
Author Topic: 18.1.1 & acme client  (Read 9876 times)

elektroinside

18.1.1 & acme client
« on: February 02, 2018, 01:16:14 pm »
Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

franco

Re: 18.1.1 & acme client
« Reply #1 on: February 02, 2018, 01:20:59 pm »
Still not quite, have to ask Frank on the status... acme.sh was updated, but did not fix this (expectations that it would were not clear anyway, at least that is what one user reported after testing it).


Cheers,
Franco

elektroinside

Re: 18.1.1 & acme client
« Reply #2 on: February 02, 2018, 01:24:00 pm »
Okay Franco,

Thank you!

bigops

Re: 18.1.1 & acme client
« Reply #3 on: February 02, 2018, 04:47:45 pm »
I have always found the ACME client to be a pain to use, especially when you have to renew a certificate and you are using the DNS validation. ZeroSSL is much easier to use and then to import the certificate.

fraenki

Re: 18.1.1 & acme client
« Reply #4 on: February 02, 2018, 10:23:34 pm »
Quote from: elektroinside on February 02, 2018, 01:16:14 pm
Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'

I've been pretty sure that acme.sh 2.7.5 would fix this error:
https://github.com/opnsense/plugins/issues/470

Apparently I was wrong. It will not be fixed until acme.sh 2.7.6 is released. I'll reopen this issue.


Regards
- Frank
« Last Edit: February 02, 2018, 10:30:44 pm by fraenki »

elektroinside

Re: 18.1.1 & acme client
« Reply #5 on: February 02, 2018, 11:32:58 pm »
No worries :)

Thank you.

eshield

Re: 18.1.1 & acme client
« Reply #6 on: February 03, 2018, 01:50:47 pm »
Hello,

Some additional info on the 400 ToS error:
Quote
PHP Warning:  cert_action_validator(): Node no longer exists in
/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
Crash always happens after cert issue attempt.

franco

Re: 18.1.1 & acme client
« Reply #7 on: February 03, 2018, 03:41:18 pm »
It's a cosmetic PHP issue since 7.0, ticket here....

https://github.com/opnsense/plugins/issues/333


Cheers,
Franco

elektroinside

Re: 18.1.1 & acme client
« Reply #8 on: February 11, 2018, 09:34:21 pm »
I had enough of that agreement error so I "hacked" acme.sh to take the correct one.
I also needed to comment a validation because of a freak error, but it worked... got a new cert.
« Last Edit: February 11, 2018, 09:55:25 pm by elektroinside »

eshield

Re: 18.1.1 & acme client
« Reply #9 on: February 12, 2018, 03:01:08 pm »
acme.sh 2.7.6 was released 3 days ago, any ETA on LE package update?

Thanks.

franco

Re: 18.1.1 & acme client
« Reply #10 on: February 12, 2018, 03:36:13 pm »
As soon as it hits FreeBSD, as it is tested as it is shipped in OPNsense. :)


Cheers,
Franco

eshield

Re: 18.1.1 & acme client
« Reply #11 on: February 12, 2018, 03:42:58 pm »
ouch! well, updated acme.sh by myself and everything works fine  :o

franco

Re: 18.1.1 & acme client
« Reply #12 on: February 12, 2018, 03:49:19 pm »
Nice!  Will you share your solution with everyone? :)

eshield

Re: 18.1.1 & acme client
« Reply #13 on: February 12, 2018, 04:37:23 pm »
Quote from: franco on February 12, 2018, 03:49:19 pm
Nice!  Will you share your solution with everyone? :)
There is no special magic involved. I just replaced /usr/local/sbin/acme.sh with a new one and set permissions to 0555 using WinSCP  :o

elektroinside

Re: 18.1.1 & acme client
« Reply #14 on: February 14, 2018, 10:28:56 am »
Confirming it works (replacing with the new one) :)
No other hacks, just chmod 0555

FYI, without 0555, it will fail to validate this:

Code:
    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
      if ! createDomainKey "$_main_domain" "$_key_length"; then
        _err "Create domain key error."
        _clearup
        _on_issue_err "$_post_hook"
        return 1
      fi
    fi
« Last Edit: February 14, 2018, 11:09:15 am by elektroinside »
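The manual replacement described in replies #13 and #14, as an added example that is not part of the original thread and not OPNsense or acme.sh project code: it checks the downloaded script against a SHA-256 you recorded from a trusted copy before it overwrites a script the firewall runs, keeps the packaged version for rollback, and installs with mode 0555. The function names, the `.orig` backup name and the expected-hash argument are assumptions; only `/usr/local/sbin/acme.sh` and `0555` come from the thread.

```shell
#!/bin/sh
# Added example: verify, back up and install a replacement acme.sh.

# Print the SHA-256 of a file using whichever tool the platform has.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD / OPNsense
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print the octal mode of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# replace_script NEW TARGET EXPECTED_SHA256
# Returns 0 on success, 1 on hash mismatch, 2 on any other error.
replace_script() {
    new=$1 target=$2 expected=$3
    [ -f "$new" ] || { echo "missing: $new" >&2; return 2; }
    actual=$(file_sha256 "$new") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 1                            # target is left untouched
    fi
    # Keep the packaged version once, so the change can be rolled back.
    if [ -f "$target" ] && [ ! -f "$target.orig" ]; then
        cp -p "$target" "$target.orig" || return 2
    fi
    # Install under a temporary name with the final mode, then rename, so
    # the target is never half-written or missing its execute bits.
    tmp="$target.new.$$"
    install -m 0555 "$new" "$tmp" || return 2
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 2; }
}

# Usage (hash value is a placeholder for the one you recorded yourself):
#   replace_script ./acme.sh /usr/local/sbin/acme.sh "<expected-sha256>"
```

A later package update will overwrite the manually installed file, at which point the `.orig` copy can be deleted.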
