ACME not renewing one certificate as scheduled
-
Hi,
I am running a pfSense in my homelab and I have a couple of domains for which the ACME package obtains LE certificates.
Generally, renewal works. It is my understanding that pfSense renews certificates after 60 days, i.e. 30 days ahead of their expiry.
However, this morning I received an email from LE for one of my certificates that such certificate is about to expire (in 20 days). The renewal setting for this certificate is unchanged/default. All other certificates are up to date (the newest was renewed on 27 November).
What might be going on here? Where should I look to find what might be the issue?
There is a cron job at 3:16am every day for the acme package to renew all:
/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&1
Thanks!
-
@sensewolf Without knowing anything else, you might double check whether that certificate is in use (and if so, its expiration date). If it was recreated/reissued then the warning might be for the old one. We see that a lot for web sites where, for whatever reason, one hostname didn't renew so we need to reissue, and LE doesn't know any better so it warns about the expiring/invalid cert.
-
It is not just LE telling me (I just mentioned LE because their email made me aware). pfSense is also showing the certificate as expiring (yellow in the list of certificates) on December 26.
So pfSense/ACME knows the certificate is due for renewal and has had a chance to renew it for the last 10 days but doesn't.
-
Another day, another cron job run and - nothing.
Is there a log I could consult to see whether it at least attempts to renew and fails or whether it doesn't even try?
-
@sensewolf said in ACME not renewing one certificate as scheduled:
Is there a log I could consult to see whether it at least attempts to renew and fails or whether it doesn't even try?
Yep.
The word 'log' is in here:
@sensewolf said in ACME not renewing one certificate as scheduled:
/usr/local/pkg/acme/acme_command.sh "renewall" | /usr/bin/logger -t ACME 2>&
In the pfSense main system log, you will find not much, but important info:
2022-12-08 03:16:00.258995+01:00 ACME 93405 Renewal number of days not yet reached.
2022-12-08 03:16:00.258615+01:00 ACME 93405 Checking if renewal is needed for: V2_my-cert-account.net
The date/time tells you the cron job works at the right moment.
It also lists the domain(s) that it is testing.
For the real stuff, you have to use the keyboard (or SSH + SFTP access, which brings everything down to mouse click level).
You will find a folder called /acme in /tmp/, and another sub folder into that, with the domain name (account name) :
/tmp/acme/V2_my-cert-account.net/
In this folder there is the famous "acme_issuecert.log" with the complete log trace of everything the acme.sh core script file does.
If you can read and understand what's happening in here, line by line, then please call me, I have some questions ;)
Joke aside, this log file is understandable. I can clearly see that it decides, or not, to update the cert.
Asking LE for a secret random code.
Picking my update method (I'm using nsupdate or RFC2136).
Adding the needed DNS TXT records with the secret code into my domain name server master server
Waiting 120 seconds (so DNS slaves will get synced with the DNS master).
Then it signals LE : Go check !
LE, on his side, checks the TXT record for the presence of the secret code.
If it finds the secret code, it files me a new updated cert for my domain.
When you click on Issue Renew yourself,
you should see, after a while (notably the DNS sleep wait period), a green text box with the principal events logged to the screen.
This green log screen contains the absolute most important logged message at the top, whatever (good or fail) was the result:
You see the log file? I guess you missed that one ;)
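To tell whether the nightly job even tries a given certificate, here is an added example (not from the thread or the pfSense ACME package) that parses system-log lines of the shape quoted above and flags certificates inside the renewal window that were never checked or were skipped with "Renewal number of days not yet reached". The second account name, the expiry dates and the "today" date in the sample are assumed placeholders.

```python
import re
from datetime import date, datetime

# pfSense system-log shape quoted in the thread: "<timestamp> ACME <pid> <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) ACME (?P<pid>\d+) (?P<msg>.*)$")
CHECK_RE = re.compile(r"^Checking if renewal is needed for: (?P<name>\S+)$")
SKIPPED = "Renewal number of days not yet reached"

def parse_acme_log(lines):
    """Account name -> time and outcome of its latest 'Checking...' entry. Lines are sorted
    first (the GUI shows newest on top); the next message from the same pid is the outcome."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            entries.append((datetime.fromisoformat(m["ts"]), m["pid"], m["msg"]))
    entries.sort()
    open_check, status = {}, {}
    for ts, pid, msg in entries:
        c = CHECK_RE.match(msg)
        if c:
            open_check[pid] = c["name"]
            status[c["name"]] = {"checked": ts, "outcome": None}
        elif pid in open_check:
            status[open_check.pop(pid)]["outcome"] = msg
    return status

def certs_needing_attention(status, expiry, today, renew_within_days=30):
    """Certs already inside the renewal window (30 days before expiry, as the thread states)
    that the nightly renewall run is not renewing; expiry maps account name -> notAfter date."""
    flagged = {}
    for name, not_after in expiry.items():
        days_left = (not_after - today).days
        if days_left > renew_within_days:
            continue
        info = status.get(name)
        if info is None:  # the job does not even try for this cert
            flagged[name] = f"{days_left} days left, never checked by renewall"
        elif info["outcome"] is None or info["outcome"].startswith(SKIPPED):
            flagged[name] = f"{days_left} days left, check on {info['checked'].date()} gave: {info['outcome']}"
    return flagged

# Constructed sample after the two quoted log lines (newest first); other names/dates are placeholders.
SAMPLE_LOG = """
2022-12-08 03:16:00.258995+01:00 ACME 93405 Renewal number of days not yet reached.
2022-12-08 03:16:00.258615+01:00 ACME 93405 Checking if renewal is needed for: V2_my-cert-account.net
""".strip().splitlines()
SAMPLE_EXPIRY = {"V2_my-cert-account.net": date(2022, 12, 26),  # the cert shown yellow in the thread
                 "V2_other.example": date(2023, 2, 20),          # outside the window: not flagged
                 "V2_never-checked.example": date(2022, 12, 30)}
SAMPLE_TODAY = date(2022, 12, 8)  # date of the quoted log excerpt
```

Feed it the ACME lines from the real system log plus the expiry dates from System > Certificates; a cert flagged as "never checked" points at the job not trying, one flagged as skipped points at the renewal-days decision.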
-
Did you maybe change this setting?
It's at the very bottom of the page when editing an ACME entry.
-
No, I didn't touch that.
-
What did the green 'log' in the GUI tell you?
Or, better: zero the log file I mentioned above.
Do a manual renew.
Look at the file again, it has many lines now.
Upload them to (whatever) => pastebin.org
Paste the link here.
Btw: be careful, don't press the manual renew button several times per day: after 5 times or so, you'll get blacklisted for a day, as the number of times you renew a cert is limited.