OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: leacho73 on November 29, 2021, 11:35:02 am

Title: ACME Client Drops WAN Connection
Post by: leacho73 on November 29, 2021, 11:35:02 am
Hi All,

Has anyone else had issues with the built-in ACME Client in 21.7.x of OPNsense?

I'm having an issue where if I try to renew any certificates, whenever I select Issue/Renew certificate, my WAN connection drops - and I lose all connections to the internet until the ACME job times out - the connections then re-establish.

Thanks
Leacho
Title: Re: ACME Client Drops WAN Connection
Post by: joeyboon on December 19, 2021, 11:35:13 am
Hi,

Same issue here on:

OPNsense 21.10.1-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021
ACME Client plugin:    3.4

During cert renewal the timeout causes all connections to be dropped. So there seem to be two issues. Cert not properly renewing and connections being dropped during the process.

ACME log:
2021-12-19T11:11:29   acme.sh[44099]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:28   acme.sh[58460]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:11:10   acme.sh[68125]   Sleep 10 and retry.
2021-12-19T11:11:10   acme.sh[36103]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:09   acme.sh[2756]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:10:51   acme.sh[76135]   Sleep 10 and retry.


System Log:
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: validation for certificate failed: REDACTED
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: domain validation failed (http01)
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using challenge type: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: account is registered: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using CA: letsencrypt
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: renew certificate: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: certificate must be issued/renewed: REDACTED


This seems to be the reason it drops the connection every night (it tries to renew the cert). It happens both when trying to manually renew or via cron. 
Title: Re: ACME Client Drops WAN Connection
Post by: Fright on December 19, 2021, 07:17:31 pm
@joeyboon Hi
Quote
Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
CURLE_COULDNT_RESOLVE_HOST (6)
dns settings issue?
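The kind of log triage Fright's reply implies, as an added example written for this thread (it is not code from the OPNsense or acme.sh projects). It parses log lines in the layout the GUI log view shows above, maps the libcurl error code acme.sh reports to its CURLcode name, and counts the retry loop; the two sample logs are constructed from the excerpts posted in this thread, and the hint strings are this example's own, not plugin output.

```python
"""Triage of acme.sh and AcmeClient log lines from an OPNsense host.

Added illustration for this thread, not code from the OPNsense or acme.sh
projects. The sample logs are constructed from the excerpts posted above;
the libcurl table is a subset of the real CURLcode values.
"""
import re
from datetime import datetime

# CURLcode values acme.sh surfaces as "error code: N" (see the libcurl
# errors page referenced in the log line itself).
LIBCURL_CODES = {
    5: "CURLE_COULDNT_RESOLVE_PROXY",
    6: "CURLE_COULDNT_RESOLVE_HOST",
    7: "CURLE_COULDNT_CONNECT",
    28: "CURLE_OPERATION_TIMEDOUT",
    35: "CURLE_SSL_CONNECT_ERROR",
    60: "CURLE_PEER_FAILED_VERIFICATION",
}

# What each code says about the firewall host itself (example's own wording).
CODE_HINTS = {
    5: "the proxy configured for acme.sh does not resolve",
    6: "the firewall cannot resolve the CA hostname: check the DNS servers "
       "under System > Settings > General and the local resolver",
    7: "DNS worked but TCP/443 to the CA did not: check WAN and gateway state",
    28: "the CA did not answer in time: WAN flapping or a stalled route",
    35: "TLS handshake failed: check the system clock and any TLS interception",
    60: "the CA chain is not trusted by the firewall's CA bundle",
}

# "<ISO timestamp>   <program>[<pid>]   <message>" as the GUI log view shows it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]\s+(?P<msg>.*)$"
)
CURL_CODE_RE = re.compile(r"for error code:\s*(\d+)")

# Constructed from the ACME log excerpt above (newest line first, as pasted).
ACME_LOG = """
2021-12-19T11:11:29   acme.sh[44099]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:28   acme.sh[58460]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:11:10   acme.sh[68125]   Sleep 10 and retry.
2021-12-19T11:11:10   acme.sh[36103]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:09   acme.sh[2756]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:10:51   acme.sh[76135]   Sleep 10 and retry.
"""

# Constructed from the system log excerpt above (hostnames redacted there too).
SYSTEM_LOG = """
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: validation for certificate failed: REDACTED
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: domain validation failed (http01)
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using CA: letsencrypt
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: renew certificate: REDACTED
"""


def curl_name(code):
    """Map a CURLcode to its symbolic name; unknown codes are still reported."""
    return LIBCURL_CODES.get(code, "CURLE_UNKNOWN(%d)" % code)


def parse_lines(text):
    """Parse log records into dicts, oldest first (the GUI lists newest first)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a log record
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "prog": m.group("prog"),
            "pid": int(m.group("pid")),
            "msg": m.group("msg").strip(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def triage(acme_log, system_log):
    """Summarise where a renewal failed, from the acme.sh and system logs."""
    acme = parse_lines(acme_log)
    system = parse_lines(system_log)
    codes = sorted({int(m.group(1)) for e in acme
                    for m in [CURL_CODE_RE.search(e["msg"])] if m})
    span = (acme[-1]["ts"] - acme[0]["ts"]).total_seconds() if acme else 0.0
    return {
        "curl_codes": codes,
        "curl_names": [curl_name(c) for c in codes],
        "hints": [CODE_HINTS.get(c, "no hint for this code") for c in codes],
        # acme.sh never got past fetching the CA directory document
        "directory_init_failed": any("Can not init api" in e["msg"] for e in acme),
        "retries": sum(1 for e in acme if e["msg"].startswith("Sleep")),
        "acme_window_seconds": span,
        # AcmeClient recorded a challenge failure (separate run, here the cron one)
        "validation_failed": any("domain validation failed" in e["msg"] for e in system),
    }


if __name__ == "__main__":
    for key, value in triage(ACME_LOG, SYSTEM_LOG).items():
        print("%-22s %s" % (key, value))
```

On the excerpt above this reports code 6 (CURLE_COULDNT_RESOLVE_HOST), two retries within a 38 second window, and that acme.sh failed at the directory fetch, i.e. before any challenge was attempted; the http01 failure in the system log belongs to the separate 03:00 cron run.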
Title: Re: ACME Client Drops WAN Connection
Post by: joeyboon on December 19, 2021, 08:53:10 pm
Hi @fright

DNS is set correctly and propagated.
Title: Re: ACME Client Drops WAN Connection
Post by: Fright on December 20, 2021, 08:22:16 pm
so if you try
curl https://acme-v02.api.letsencrypt.org/directory
in shell it works?
can you try "Forcefully issue or renew" in this case?
Title: Re: ACME Client Drops WAN Connection
Post by: joeyboon on December 28, 2021, 08:21:50 am
Hi @Fright,

Quote
so if you try
curl https://acme-v02.api.letsencrypt.org/directory
in shell it works?
can you try "Forcefully issue or renew" in this case?

In shell this returns:

{
  "DFkTnKbE2ms": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

So that seems to be also working fine. I tried forcefully renewing already through the GUI, this resulted in the same problem.
Title: Re: ACME Client Drops WAN Connection
Post by: Fright on December 29, 2021, 07:30:42 am
Hi!
sorry, can’t simulate a situation when name resolution works from shell but does not work from the acme script. can you share the dns settings on the opnsense host? using a local dns service on host or external servers (or both)?
Title: Re: ACME Client Drops WAN Connection
Post by: joeyboon on January 06, 2022, 08:33:33 am
Hi,

I've managed to solve the issue by reinstalling the plugin and adding everything in the same way I did last time. So no idea why it broke in the first place. It instantly worked again. I used this guide: https://www.youtube.com/watch?v=IR41duTqN6Y

I changed nothing in the external DNS records, so it definitely was a problem on the local system.