files.pfsense.org : Lets Encrypt certificate has expired

monotypeTattoo · Jan 28, 2021, 2:02 PM

Good Morning,

This morning our Snort Open AppId rules update failed getting updates from https://files.pfsense.org/openappid/.

	Snort AppID Open Text Rules md5 download failed.
	Server returned error code 0.
	Server error message was: SSL certificate problem: certificate has expired
	Snort AppID Open Text Rules will not be updated

This is the current certificate served by files.pfsense.org. I note that it SANed for pfsense.org which is serving up a non-expired certificate, albeit with differrent public key.

I believe we have had this problem before; Is there any monitoring on certificate validity for files.pfsense.org?

Thank you.

Gertjan · Jan 28, 2021, 2:06 PM

edit : Oops.

Re read the question - and found out I was reading something else.

I pulled the same cert :

are we not looking at the same site, for example : https://www.pfsense.org ?

johnpoz · Jan 28, 2021, 2:11 PM

@gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

are we not looking at the same site, for example : https://www.pfsense.org ?

Check site https://files.pfsense.org/

Gertjan · Jan 28, 2021, 3:11 PM

Is also *.pfsense.org is ok for me.

johnpoz · Jan 28, 2021, 3:14 PM

I don't know the details of how they have this setup.. But I would guess some servers got the new cert on on 1/5 and others have not.. Which is why only specific urls showing the old cert.

I sent a PM to Steve - sure they will get it fixed up soon enough..

One of the flaws in having to update every 90 days, and automation - sometimes it doesn't always work as planned/desgined.

Gertjan · Jan 28, 2021, 3:35 PM

@johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

flawed ..... update every 90 days automation

90 ....
More often will create the same problems .... more often ;)
Less often and people forget how to debug, draw conclusions and repair fast. Also : Letsenscypt also has to deal with the ones that want to 'burn' (revocate) their certs ... at least now they can keep a 90 days max list instead of a classic two years list, reducing browser cert validity checking. Knowing how many certs they have outstanding these days and you'll get the picture.
And "automation " shouldn't be related to "forgetting about it".

I've got several 'original' acme script running (several devices) , and two with pfSense using the pfSense package.
And the unbeatable combination : no DNS registrar on the other side that changes the 'something' some times. The DNS name server of my domains is me using RFC2136.
It's rock solid. I don't make calendar entries any more (on phone) to check things every 60 days. I just get a mail with "acme => done = > my domain".

johnpoz · Jan 28, 2021, 4:10 PM

@gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

I just get a mail with "acme => done = > my domain".

Well clearly they do not have that setup, or they are not looking at the error emails :)

This has happened before - same sort of issue..

stephenw10 · Jan 28, 2021, 4:32 PM

Looks good now. Anyone still seeing this?

johnpoz · Jan 28, 2021, 4:37 PM

@stephenw10

Looks good here.

Gertjan · Jan 28, 2021, 11:05 PM

It didn't get better for me (was already good).

@johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

do not have that setup

The pfSense acme package has the "action" list, where you can set up .... actions.
Like send a mail when it's done. But, it strikes me now, it does so when thing went well.
I should have something to show up start to go wrong.
( some one behinds me propose me : "use two tv sets and dial into CNN and Fox news", this is french humor as best as it gets).
I should be cooking a script that runs one a week that 'reads' a cert, extracts its end date/time, minus the actual date/time and if less then 2 weeks or so : sends a mail.

/root: openssl x509 -enddate -noout -in /tmp/acme/my-domain/my-domain/my-domain.cer
notAfter=Apr 13 21:55:05 2021 GMT

plus some other shell whatever script and done.

Anyway, @stephenw10 , @ monotypeTattoo I'll drop a copy here when I get it done.

johnpoz · Jan 28, 2021, 11:28 PM

Keep in mind that cert might of updated just fine, but the service using the cert maybe just didn't update.. Your using some httpd to serve up file, even if you update the cert on the machine - you have prob have to tell whatever httpd your using to reload the new cert..

Gertjan · Jan 29, 2021, 7:17 AM

echo | openssl s_client -servername domain.tld -connect domain.tld:443 | openssl x509 -noout -enddate | grep 'notAfter' > date.txt

The file date.txt should contain a date and time in the future :

notAfter=Apr  3 01:17:16 2021 GMT