Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Failure updating ACME certificate

    Scheduled Pinned Locked Moved ACME
    23 Posts 5 Posters 5.4k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @AudioDave
      last edited by

      @AudioDave seems like you have it overly complex.. I run a couple of services behind pfsense that are open to the public internet.. But I just ha proxy handle all the ssl.. And just update the acme certs via dns..

      ha proxy can direct to your different backends based on the fqdn.. If they are all in the same domain you could just use 1 cert (wildcard) and only need to update 1 cert, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      A 1 Reply Last reply Reply Quote 0
      • A Offline
        AudioDave @johnpoz
        last edited by

        @johnpoz It may be overly complex, no opinion on that. As it is, everything is working EXCEPT the automatic renewal of the server certificate for my web server. Prior to changing out my router for a pfsense router, I had longer duration certificate(s), but since then there have been limits put on the duration of certificates to 90 days. Thus my need to get this working.

        All the other port forwards occur only for access from the LAN/VLAN side for security.

        The ONLY access from the WAN side is ports 80/445 for the web server, and standard ports for OpenVPN and IPsec for VPN access. The VPN ports can easily be disabled when not needed to reduce the footprint for external port scans.

        I do not access most of these web admin interfaces from the WAN side.

        I certainly can reconfigure if there's a compelling reason to do that. However, I do not want to open another can of worms unnecessarily. I'm only trying to resolve what I've done wrong for the certificate renewals to function.

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @AudioDave
          last edited by

          @AudioDave said in Failure updating ACME certificate:

          I had longer duration certificate(s), but since then there have been limits put on the duration of certificates to 90 days.

          ACME has never been longer than 90 days... Yeah if you got your certs from some CA then you could of have longer..

          Maybe you manually installed these certs that you had for longer than 90 days?

          If you do not even access them via outside, why even have them available? Just offering up a suggestion to simplify your cert management.. If you are going to use ACME for your cert needs.. If you have multiple services that are accessed from the public, I would just put them behind haproxy, this allows you to handle all the ssl for all over your services in one spot. If you want your services to handle their own certs, then run the acme client on those boxes to handle their certs.

          Either way I would use dns method of validating your certs.

          If you have your ssl offloaded via haproxy - you can access your services via ha proxy while your internal to your network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          A 1 Reply Last reply Reply Quote 0
          • A Offline
            AudioDave @johnpoz
            last edited by

            @johnpoz said in Failure updating ACME certificate:

            Maybe you manually installed these certs that you had for longer than 90 days?

            If you do not even access them via outside, why even have them available? Just offering up a suggestion to simplify your cert management. If you are going to use ACME for your cert needs.. If you have multiple services that are accessed from the public, I would just put them behind haproxy, this allows you to handle all the ssl for all over your services in one spot. If you want your services to handle their own certs, then run the acme client on those boxes to handle their certs.

            Either way I would use dns method of validating your certs.

            This is getting a little off track. If there is a compelling reason to redo everything, I'm certainly willing to reconsider. However, my original question is simply how to resolve the fact that the automatic renewal is failing.

            I was previously using a self-signed certificate that I created using OpenSSL. Newer browser versions do not appear particularly happy with self-signed certificates from an untrusted CA.
             
            Will I open some of these services to access from the WAN at some point? Maybe. Most of these I simply configure from the LAN side, but still have configured such that the certificates work with ssl/https. The DNS query on the LAN side returns an internal IP to keep the URL happy.

            I don't understand your comment about "using the DNS method". How does that differ from what I'm attempting and how would I get to that result?

            I'm not sure where to go with your suggestions, partly because I do not understand the how or why to go that route. Can you point to example(s) or documentation?

            Thanks! Not meaning to be argumentative. I simply want to address the issue of automatic certificate renewal. If I need to describe my complete setup to get to an answer, I can certainly attempt to do that, providing it's necessary to answer the question(s). I did not keep extensive notes about how I got to the current configuration. I simply resolved each issue I discovered as I progressively got things working after switching out a Zyxel router for a pfsense one.

            p.s. I think what I did to get the original certificate was simply to disable the port forwarding on port 80, which allowed the script to get the responses from Letsencrypt. Perhaps I will try that for the renewal as well, if nothing else to confirm the issue.

            johnpozJ GertjanG P 3 Replies Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @AudioDave
              last edited by johnpoz

              @AudioDave Just trying to give you an easy way to manage certs for multiple devices behind pfsense... But hey you do you..

              I simply want to address the issue of automatic certificate renewal.

              Well if you want to use the web server approach then yeah you would have to open up pfsense wan if you want acme on pfsense to validate.. If you want something behind pfsense to use certbot and renew its certs then you would have to forward the port to the client.

              Or just use dns method where ever you run the lets encrypt script to renew a cert... But leaving some port open to something behind pfsense is not going to renew the cert on the acme client on pfsense.. Because that would have the correct info that is created when it checks, etc. and the cert wouldn't be on your remote device even if it did work..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              1 Reply Last reply Reply Quote 0
              • LarryFahnoeL Offline
                LarryFahnoe
                last edited by

                @AudioDave have you read https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-validation.html This should help to illustrate the DNS method that is being encouraged here.

                --Larry

                A 1 Reply Last reply Reply Quote 0
                • A Offline
                  AudioDave @LarryFahnoe
                  last edited by

                  @LarryFahnoe I have not but will check it out. Thanks!

                  1 Reply Last reply Reply Quote 0
                  • GertjanG Offline
                    Gertjan @AudioDave
                    last edited by

                    @AudioDave said in Failure updating ACME certificate:

                    However, my original question is simply how to resolve the fact that the automatic renewal is failing.

                    The web root method needs an "open port TCP 80" ending up on the WAN interface of pfSense.
                    If you already have that port forwarded else - using a NAT rule - you have a conflict, as enabling and disabling NAT and/or firewall rules isn't going to happen.

                    I'm not sure, but :

                    e5771395-9e7a-45ec-9c98-4c7e0554634b-image.png

                    => It must be port 80 or port 443 - and the help text says so : traffic must arrive at the WAN, so if need, take car of upstream NAT if you have an upstream ISP router.

                    I've read some of the https://www.google.com/search?client=firefox-b-d&q=ddns.net+letsencrypt and it really looks like a "yes, it is possible, but is is a pure pain to handle".
                    By far, I prefer the original solution 'DNS' and this needs a 'real' domain name that you rent (la couple of $ a year) with a capable registrar that supports a DNS method, and call it a day.
                    Not that the webroot / standalone method is bad : if you didn't have any ports forwarder into your network, it doesn't matter that ones in 60 days, a 'listener' (the socat tool) fires up to handle the incoming request from Letsencrypt, but : you still have an open hole in your WAN.

                    Far more better (= easier) would be : as said : use a DNS method. Check if your registrar which one it supports, and use it : no more hassle, no more 'ports to open' (could be a a security issue).
                    Not that it is the best way, but I've pfSense acme asking for a wildcard certificate for my internal network domain name, and copy it over to some other devices (nas, printers etc) ones every 60 days. Not that this really needed, I could still access their GUI anyway.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    A 1 Reply Last reply Reply Quote 0
                    • A Offline
                      AudioDave @Gertjan
                      last edited by

                      @Gertjan Well, this is all just to keep encryption (HTTPS) on a small forum on my network and has already been a PITA for a small amount of benefit.

                      I'm not a network expert, so I end up investing time to understand and implement this and frankly, it's becoming less attractive to manage it.

                      I'll dig a little more, but it may ultimately not be worth the trouble. I may also revert to how I originally managed certificates, which removes the 90-day restriction. I only really moved to Letsencrypt because it appeared that managing certs had been automated and that the certificates were from a "valid" CA.

                      No free lunch, I suppose!

                      I'm using a free dynamic DNS provider and am not motivated to pay fees for a little-used server. I may just drop the idea entirely.

                      Even for the VPN access, I've managed years without this. It just seemed it would be nice to have a VPN for use on the road. Even there, I find myself monitoring logs to track port scanners banging on the open ports. Ultimately, it's becoming less attractive.

                      LarryFahnoeL 1 Reply Last reply Reply Quote 0
                      • LarryFahnoeL Offline
                        LarryFahnoe @AudioDave
                        last edited by

                        @AudioDave said in Failure updating ACME certificate:

                        I'm using a free dynamic DNS provider and am not motivated to pay fees for a little-used server. I may just drop the idea entirely.

                        If your current DNS provider is amongst those listed in the ACME configuration, this is a very easy route & gives you the low maintenance automated that you're looking for. Easy enough to set up a test cert to see if/how the dynamic DNS bits work with ACME and then decide if you want to use it to generate other certs.

                        --Larry

                        1 Reply Last reply Reply Quote 0
                        • P Offline
                          Popolou @AudioDave
                          last edited by

                          @AudioDave said in Failure updating ACME certificate:

                          However, my original question is simply how to resolve the fact that the automatic renewal is failing

                          I did point out your problem several days ago and what you needed to do.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.