Let's Encypt support
-
Well, the certificate is not yet in need of renewal so it won't try. If you want to experiment, try making a fresh account key against the LE staging system and then a new cert that uses that key. It's a system meant for testing like this.
If you need help with Route53 specifically, please start a new thread.
If you have the renewal command set in the certificate, and it's active, then the package will run it automatically. If that doesn't work, please start a new thread.
-
Is there any way to get the Acme script to stop HAProxy before running the script?
I have it restart HAProxy afterwards currently.
Basically I'm using the "local webroot" option, but if my HAProxy is running, it doesn't renew the certificate and I'm not quite sure what's wrong.
The frontend is only listening on 443, but I guess somewhere it's redirecting all 80 traffic to 443, and I'm not sure where, since it gives the error below:FOUND domainitemwebroot put token at: /usr/local/www/.well-known/acme-challenge/X8oGDvSMWzmr1-b-IiaxuyGkTdjSBt1kJNpAxnjwCnE [Mon Jul 31 10:53:52 CEST 2017] Pending [Mon Jul 31 10:53:55 CEST 2017] Found domain http api file: /tmp/acme/LetsEncryptTest//httpapi/pfSenseacme.sh [Mon Jul 31 10:53:55 CEST 2017] storm-family.com:Verify error:Fetching https://domain-name.com/.well-known/acme-challenge/X8oGDvSMWzmr1-b-IiaxuyGkTdjSBt1kJNpAxnjwCnE: Timeout [Mon Jul 31 10:53:56 CEST 2017] Please check log file for more details: /tmp/acme/LetsEncryptTest/acme_issuecert.logThis is how my frontend is configured currently (see attachment).
If I stop HAProxy, then do the certificate renew, it works perfectly.
-
Let's Encrypt must use port 80 when validating, not 443. That ACME ACL/Action will have no effect on a 443 frontend.
What exactly do you have setup for port 80? Some other frontend? Or something outside of haproxy?
-
Nope, nothing on port 80.
I can only think that I had the header "Strict-Transport-Security" on which is still causing some issues even though it's now removed…
-
Make sure nothing on the firewall is using port 80 and then use the method mentioned at the top of page 3 of this thread (https://forum.pfsense.org/index.php?topic=101186.30)
-
Thanks for the Howto of HAProy and ACME.
There is one caveat you have to remind in 2.4.0:The Webroot must not be set to "/tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/"Â as mentionend in the "help" inline. You must set it as described in the HowTo /tmp/haproxy_chroot/well-known/acme-challenge/
One question.
Is this script a security problem? or should i deactivate the HAProxy on 80 after Cert refresh? I normally only use 443 HTTPS. -
If someone really insists on using a local webroot.
…
When I try to do like in yours manual i have received 404 resource not found.
Can help with that?
Tech part:
pfSense 2.4.0 , haproxy 0.52_14 (1.7.9), acme 0.1.20
HAProxy part:
Created acme-webroot.lua in files tab, created one frontend to all WAN IPs on only 80 port, ACL: url_acme_http01 with value /.well-known/acme-challenge/ and Actions: http-request lua service with value METH_GET url_acme_http01 and function acme-http01ACME part:
create issue cert to one domain with SAL list:
method webroot local folder: /tmp/haproxy_chroot/.well-known/acme-challenge/, tried to /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/ -
I we created by hands folders (think it may can help, but no):
even tried to change permission to folder to 777 /tmp/haproxy_chroot for test purpose.
mkdir -p /tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/
mkdir -p /tmp/haproxy_chroot/.well-known/acme-challenge/
mkdir -p /tmp/haproxy_chroot/well-known/acme-challenge/and pointed ACME packet to this roots, but there no files in this directories :( after try issue certificate and because of it i get 404 (it response from acme-http01 lua service)
It this needed I can give acme logs -
Thanks for the Howto of HAProy and ACME.
There is one caveat you have to remind in 2.4.0:The Webroot must not be set to "/tmp/haproxy_chroot/haproxywebroot/.well-known/acme-challenge/"Â as mentionend in the "help" inline. You must set it as described in the HowTo /tmp/haproxy_chroot/well-known/acme-challenge/
One question.
Is this script a security problem? or should i deactivate the HAProxy on 80 after Cert refresh? I normally only use 443 HTTPS.Hi you successful configured the pfSense 2.4.0 with acme and haproxy?
Because I have troubles with this, can help? My problem discribed in two post above -
Please start separate threads for distinct issues, having multiple unrelated discussions simultaneously in a thread like this is hard for anyone to follow properly.
