Netgate Discussion Forum
    Let's Encrypt Certificate Authority Expiring soon

    ACME
      costanzo last edited by costanzo

      The following CA/Certificate entries are expiring:
      Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (5eafeb7f6b77c): Expiring soon, in 27 days @ 2021-02-18 03:01:00

      How do I resolve this? Using latest ACME package.

      Thanks in advance!

      --- Update

      The fix is to just delete the expiring cert. Let's Encrypt is using a newer CA, "R3" now to sign their certs. Thanks @Gertjan for pointing this out.

        gguglielmi last edited by

        Did you just upgrade to pfSense 2.5? I just got the same notification after upgrading to version 2.5.
I have an appliance still on 2.4.5p1, but with a similar configuration and using the same Let's Encrypt account, and it is not showing this notification, even if the "expiry date" is the same.

          cmonster12uk last edited by

          Got exactly the same here. Started flagging up as soon as upgraded to 21.02.

            Gertjan @costanzo last edited by

            @costanzo said in Let's Encrypt Certificate Authority Expiring soon:

            How do I resolve this? Using latest ACME package.

            Check this page :

[screenshot: image not available]

            Is the first option checked ?
            If not, then ok, the non renewal is what you want.
            If checked : Install the cron package.

            Visit this page :

[screenshot: image not available]

Btw : the cron package is a very lightweight package that does nothing but enable you to see - and edit if needed - in the GUI the existing cron jobs.

            Do you have a :

[screenshot: image not available]

            If so, ok.
            Now its time to check the "acme" log file.

            Use your favourite access : In order of (my) preference : SFTP - SSH - Console and if you don't have these, use the :

[screenshot: image not available]

            ( and for the next time : make SFTP - SSH - Console work, as it is not optional (IMHO)).

The file you're looking for is here : /tmp/acme/your-domain.tld/acme_issuecert.log
            where your-domain.tld is your domain.

            This file tells you when acme is executing.
            Typically, each day - see the cron line above for the time.

            The answer to your question is in this file.

              gguglielmi @Gertjan last edited by

@gertjan On my installation the first option is activated, the cron entry is the same as yours, but the folder "/tmp/acme/" doesn't exist at all!
Instead on the appliance that is still on 2.4.5p1 the folder exists and I can see the logs.
Maybe this is the problem?
But I have no idea how to fix it.

                Gertjan @gguglielmi last edited by Gertjan

                @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                but the folder "/tmp/acme/" doesn't exist at all!
                Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
                Maybe this is the problem?

I 'forgot' to mention that /tmp/ is emptied on every reboot ^^
No big deal. All OSes do this (except Windows ..... where it becomes a real junk yard over time)

                Just do this :

[screenshot: image not available]

                == Hit the Renew button.

                and everything -acme directory, log file, etc will get recreated.

If it's a cert renewal fail, you should also see a 'partial' (less detailed) one in the GUI acme screen.

Btw : you are aware of the fact that you can't hit the Renew button more than 5 times a day (Let's Encrypt usage condition ...).
So, hit it once, see it fail. Consult the log - repair the issue (post results, tell what DNS method you're using etc) and then dry run a test - and do the final Renew to see it work, or have it renewed during the cron job, as you have 27 days left and the issue will get cleared in less time ^^

                  gguglielmi @Gertjan last edited by

                  @gertjan said in Let's Encrypt Certificate Authority Expiring soon:

                  @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                  but the folder "/tmp/acme/" doesn't exist at all!
                  Instead on the appliance that is still on 2.4.5p1 the folder exists and i can see the logs.
                  Maybe this is the problem?

I 'forgot' to mention that /tmp/ is emptied on every reboot ^^
No big deal. All OSes do this (except Windows ..... where it becomes a real junk yard over time)

Right, I totally overlooked this detail.

I renewed one certificate, and it renewed successfully, but I still see the CA expiring in 27 days.

[screenshot: image not available]

The strange thing is that the expiring CA is showing 0 certificates, and I have a second Let's Encrypt CA that has all of them.

On the appliance with pfSense 2.4.5 I still have both CAs; the expiring one has all the certificates that expired between December 2020 and January 2021. And as with the upgraded appliance, all the current certificates are on the "new" CA.

Maybe it is something that acme is doing by itself, but for some reason pfSense 2.5 reports an error and 2.4.5 does not?

                    mbentley @gguglielmi last edited by mbentley

                    So what has happened is that the Let's Encrypt intermediate CA certificate is expiring. That is the certificate identified by CN=Let's Encrypt Authority X3. The good news is that they are on top of things over at Let's Encrypt and have issued a new intermediate certificate from which your server certificates are generated. That replacement intermediate certificate is identified by CN=R3 so as long as you have that listed, your system will be able to connect the chain of trust from the Root CA -> Intermediate certificate -> your server certificate (which is generated by the acme plugin).

Basically, it is nothing to worry about as long as you have the R3 cert. All new certificates as of sometime in December (by my tests) are all being generated by the new R3 intermediate so basically anyone should be in a good state with a certificate from the new intermediate. You can confirm this by looking on the Certificates tab and looking at the value in the Issuer column for your server certificate. It should say something like Acmecert: O=Let's Encrypt, CN=R3, C=US.

                    It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

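The two posts above describe the check by hand: look at the Issuer column of each server certificate, see which CA entry it chains to, and treat an expiring CA that no current certificate references as safe to remove. The script below is an added example (not from this thread, the pfSense ACME package, or Let's Encrypt) that does the same audit over a constructed CA/certificate store shaped like the one in the thread. The X3 expiry and the "27 days" figure are taken from the notification quoted in the first post; the R3 expiry date, the certificate names and their dates are assumptions made up for the example. Distinguished names are compared as sets of attribute/value pairs because different tools print the RDNs in different orders (the thread shows both `O=..., CN=..., C=...` and the usual `C=..., O=..., CN=...`).

```python
"""Audit a pfSense-style CA store: which CA entries expire soon, and does any
current certificate still chain to them?  Added example with constructed data;
not code from the forum thread or from the pfSense ACME package."""

from datetime import datetime, timedelta

# Constructed CA store. The X3 expiry matches the notification quoted in the
# thread; the R3 expiry is an assumption for illustration only.
CA_STORE = [
    {"descr": "Acmecert",
     "subject": "O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US",
     "not_after": datetime(2021, 2, 18, 3, 1, 0)},
    {"descr": "Acmecert",
     "subject": "O=Let's Encrypt, CN=R3, C=US",
     "not_after": datetime(2025, 9, 15, 16, 0, 0)},   # assumed
]

# Constructed certificate store: both current certs were issued by R3, with the
# issuer DN written in two different RDN orders on purpose.
CERT_STORE = [
    {"descr": "vpn.example.net", "issuer": "C=US, O=Let's Encrypt, CN=R3",
     "not_after": datetime(2021, 4, 10, 0, 0, 0)},
    {"descr": "mail.example.net", "issuer": "O=Let's Encrypt, CN=R3, C=US",
     "not_after": datetime(2021, 4, 12, 0, 0, 0)},
]

# 27 days before the X3 expiry, the moment the notification in the thread was seen.
NOW = datetime(2021, 1, 22, 3, 1, 0)


def parse_dn(dn):
    """Split 'O=..., CN=..., C=...' into a set of (attribute, value) pairs so
    that DNs compare equal regardless of RDN order. Commas inside values are
    not handled; none of the Let's Encrypt names contain one."""
    return frozenset(
        (attr.strip().upper(), value.strip())
        for attr, value in (part.split("=", 1) for part in dn.split(","))
    )


def certs_issued_by(ca, certs):
    """Certificates whose issuer DN equals this CA entry's subject DN."""
    subject = parse_dn(ca["subject"])
    return [c for c in certs if parse_dn(c["issuer"]) == subject]


def days_left(entry, now):
    return (entry["not_after"] - now).days


def expiring_soon(entry, now, days=30):
    return entry["not_after"] - now <= timedelta(days=days)


def audit_ca_store(cas, certs, now, days=30):
    """Classify each CA entry.
    ok             - not expiring within the window
    safe_to_delete - expiring, and no certificate in the store chains to it
                     (the situation in the thread: the X3 entry shows 0 certs)
    needs_renewal  - expiring, and live certificates still reference it, so
                     those certificates must be reissued under a current CA"""
    report = []
    for ca in cas:
        issued = certs_issued_by(ca, certs)
        if not expiring_soon(ca, now, days):
            status = "ok"
        elif issued:
            status = "needs_renewal"
        else:
            status = "safe_to_delete"
        report.append({
            "subject": ca["subject"],
            "days_left": days_left(ca, now),
            "cert_count": len(issued),
            "status": status,
        })
    return report


if __name__ == "__main__":
    for row in audit_ca_store(CA_STORE, CERT_STORE, NOW):
        print(f"{row['subject']}: {row['cert_count']} cert(s), "
              f"{row['days_left']} days left -> {row['status']}")
```

Run against the constructed store this reports the X3 entry as expiring in 27 days with 0 certificates (safe to delete) and the R3 entry as ok with 2 certificates. If a certificate in the store still listed X3 as its issuer, the same entry would be reported as `needs_renewal` instead, which is the case where deleting the CA entry would be the wrong move and the certificate itself needs to be renewed first.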
                      Gertjan @gguglielmi last edited by

                      @gguglielmi said in Let's Encrypt Certificate Authority Expiring soon:

                      I renewed one certificate, and it renewed successfully, but i still see the CA expiring in 27 days.

                      Ah, that one. I have the same 'old' intermediate certificate(s) :

[screenshot: image not available]

                      in my 'store'.
                      This is how I took care of it :

[screenshot: image not available]

                      as the newer R3 is used now :

[screenshot: image not available]

You should read about this https://letsencrypt.org/certificates/ -- where they came from, what they mean, how they are used :) It's a really good story, and you are actually using this technique everywhere.

                        gguglielmi @Gertjan last edited by

                        @mbentley said in Let's Encrypt Certificate Authority Expiring soon:

                        It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

The only strange thing is that on 2.5.0 this causes a notification, but on 2.4.5 not.
Maybe it is something that they added in the new version and that I haven't read yet in the changelog.

                        @gertjan said in Let's Encrypt Certificate Authority Expiring soon:

                        https://letsencrypt.org/certificates/

                        I literally just finished reading it!

So the "old" one is safe to delete, that's the important thing!

                        Thanks to everyone!

                        © 2021 Rubicon Communications, LLC | Privacy Policy