Renewed certificate was not imported into Cert Manager
- 
 I have a GoDaddy domain where I have a wildcard certificate used by HAProxy. I can renew the certificate via the ACME package, but the renewed certificate isn't imported into Cert Manager. Instead Cert Manager reports that the certificate is about to expire. Now I solved it by editing the existing certificate and pasting in the information I got from ACME ("-----BEGIN CERTIFICATE-----...") and the private key from /conf/acme/cert-name.key into the existing certificate in Cert Manager, but there must be something wrong.
 Even more strange is that ACME managed to renew a certificate from a Cloudflare domain correctly. Has anyone else experienced this? Is there a bug with GoDaddy, or why won't the certificate automatically be imported into Cert Manager?
- 
 @talisker said in Renewed certificate was not imported into Cert Manager: but there must be something wrong.
 Can you show us what went wrong? Look at the last several lines of this file: /tmp/acme/yourdomain.tld/acme_issuecert.log
 [Thu Jul 22 18:22:49 CEST 2021] APP
 [Thu Jul 22 18:22:49 CEST 2021] 20:Le_RealFullChainPath=''
 [Thu Jul 22 18:22:49 CEST 2021] Run reload cmd: /tmp/acme/yourdomain.tld/reloadcmd.sh
 [Thu Jul 22 18:22:59 CEST 2021] Reload success
 [Thu Jul 22 18:22:59 CEST 2021] _on_issue_success
 Can you show us the content of the file: /tmp/acme/yourdomain.tld/reloadcmd.sh
 It's this file that imports the new certs into the pfSense GUI Cert Manager.
- 
 [Tue Jul 27 13:29:26 CEST 2021] Found cert chain 
 [Tue Jul 27 13:29:26 CEST 2021] _end_n='35'
 [Tue Jul 27 13:29:26 CEST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/045675a4d1ca103c2f7d78e46f6856df6fb6'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 11:Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/045675a4d1ca103c2f7d78e46f6856df6fb6'
 [Tue Jul 27 13:29:26 CEST 2021] Cert success.
 [Tue Jul 27 13:29:26 CEST 2021] Your cert is in /tmp/acme/Wildcard_Domain//.domain.se/.domain.se.cer
 [Tue Jul 27 13:29:26 CEST 2021] Your cert key is in /tmp/acme/Wildcard_Domain//.domain.se/.domain.se.key
 [Tue Jul 27 13:29:26 CEST 2021] APP
 [Tue Jul 27 13:29:26 CEST 2021] 5:USER_PATH='/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/'
 [Tue Jul 27 13:29:26 CEST 2021] v2 chain.
 [Tue Jul 27 13:29:26 CEST 2021] The intermediate CA cert is in /tmp/acme/Wildcard_Domain//.domain.se/ca.cer
 [Tue Jul 27 13:29:26 CEST 2021] And the full chain certs is there: /tmp/acme/Wildcard_Domain//.domain.se/fullchain.cer
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 12:Le_CertCreateTime='1627385366'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 13:Le_CertCreateTimeStr='Tue Jul 27 11:29:26 UTC 2021'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 14:Le_NextRenewTimeStr='Sat Sep 25 11:29:26 UTC 2021'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 15:Le_NextRenewTime='1632482966'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 16:Le_RealCertPath=''
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 17:Le_RealCACertPath=''
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 18:Le_RealKeyPath=''
 [Tue Jul 27 13:29:26 CEST 2021] base64 single line.
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 19:Le_ReloadCmd='_ACME_BASE64__START_L3RtcC9hY21lL1dpbGRjYXJkX1dvbGxtYXIvcmVsb2FkY21kLnNo__ACME_BASE64__END'
 [Tue Jul 27 13:29:26 CEST 2021] OK
 [Tue Jul 27 13:29:26 CEST 2021] 20:Le_RealFullChainPath=''
 [Tue Jul 27 13:29:26 CEST 2021] Run reload cmd: /tmp/acme/Wildcard_Domain/reloadcmd.sh
 [Tue Jul 27 13:29:36 CEST 2021] Reload success
 [Tue Jul 27 13:29:36 CEST 2021] _on_issue_success
 [Tue Jul 27 13:29:36 CEST 2021] '' does not contain 'dns'
- 
 As said above:
 @talisker said in Renewed certificate was not imported into Cert Manager: [Tue Jul 27 13:29:26 CEST 2021] Run reload cmd: /tmp/acme/Wildcard_Domain/reloadcmd.sh
 Does it exist?
 And
 @gertjan said in Renewed certificate was not imported into Cert Manager: Can you show us the content of the file: /tmp/acme/yourdomain.tld/reloadcmd.sh
 The paths and files used in this shell script, do they exist?
 "/tmp/acme/yourdomain.tld/yourdomain.tld/yourdomain.tld.key"
 "/tmp/acme/yourdomain.tld/yourdomain.tld/yourdomain.tld.cer"
 "/tmp/acme/yourdomain.tld/yourdomain.tld/ca.cer"
 "/tmp/acme/yourdomain.tld/yourdomain.tld/fullchain.cer"
- 
 @gertjan said in Renewed certificate was not imported into Cert Manager: /reloadcmd.sh
 It looks like there is no line break at all in the file.
 /usr/local/pkg/acme/acme_command.sh importcert "Wildcard_domain" ".domain.se" "/tmp/acme/Wildcard_domain/.domain.se/.domain.se.key" "/tmp/acme/Wildcard_domain/.domain.se/.domain.se.cer" "/tmp/acme/Wildcard_domain/.domain.se/ca.cer" "/tmp/acme/Wildcard_domain/*.domain.se/fullchain.cer"
 And I have all the files in that directory. (Since I copied the result and the .key file to Cert Manager, I know that ACME succeeded in renewing the cert. The problem seems to be related to copying/moving it to the manager automatically.)
- 
 @talisker said in Renewed certificate was not imported into Cert Manager: and I have all the files in that directory. (Since I copied the result and the .key file to Cert Manager, I know that ACME succeeded in renewing the cert. The problem seems to be related to copying/moving it to the manager automatically.
 You can check if /usr/local/pkg/acme/acme_command.sh works.
 Execute it yourself! (Use the console or SSH access!)
 @talisker said in Renewed certificate was not imported into Cert Manager: It looks like no line break at all in the file
 Same thing for me. I added the line breaks as humans prefer reading like that. Shell interpreters don't.
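 A pre-flight check for the four paths that reloadcmd.sh hands to acme_command.sh importcert, added here as an example (it is not part of the thread or of the pfSense ACME package). The paths in the usage comment are placeholders, and the key/certificate comparison assumes openssl is available on the box.

```sh
#!/bin/sh
# Added example, not from the thread or the pfSense ACME package: a pre-flight
# check for the four file paths that reloadcmd.sh hands to
# "acme_command.sh importcert". Run it on the pfSense shell before suspecting
# the import step. Paths in the usage comment are placeholders.

check_acme_files() {
    key="$1"; cert="$2"; ca="$3"; chain="$4"
    rc=0
    # 1. Every path must exist and be non-empty; acme.sh writes all four.
    for f in "$key" "$cert" "$ca" "$chain"; do
        if [ ! -s "$f" ]; then
            echo "MISSING or empty: $f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. With openssl present, confirm the key belongs to the certificate
    #    (compare public keys) and that the cert is not within 30 days
    #    (2592000 s) of expiry, which is what Cert Manager warns about.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "key/cert mismatch or unreadable PEM: $key vs $cert" >&2
            return 2
        fi
        if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
            echo "certificate $cert expires within 30 days" >&2
            return 3
        fi
        echo "OK: key matches $cert; $(openssl x509 -in "$cert" -noout -enddate)"
    fi
    return 0
}

# Quote wildcard directories such as /tmp/acme/CERTNAME/*.example.tld/ so the
# shell does not glob-expand them before they reach the function, e.g.:
#   sh check_acme_files.sh "/tmp/acme/CERTNAME/*.example.tld/*.example.tld.key" \
#       "/tmp/acme/CERTNAME/*.example.tld/*.example.tld.cer" \
#       "/tmp/acme/CERTNAME/*.example.tld/ca.cer" \
#       "/tmp/acme/CERTNAME/*.example.tld/fullchain.cer"
if [ "$#" -eq 4 ]; then
    check_acme_files "$@"
fi
```

Exit status 1 means a path is missing or empty, 2 a key/cert mismatch, 3 a certificate already inside the 30-day renewal window.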
- 
 @gertjan I executed the .sh file, and it looks like it could work.
 [2.5.2-RELEASE][admin@domain.se]/tmp/acme/Wildcard_Domain/.domain.se: /usr/local/pkg/acme/acme_command.sh importcert *.domain.se.cer ".domain.se" ".domain.se.key" ".domain.se.cer" ca.cer fullchain.cer
 IMPORT CERT *.domain.se.cer, *.domain.se.key, .domain.se.cer
 [2.5.2-RELEASE][admin@domain.se]/tmp/acme/Wildcard_Domain/.domain.se:
 Looks like that worked when I checked /cf/conf/acme.
- 
 One strange thing is that the certificate isn't removed from /tmp.
 The certificates from Cloudflare (other domain) are removed, but this one from GoDaddy is still in /tmp even though I ran acme_command.sh.
- 
 @talisker said in Renewed certificate was not imported into Cert Manager: One strange thing is that the certificate isn't removed from the /tmp.
 Nothing is removed from /tmp when executing "acme_command.sh importcert" - neither the sub folders nor their content.
 The /tmp folder is only emptied when you reboot pfSense.
 The "acme_command.sh importcert CERTNAME DOMAIN KEY_PATH CERT_PATH CA_CERT_PATH CERT_FULLCHAIN_PATH" takes all the files created by the acme package (files are stored in /tmp/acme/domain/....) and imports them into the pfSense "Cert Manager".
 It doesn't wipe them - there is no need to do so.
 @talisker said in Renewed certificate was not imported into Cert Manager: The certificates from cloudflare (other domain) is removed
 Test for yourself:
 Wait a week or so.
 Now force renew all certs you have.
 You will find as many /tmp/acme/domain sub folders as you have certs requested.
 "domain" will be the base domain name;
 These "domain" folders will stay there.
 Until you reboot.
 If you don't reboot after 60 days or so, the content of the certs will get renewed and overwritten.
