Netgate Discussion Forum

files.pfsense.org : Lets Encrypt certificate has expired

General pfSense Questions
  • G
    Gertjan @monotypeTattoo
    last edited by Gertjan Jan 28, 2021, 2:06 PM Jan 28, 2021, 2:02 PM

    edit : Oops.

    Re-read the question - and found out I was reading something else.

    I pulled the same cert :

    [image]

    are we not looking at the same site, for example : https://www.pfsense.org ?

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    • J
      johnpoz LAYER 8 Global Moderator @Gertjan
      last edited by Jan 28, 2021, 2:11 PM

      @gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

      are we not looking at the same site, for example : https://www.pfsense.org ?

      Check site https://files.pfsense.org/

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • G
        Gertjan @johnpoz
        last edited by Jan 28, 2021, 3:11 PM

        It's also *.pfsense.org, and it's OK for me.

        • J
          johnpoz LAYER 8 Global Moderator @Gertjan
          last edited by johnpoz Jan 28, 2021, 3:14 PM Jan 28, 2021, 3:12 PM

          I don't know the details of how they have this setup.. But I would guess some servers got the new cert on 1/5 and others have not.. Which is why only specific URLs are showing the old cert.

          I sent a PM to Steve - sure they will get it fixed up soon enough..

          One of the flaws in having to update every 90 days, and automation - sometimes it doesn't always work as planned/designed.

          • G
            Gertjan @johnpoz
            last edited by Jan 28, 2021, 3:35 PM

            @johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

            flawed ..... update every 90 days automation

            90 ....
            More often will create the same problems .... more often ;)
            Less often and people forget how to debug, draw conclusions and repair fast. Also : Let's Encrypt also has to deal with the ones that want to 'burn' (revoke) their certs ... at least now they can keep a 90 days max list instead of a classic two years list, reducing browser cert validity checking. Consider how many certs they have outstanding these days and you'll get the picture.
            And "automation" shouldn't be related to "forgetting about it".

            I've got several 'original' acme scripts running (several devices), and two with pfSense using the pfSense package.
            And the unbeatable combination : no DNS registrar on the other side that changes the 'something' sometimes. The DNS name server of my domains is me, using RFC2136.
            It's rock solid. I don't make calendar entries any more (on phone) to check things every 60 days. I just get a mail with "acme => done = > my domain".

            • J
              johnpoz LAYER 8 Global Moderator @Gertjan
              last edited by Jan 28, 2021, 4:10 PM

              @gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

              I just get a mail with "acme => done = > my domain".

              Well clearly they do not have that setup, or they are not looking at the error emails :)

              This has happened before - same sort of issue..

              • S
                stephenw10 Netgate Administrator
                last edited by Jan 28, 2021, 4:32 PM

                Looks good now. Anyone still seeing this?

                • J
                  johnpoz LAYER 8 Global Moderator @stephenw10
                  last edited by Jan 28, 2021, 4:37 PM

                  @stephenw10

                  Looks good here.

                  • G
                    Gertjan @johnpoz
                    last edited by Jan 28, 2021, 11:05 PM

                    It didn't get better for me (was already good).

                    @johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

                    do not have that setup

                    The pfSense acme package has the "action" list, where you can set up .... actions.
                    Like send a mail when it's done. But, it strikes me now, it does so when things went well.
                    I should have something that shows up when things start to go wrong.
                    (Someone behind me proposes : "use two TV sets and dial into CNN and Fox News", this is French humor as best as it gets.)
                    I should be cooking a script that runs once a week that 'reads' a cert, extracts its end date/time, minus the actual date/time and if less than 2 weeks or so : sends a mail.

                    /root: openssl x509 -enddate -noout -in /tmp/acme/my-domain/my-domain/my-domain.cer
                    notAfter=Apr 13 21:55:05 2021 GMT
                    

                    plus some other shell whatever script and done.

                    Anyway, @stephenw10, @monotypeTattoo I'll drop a copy here when I get it done.

                    • J
                      johnpoz LAYER 8 Global Moderator @Gertjan
                      last edited by Jan 28, 2021, 11:28 PM

                      Keep in mind that cert might have updated just fine, but the service using the cert maybe just didn't update.. You're using some httpd to serve up files, even if you update the cert on the machine - you probably have to tell whatever httpd you're using to reload the new cert..

                      • G
                        Gertjan
                        last edited by Jan 29, 2021, 7:17 AM

                        echo | openssl s_client -servername domain.tld -connect domain.tld:443 | openssl x509 -noout -enddate | grep 'notAfter' > date.txt
                        

                        The file date.txt should contain a date and time in the future :

                        notAfter=Apr  3 01:17:16 2021 GMT
                        

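The weekly check described in the last few posts, as an added example that is not part of the thread or of the pfSense acme package: it reads `notAfter` from both the certificate file and the certificate the server presents, and warns when either has fewer than 14 days left or when the two differ (the reload case johnpoz mentions). The function names, `WARN_DAYS` and the awk date conversion are assumptions of this example; the two openssl commands are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: warn when a certificate nears expiry,
# checking the file on disk and the certificate the server actually presents.
WARN_DAYS=14    # "less than 2 weeks or so"; the variable name is an assumption

# Convert "notAfter=Apr 13 21:55:05 2021 GMT" to a Unix epoch (UTC).
# Pure awk, so it behaves the same with BSD date (pfSense) and GNU date.
enddate_to_epoch() {
    printf '%s\n' "$1" | awk '{
        sub(/^notAfter=/, ""); split($3, t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        d = $2; y = $4
        if (m <= 2) { y--; m += 12 }    # count Jan/Feb as months 13/14
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m-3) + 2)/5) + d - 719469
        printf "%d\n", days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }'
}

# Whole days from NOW (epoch; default: current time) until notAfter.
days_left() {
    end=$(enddate_to_epoch "$1"); now=${2:-$(date +%s)}
    echo $(( (end - now) / 86400 ))
}

# The two openssl commands posted in the thread, wrapped as functions.
disk_enddate()   { openssl x509 -noout -enddate -in "$1"; }
served_enddate() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -enddate
}

# check LABEL NOTAFTER_LINE [NOW]: print a warning and return 1 if too close.
check() {
    left=$(days_left "$2" "$3")
    if [ "$left" -ge "$WARN_DAYS" ]; then return 0; fi
    echo "WARNING: $1 certificate has $left days left ($2)"
    return 1
}

# main CERT_FILE HOSTNAME: any output is the text to mail (e.g. from cron).
main() {
    disk=$(disk_enddate "$1"); served=$(served_enddate "$2"); rc=0
    check "on-disk" "$disk" || rc=1
    check "served" "$served" || rc=1
    if [ "$disk" != "$served" ]; then
        echo "NOTE: $2 is not serving $1; reload the web server?"; rc=1
    fi
    return $rc
}
if [ "$#" -eq 2 ]; then main "$@"; fi
```

An unreadable file or failed connection yields an empty `notAfter` line, which converts to a date far in the past and so also produces a warning.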