Let's Encrypt Certificate Authority Expiring soon

costanzo

The following CA/Certificate entries are expiring:
Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (5eafeb7f6b77c): Expiring soon, in 27 days @ 2021-02-18 03:01:00

How do I resolve this? Using latest ACME package.

Thanks in advance!

--- Update

The fix is to just delete the expiring cert. Let's Encrypt is using a newer CA, "R3" now to sign their certs. Thanks @Gertjan for pointing this out.

gguglielmi

Did you just upgrade to pfSense 2.5? I just got the same notification after upgrading to version 2.5.
I have an appliance still on 2.4.5p1, but with a similar configuration and using the same Let's Encrypt account, and is not showing this notification, even if the "expiry date" is the same.

cmonster12uk

Got exactly the same here. Started flagging up as soon as upgraded to 21.02.

Gertjan

@costanzo said in Let's Encrypt Certificate Authority Expiring soon:

How do I resolve this? Using latest ACME package.

Check this page :

Is the first option checked ?
If not, then ok, the non renewal is what you want.
If checked : Install the cron package.

Visit this page :

Btw : the cron package is a very lightwheight package that dies nothing but enabling you to see -and edit if needed - in the GUI the exiting cron jobs.

Do you have a :

If so, ok.
Now its time to check the "acme" log file.

Use your favourite access : In order of (my) preference : SFTP - SSH - Console and if you don't have these, use the :

( and for the next time : make SFTP - SSH - Console work, as it is not optional (IMHO)).

The file your looking for is here : /tmp/acme/your-domain.tld/acme_issuecert.log
where your-domain.tld is your domain.

This file tells you when acme is executing.
Typically, each day - see the cron line above for the time.

The answer to your question is in this file.

gguglielmi

@gertjan On my installation the first option is activated, the cron entry is the same as yours, but the folder "/tmp/acme/" doesn't exist at all!
Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
Maybe this is the problem?
But i have no idea how to fix it.

Gertjan

@gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

but the folder "/tmp/acme/" doesn't exist at all!
Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
Maybe this is the problem?

I 'forgot' to mention that the /tmp/ is emptied on every reboot ^^
No big deal.All OS's do this (except Windows ..... where it becomes a real junk yard over time)

Just do this :

== Hit the Renew button.

and everything -acme directory, log file, etc will get recreated.

If it's a cert renewal fail, you should also a 'partial' (less details) in the GUI acme screen.

Btw : you are aware of the fact that you can't hit the Renew button more then 5 times a day (LetsEncrypted usage condition ...).
So, hit it ones, see it fail. Consult the log - repair the issue (post results, tell what dns method you're using etc) and then dry run a test - and do the final Renew to see it work, or have it renewed during the cron job, as you have 27 days left and the issue will get cleared in less time ^^

gguglielmi

@gertjan said in Let's Encrypt Certificate Authority Expiring soon:

@gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

but the folder "/tmp/acme/" doesn't exist at all!
Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
Maybe this is the problem?

I 'forgot' to mention that the /tmp/ is emptied on every reboot ^^
No big deal.All OS's do this (except Windows ..... where it becomes a real junk yard over time)

Right, i totally overlooked this detail.

I renewed one certificate, and it renewed successfully, but i still see the CA expiring in 27 days.

The strange thing is that the expiring CA is showing 0 certificates, and i have a second let's encrypt CA that has all of them.

On the appliance with pfSense 2.4.5 i still have both CA, the expiring one has all the certificates that expired between december 2020 and january 2021. And as with the upgraded appliance all the current certificates are on the "new" CA.

Maybe is something that acme is doing by itself, but for some reason on 2.5 pfSense reports an error and on 2.4.5 not?

mbentley

So what has happened is that the Let's Encrypt intermediate CA certificate is expiring. That is the certificate identified by CN=Let's Encrypt Authority X3. The good news is that they are on top of things over at Let's Encrypt and have issued a new intermediate certificate from which your server certificates are generated. That replacement intermediate certificate is identified by CN=R3 so as long as you have that listed, your system will be able to connect the chain of trust from the Root CA -> Intermediate certificate -> your server certificate (which is generated by the acme plugin).

Basically, it is nothing to work about as long as you have the R3 cert. All new certificates as of sometime in December (by my tests) are all being generated by the new R3 intermediate so basically anyone should be in a good state with a certificate from the new intermediate. You can confirm this by looking on the Certificates tab and looking at the value in the Issuer column for your server certificate. It should say something like Acmecert: O=Let's Encrypt, CN=R3, C=US.

It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

Gertjan

@gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

I renewed one certificate, and it renewed successfully, but i still see the CA expiring in 27 days.

Ah, that one. I have the same 'old' intermediate certificate(s) :

in my 'store'.
This is how I took care of it :

as the newer R3 is used now :

You should read about this https://letsencrypt.org/certificates/-- where they cam from, what they mean, how they are used :) It's a real good story, and you are actually uses this technique everywhere.

gguglielmi

@mbentley said in Let's Encrypt Certificate Authority Expiring soon:

It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

The only strange thing is that on 2.5.0 this causes a notification, but on 2.4.5 not.
Maybe is something that they added in the new version and that i haven't read yet in the changelog.

@gertjan said in Let's Encrypt Certificate Authority Expiring soon:

https://letsencrypt.org/certificates/

I literally just finished reading it!

So the "old" one is safe to delete it, that's the important thing!

Thanks to everyone!