    Let's Encrypt Certificate Authority Expiring soon

    10 Posts 5 Posters 6.8k Views
costanzo (last edited by costanzo)

      The following CA/Certificate entries are expiring:
      Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (5eafeb7f6b77c): Expiring soon, in 27 days @ 2021-02-18 03:01:00

      How do I resolve this? Using latest ACME package.

      Thanks in advance!

      --- Update

      The fix is to just delete the expiring cert. Let's Encrypt is using a newer CA, "R3" now to sign their certs. Thanks @Gertjan for pointing this out.

gguglielmi

Did you just upgrade to pfSense 2.5? I just got the same notification after upgrading to version 2.5.
I have an appliance still on 2.4.5p1, but with a similar configuration and using the same Let's Encrypt account, and it is not showing this notification, even though the "expiry date" is the same.

cmonster12uk

Got exactly the same here. Started flagging up as soon as I upgraded to 21.02.

Gertjan @costanzo

            @costanzo said in Let's Encrypt Certificate Authority Expiring soon:

            How do I resolve this? Using latest ACME package.

            Check this page :

            c73ed0c2-c14c-4ead-9550-b52d4f8dae72-image.png

            Is the first option checked ?
            If not, then ok, the non renewal is what you want.
            If checked : Install the cron package.

            Visit this page :

            2d6936a8-dbe8-415a-ae04-a799842e77de-image.png

Btw : the cron package is a very lightweight package that does nothing but enable you to see - and edit if needed - the existing cron jobs in the GUI.

            Do you have a :

            74cf3943-1e0e-4605-b0c1-e5892af7b892-image.png

            If so, ok.
            Now its time to check the "acme" log file.

            Use your favourite access : In order of (my) preference : SFTP - SSH - Console and if you don't have these, use the :

            f1ddc9ae-5fa6-4e5c-92b5-485f26077705-image.png

            ( and for the next time : make SFTP - SSH - Console work, as it is not optional (IMHO)).

The file you're looking for is here : /tmp/acme/your-domain.tld/acme_issuecert.log
            where your-domain.tld is your domain.

            This file tells you when acme is executing.
            Typically, each day - see the cron line above for the time.

            The answer to your question is in this file.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

gguglielmi @Gertjan

@gertjan On my installation the first option is activated, the cron entry is the same as yours, but the folder "/tmp/acme/" doesn't exist at all!
Instead, on the appliance that is still on 2.4.5p1 the folder exists and I can see the logs.
Maybe this is the problem?
But I have no idea how to fix it.

Gertjan @gguglielmi (last edited by Gertjan)

                @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                but the folder "/tmp/acme/" doesn't exist at all!
                Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
                Maybe this is the problem?

                I 'forgot' to mention that the /tmp/ is emptied on every reboot ^^
No big deal. All OSes do this (except Windows ..... where it becomes a real junk yard over time)

                Just do this :

                14e31998-2758-410d-80e4-89f8bc437668-image.png

                == Hit the Renew button.

                and everything -acme directory, log file, etc will get recreated.

If it's a cert renewal fail, you should also see a 'partial' (less detailed) version in the GUI acme screen.

Btw : you are aware of the fact that you can't hit the Renew button more than 5 times a day (Let's Encrypt usage condition ...).
So, hit it once, see it fail. Consult the log - repair the issue (post results, tell what DNS method you're using etc) and then dry run a test - and do the final Renew to see it work, or have it renewed during the cron job, as you have 27 days left and the issue will get cleared in less time ^^


gguglielmi @Gertjan

                  @gertjan said in Let's Encrypt Certificate Authority Expiring soon:

                  @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                  but the folder "/tmp/acme/" doesn't exist at all!
                  Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
                  Maybe this is the problem?

                  I 'forgot' to mention that the /tmp/ is emptied on every reboot ^^
No big deal. All OSes do this (except Windows ..... where it becomes a real junk yard over time)

Right, I totally overlooked this detail.

I renewed one certificate, and it renewed successfully, but I still see the CA expiring in 27 days.

71b4104a-8bec-4e92-934a-4a004db9004f-image.png

The strange thing is that the expiring CA is showing 0 certificates, and I have a second Let's Encrypt CA that has all of them.

On the appliance with pfSense 2.4.5 I still have both CAs; the expiring one has all the certificates that expired between December 2020 and January 2021. And as with the upgraded appliance, all the current certificates are on the "new" CA.

Maybe it is something that acme is doing by itself, but for some reason on 2.5 pfSense reports an error and on 2.4.5 it does not?

mbentley @gguglielmi (last edited by mbentley)

                    So what has happened is that the Let's Encrypt intermediate CA certificate is expiring. That is the certificate identified by CN=Let's Encrypt Authority X3. The good news is that they are on top of things over at Let's Encrypt and have issued a new intermediate certificate from which your server certificates are generated. That replacement intermediate certificate is identified by CN=R3 so as long as you have that listed, your system will be able to connect the chain of trust from the Root CA -> Intermediate certificate -> your server certificate (which is generated by the acme plugin).

Basically, it is nothing to worry about as long as you have the R3 cert. All new certificates as of sometime in December (by my tests) are being generated by the new R3 intermediate, so basically anyone should be in a good state with a certificate from the new intermediate. You can confirm this by looking on the Certificates tab and looking at the value in the Issuer column for your server certificate. It should say something like Acmecert: O=Let's Encrypt, CN=R3, C=US.

                    It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

Gertjan @gguglielmi

                      @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                      I renewed one certificate, and it renewed successfully, but i still see the CA expiring in 27 days.

                      Ah, that one. I have the same 'old' intermediate certificate(s) :

                      f2e17b68-3975-46f4-869d-8ea82a5ac3fb-image.png

                      in my 'store'.
                      This is how I took care of it :

                      98049238-8dd0-45ca-84d2-75bfa5da1e1b-image.png

                      as the newer R3 is used now :

                      c683bbe4-3bf5-4e7d-ab7e-67389abb19bb-image.png

You should read about this: https://letsencrypt.org/certificates/ - where they came from, what they mean, how they are used :) It's a really good story, and you are actually using this technique everywhere.


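The two posts above (mbentley's explanation of the Root -> Intermediate -> server certificate chain and the Issuer-column check, and Gertjan's removal of the old intermediate once R3 is in use) can be checked mechanically. The following Go program is an added example, not code from the thread or from the pfSense ACME package: it constructs a miniature PKI in memory (a root, an old intermediate that expires in 27 days, a new intermediate, and one server certificate issued by the new one) and then shows the three things the thread relies on: the leaf's issuer CN, the old intermediate's zero certificate count, and that chain verification succeeds without the old intermediate. Names such as "Example Authority X3", "Example R3" and "your-domain.tld" are made-up placeholders, and the keys are generated fresh on each run; nothing here is Let's Encrypt's real key material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed miniature of the thread's situation (assumed names,
// not Let's Encrypt's real X3/R3 certificates).
type TestPKI struct {
	Root, OldInt, NewInt, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey (self-signed when tmpl == parent) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string, serial int64, now, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example CA"}, CommonName: cn},
		NotBefore:             now.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI builds root, an old intermediate expiring in 27 days (as in the first
// post's notification), a new intermediate, and a leaf issued by the new one.
func BuildPKI(now time.Time) TestPKI {
	rootKey, oldKey, newKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootT := caTemplate("Example Root", 1, now, now.Add(10*365*24*time.Hour))
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	oldInt := issue(caTemplate("Example Authority X3", 2, now, now.Add(27*24*time.Hour)), root, &oldKey.PublicKey, rootKey)
	newInt := issue(caTemplate("Example R3", 3, now, now.Add(5*365*24*time.Hour)), root, &newKey.PublicKey, rootKey)
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "your-domain.tld"}, // placeholder domain
		DNSNames:     []string{"your-domain.tld"},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.Add(89 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return TestPKI{Root: root, OldInt: oldInt, NewInt: newInt, Leaf: issue(leafT, newInt, &leafKey.PublicKey, newKey)}
}

// IssuerCN is what the pfSense "Issuer" column shows for a certificate.
func IssuerCN(c *x509.Certificate) string { return c.Issuer.CommonName }

// DaysUntilExpiry reproduces the "expiring soon, in N days" figure.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// CertsIssuedBy counts the leaves a CA actually signed: the per-CA certificate
// count in the CA list, which is 0 for the old intermediate in the thread.
func CertsIssuedBy(ca *x509.Certificate, leaves []*x509.Certificate) int {
	n := 0
	for _, l := range leaves {
		if l.CheckSignatureFrom(ca) == nil {
			n++
		}
	}
	return n
}

// ChainVerifies builds Root -> intermediate -> leaf from only the intermediates
// supplied, so it shows whether a given intermediate is still needed.
func ChainVerifies(leaf, root *x509.Certificate, intermediates []*x509.Certificate, now time.Time) bool {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		ints.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ints, DNSName: "your-domain.tld", CurrentTime: now})
	return err == nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	p := BuildPKI(now)
	fmt.Println("leaf issuer CN:", IssuerCN(p.Leaf))
	fmt.Println("old intermediate expires in days:", DaysUntilExpiry(p.OldInt, now))
	fmt.Println("certs issued by old intermediate:", CertsIssuedBy(p.OldInt, []*x509.Certificate{p.Leaf}))
	fmt.Println("verifies with new intermediate only:", ChainVerifies(p.Leaf, p.Root, []*x509.Certificate{p.NewInt}, now))
	fmt.Println("verifies with old intermediate only:", ChainVerifies(p.Leaf, p.Root, []*x509.Certificate{p.OldInt}, now))
}
```

Run it with `go run`: the leaf reports the new intermediate as its issuer, the old intermediate has signed none of the current leaves, and verification succeeds with the new intermediate alone while failing with the old one alone, which is exactly why the expiring CA entry can be removed once every server certificate has been re-issued under R3.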
gguglielmi @Gertjan

                        @mbentley said in Let's Encrypt Certificate Authority Expiring soon:

                        It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

The only strange thing is that on 2.5.0 this causes a notification, but on 2.4.5 it does not.
Maybe it is something that they added in the new version and that I haven't read yet in the changelog.

                        @gertjan said in Let's Encrypt Certificate Authority Expiring soon:

                        https://letsencrypt.org/certificates/

                        I literally just finished reading it!

So the "old" one is safe to delete, that's the important thing!

                        Thanks to everyone!
