Author Topic: Problem with Let's Encrypt plugin  (Read 4716 times)

gs

Problem with Let's Encrypt plugin
« on: April 22, 2017, 08:38:56 pm »
Hello,
I am trying to use the Let's Encrypt plugin version 1.4, in HTTP-01 mode with the OPNsense port forward option. The plugin works fine as I can see it reach "Installing full chain to:/var/etc/acme-client/certs/..." at the end of the log. However, it leaves my router in a mode where packets in and out are blocked, and there seem to be way too few rules in pf (if I list them in the shell; the GUI seems normal). Reloading the config using /usr/local/etc/rc.reload_all seems to fix the problem, so my guess is that the plugin doesn't clean up after itself and restore the original NAT and/or rules after running the ACME protocol and installing the certificate.
The problem is reproducible 100% of the time, so please let me know if you need me to run more tests. As a workaround, I would have run /usr/local/etc/rc.reload_all as a custom restart action, but it looks like this option was removed in version 1.4 of the plugin :-( .
Thanks in advance,
Logged
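An added check, not code from this thread or from the os-acme-client plugin, that compares a pf rule listing captured before the ACME run against one captured afterwards, so the reduced rule set described above is detected and reported instead of being noticed only when traffic stops. It assumes `pfctl -sr` output with one rule per line; the two sample listings are constructed.

```python
"""Detect a pf rule set that shrank after an ACME/port-forward run."""
import subprocess
from typing import List, Set

# Constructed sample of a normal rule set, in the shape `pfctl -sr` prints.
BASELINE_RULES = """\
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
pass out quick on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "LAN to any"
"""

# Constructed sample of the reduced rule set seen after the plugin run.
AFTER_RUN_RULES = """\
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
pass in quick on lo0 all flags S/SA keep state label "pass loopback"
"""


def parse_rules(listing: str) -> Set[str]:
    """Normalise a pfctl -sr listing into a set of non-empty rule lines."""
    return {line.strip() for line in listing.splitlines() if line.strip()}


def missing_rules(before: str, after: str) -> List[str]:
    """Rules in the baseline that are absent afterwards, in baseline order."""
    after_set = parse_rules(after)
    gone: List[str] = []
    for line in before.splitlines():
        rule = line.strip()
        if rule and rule not in after_set and rule not in gone:
            gone.append(rule)
    return gone


def ruleset_degraded(before: str, after: str, min_ratio: float = 0.8) -> bool:
    """True when the rule count fell below min_ratio of the baseline count."""
    n_before, n_after = len(parse_rules(before)), len(parse_rules(after))
    return n_before > 0 and n_after < min_ratio * n_before


def live_rules() -> str:
    """Read the current rule set from pf (needs root on the firewall)."""
    return subprocess.run(["pfctl", "-sr"], capture_output=True, text=True, check=True).stdout
```

Usage on the firewall: save `live_rules()` to a snapshot file before the renewal, then run `missing_rules(snapshot, live_rules())` afterwards; a non-empty result is the condition the thread works around with rc.reload_all.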

Taomyn

Re: Problem with Let's Encrypt plugin
« Reply #1 on: April 24, 2017, 02:55:31 pm »
FYI, this is the same as I reported here: https://forum.opnsense.org/index.php?topic=4792.0


I too discovered that reloading the firewall rules fixed it, and I'm also disappointed the custom option got taken away, as it was my only automated fix. Was hoping this meant a fix for the problem was incoming, but still waiting.
Logged

franco

Re: Problem with Let's Encrypt plugin
« Reply #2 on: April 24, 2017, 02:57:30 pm »
This was included in the latest release today: https://github.com/opnsense/plugins/commit/5c864ddf9


Cheers,
Franco
Logged

Taomyn

Re: Problem with Let's Encrypt plugin
« Reply #3 on: April 24, 2017, 02:59:11 pm »
Quote from: franco on April 24, 2017, 02:57:30 pm
This was included in the latest release today: https://github.com/opnsense/plugins/commit/5c864ddf9


Cheers,
Franco

Ah cool, will try it later tonight
Logged

Taomyn

Re: Problem with Let's Encrypt plugin
« Reply #4 on: April 24, 2017, 03:25:32 pm »
Well that won't happen now that I can't even access the LE settings
Logged

Taomyn

Re: Problem with Let's Encrypt plugin
« Reply #5 on: April 25, 2017, 11:51:48 am »
Should be able to test this soon now
Logged

whitenosethunderpants

Re: Problem with Let's Encrypt plugin
« Reply #6 on: April 25, 2017, 03:32:16 pm »
Since I had so much trouble with the HAProxy HTTP Frontend integration, I tried the Port Forward option. It worked the first time. Any subsequent attempts, however, resembled the results that others in this thread are getting. No machines on my network can access the internet once I renew the cert. It appears that the different suggestions for getting connectivity back all work for me as well.

I am running the most recent versions of OPNsense (17.1.5) and os-acme-client (1.6).
Logged

gs

Re: Problem with Let's Encrypt plugin
« Reply #7 on: April 26, 2017, 12:14:37 am »
I just updated OPNsense and tested the fix; unfortunately, it looks like the variable $backend is null, so the script crashes with the following stack trace (I've also submitted it through the reporter). I've replaced line 727 "$response = $backend->configdRun('filter reload');" with "mwexec('/usr/local/etc/rc.reload_all');" and it seems to be working as a temporary workaround.
Best,

[25-Apr-2017 23:55:26 Europe/Zurich] PHP Fatal error:  Uncaught Error: Call to a member function configdRun() on null in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php:727
Stack trace:
#0 /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php(214): run_acme_validation(Object(SimpleXMLElement), Object(OPNsense\Base\FieldTypes\ContainerField), Object(OPNsense\Base\FieldTypes\ContainerField))
#1 /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php(85): cert_action_validator('58f7e39960c846....')
#2 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 727
Logged

gs

Re: Problem with Let's Encrypt plugin
« Reply #8 on: April 26, 2017, 12:36:30 am »
(Oh, and while we're at it, certhelper.php also crashes on line 123 when a certificate has been removed in Services > Let's Encrypt > Certificates.)

[26-Apr-2017 00:28:08 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 123
Logged

whitenosethunderpants

Re: Problem with Let's Encrypt plugin
« Reply #9 on: April 26, 2017, 02:35:18 am »
I can confirm @gs's workaround worked for me as well.
Logged

gs

Re: Problem with Let's Encrypt plugin
« Reply #10 on: April 28, 2017, 03:25:04 pm »
Thanks whitenosethunderpants. This said, it is quite inelegant: it will reset the GUI on you depending on what you are doing, so a real fix is definitely needed. Unfortunately I don't have enough knowledge to create the elegant solution.
Logged
