Jul 17 18:21:20 CEST 2020] Let's check each dns records now. Sleep 20 seconds first.
[Fri Jul 17 18:21:40 CEST 2020] Checking XXX.top for _acme-challenge.XXX.top
[Fri Jul 17 18:21:41 CEST 2020] Domain XXX.top '_acme-challenge.XXX.top' success.
[Fri Jul 17 18:21:41 CEST 2020] All success, let's return
[Fri Jul 17 18:21:41 CEST 2020] Verifying: *.XXX.top
[Fri Jul 17 18:21:44 CEST 2020] Success
[Fri Jul 17 18:21:44 CEST 2020] Removing DNS records.
[Fri Jul 17 18:21:44 CEST 2020] Removing txt: GXXXXQY for domain: _acme-challenge.XXX.top
[Fri Jul 17 18:21:46 CEST 2020] Successfully retrieved the record id for ACME challenge.
[Fri Jul 17 18:21:47 CEST 2020] Successfully removed the TXT record.
[Fri Jul 17 18:21:47 CEST 2020] Removed: Success
[Fri Jul 17 18:21:47 CEST 2020] Verify finished, start to sign.
[Fri Jul 17 18:21:47 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14XXX77
[Fri Jul 17 18:21:48 CEST 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/faXXXdc
[Fri Jul 17 18:21:49 CEST 2020] Cert success.
-----BEGIN CERTIFICATE-----
MIIXXX
XXXX
XXXXM4s=
-----END CERTIFICATE-----
[Fri Jul 17 18:21:49 CEST 2020] Your cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.cer 
[Fri Jul 17 18:21:49 CEST 2020] Your cert key is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.key 
[Fri Jul 17 18:21:49 CEST 2020] The intermediate CA cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/ca.cer 
[Fri Jul 17 18:21:49 CEST 2020] And the full chain certs is there:  /tmp/acme/LE_Root_Cert//*.XXX.top/fullchain.cer 
[Fri Jul 17 18:21:49 CEST 2020] Run reload cmd: /tmp/acme/LE_Root_Cert/reloadcmd.sh

IMPORT CERT LE_Root_Cert, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.key, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.cer
update cert![Fri Jul 17 18:21:49 CEST 2020] Reload success

However, I changed from staging to production, and it did not work. Same as before