Netgate Discussion Forum

    ACME pkg v0.7.4

    14 Posts 7 Posters 965 Views
jimp (Rebel Alliance Developer Netgate):

      ACME pkg v0.7.4 is building now and will be available shortly for Plus 23.05, Plus 23.01, CE 2.6.0, and dev snapshots for Plus and CE.

      Synchronizes with upstream acme.sh version 3.0.6 (master branch)

      Bug fixes:

      • Addresses a potential remote command execution issue in acme.sh
        from a malicious CA
        https://github.com/acmesh-official/acme.sh/issues/4659

        -- Low risk, affected CA was not supported by the ACME package.

      • Fix a few reported PHP errors

      • Various upstream bug fixes for DNS providers

      New DNS Providers:

      • Gcore
      • Google Domains (DNS API)
      • IPv64.net
      • Nanelo.com

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

johnpoz (LAYER 8 Global Moderator), replying to @jimp:

        @jimp thanks... I saw it available and updated to it.

        I was able to renew one of my certs - so looks to be working from that limited test

        Fri, 09 Jun 2023 13:17:11 -0500
        Issued Certificate Dates:
        Valid From: Fri, 09 Jun 2023 12:17:10 -0500
        Valid Until: Thu, 07 Sep 2023 12:17:09 -0500 
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

jimp (Rebel Alliance Developer Netgate), replying to @johnpoz:

          @johnpoz said in ACME pkg v0.7.4:

          @jimp thanks... I saw it available and updated to it.

          I was able to renew one of my certs - so looks to be working from that limited test

          Fri, 09 Jun 2023 13:17:11 -0500
          Issued Certificate Dates:
          Valid From: Fri, 09 Jun 2023 12:17:10 -0500
          Valid Until: Thu, 07 Sep 2023 12:17:09 -0500 
          

          RSA or ECC key?

          I renewed several in my lab with the new code (most RSA, one ECC) before committing the changes so I'm reasonably confident it works well but as always it's impossible to test every combination of settings out there.

          I initially had some issues renewing non-ECC certs but fixed that in a way that might have negatively impacted ECC certs, but at least for me both worked after so I'm hopeful that others are also going to end up working properly after.

kapranos:

Thank you @jimp, appreciate your support, will update as soon as it appears (not yet on 23.05).

johnpoz (LAYER 8 Global Moderator), replying to @jimp:

              @jimp said in ACME pkg v0.7.4:

              RSA or ECC key?

Private key is set for 256-bit ECDSA, I don't have any set for RSA any more.

JeGr (LAYER 8 Moderator), replying to @jimp:

                @jimp At first big thanks for updating the package.

                Still get a bit of a problem with multiple SAN domains though as discussed in another topic as with the current parameter set, acme.sh still creates multiple TXT entries for DNS validation instead of one for multiple domains for the same certificate. And quite a few of providers have API limitations, that will trigger and stop the cert from going through the first time (so acme has to try and try again until it finishes eventually with more and more domains skipped because of already being checked).

                Is there anything we could do about helping that? :)

                Cheers
                \jens

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

jmanes:

Hey all, hope I'm on the right path here. I took this update and renewed my existing cert just fine. Went to create a new one today for a different domain name and got the following error. I tried ECDSA-256 and RSA-4096:

                  Personal-Index
                  Renewing certificate 
                  account: Personal-Index 
                  server: letsencrypt-production-2 
                  
                  Fatal error: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given in /usr/local/pkg/acme/acme.inc:1732
                  Stack trace:
                  #0 /usr/local/pkg/acme/acme.inc(1732): openssl_pkey_get_details(false)
                  #1 /usr/local/pkg/acme/acme.inc(1884): pfsense_pkg\acme\getCertificatePSK('https://acme-v0...', Array, '--obfuscated-for-forum-post--')
                  #2 /usr/local/www/acme/acme_certificates.php(69): pfsense_pkg\acme\issue_certificate('Personal-Index', true, true)
                  #3 {main}
                    thrown in /usr/local/pkg/acme/acme.inc on line 1732
                  PHP ERROR: Type: 1, File: /usr/local/pkg/acme/acme.inc, Line: 1732, Message: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given in /usr/local/pkg/acme/acme.inc:1732
                  Stack trace:
                  #0 /usr/local/pkg/acme/acme.inc(1732): openssl_pkey_get_details(false)
                  #1 /usr/local/pkg/acme/acme.inc(1884): pfsense_pkg\acme\getCertificatePSK('https://acme-v0...', Array, '--obfuscated-for-forum-post--')
                  #2 /usr/local/www/acme/acme_certificates.php(69): pfsense_pkg\acme\issue_certificate('Personal-Index', true, true)
                  #3 {main}
                    thrown
                  
jmanes, replying to @jmanes:

                    @jmanes Thought I'd follow up. I think this might be a bug elsewhere in pfSense as well. If renewing a cert fails, you have to rename the cert to something unique to try again. Alternatively, you have to delete the cert config for acme, then go to the system certs and delete it from there, then go back to the acme page and re-create the cert from scratch with your preferred name.

                    I dug into the PHP source code a bit and it seems the $cert['prv'] comes back as blank in this error case, and there is no check to verify this in the code: https://github.com/pfsense/FreeBSD-ports/commit/0a473e5f95748e58559aab107e8cd11e30c3e0b0#diff-eeb7356791b2ebd92a27afe3e87af51589f3faa347489e825761b7c132b6ec4eR1731

                    I didn't get much further than this, as I discovered a workaround and needed to get this working.

IonutIT, replying to @jmanes:

                      @jmanes
                      Hi, currently facing the exact same issue. My existing certificate failed to automatically renew, tried to renew it manually and got this:

                      Fatal error: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given in /usr/local/pkg/acme/acme.inc:1732
                      Stack trace:
                      #0 /usr/local/pkg/acme/acme.inc(1732): openssl_pkey_get_details(false)
                      #1 /usr/local/pkg/acme/acme.inc(1884): pfsense_pkg\acme\getCertificatePSK('https://acme-st...', Array, 'pfsense.<domain>...')
                      #2 /usr/local/www/acme/acme_certificates.php(61): pfsense_pkg\acme\issue_certificate('pfsense.<domain>...', true)
                      #3 {main}
                        thrown in /usr/local/pkg/acme/acme.inc on line 1732
                      PHP ERROR: Type: 1, File: /usr/local/pkg/acme/acme.inc, Line: 1732, Message: Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given in /usr/local/pkg/acme/acme.inc:1732
                      Stack trace:
                      #0 /usr/local/pkg/acme/acme.inc(1732): openssl_pkey_get_details(false)
                      #1 /usr/local/pkg/acme/acme.inc(1884): pfsense_pkg\acme\getCertificatePSK('https://acme-st...', Array, 'pfsense.<domain>...')
                      #2 /usr/local/www/acme/acme_certificates.php(61): pfsense_pkg\acme\issue_certificate('pfsense.<domain>...', true)
                      #3 {main}
                        thrown
                      

Unfortunately, I've tried to clear all ACME config, cleared all ACME certificates and Root CA from Certificate Manager, uninstalled ACME, reinstalled, reconfigured everything from scratch and I got the same result.

                      What's going on?

jmanes, replying to @IonutIT:

                        @IonutIT Odd. Deleting the entire acme config and then deleting all of the certs / private keys that were generated from Acme in the System > Cert Manager > Certificates section worked for me. I did not have to re-install acme or anything like this.

                        From my experience, as soon as the renewal fails once the entire setup is hosed. You have to go through this process every time a renewal fails. I wish I could be of more help but I'd need to dig into the source code and figure out how acme works. I do not have time to do this at the moment.

IonutIT, replying to @jmanes:

                          @jmanes

                          One question, how did you delete the acme config? I just deleted all certificate entries and authorisation keys. Is there another way to clear out everything?

johnpoz (LAYER 8 Global Moderator), replying to @jmanes:

@jmanes I used to run into issues some time ago where renewals would fail, etc. It had to do with the dns-sleep; I changed mine to 180 and haven't had any issues since. I use DNS with Cloudflare for the certs I have ACME do.

jmanes, replying to @IonutIT:

@IonutIT I had to delete the configs from Services > Acme Certificates > Certificates first. Only the ones affected. Then go to the System certs and wipe them out there. Then go back to System > Acme Certificates > Certificates and create a brand new config and ensure it worked right on the first attempt.

                              @johnpoz Just proposed a potential solution though so I'd try their DNS sleep config first. I'll do it on my end as well.

jrey, replying to @johnpoz:

                                @johnpoz

Yes, exactly this. I noticed in the log that if the secondaries were slow to update and the field for DNS-Sleep is empty, it seems to only try about 10 times with little delay between each attempt and then just stops. This would seem to be different than the expectation stated: "The default behavior is to automatically poll public DNS servers for the records until they are found, rather than waiting a set amount of time."

                                Having entered a set amount of time, has worked every time with no issue.

                                It's been a while since I changed this setting and what I can't remember is if I rebooted, (assuming the script was hung, when field was empty) or not. I seem to recall that I did reboot, then entered a sleep value and haven't looked back. Has successfully updated the cert every time since the value was added.

                                JR

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.