New user failing to issue certificate



  • Hi.

    I have tried to follow this guide to set up ACME (and HAProxy).
    First I just did it with duckdns.org, and the certificate was issued, but it gave me "not secure" when accessing stuff.mydomain.duckdns.org. I found out I needed my own top-level domain, so I bought a domain at namesilo.com.

    But I am not able to issue...

    • Removed Certificates and Account keys from ACME
    • Removed all TXT records at NameSilo
    • Rebooted pfSense
    • Added a new Account key
    • Created a new Certificate
    • Clicked Issue
    • Still did not work, but I get an _acme-challenge TXT record at NameSilo. The last renewed date is still Thu, 01 Jan 1970 01:00:00 +0100
    • Waited 3 days and tried a new issue, same problem.

    This is the log I get:

    Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:47 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:33:58 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:09 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:14 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:25 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:35 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:46 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:34:56 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:07 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:17 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:18 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:29 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:39 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:49 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:35:59 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:00 CEST 2020] Not valid yet, let's wait 10 seconds and check next one.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:11 CEST 2020] Let's wait 10 seconds and check again.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Checking mydomain.top for _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Domain mydomain.top '_acme-challenge.mydomain.top' success.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] All success, let's return
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:21 CEST 2020] Verifying: *.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:24 CEST 2020] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing DNS records.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Removed: Success
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:29 CEST 2020] *.mydomain.top:Verify error:Incorrect TXT record
    Jul 15 03:36:33	ACME		[Wed Jul 15 03:36:33 CEST 2020] Please check log file for more details: /tmp/acme/LE_Root_Cert/acme_issuecert.log
    Jul 15 03:36:33	php		ACME, Failed to renew certificate for LE_Root_Cert
    

    This is my config:
    (screenshot)

    Does anyone have an idea?



  • Once these _acme-challenge TXT records (see screenshot) are used, they become useless / stale. Delete them.

    Check this part :

    Jul 15 03:36:33 ACME [Wed Jul 15 03:36:29 CEST 2020] Removing txt: exXXXXXXXXXXXXXXXX-8XXXXXXXXXXXXXXXXXXp-Fr8 for domain: _acme-challenge.mydomain.top
    Jul 15 03:36:33 ACME [Wed Jul 15 03:36:32 CEST 2020] Successfully retrieved the record id for ACME challenge.
    Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Successfully removed the TXT record.
    Jul 15 03:36:33 ACME [Wed Jul 15 03:36:33 CEST 2020] Removed: Success

    The log says it removed the _acme-challenge.mydomain.top record, but did it really do so? Which one was deleted?

    Also, for a wildcard domain you should have two "Domainname" entries, like "mydomain.top" and "*.mydomain.top".
    See the original doc: Wildcard Domain Step-By-Step.
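The check Gertjan asks for above ("which one was deleted?"), as an added example that is not from this thread or from acme.sh: a small Python parser for acme.sh log lines that pairs the TXT value acme.sh added with the one it removed and surfaces the CA's verify error, so a stale _acme-challenge record shows up without reading the whole log. The sample log lines, the tokens and example.top are constructed placeholders, not values from the original post.

```python
import re

# "[<date>] <message>" part of an acme.sh line, after whatever syslog prefix
# (e.g. "Jul 15 03:36:33  ACME  ") pfSense puts in front of it.
LINE_RE = re.compile(r"\[[^\]]+\]\s*(?P<msg>.*)$")
ADD_RE = re.compile(r"Adding txt value:\s*(\S+)\s+for domain:\s*(\S+)")
REMOVE_RE = re.compile(r"Removing txt:\s*(\S+)\s+for domain:\s*(\S+)")
VERIFY_ERR_RE = re.compile(r"^(\S+):Verify error:(.*)$")

def analyze_acme_log(text: str) -> dict:
    """Pair the TXT value acme.sh added with the one it removed, and collect
    CA verification errors, so a stale _acme-challenge record stands out.
    Returns {"added": {fqdn: token}, "removed": {fqdn: token},
             "verify_errors": {identifier: text}, "findings": [str, ...]}."""
    added, removed, errors, findings = {}, {}, {}, []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if a := ADD_RE.search(msg):
            added[a.group(2)] = a.group(1)
        elif r := REMOVE_RE.search(msg):
            removed[r.group(2)] = r.group(1)
        elif v := VERIFY_ERR_RE.match(msg):
            errors[v.group(1)] = v.group(2).strip()
    for fqdn, gone in removed.items():
        put = added.get(fqdn)
        if put is None:
            findings.append(f"{fqdn}: removed {gone}, which this run never added (stale record?)")
        elif put != gone:
            findings.append(f"{fqdn}: added {put} but removed {gone} (a stale record was picked)")
    for ident, err in errors.items():
        findings.append(f"{ident}: CA rejected the challenge: {err}")
    return {"added": added, "removed": removed, "verify_errors": errors, "findings": findings}

# Constructed samples in the two log formats seen in this thread; the tokens
# and example.top are placeholders, not values from the original post.
FAILED_RUN = """\
Jul 15 03:36:33\tACME\t\t[Wed Jul 15 03:33:40 CEST 2020] Adding txt value: TOKEN_NEW for domain:  _acme-challenge.example.top
Jul 15 03:36:33\tACME\t\t[Wed Jul 15 03:36:29 CEST 2020] Removing txt: TOKEN_OLD for domain: _acme-challenge.example.top
Jul 15 03:36:33\tACME\t\t[Wed Jul 15 03:36:29 CEST 2020] *.example.top:Verify error:Incorrect TXT record
"""
GOOD_RUN = """\
[Fri Jul 17 18:21:18 CEST 2020] Adding txt value: TOKEN_NEW for domain:  _acme-challenge.example.top
[Fri Jul 17 18:21:44 CEST 2020] Removing txt: TOKEN_NEW for domain: _acme-challenge.example.top
"""
if __name__ == "__main__":
    for name, log in (("failed run", FAILED_RUN), ("good run", GOOD_RUN)):
        print(name, "->", analyze_acme_log(log)["findings"] or ["no findings"])
```

Feed it the file acme.sh names in its last line (/tmp/acme/<cert>/acme_issuecert.log on pfSense) or the pasted syslog excerpt; an empty findings list means the record acme.sh cleaned up was the one it created and the CA accepted it.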



  • @Gertjan Thanks for your answer. The screenshot is some days old, from before I deleted the TXT records.
    Now I checked my domain: there are no TXT records, just the two CNAME records I made myself.

    I tried again now and an _acme-challenge TXT record mbyXXXXXXXF1k is created at NameSilo.
    And I see this (same as before):
    (screenshot)
    And nothing in the logs. So I tried Issue again and I got this:

    (screenshot)
    Still nothing in the logs.

    BTW: I don't think I understood the wildcard thing.
    My goal is to be able to access all servers behind my pfSense with SSL: server1.domain.top, server2.domain.top, etc.



  • @Flemmingss said in New user failing to issue certificate:

    Still nothing in the logs

    Yes, here it is:
    (screenshot)

    Which means: if the challenge TXT record isn't added, Let's Encrypt can't verify, etc.



  • @Gertjan
    Hmm. I disabled my "HTTP to HTTPS" NAT rule (created as in the video I posted), and it worked.

    LE_Root_Cert
    Renewing certificate 
    account: LE_Cert 
    server: letsencrypt-staging-2 
    
    /usr/local/pkg/acme/acme.sh  --issue  -d '*.XXX.top' --dns 'dns_namesilo'  --home '/tmp/acme/LE_Root_Cert/' --accountconf '/tmp/acme/LE_Root_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Root_Cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/LE_Root_Cert/acme_issuecert.log'
    Array
    (
        [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
        [Namesilo_Key] => 74XXXX30
    )
    [Fri Jul 17 18:21:16 CEST 2020] Single domain='*.XXX.top'
    [Fri Jul 17 18:21:16 CEST 2020] Getting domain auth token for each domain
    [Fri Jul 17 18:21:18 CEST 2020] Getting webroot for domain='*.XXX.top'
    [Fri Jul 17 18:21:18 CEST 2020] Adding txt value: GXCXXXtQY for domain:  _acme-challenge.XXX.top
    [Fri Jul 17 18:21:20 CEST 2020] Successfully added TXT record, ready for validation.
    [Fri Jul 17 18:21:20 CEST 2020] The txt record is added: Success.
    [Fri Jul 17 18:21:20 CEST 2020] Let's check each dns records now. Sleep 20 seconds first.
    [Fri Jul 17 18:21:40 CEST 2020] Checking XXX.top for _acme-challenge.XXX.top
    [Fri Jul 17 18:21:41 CEST 2020] Domain XXX.top '_acme-challenge.XXX.top' success.
    [Fri Jul 17 18:21:41 CEST 2020] All success, let's return
    [Fri Jul 17 18:21:41 CEST 2020] Verifying: *.XXX.top
    [Fri Jul 17 18:21:44 CEST 2020] Success
    [Fri Jul 17 18:21:44 CEST 2020] Removing DNS records.
    [Fri Jul 17 18:21:44 CEST 2020] Removing txt: GXXXXQY for domain: _acme-challenge.XXX.top
    [Fri Jul 17 18:21:46 CEST 2020] Successfully retrieved the record id for ACME challenge.
    [Fri Jul 17 18:21:47 CEST 2020] Successfully removed the TXT record.
    [Fri Jul 17 18:21:47 CEST 2020] Removed: Success
    [Fri Jul 17 18:21:47 CEST 2020] Verify finished, start to sign.
    [Fri Jul 17 18:21:47 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/14XXX77
    [Fri Jul 17 18:21:48 CEST 2020] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/faXXXdc
    [Fri Jul 17 18:21:49 CEST 2020] Cert success.
    -----BEGIN CERTIFICATE-----
    MIIXXX
    XXXX
    XXXXM4s=
    -----END CERTIFICATE-----
    [Fri Jul 17 18:21:49 CEST 2020] Your cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.cer 
    [Fri Jul 17 18:21:49 CEST 2020] Your cert key is in  /tmp/acme/LE_Root_Cert//*.XXX.top/*.XXX.top.key 
    [Fri Jul 17 18:21:49 CEST 2020] The intermediate CA cert is in  /tmp/acme/LE_Root_Cert//*.XXX.top/ca.cer 
    [Fri Jul 17 18:21:49 CEST 2020] And the full chain certs is there:  /tmp/acme/LE_Root_Cert//*.XXX.top/fullchain.cer 
    [Fri Jul 17 18:21:49 CEST 2020] Run reload cmd: /tmp/acme/LE_Root_Cert/reloadcmd.sh
    
    IMPORT CERT LE_Root_Cert, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.key, /tmp/acme/LE_Root_Cert/*.XXX.top/*.XXX.top.cer
    update cert![Fri Jul 17 18:21:49 CEST 2020] Reload success
    

    However, I changed from staging to production, and it did not work. Same as before.

