Netgate Discussion Forum
    Wildcard domain renewal fails

    ACME
    7 Posts 2 Posters 637 Views
    • Boab

      My problem is that every day pfSense 2.7.1 / acme 0.7.5 sends me a message like this:

      Notifications in this message: 1

      03:01:00 The following CA/Certificate entries are expiring:
      Certificate: star.example.com (6571dca5067ae): Expiring soon, in 14 days

      I am trying to renew example.com and *.example.com with Let's Encrypt. When I press Issue/Renew I get a new certificate for the next 90 days which works, tested/examined on www.example.com.
      I am coming to the end of the first 90-day certificate, so this is my first real renewal. I have also received expiry notices from Let's Encrypt, but not all that frequently.

      I am configured with only one certificate with a 'Domain SAN list' of example.com and *.example.com; the DNS update mechanism works, as Let's Encrypt issues new working certificates.

      No, I'm not really trying to renew example.com; I simply replaced the real domain. pfSense uses the word "star"; I use *.

      HELP!!!

      pfSense trace removed, as the submit was refused as spam.

      • Gertjan @Boab

        @Boab said in Wildcard domain renewal fails:

        I am coming to the end of the first 90-day certificate, so this is my first real renewal. I have also received expiry notices from Let's Encrypt, but not all that frequently.

        That's why this default value exists:

        [screenshot]

        If something fails, you have 30 days to find the solution.
        Didn't know that LE sends mails to warn you about a soon-to-expire certificate; that's nice of them.

        I also have a domain name that I use with acme, and I renew it as a wildcard.
        This means I have two entries:
        "domain.tld" and "*.domain.tld":

        [screenshot]

        If the renewal goes wrong, do what the 'error' message says, somewhere at the bottom: look at the acme log file; it will contain the message that tells you why it fails.
        It shows you where you can find it:
        /tmp/acme/[your-domain-here.tld]/ and in that folder you'll find the very detailed log file acme_issuecert.log

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • Boab @Gertjan

          @Gertjan Thanks for the reply.
          I have renewal set for 60 days and have been getting the emails for the last two weeks.
          My table looks like yours but I don't have the Zone entry - will try that.
          I don't see any obvious error message; all appears to complete as expected.

          Here are the last few lines, which I hope will get through the spam filter:
          -----END CERTIFICATE-----
          [Sat Feb 17 19:14:14 GMT 2024] Your cert is in: /tmp/acme/example.com/example.com/example.com.cer
          [Sat Feb 17 19:14:14 GMT 2024] Your cert key is in: /tmp/acme/example.com/example.com/example.com.key
          [Sat Feb 17 19:14:14 GMT 2024] The intermediate CA cert is in: /tmp/acme/example.com/example.com/ca.cer
          [Sat Feb 17 19:14:14 GMT 2024] And the full chain certs is there: /tmp/acme/example.com/example.com/fullchain.cer
          [Sat Feb 17 19:14:14 GMT 2024] Your pre-generated next key for future cert key change is in: /tmp/acme/example.com/example.com/example.com.key.next
          [Sat Feb 17 19:14:14 GMT 2024] Run reload cmd: /tmp/acme/example.com/reloadcmd.sh

          IMPORT CERT example.com, /tmp/acme/example.com/example.com/example.com.key, /tmp/acme/example.com/example.com/example.com.cer
          update cert![Sat Feb 17 19:14:14 GMT 2024] Reload success

          • Boab @Boab

            @Boab first attempt at pastebin...
            https://pastebin.com/WgkpgNTR

            • Gertjan @Boab

              @Boab said in Wildcard domain renewal fails:

              -----END CERTIFICATE-----
              [Sat Feb 17 19:14:14 GMT 2024] Your cert is in: /tmp/acme/example.com/example.com/example.com.cer
              [Sat Feb 17 19:14:14 GMT 2024] Your cert key is in: /tmp/acme/example.com/example.com/example.com.key
              [Sat Feb 17 19:14:14 GMT 2024] The intermediate CA cert is in: /tmp/acme/example.com/example.com/ca.cer
              [Sat Feb 17 19:14:14 GMT 2024] And the full chain certs is there: /tmp/acme/example.com/example.com/fullchain.cer
              [Sat Feb 17 19:14:14 GMT 2024] Your pre-generated next key for future cert key change is in: /tmp/acme/example.com/example.com/example.com.key.next
              [Sat Feb 17 19:14:14 GMT 2024] Run reload cmd: /tmp/acme/example.com/reloadcmd.sh

              IMPORT CERT example.com, /tmp/acme/example.com/example.com/example.com.key, /tmp/acme/example.com/example.com/example.com.cer
              update cert![Sat Feb 17 19:14:14 GMT 2024] Reload success

              Looks fine to me.

              You have this:

              [screenshot]

              so the web server instances on pfSense restart with the new certificate?

              Did you check the certificate under System > Certificates > Certificates ?
              It should have a Valid from date of last February 17.


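Gertjan's two checks above (read acme_issuecert.log under /tmp/acme/[domain]/, then confirm the certificate's Valid from date) can be scripted. What follows is an added example written for this page, not code from the thread, from acme.sh or from the pfSense ACME package: it inspects the files acme.sh reports writing (the /tmp/acme/[domain]/[domain]/[domain].cer layout is taken from Boab's log lines), verifies the SAN list literally contains the wildcard entry, checks remaining lifetime with openssl's -checkend, and can fingerprint what a listener actually serves so that a certificate that was not really replaced shows up as a fingerprint or notBefore mismatch. The 30-day threshold, the host names and the self-signed sample certificate are assumptions constructed for the demonstration; only POSIX sh and openssl are used.

```sh
#!/bin/sh
# Added example (not from the thread or the pfSense ACME package).
# Assumptions: /tmp/acme/<domain>/<domain>/<domain>.cer as in the quoted
# acme.sh log; the 30-day threshold and host names are illustrative.

# notBefore / notAfter of a PEM certificate, without the "notBefore=" prefix.
cert_not_before() { openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//'; }
cert_not_after()  { openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//'; }

# SHA-256 fingerprint (colon-separated hex), prefix stripped.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# One DNS SAN per line, parsed from -text output so it also works on
# openssl builds that lack "x509 -ext".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 only if the given name appears literally as a SAN: "*.example.com"
# must be present as such; "www.example.com" alone does not satisfy it.
cert_has_san() { cert_sans "$1" | grep -qxF -- "$2"; }

# Exit 0 if the certificate is still valid N days from now (x509 -checkend).
cert_ok_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Fingerprint of the leaf certificate a TLS listener presents for an SNI name.
# Network call; compare its output with cert_fingerprint of the acme.sh file.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Report on the certificate acme.sh wrote for a domain (or an explicit file).
# Returns 1 if the wildcard SAN is missing or less than 30 days remain.
check_acme_cert() {
    domain=$1; cert=${2:-/tmp/acme/$domain/$domain/$domain.cer}; rc=0
    [ -r "$cert" ] || { echo "no certificate at $cert"; return 1; }
    echo "file:      $cert"
    echo "notBefore: $(cert_not_before "$cert")"
    echo "notAfter:  $(cert_not_after "$cert")"
    echo "sha256:    $(cert_fingerprint "$cert")"
    for name in "$domain" "*.$domain"; do
        if cert_has_san "$cert" "$name"; then echo "SAN ok:    $name"
        else echo "SAN MISSING: $name"; rc=1; fi
    done
    # pfSense warned at 14 days; a renewal that really ran leaves far more.
    cert_ok_for_days "$cert" 30 || { echo "under 30 days left: renewal did not take"; rc=1; }
    return $rc
}

# Constructed sample: a self-signed 90-day certificate with the same SAN list
# as the thread's entry, so the checks run without contacting Let's Encrypt.
make_sample_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.com
[ext]
subjectAltName = DNS:example.com,DNS:*.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$dir/san.cnf" \
        -keyout "$dir/example.com.key" -out "$dir/example.com.cer" 2>/dev/null
    echo "$dir/example.com.cer"
}

# Stand-alone run: check the sample, or a real domain if one is given.
if [ -n "$1" ]; then check_acme_cert "$1"; else check_acme_cert example.com "$(make_sample_cert)"; fi
```

On pfSense, `check_acme_cert example.com` reads the file acme.sh just wrote; compare the printed sha256 with `served_fingerprint www.example.com` and with the fingerprint shown under System > Certificates. If notBefore is not the date of the last "Reload success" line, or the served fingerprint differs from the file's, the entry that ran is not the one the listener (or the notifier) is looking at.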
              • Boab @Boab

                @Boab [screenshot: pfsense-acme.jpg]

                I think I may have spotted it.
                The top entry, when you look at the info, covers my domain and *.my domain.
                The bottom entry looks a bit strange and probably should be deleted; it may have been hanging around since I was initially setting up acme!

                Sins coming back to bite you...

                Thank you Gertjan for guiding me to it - I spent many hours struggling with this before asking on the forum.

                • Gertjan @Boab

                  @Boab

                  You have a wildcard, so you can probably delete the star-dot-domain.tld entry, as it is going out of business anyway.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.