ACME filling up disk
For (nearly) the second time now the ACME package has filled up the disk on my pfSense. A recap of some history:
- On August 8, the ACME package updated the certificate
- On October 7, I came home in the afternoon to find the internet not working. Eventually determined the disk was full and deleted some zfs filesystems associated with old versions. This got things working but the webgui was totally borked.
- On October 11, I finally did a factory reset, and restored a configuration backup from August 8, after the certificate update
Things were working fine until a couple of days ago when I started getting HSTS errors when trying to connect. My browser showed I was being served the August 8 certificate, which expired on November 6. The certificate seemed legit (as in, one that was issued to my pfSense) but for whatever reason a newer cert (that was present in the GUI) wasn't being used. I couldn't find any evidence of this August 8th cert in the GUI or configs, but that's not actually the point of the story.
While trying to figure this out, I noticed that /cf was using a large amount of space. This was one of the things that eventually led to the previous install crashing:
Poking around I found a config file every second in the backup directory:
Looking at the timestamps on these config files you can see about when it started:
The first config in that 1731701* bunch had this change, me forcing a certificate issuance in the hope that would fix something:
After that, there is an "identical" config every second looking like:
time is /pfsense/revision/time, and lastrenewal is /pfsense/installedpackages/acme/certificates/item/lastrenewal. The comment on every one of those configs is the same as above, "(system): Services: Acme: Storing signed certificate". I assume ACME is somehow in a loop where modifying the config is causing it to update the config.
I ended up uninstalling ACME which stopped the problem, but once I re-installed ACME and forced another Issue/Renew, it started again. System Logs shows this loop:
This is with pfSense-pkg-acme-0.8_1 on a Netgate 1100 running 24.03-RELEASE
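One way to catch the once-per-second config write loop described in this post before it fills the disk, as an added example that is not part of the original post or the ACME package. It assumes backups are stored as `/cf/conf/backup/config-<epoch>.xml` and that the change comment lives in `/pfsense/revision/description`; the sample data and thresholds are constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

BACKUP_DIR = Path("/cf/conf/backup")          # assumed backup location
NAME_RE = re.compile(r"config-(\d+)\.xml$")   # assumed naming: config-<epoch>.xml
ACME_DESC = "(system): Services: Acme: Storing signed certificate"

# Constructed sample: two ordinary changes, then 120 backups one second apart.
SAMPLE = [(1699000000, "admin: constructed rule change"),
          (1699500000, "admin: constructed alias change")]
SAMPLE += [(1700000100 + i, ACME_DESC) for i in range(120)]

def read_backups(directory=BACKUP_DIR):
    """Yield (epoch, description) for every config backup in the directory."""
    for path in directory.glob("config-*.xml"):
        match = NAME_RE.search(path.name)
        if not match:
            continue
        try:
            # Root element is <pfsense>; description path is an assumption.
            desc = ET.parse(path).getroot().findtext("revision/description", "")
        except ET.ParseError:
            desc = ""  # truncated file, e.g. written while the disk was full
        yield int(match.group(1)), (desc or "").strip()

def find_write_loops(entries, max_gap=2, min_run=30):
    """Return runs of >= min_run backups that share one description and
    follow each other within max_gap seconds."""
    runs, current = [], []
    for epoch, desc in sorted(entries):
        if current and desc == current[-1][1] and epoch - current[-1][0] <= max_gap:
            current.append((epoch, desc))
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = [(epoch, desc)]
    if len(current) >= min_run:
        runs.append(current)
    return [{"start": r[0][0], "end": r[-1][0], "count": len(r),
             "description": r[0][1]} for r in runs]

if __name__ == "__main__":
    source = read_backups() if BACKUP_DIR.is_dir() else SAMPLE
    for loop in find_write_loops(source):
        print(f"{loop['count']} backups from {loop['start']} to {loop['end']}: "
              f"{loop['description']}")
```

Run from cron, any output means the configuration is being rewritten in a tight loop and the backup directory is growing.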