Let's Encrypt support

    ACME
pwnd28

      Hi everybody,

For the last few months I followed the Let's Encrypt project, and now it's going into the final round.

My question is: will there be a package for pfSense to install, or default support in future releases?

      greetings

heper

Isn't Let's Encrypt just another CA?

johnpoz (LAYER 8 Global Moderator)

Yes, but they are going to have some idiot-proof script where the user just clicks a button, runs a script, that sort of thing.

          Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.

          Getting a Certificate

          The letsencrypt tool always handles the certificate request and authentication for you.
          With Automatic Web Server Configuration

          This will automatically configure Apache and Nginx servers with your new certificate.

          $ letsencrypt run

          Think they are asking for some sort of package to integrate the script.. Pretty pointless if you ask me..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

doktornotor

@pwnd28: I already mentioned this elsewhere. This needs an existing FreeBSD port first. It cannot be integrated in any way without that.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              There seems to be some work on a port, looks like one even done already if not current code.
              https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203405

But is this something that is really needed? The CA manager could be used to install the certs and you could use anything to do the CSR and get the certs.. And then just use the CA manager to install the cert into pfSense and use it..

MikeV7896

                @johnpoz:

Except their certs are only good for 90 days, hence their preference for an automated renewal process rather than having to do it manually every 3 months. The short renewal length allows them to keep a small CRL.

                The S in IOT stands for Security

KOM

                  90 days??  Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.

NOYB

                    @KOM:

                    90 days??  Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.

                    A more appropriate place for this question would be here:
                    Maximum and Minimum Certificate Lifetimes

                    For other non pfSense specific details, the Let's Encrypt and Support sites are typically better sources of information.

firewalluser

                      @KOM:

                      90 days??  Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.

If you don't know your certs have been nicked, then they are useful to hackers for a whole year.

                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                      Asch Conformity, mainly the blind leading the blind.

pwnd28

                        Hi,
                        Thanks for the many answers.
I'm also not sure if this is really useful or not. Nobody really knows if the CA you use is trustworthy or has a connection to the government or another party.
I am excited to see whether there will be a package or not. It is of course a little bit better than an unsigned certificate, especially through the support of 4096-bit certificates and more.

firewalluser

Just interchange hackers for spooks, and interchange national for foreign; their actions amount to the same either way.

With that in mind, do you trust another entity who provides the certs when you don't know the staff and/or infrastructure being used? And even if the device is good, you still then need to trust the manufacturers of the devices being used.

All in all that's a lot of trust you need to spread around, but one of the beauties of hacking is, even if you do trust an entity, considering they may use devices that then get used at home, where offspring or others who are less tech-savvy exist, their devices may be inadvertently hacking the very entity and their devices you trust, rendering them untrustworthy without their knowledge.

With this in mind, do you still want to trust a third party and not your own capabilities, even when you are motivated to improve your own capabilities by learning, like printing your own certs on a standalone trusted device under your supervision?

                          An abstract but perhaps realistic view on life.

KOM

If you don't know your certs have been nicked, then they are useful to hackers for a whole year.

                            Believe me, nobody wants my certs  ;D

David_W

                              @pwnd28:

                              Nobody realy knows if the CA you use is trustfull or has a connection to the government or an other party.

                              Best practice is to generate the private key you wish to use for a certificate locally on an uncompromised machine with a cryptographically secure random number generator. In this scenario the security of the private key is entirely in your hands because the Certificate Signing Request sent to the CA does not contain the private key.

johnpoz (LAYER 8 Global Moderator)

I see no point to support of this on pfSense to be honest.. Other than maybe captive portal. For the web GUI to admin pfSense.. just use the CA on pfSense to create a cert and trust it on the machines you will admin pfSense from. This really should be a really small list of machines!!

Now using https in your captive portal, yes, https could be handy to be able to use a cert that is auto-trusted by your guests.. But it's prob going to fail anyway even if the https you're serving is valid for your https captive portal page, since redirect of https is tricky and browsers don't like it and balk, as well they should, and if the site they have been going to via https is using HSTS most browsers are going to prevent it.

Your best solution is to just notify users that they have to hit your captive portal directly or try and go to an http site to get redirected. You could then redirect them to an https URL that you have a trusted cert for.. This would really be the only reason I could see for this.. But why not just get https for a year for free from StartSSL, or there are other places that cost a whole $10 a year.

If you're so cheap as to not want to pay for your SSL.. just don't bother doing your captive portal via https, or use self-signed and deploy that to the users of your captive portal on the http URL you're going to have anyway for the captive portal.

NOYB

                                  @KOM:

                                  If you dont know your certs have been nicked, then they are useful to hackers for a whole year.

                                  Believe me, nobody wants my certs  ;D

                                  Fortunately the Let's Encrypt project isn't about only you.

NOYB

                                    @johnpoz:

But why not just get https for a year for free from StartSSL, or there are other places that cost a whole $10 a year.

                                    Let's Encrypt cert is in essence good for as long as the automation runs.

                                    @johnpoz:

If you're so cheap as to not want to pay for your SSL.. just don't bother doing your captive portal via https, or use self-signed and deploy that to the users of your captive portal on the http URL you're going to have anyway for the captive portal.

                                    It's not always only about the money.  Let's Encrypt cert automation can be very appealing too.

firewalluser

                                      @David_W:

                                      @pwnd28:

                                      Nobody realy knows if the CA you use is trustfull or has a connection to the government or an other party.

                                      Best practice is to generate the private key you wish to use for a certificate locally on an uncompromised machine with a cryptographically secure random number generator. In this scenario the security of the private key is entirely in your hands because the Certificate Signing Request sent to the CA does not contain the private key.

That's the rub: even if you had an uncompromised machine, so many zero-days make it possible to obtain such things, so if you ever get something like this in your BIOS http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/ well, you might just as well throw your system in the bin.

Edit. I'll chuck this link in as it's useful and might be of interest. http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf

                                      @johnpoz:

                                      I see no point to support of this on pfsense to be honest..  Other than maybe captive portal.  For the webgui to admin pfsense.. Just use CA on pfsense to create a cert and trust it on your machines you will admin pfsense from.  This really should be a really small list of machines!!

I'm no longer using any encryption to access devices or services LAN side as I can't inspect the data; any encryption found can be blocked by Snort/Suricata and investigated. Things like web access to secure websites now take place on a separate device from a Linux live CD with no hard drive or other forms of storage and an easily flashable BIOS.

As to accessing pfSense, switches etc., as above, but usernames/passwords are locally stored so no RADIUS servers for convenience, as it's all about minimising the risk of unknowns or, to use a more popular phrase, zero-days.

If you're so cheap as to not want to pay for your SSL.. just don't bother doing your captive portal via https, or use self-signed and deploy that to the users of your captive portal on the http URL you're going to have anyway for the captive portal.

It's not so much about being cheap, but trusting the other entities in the supply chain. As it is we have to trust so many people already; reducing that risk just makes sense, which is why we don't trust some people to do some things for us. Others we have to trust when we are incapable of doing something, but where possible it's better to do what you can.

johnpoz (LAYER 8 Global Moderator)

                                        @NOYB:

                                        Let's Encrypt cert is eventually good for as long as the automation runs.

And how often does it look to update? Every day? What if it goes to update the day before the cert runs out and fails to update for whatever reason: issue on their end, firewall problem on your end, etc.

I don't see the automated updating of SSL to be a good thing to be honest. While I can see this useful on, say, a personal site on some web host for more users to start using https for their sites, I just do not really see a need on pfSense.. It's a firewall, not a WEB SERVER.. Using some automated process to use https for your web GUI just seems silly. There should be what, a handful of people accessing a firewall GUI in the first place.. So why not just issue your own self-signed and have those machines used to access it trust the CA that is completely under your control.

Now if you want to use it on your web server behind pfSense, have at it.. I will prob use this on some of my play systems.. Just don't see need/use on my firewall at all.. Especially when that firewall system has a CA..

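The failure case raised above (renewal attempted only at the last moment and then failing) is what a renewal window and a monitoring check are for. The following is an added example, not code from the pfSense ACME package or from any poster: it classifies certificates from their `openssl x509 -noout -dates` output into ok / renew / alarm / expired. The dates and names are constructed; the thresholds are assumptions: renew once a third of the lifetime remains (Let's Encrypt's published guidance, 30 days for a 90-day cert), and alarm at 7 days left, which with a daily renewal job means it has been failing for about three weeks.

```python
"""Renewal-window check for short-lived (90-day) certificates.

Added example; not the pfSense ACME package's own logic. SAMPLE_CERTS and NOW
are constructed. Thresholds are assumptions: renew when lifetime // 3 is left,
alarm at 7 days left, and report expiry.
"""
from datetime import datetime, timedelta, timezone

# Format printed by `openssl x509 -noout -dates` (e.g. "Jun  1 00:00:00 2024 GMT").
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_date(text):
    """Accept 'Jun  1 00:00:00 2024 GMT' or 'notAfter=Jun  1 ...'; return aware UTC."""
    value = text.split("=", 1)[-1].strip()
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def renewal_status(not_before, not_after, now=None, renew_divisor=3, alarm_days=7):
    """Classify one certificate.

    renew threshold = lifetime // renew_divisor (30 days for a 90-day cert).
    alarm_days is an assumed monitoring threshold for "automation keeps failing".
    `now` is an OpenSSL-format string for reproducibility, or None for wall clock.
    """
    nb = parse_openssl_date(not_before)
    na = parse_openssl_date(not_after)
    now_dt = datetime.now(timezone.utc) if now is None else parse_openssl_date(now)
    lifetime = na - nb
    if lifetime <= timedelta(0):
        raise ValueError("notAfter is not after notBefore")
    remaining = na - now_dt
    renew_at = lifetime // renew_divisor
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=alarm_days):
        state = "alarm"          # renewal should already have happened; page someone
    elif remaining <= renew_at:
        state = "renew"          # inside the window; a failed attempt today is retried tomorrow
    else:
        state = "ok"
    return {
        "state": state,
        "days_left": remaining.days,
        "lifetime_days": lifetime.days,
        "renew_when_days_left": renew_at.days,
    }


def report(certs, now=None):
    """Map each cert name to its status dict. certs: {name: (notBefore, notAfter)}."""
    return {name: renewal_status(nb, na, now) for name, (nb, na) in certs.items()}


def needs_action(certs, now=None):
    """Sorted names of certs that are not in the 'ok' state."""
    return sorted(name for name, st in report(certs, now).items() if st["state"] != "ok")


# Constructed sample data: three 90-day certs as a pfSense box might hold them.
SAMPLE_CERTS = {
    "webgui": ("notBefore=Apr  1 00:00:00 2024 GMT", "notAfter=Jun 30 00:00:00 2024 GMT"),
    "captive-portal": ("notBefore=May  1 00:00:00 2024 GMT", "notAfter=Jul 30 00:00:00 2024 GMT"),
    "haproxy": ("notBefore=Mar  3 00:00:00 2024 GMT", "notAfter=Jun  1 00:00:00 2024 GMT"),
}
NOW = "Jun  1 00:00:00 2024 GMT"  # fixed clock so the example is reproducible


if __name__ == "__main__":
    for name, st in report(SAMPLE_CERTS, NOW).items():
        print("%-15s %-8s %3d days left (renew at %d)"
              % (name, st["state"], st["days_left"], st["renew_when_days_left"]))
    print("needs action:", needs_action(SAMPLE_CERTS, NOW))
```

Run it daily from cron alongside the renewal job and alert on anything that is not `ok` for more than a few days; the "renew" state on its own is normal, the "alarm" state is the signal that the automation has been silently failing.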
NOYB

                                          John,

                                          Please go read up on the subject before acting like an expert.

stanthewizard

I think too a package would be very useful, especially when you use the Squid reverse proxy with Apache and Exchange.

                                            :)

fourseasons

                                              I wanted to open a new thread on this but found this one just before posting.  ::)

---

Let's Encrypt is a new CA that will begin signing free trusted certificates for the public on 3.12.2015.

The project is founded by the likes of Mozilla, Akamai, Cisco and the EFF, who work together in the Internet Security Research Group (ISRG). [1]

The "catch" is that the certificates have a lifetime of 90 days. Their reasoning behind this is that they want to limit damage from key compromises and they want to encourage automation, which I think makes sense. [2]

These free certificates would be perfect for some pfSense applications like the captive portal or the pfSense web interface.
From what I can tell it has already been implemented in Python or JavaScript, so it should run on FreeBSD.

                                              [1] https://en.wikipedia.org/wiki/Internet_Security_Research_Group
                                              [2] https://letsencrypt.org/2015/11/09/why-90-days.html

pwnd28

                                                @fourseasons:

That sounds good. I think I will try to change my pfSense to the Let's Encrypt CA in the Christmas holidays.
I will post my experiences :)

johnpoz (LAYER 8 Global Moderator)

NOYB.. At what point did I say I was an expert? And at what point did I sound like one? Please explain to me why a FIREWALL with limited access to its web GUI by only ADMINS, that has its own built-in CA already, would need/want an automated system to install a cert that expires every 90 days if it cannot phone home..

I just do not get it?? I have a cert on my web GUI; it took all of 2 seconds to create and trust from the different machines I admin pfSense from..

                                                  I mentioned already that it might be a good idea for something like captive portal as well.

singerie

                                                    The project is now in public beta.

It seems to be supported on FreeBSD:

                                                    https://letsencrypt.readthedocs.org/en/latest/contributing.html#freebsd

                                                    https://letsencrypt.readthedocs.org/en/latest/using.html#installation-and-usage

filnko

gonzopancho mentioned on reddit that there will be a Let's Encrypt package in 2.4 ;D

singerie

The package is there in the nightly, but I don't know how to use it … lol

jimp (Rebel Alliance Developer, Netgate)

                                                          @singerie:

The package is there in the nightly, but I don't know how to use it … lol

                                                          It depends on what you want to do with it. For the GUI:

                                                          Visit keys tab, make a new entry, click the button to generate a new account key, then click the button to register the key, then save.

                                                          Visit the certs tab, make a new cert, enter a hostname and setup a challenge/response method in the SAN list (pick a method, click +, enter the details), then save, then click issue/renew.

                                                          What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could setup keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do).

                                                          I would advise against attempting the webroot method directly on the firewall. You could port forward port 80 on the firewall's WAN address to a local web server and then use the webroot FTP option perhaps if you don't have any other choice.

                                                          Once you have managed to get a cert issued, go to System > Advanced, pick it for the GUI cert. Edit the cert entry in the ACME package and setup a new action for a shell command to run /etc/rc.restart_webgui, save again. Visit the general settings tab and check the box, then save.

                                                          If you want to use it for something other than the GUI, repeat the process but pick it wherever you need to use it instead (e.g. haproxy), though your update method may vary for that.

                                                          I'll write up a more thorough doc on it eventually.

                                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                          Need help fast? Netgate Global Support!

                                                          Do not Chat/PM for help!

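What the challenge methods named above actually publish, as an added example (Python, not the pfSense ACME package's or acme.sh's code): the account key registered on the keys tab is hashed into a JWK thumbprint (RFC 7638), the CA's per-challenge token is joined to it as the key authorization, and that is what http-01 serves from the webroot or what dns-01 hashes into the `_acme-challenge` TXT record that an RFC 2136 `nsupdate` would add. The account JWK and token here are constructed placeholders, not real key material; a real client uses the CA-issued token and its own registered key.

```python
"""What an ACME client has to publish for http-01 and dns-01 (RFC 8555).

Added example; not the pfSense ACME package's or acme.sh's code. ACCOUNT_JWK is
a constructed placeholder (its 'n' is nothing like a real RSA modulus) and TOKEN
is constructed; a real CA issues the token per challenge.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of the account's public key: SHA-256 over the required
    public members only, keys in lexicographic order, no whitespace. Optional
    members such as 'kid' or 'alg' must be left out or the digest differs."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError("unsupported key type: %r" % (kty,))
    canonical = json.dumps({k: jwk[k] for k in required[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """token '.' thumbprint: ties the CA's token to this specific account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(domain, token, account_jwk):
    """(URL the CA fetches over plain HTTP on port 80, exact body it expects)."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    return url, key_authorization(token, account_jwk)


def ca_checks_http01(served_body, token, account_jwk):
    """The CA side of http-01: compare the fetched body with the key authorization
    (RFC 8555 lets the server ignore trailing whitespace)."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def dns01_record(domain, token, account_jwk):
    """(TXT owner name, TXT value). The value is the base64url SHA-256 digest of
    the key authorization, not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)


def nsupdate_script(domain, token, account_jwk, ttl=120):
    """Input for nsupdate(1) (RFC 2136) that publishes the dns-01 record. The TSIG
    key is given on the command line (nsupdate -k <keyfile>). Assumption: nsupdate
    can find the zone and master from the SOA, so no 'zone'/'server' lines."""
    name, value = dns01_record(domain, token, account_jwk)
    return "\n".join([
        "update delete %s. IN TXT" % name,            # clear stale records first
        "update add %s. %d IN TXT \"%s\"" % (name, ttl, value),
        "send",
        "",
    ])


# Constructed sample inputs: not real key material, not a real token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-not-a-real-key",
    "kid": "https://acme.example/acct/1",   # optional member: ignored by the thumbprint
}
TOKEN = "ConstructedTokenValue0123456789abcdefXYZ"
DOMAIN = "fw.example.net"


if __name__ == "__main__":
    url, body = http01_response(DOMAIN, TOKEN, ACCOUNT_JWK)
    print("http-01: serve at", url)
    print("         body    ", body)
    name, value = dns01_record(DOMAIN, TOKEN, ACCOUNT_JWK)
    print("dns-01:  %s TXT %s" % (name, value))
    print("nsupdate input:\n" + nsupdate_script(DOMAIN, TOKEN, ACCOUNT_JWK))
```

Two things this makes concrete for the choice of method: http-01 needs port 80 on the validated name to reach whatever serves the key authorization, which is why the webroot method on the firewall itself is awkward and a port forward to an internal web server was suggested; dns-01 only needs write access to one TXT record, and because the value is a digest the record reveals nothing beyond the fact that this account is validating this name.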
moscato359

                                                            @KOM:

                                                            90 days??  Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.

The Let's Encrypt script can be put on cron, and automated every 90 days with a new cert.

It's done regularly on Linux web servers.

mandrekogmail.com

                                                              @KOM:

                                                              90 days??  Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.

                                                              One reason may be that the newest version of Google Chrome is no longer trusting StartSSL, due to their parent company doing some shady things.

yodaphone

                                                                @jimp:

Awesome.. I had my DNS with Namecheap & wasn't able to figure out how to do nsupdate with them, so I moved it to Cloudflare & it worked.

If you use Cloudflare make sure the DNS uses Cloudflare DNS only & has a grey cloud. Grey cloud: records that display a grey cloud icon will bypass Cloudflare, using only Cloudflare DNS.

If you have an orange cloud the auth fails. You can re-enable it after the cert is issued.

doktornotor

If someone really insists on using a local webroot:

1/ Install the HAProxy package.
2/ Put this in HAProxy > Files (Type: Lua script, Name: acme-http01-webroot.lua)

                                                                  (or download from here)

                                                                  
                                                                  -- ACME http-01 domain validation plugin for Haproxy 1.6+
                                                                  -- copyright (C) 2015 Jan Broer
                                                                  --
                                                                  
                                                                  acme = {}
                                                                  acme.version = "0.1.1"
                                                                  
                                                                  --
                                                                  -- Configuration
                                                                  --
                                                                  -- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass 
                                                                  -- that as 'webroot-path' to the letsencrypt client
                                                                  
                                                                  acme.conf = {
                                                                  	["non_chroot_webroot"] = ""
                                                                  }
                                                                  
                                                                  --
                                                                  -- Startup
                                                                  --  
                                                                  acme.startup = function()
                                                                  	core.Info("[acme] http-01 plugin v" .. acme.version);
                                                                  end
                                                                  
                                                                  --
                                                                  -- ACME http-01 validation endpoint
                                                                  --
                                                                  acme.http01 = function(applet)
                                                                  	local response = ""
                                                                  	local reqPath = applet.path
                                                                  	local src = applet.sf:src()
                                                                  	local token = reqPath:match( ".+/(.*)$" )
                                                                  
                                                                  	if token then
                                                                  		token = sanitizeToken(token)
                                                                  	end
                                                                  
                                                                  	if (token == nil or token == '') then
                                                                  		response = "bad request\n"
                                                                  		applet:set_status(400)
                                                                  		core.Warning("[acme] malformed request (client-ip: " .. tostring(src) .. ")")
                                                                  	else
                                                                  		-- keep the key authorisation local; a global would be shared across requests
                                                                  		local auth = getKeyAuth(token)
                                                                  		if (auth:len() >= 1) then
                                                                  			response = auth .. "\n"
                                                                  			applet:set_status(200)
                                                                  			core.Info("[acme] served http-01 token: " .. token .. " (client-ip: " .. tostring(src) .. ")")
                                                                  		else
                                                                  			response = "resource not found\n"
                                                                  			applet:set_status(404)
                                                                  			core.Warning("[acme] http-01 token not found: " .. token .. " (client-ip: " .. tostring(src) .. ")")
                                                                  		end
                                                                  	end
                                                                  
                                                                  	applet:add_header("Server", "haproxy/acme-http01-authenticator")
                                                                  	applet:add_header("Content-Length", string.len(response))
                                                                  	applet:add_header("Content-Type", "text/plain")
                                                                  	applet:start_response()
                                                                  	applet:send(response)
                                                                  end
                                                                  
                                                                  --
                                                                  -- strip chars that are not in the URL-safe Base64 alphabet
                                                                  -- see https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
                                                                  --
                                                                  function sanitizeToken(token)
                                                                  	-- Lua pattern: any char outside letters, digits, '+', '-', '_' and '=' is dropped
                                                                  	local _strip = "[^%a%d%+%-%_=]"
                                                                  	token = token:gsub(_strip,'')
                                                                  	return token
                                                                  end
                                                                  
                                                                  --
                                                                  -- get key auth from token file
                                                                  --
                                                                  function getKeyAuth(token)
                                                                  	local keyAuth = ""
                                                                  	-- with chroot the webroot prefix is empty, so the path is relative to the chroot
                                                                  	local path = acme.conf.non_chroot_webroot .. "/.well-known/acme-challenge/" .. token
                                                                  	local f = io.open(path, "rb")
                                                                  	if f ~= nil then
                                                                  		keyAuth = f:read("*all")
                                                                  		f:close()
                                                                  	end
                                                                  	return keyAuth
                                                                  end
                                                                  
                                                                  core.register_init(acme.startup)
                                                                  core.register_service("acme-http01", "http", acme.http01)
                                                                  
                                                                  

                                                                  3/ Create a very simple http frontend on WAN address, port 80.

                                                                  4/ Use this for your certificate(s) in ACME package:

                                                                  [EDIT: The image host originally used in this post is dead. Fixed using cached copies of the images on another host -jimp]

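The security-relevant part of the Lua plugin in the post above is the order of operations: take only what follows the last slash, strip everything that is not in the URL-safe Base64 alphabet, and only then build a file path under the webroot. The following is an added example, not the plugin itself and not part of the ACME package or HAProxy: a plain-Python re-implementation of the same request handling (400 for a malformed token, 404 for an unknown one, 200 with the stored key authorisation) so the effect of the sanitisation can be exercised on constructed request paths. The throwaway webroot, the token `tokenABC123` and the file contents are constructed for the example.

```python
"""Plain-Python stand-in for the http-01 responder logic of the HAProxy Lua plugin.

Added example, not the plugin itself and not part of the ACME package: it
re-implements the same three outcomes (400 for a malformed token, 404 for an
unknown token, 200 with the stored key authorisation) so that the effect of
the sanitisation step can be exercised on constructed request paths. The
webroot directory, the token and the file contents are all constructed here.
"""
import os
import re
import tempfile
from typing import Tuple

# Anything outside the URL-safe Base64 alphabet is dropped, mirroring the Lua
# pattern "[^%a%d%+%-%_=]"; this is what keeps "." and "%" out of the file path.
_NOT_BASE64URL = re.compile(r"[^A-Za-z0-9+\-_=]")
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def sanitize_token(token: str) -> str:
    """Strip every character that cannot occur in an ACME token."""
    return _NOT_BASE64URL.sub("", token)


def stored_key_auth(webroot: str, token: str) -> str:
    """Read the key authorisation file for a token; '' when no such file exists."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("ascii", "replace")
    except OSError:
        return ""


def http01_respond(webroot: str, request_path: str) -> Tuple[int, str]:
    """Return (status, body) for a request path, using the plugin's status codes."""
    # Same capture as the Lua ".+/(.*)$": everything after the final slash.
    m = re.match(r".+/(.*)$", request_path)
    token = sanitize_token(m.group(1)) if m else ""
    if not token:
        return 400, "bad request\n"
    auth = stored_key_auth(webroot, token)
    if not auth:
        return 404, "resource not found\n"
    return 200, auth + "\n"


def make_demo_webroot() -> str:
    """Create a throwaway webroot holding one constructed challenge file."""
    root = tempfile.mkdtemp(prefix="acme-demo-")
    os.makedirs(os.path.join(root, CHALLENGE_DIR))
    with open(os.path.join(root, CHALLENGE_DIR, "tokenABC123"), "w") as fh:
        fh.write("tokenABC123.constructed-thumbprint")
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    for path in ("/.well-known/acme-challenge/tokenABC123",
                 "/.well-known/acme-challenge/unknown",
                 "/.well-known/acme-challenge/",
                 "/.well-known/acme-challenge/tok.en%2F.."):
        print(path, "->", http01_respond(root, path))
```

A request for `/.well-known/acme-challenge/..` ends up with an empty token and a 400, and `tok.en%2F..` is reduced to `token2F`, which simply does not exist and gets a 404; neither ever reaches `open()` with a path component the CA could not have issued.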
                                                                  • R
                                                                    reggie14 last edited by

                                                                    Is there any chance that this will work with Google Domains' DNS? It doesn't look like Google provides a way to create TXT records using their Dynamic DNS API.

                                                                    • T
                                                                      Tentacruel last edited by

                                                                      @jimp:

                                                                      What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could set up keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do)..

                                                                      I've been trying to get the manual method to work with he.net, but can't figure out how to generate the TXT key - While I know I need to add it manually to my DNS, is the generation of the key included in your package or is there a manual step required here?

                                                                      /SJ

                                                                      • jimp
                                                                        jimp Rebel Alliance Developer Netgate last edited by

                                                                        @Tentacruel:

                                                                        @jimp:

                                                                        What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could set up keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do)..

                                                                        I've been trying to get the manual method to work with he.net, but can't figure out how to generate the TXT key - While I know I need to add it manually to my DNS, is the generation of the key included in your package or is there a manual step required here?

                                                                        /SJ

                                                                        That was the first method I tested. Define the domain name entry and then click issue/renew. In the green output it tells you what the content of the record should be. Add it to DNS and then wait 2-3 minutes to be sure the record is available, then click issue/renew again.

                                                                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                        Need help fast? Netgate Global Support!

                                                                        Do not Chat/PM for help!

                                                                        • E
                                                                          execcr last edited by

                                                                          Hello,
                                                                          New user here. Fresh pfSense install updated to 2.3.2_1.
                                                                          I've installed the ACME package but I have some problems with Route 53 DNS validation.
                                                                          The output says:

                                                                          [Mon Feb 6 17:24:12 CET 2017] Registering account
                                                                          [Mon Feb 6 17:24:13 CET 2017] Already registered
                                                                          [Mon Feb 6 17:24:14 CET 2017] Update success.
                                                                          [Mon Feb 6 17:24:14 CET 2017] Single domain='test.sanitazedomain.it'
                                                                          [Mon Feb 6 17:24:14 CET 2017] Getting domain auth token for each domain
                                                                          [Mon Feb 6 17:24:14 CET 2017] Getting webroot for domain='test.sanitazedomain.it'
                                                                          [Mon Feb 6 17:24:14 CET 2017] _w='dns_aws'
                                                                          [Mon Feb 6 17:24:14 CET 2017] Getting new-authz for domain='test.sanitazedomain.it'
                                                                          [Mon Feb 6 17:24:15 CET 2017] The new-authz request is ok.
                                                                          [Mon Feb 6 17:24:16 CET 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh
                                                                          [Mon Feb 6 17:24:18 CET 2017] Error add txt for domain:_acme-challenge.test.sanitazedomain.it
                                                                          [Mon Feb 6 17:24:18 CET 2017] Please check log file for more details: /tmp/acme/test/acme_issuecert.log
                                                                          

                                                                          I checked the log and it seems to fail at the curl command that retrieves the HTTP header.
                                                                          If I open the HTTP.HEADER file in the acme domain folder (test in this case) I get:

                                                                          HTTP/1.1 505 HTTP Version not supported
                                                                          Date: Mon, 06 Feb 17 16:24:18 GMT
                                                                          Connection: close
                                                                          x-amz-id-2: 1rjTvEvOKQpJ5zruKVbddXvS15q4+I1y/+r2qirC9S8MYXm1esOQYwkOscLruZW8zzvK0+WY8BOQiy8GvYMu0rx0Uwq8WqlH
                                                                          x-amz-request-id: 8B82C340F9CA158D
                                                                          Content-Length: 0
                                                                          
                                                                          

                                                                          Any hint? The AWS access ID and secret key seem OK. I've also tried giving this IAM user full access to Route53.

                                                                          • jimp
                                                                            jimp Rebel Alliance Developer Netgate last edited by

                                                                            Route53 made some change to their service in the last few days that might have broken this client. We've had at least one other report of Route53 dyndns not working in general (not related to acme). Odds are the route53 script needs to be updated to match their new API/methods.


                                                                            • E
                                                                              execcr last edited by

                                                                              Thank you.
                                                                              Just my luck. Every time I try something new, something has been broken for hours or days  ::)

                                                                              • F
                                                                                Freshman last edited by

                                                                                Hello, cert BFU here, so sorry if I won't make much sense…
                                                                                Is it somehow possible to continue with certs from a previous "issuing"? I used the "acme.sh" script in Ubuntu two months ago, successfully got some acme-challenge TXT values for my (sub)domains, which I added manually to my DNS configuration, and on the second run of "acme.sh" a couple of files were generated (.cer, .key, ...).

                                                                                I successfully added the generated .cer to HAProxy on my pfSense and it is now serving my https websites through HAProxy, and it was my understanding that when the time comes I would just have to do "acme.sh --renew -d mydomain.com" to regenerate the certs and manually replace the cert on HAProxy.

                                                                                I wanted to automate this using this pfSense package. Is it possible to continue with the started process, or do I have to generate a new set of TXT values and replace them in my DNS config again?

                                                                                I have tried to put the content of my .key file into the "Account keys" tab and define the same domain name on the Certificates tab with Method: DNS-manual, but an attempt to "Renew" ends with a green "mydomain.com is not a issued domain, skip" message.

                                                                                Am I doing it all wrong?

                                                                                • jimp
                                                                                  jimp Rebel Alliance Developer Netgate last edited by

                                                                                  The TXT records are only valid for a few days and then they expire – you'd have to remake them when it's time to renew anyhow.

                                                                                  If you use the exact same list of SANs from your original cert, LE will allow it and will consider it a reissue. If you change the list of SANs, it's treated as a new certificate. (Not too important unless you're close to their rate limits...)


                                                                                  • T
                                                                                    Tentacruel last edited by

                                                                                    @jimp:

                                                                                    That was the first method I tested. Define the domain name entry and then click issue/renew. In the green output it tells you what the content of the record should be. Add it to DNS and then wait 2-3 minutes to be sure the record is available, then click issue/renew again.

                                                                                    Thanks for the response! Oddly, when I configure the manual method I get both an issue and a renew button, rather than the joined button I get if it was set to webroot, but I think that's a minor detail.

                                                                                    My output, however, holds no TXT entry, which is why I was getting confused.

                                                                                    
                                                                                    xxx.net
                                                                                    Renewing certificate
                                                                                    account: xxx-key 
                                                                                    server: letsencrypt-production 
                                                                                    
                                                                                    /usr/local/pkg/acme/acme.sh --issue -d 'host.xxx.net' --home '/tmp/acme/xxx.net/' --accountconf '/tmp/acme/xxx.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xxx.net/reloadcmd.sh' --dns '' --log-level 3 --log '/tmp/acme/xxx.net/acme_issuecert.log'
                                                                                    
                                                                                    Array
                                                                                    (
                                                                                    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                                                                                    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
                                                                                    )
                                                                                    [Mon Feb 6 21:03:55 UTC 2017] Single domain='host.xxx.net'
                                                                                    [Mon Feb 6 21:03:55 UTC 2017] Getting domain auth token for each domain
                                                                                    [Mon Feb 6 21:03:55 UTC 2017] Getting webroot for domain='host.xxx.net'
                                                                                    [Mon Feb 6 21:03:55 UTC 2017] _w
                                                                                    [Mon Feb 6 21:03:55 UTC 2017] Getting new-authz for domain='host.xxx.net'
                                                                                    [Mon Feb 6 21:03:59 UTC 2017] The new-authz request is ok.
                                                                                    [Mon Feb 6 21:03:59 UTC 2017] Verifying:host.xxx.net
                                                                                    [Mon Feb 6 21:04:02 UTC 2017] Pending
                                                                                    [Mon Feb 6 21:04:05 UTC 2017] host.xxx.net:Verify error:Could not connect to host.xxx.net
                                                                                    [Mon Feb 6 21:04:05 UTC 2017] Please check log file for more details: /tmp/acme/xxx.net/acme_issuecert.log
                                                                                    
                                                                                    
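The "content of the record" that jimp's manual-DNS post says appears in the green output, and the key authorisation that the http-01 webroot plugin serves from its challenge directory, are both derived from the same two inputs: the challenge token and the ACME account key. The following is an added example, not code from the ACME package or from acme.sh, that carries out that derivation as RFC 8555 (key authorisation, dns-01 digest) and RFC 7638 (JWK thumbprint) define it. The token and the JWK members (`DEMO_TOKEN`, `DEMO_JWK`) are constructed placeholders, not a real key; the host name `host.xxx.net` is the one from the post above.

```python
"""How an ACME client derives challenge responses from a token and its account key.

Added example; not code from the ACME package or from acme.sh. The token and
the JWK members below are constructed placeholders. A real client takes the
token from the CA's authorization object and the JWK from the public part of
the registered account key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME/JWS uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, sorted, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: this exact string is what /.well-known/acme-challenge/<token> must return."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01: the TXT value is the base64url SHA-256 digest of the key authorization."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(fqdn: str, token: str, jwk: dict) -> str:
    """Zone-file style line for the record to publish before clicking issue/renew again."""
    return '_acme-challenge.%s. IN TXT "%s"' % (fqdn.rstrip("."), dns01_txt_value(token, jwk))


# Constructed inputs (not a real key, not a real token).
DEMO_JWK = {"kty": "RSA", "e": "AQAB",
            "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVzLW5vdC1hLXJlYWwta2V5"}
DEMO_TOKEN = "constructed-token-value-0123456789"

if __name__ == "__main__":
    print("key authorization:", key_authorization(DEMO_TOKEN, DEMO_JWK))
    print("dns-01 record:    ", dns01_record("host.xxx.net", DEMO_TOKEN, DEMO_JWK))
```

Two properties matter in practice: the thumbprint ignores optional JWK members such as `alg` or `kid` and the order keys were stored in, so the same account key always yields the same value, and every token produces a different TXT value, which is why jimp notes that the records expire and have to be remade at each renewal rather than reused.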