Problems/comments with "Let's Encrypt" module

[Taomyn]

I decided to give the "Let's Encrypt" module a go, but I've hit a few issues.

• Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
  
• Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
  
• The log file is being split at the wrong "column" and so displays something like:
  [Tue Mar 14                                        19:43:34 CET 2017] Blah blah blah

[Nnyan]

I actually want to get a cert for my OPNsense box so i was thinking of using this.  If my girls give me some time tonight I'll give this a spin and try to get this installed to see what happens.

[fraenki]

Hi Taomyn,

thanks for your report.

• Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
  

Please provide some additional details. Which validation method are you using for your certificate?
I can only think of one validation method that might cause an issue: HTTP-01 OPNsense port forward. Are you using it?
If so, maybe post a screenshot of your settings. It's the only one that builds some port forward rules depending on either your configuration or some assumptions ("IP Auto-Discovery").

   

• Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
  

The LE plugin just uses the system Certificate Manager (System -> Trust -> Certificates). It seems to lack this functionality.
I've created a feature request: https://github.com/opnsense/core/issues/1475

   

• The log file is being split at the wrong "column" and so displays something like:
  [Tue Mar 14                                        19:43:34 CET 2017] Blah blah blah

This is a known bug: https://github.com/opnsense/plugins/issues/69


Regards
- Frank

[fraenki]

Hi Taomyn,

this should have been my first question: Which version of OPNsense and the LE plugin are you using?


Regards
- Frank

[Taomyn]

OPNSense v17.1.2-amd64
os-acme-client v1.1

Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.

[fraenki]

OPNSense v17.1.2-amd64
os-acme-client v1.1

Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.

Since you've specified your official IP, maybe remove "IP Auto-Discovery" and try again.


Regards
- Frank

[Taomyn]

Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.

[fraenki]

Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.

Please have a look at the system log: System -> Log File.
Maybe these log messages can reveal the root cause of this issue.


Thanks
- Frank

[Taomyn]

I just updated to 17.1.3 which has a newer version of the LE plug-in, hopefully tonight I can give it another go to get logs and see what happens.

[Taomyn]

As promised, I tried again still kills my connection, this is the log from the actions:

Mar 16 17:24:24   config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24   opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06   configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06   configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy

And attached is a screenshot of the requested certificate. Hope it helps, so if you want me to test a patch/fix let me know.

[fraenki]

Mar 16 17:24:24   config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24   opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06   configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06   configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy

These messages are normal. You haven't configured a restart action, so it's ok that it failed to retrieve it (but this message should be supressed by the LE plugin since it's useless).

And there is nothing else in the system log around the time when your internet connection died?
I'm sorry, I still have no idea what's wrong there


Regards
- Frank

[Taomyn]

No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?


I still have a few more certificates I need to issue and I was saving them for further testing of this problem.

[fraenki]

No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?

The temporary pf rules, that are added during certificate validation, are stored in filesystem in /var/etc/acme-client/configs. Each certificate has it's own subfolder (represented by the internal certificate ID) and the subfolder should contain a file named "acme_anchor_rules". Would you please paste the contents of this file here?


Thanks
- Frank

[Taomyn]

I'll PM you the content of the file shortly

[Taomyn]

Or I would:

User 'fraenki' has blocked your personal message.