Netgate Discussion Forum

Pfsense ACME CERT LE package method HTTP standalone error while issuing

7 Posts 2 Posters 2.6k Views
  • S
    sshami
    last edited by Jun 11, 2021, 1:41 PM

    Re: ACME

    I have freshly installed a new pfSense with ACME and HAProxy.
    Trying to issue an ACME LE certificate via Domain SAN List - Method - Standalone HTTP server, but getting the following error.
    ###################################################################################################
    Renewing certificate
    account: letsencrypt-prod
    server: letsencrypt-production-2

    /usr/local/pkg/acme/acme.sh --issue --domain 'mydomain.test.network' --standalone --listen-v4 --httpport '8126' --home '/tmp/acme/devop-testing/' --accountconf '/tmp/acme/devop-testing/accountconf.conf' --force --reloadCmd '/tmp/acme/mydomain/reloadcmd.sh' --log-level 3 --log '/tmp/acme/mydomain/acme_issuecert.log'
    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 8126
    [ipv6] =>
    )
    [Fri Jun 11 14:30:46 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Jun 11 14:30:46 CEST 2021] Standalone mode.
    [Fri Jun 11 14:30:46 CEST 2021] Single domain='mydomain.test.network'
    [Fri Jun 11 14:30:46 CEST 2021] Getting domain auth token for each domain
    [Fri Jun 11 14:30:49 CEST 2021] Getting webroot for domain='mydomain.test.network'
    [Fri Jun 11 14:30:49 CEST 2021] Verifying: mydomain.test.network
    [Fri Jun 11 14:30:49 CEST 2021] Standalone mode server
    [Fri Jun 11 14:30:54 CEST 2021] mydomain.test.network:Verify error:Invalid response from http://mydomain.test.network/.well-known/acme-challenge/kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8 [xxx.xx.xx.xx]: 503
    [Fri Jun 11 14:30:54 CEST 2021] Please check log file for more details: /tmp/acme/mydomain/acme_issuecert.log

    ####################################################################################################
    I can resolve the DNS name in pfSense, and I checked the physical firewall logs: there are no dropped pf packets, and rules are defined.
    On the WAN interface, ports 80 and 443 are open.

    Trying to issue the cert with the AWS Route53 method works, but in my environment I need to use the standalone HTTP method.

    I am struggling badly with this error, any suggestion highly appreciated.

    • G
      Gertjan @sshami
      last edited by Jun 11, 2021, 3:44 PM

      You can do what the Letsencrypt 'test process' does.

      @sshami said in Pfsense ACME CERT LE package method HTTP standalone error while issuing:

      [Fri Jun 11 14:30:54 CEST 2021] mydomain.test.network:Verify error:Invalid response from http://mydomain.test.network/.well-known/acme-challenge/kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8 [xxx.xx.xx.xx]: 503

      This :
      http://mydomain.test.network/.well-known/acme-challenge/kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8
      returned a '503'.

      Double check that you (also) can reach
      http://mydomain.test.network:8126
      yourself.

      How ? Use a browser.

      Then check that a subdirectory "acme-challenge" is created, and the file in it: "kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8",
      and that it returns content.

      If you can do it with your PC, and from another WAN IP, like your phone, then the Letsencrypt test process can do so also.
      And it will succeed, so it gives you a cert.

      Btw : You can see what happened in the log stated : /tmp/acme/mydomain/acme_issuecert.log

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??
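Added example (not from this thread or the pfSense ACME package): a small Python check that does what this reply suggests, fetching the challenge URL on port 80 and on the standalone port 8126 and explaining the status it gets back. The domain and token are placeholders passed on the command line; the body check assumes acme.sh's standard HTTP-01 key authorization format '<token>.<thumbprint>'.

```python
"""Probe an ACME HTTP-01 challenge URL from outside, as a browser check would."""
import socket
import urllib.error
import urllib.request

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify(status, body, token):
    """Map an HTTP status and body to a short diagnosis string."""
    if status == 200:
        if body.strip().startswith(token + "."):
            return "ok: key authorization served"
        return "wrong-content: 200 but body is not '<token>.<thumbprint>'"
    if status == 503:
        # A 503 typically comes from a reverse proxy (HAProxy) that has
        # no healthy backend for this path; the challenge port was never reached.
        return "503: proxy has no backend for this path, standalone listener not reached"
    if status == 404:
        return "404: a web server answered, but not the acme.sh standalone listener"
    if 300 <= status < 400:
        return "redirect: the redirect target must itself serve the token"
    return f"unexpected status {status}"


def fetch(domain, token, port=80, timeout=5):
    """Fetch the challenge URL. Returns (status, body); status 0 on connect failure."""
    url = f"http://{domain}:{port}{ACME_CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-reachability-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # non-2xx answers still carry a body
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return 0, str(e)


def check(domain, token, ports=(80, 8126)):
    """Probe the public port 80 path and the standalone listener port."""
    results = {}
    for port in ports:
        status, body = fetch(domain, token, port)
        results[port] = classify(status, body, token) if status else f"unreachable: {body}"
    return results


if __name__ == "__main__":
    import sys
    # Placeholder arguments: the real domain and token are in acme_issuecert.log.
    print(check(sys.argv[1], sys.argv[2]))
```

Run it from a host outside the LAN (for example, tethered to a phone) so the result reflects what the Let's Encrypt validator sees, not a local hairpin path.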

      • S
        sshami @Gertjan
        last edited by Jun 12, 2021, 5:59 PM

        @gertjan thanks for your input!

        http://mydomain.test.network:8126 - Not getting anything

        http://mydomain.test.network

        (screenshot attached)

        acme_issuecert.log:

        response='{
        "type": "urn:ietf:params:acme:error:malformed",
        "detail": "Unable to update challenge :: authorization must be pending",
        "status": 400
        }'

        I checked packets on the firewall; there is no block or deny!
        Struggling with this issue very badly.

        • S
          sshami @Gertjan
          last edited by Jun 16, 2021, 7:30 AM

          @gertjan
          Where is the location of this folder : .well-known/acme-challenge/kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8

          • G
            Gertjan @sshami
            last edited by Jun 16, 2021, 8:32 AM

            @sshami said in Pfsense ACME CERT LE package method HTTP standalone error while issuing:

            @gertjan
            Where is the location of this folder : .well-known/acme-challenge/kg6AC3IfSpBGZhJODIAzlFabYrOSiXkT5dwA8dFLIV8

            According to you :

            @sshami said in Pfsense ACME CERT LE package method HTTP standalone error while issuing:

            I am freshly installed new pfsense with ACME and HAProxy.

            So I understand (now) that you use the HAProxy setup to host some web site locally somewhere (on your LAN), using the method "Standalone HTTP server".
            That's where the "HAProxy" directory and file should be created.


              • S
                sshami @Gertjan
                last edited by Jun 22, 2021, 9:37 AM

                @gertjan
                Hi gertjan, thanks for the info, now I am able to create the cert.

                I have one more question: I have an HA setup of primary and secondary pfSense nodes.
                What is the best way to configure ACME cert sync from primary to secondary? Both nodes have the ACME and HAProxy packages installed; when I look on the secondary node in ACME certificates - CA, I find the CA is not listed, not synced.
                But when I go to the secondary node, System - Cert Manager - Certificates, I find the certificate synced there.

                Do we really need to install the ACME package on the secondary node? Sync is working fine with other things, but only the ACME cert sync has a problem.

                I would like a setup where, when one node fails, the second carries on everything.

                Thanks in advance.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.