Netgate Discussion Forum

    ACME, Let's Encrypt, Timeout during connect (likely firewall problem)

      aelhar (last edited by aelhar)

      Hello,

      I'm getting the following error (from the web GUI) when I click on "Issue/Renew".

      My setup:

      • pfSense v2.5.2-RELEASE (amd64).
      • I have a dynamic DNS name; for privacy reasons, say myserver.mydomain.com. I am using Google Domains' Dynamic DNS service.
      • I verified that nslookup reports the same IP address as my WAN address.
      • pfSense GUI is on port 10443.
      • Disable webConfigurator redirect rule is checked.
      • Tried both "Standalone HTTP server" on port 80 and "Standalone TLS-ALPN server" on port 443.
      • Edit: Account Keys: letsencrypt-staging-2

      I am new to pfSense and just installed it a few days ago.
      From reading the docs, it seems that ACME will automatically open the port, run a web server there, and close both when the renewal is done.
      I feel like it's an operator error.
      Am I supposed to open port 443?

      myserver
      Renewing certificate 
      account: myserver 
      server: letsencrypt-staging-2 
      
      /usr/local/pkg/acme/acme.sh  --issue  --domain 'myserver.mydomain.com' --standalone --listen-v4 --httpport '80' --home '/tmp/acme/myserver/' --accountconf '/tmp/acme/myserver/accountconf.conf' --force --reloadCmd '/tmp/acme/myserver/reloadcmd.sh' --log-level 3 --log '/tmp/acme/myserver/acme_issuecert.log'
      Array
      (
          [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
          [port] => 80
          [ipv6] => 
      )
      [Fri Sep 17 23:01:58 JST 2021] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
      [Fri Sep 17 23:01:58 JST 2021] Standalone mode.
      [Fri Sep 17 23:01:58 JST 2021] Single domain='myserver.mydomain.com'
      [Fri Sep 17 23:01:58 JST 2021] Getting domain auth token for each domain
      [Fri Sep 17 23:02:01 JST 2021] Getting webroot for domain='myserver.mydomain.com'
      [Fri Sep 17 23:02:01 JST 2021] Verifying: myserver.mydomain.com
      [Fri Sep 17 23:02:01 JST 2021] Standalone mode server
      [Fri Sep 17 23:02:05 JST 2021] Pending
      [Fri Sep 17 23:02:08 JST 2021] Pending
      [Fri Sep 17 23:02:11 JST 2021] Pending
      [Fri Sep 17 23:02:13 JST 2021] myserver.mydomain.com:Verify error:Fetching http://myserver.mydomain.com/.well-known/acme-challenge/aBnHjgC4X6tAWEI5DEWWha9WQTogOedrFyC9NlOVtEI: Timeout during connect (likely firewall problem)
      [Fri Sep 17 23:02:13 JST 2021] Please check log file for more details: /tmp/acme/myserver/acme_issuecert.log
      

      I have access to /tmp/acme/myserver/acme_issuecert.log

      Edit: this section seems safe to post:

      server: nginx
      date: Fri, 17 Sep 2021 14:02:14 GMT
      content-type: application/problem+json
      content-length: 144
      boulder-requester: 26908158
      cache-control: public, max-age=0, no-cache
      link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
      replay-nonce: 0002OZoSro2iNuEkzXJ-ro0xnw7rLNorzK1Y8vDTJwsNKkQ
      
      '
      [Fri Sep 17 23:02:14 JST 2021] code='400'
      [Fri Sep 17 23:02:14 JST 2021] original='{
        "type": "urn:ietf:params:acme:error:malformed",
        "detail": "Unable to update challenge :: authorization must be pending",
        "status": 400
      }'
      [Fri Sep 17 23:02:14 JST 2021] response='{
        "type": "urn:ietf:params:acme:error:malformed",
        "detail": "Unable to update challenge :: authorization must be pending",
        "status": 400
      }'
      
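The two errors in the log above are related: the CA could not open a TCP connection to port 80 on the WAN address, and the later 400 "authorization must be pending" only says the authorization had already failed by the time acme.sh re-posted the challenge. As an added example (not from the post, acme.sh or the pfSense ACME package), here is a small Python diagnostic that parses the acme.sh validation line and the ACME problem document quoted above; the mapping from Let's Encrypt validation messages to causes is an assumption based on the standard wording of those messages.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the log fragments quoted in the post above.
ACME_SH_LOG = """\
[Fri Sep 17 23:02:01 JST 2021] Standalone mode server
[Fri Sep 17 23:02:05 JST 2021] Pending
[Fri Sep 17 23:02:13 JST 2021] myserver.mydomain.com:Verify error:Fetching http://myserver.mydomain.com/.well-known/acme-challenge/aBnHjgC4X6tAWEI5DEWWha9WQTogOedrFyC9NlOVtEI: Timeout during connect (likely firewall problem)
[Fri Sep 17 23:02:14 JST 2021] code='400'
"""
PROBLEM_DOC = ('{"type": "urn:ietf:params:acme:error:malformed", '
               '"detail": "Unable to update challenge :: authorization must be pending", '
               '"status": 400}')

# acme.sh line shape: "[date] <domain>:Verify error:Fetching <url>: <reason>"
VERIFY_RE = re.compile(
    r"^\[[^\]]+\] (?P<domain>\S+?):Verify error:Fetching (?P<url>\S+): (?P<reason>.+)$",
    re.MULTILINE,
)

# Assumed mapping from the CA's validation wording to what it implies about the path
# between the CA and the standalone listener (Let's Encrypt's standard phrasing).
REASONS = [
    ("Timeout during connect", "no TCP handshake completed: inbound traffic to the challenge "
                               "port is dropped before the standalone listener (firewall/NAT "
                               "rule, upstream block) or DNS resolves to another host"),
    ("Connection refused", "the host was reached but nothing was listening on that port"),
    ("Invalid response", "something other than the standalone server answered on that port"),
]

def parse_problem(doc: str) -> dict:
    """Decode the RFC 8555 problem document acme.sh prints as response='...'."""
    p = json.loads(doc)
    return {"type": p["type"].rsplit(":", 1)[-1], "detail": p["detail"], "status": p["status"]}

def diagnose(log_text: str, problem_doc: str) -> dict:
    m = VERIFY_RE.search(log_text)
    if not m:
        return {"root_cause": "no validation error recorded in this log excerpt"}
    url = urlsplit(m["url"])
    port = url.port or (80 if url.scheme == "http" else 443)
    root = next((why for key, why in REASONS if key in m["reason"]), "unrecognised validation error")
    prob = parse_problem(problem_doc)
    return {
        "domain": m["domain"], "challenge_port": port, "token_path": url.path,
        "reason": m["reason"], "root_cause": root,
        # The 400 is a consequence: the authorization left "pending" when the fetch failed.
        "followup_is_consequence": prob["type"] == "malformed" and "must be pending" in prob["detail"],
    }

if __name__ == "__main__":
    print(json.dumps(diagnose(ACME_SH_LOG, PROBLEM_DOC), indent=2))
```

Run it against the pasted log fragments; the output names the domain and challenge port to check first (here TCP/80 inbound on the WAN address) instead of the misleading 400.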
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.