OPNsense Forum
English Forums => 24.1 Production Series => Topic started by: opn_minded on February 08, 2024, 03:50:29 pm
-
Hi there,
I'm running OPNsense 24.1.1. Nextcloud behind HAProxy/ACME has been working fine for ages, so I never paid attention to the automatic cert renewals as this was a working process. Today my client told me that the cert was outdated, so I had a look into the ACME/LE certs and yes, it's past its renewal date. I'm using the http-01 challenge.
My question to you: were there any changes to HAProxy/ACME since December 2023 (I'm not aware of any that would require a change in settings)?
What happens when I force-renew a certain certificate:
syslog
AcmeClient: validation for certificate failed: <REDACTED>
acme log
[Thu Feb 8 15:28:32 CET 2024] Invalid status, <REDACTED>:Verify error detail:<REDACTED>: Fetching https://<REDACTED>/.well-known/acme-challenge/<REDACTED>: Error getting validation data
/var/log/acme.sh.log doesn't show anything additional.
Of course I've also tried to run without HAProxy.
Many thanks for your time!
-
Hi opn_minded, I've reported this issue here in the forum some days ago, and after that some other users reported this as well.
Here are the reports:
https://forum.opnsense.org/index.php?topic=38585.0
https://forum.opnsense.org/index.php?topic=38535.0
https://forum.opnsense.org/index.php?topic=38484.0 (this is my report)
As in your case, I realized that the certificates were not being renewed some days after the first error occurred.
Because I have other certificates that had successfully renewed before, I can infer that the problem started to happen between January 1st and 22nd. There was an update in the middle: the 23.7.11 update.
-
Hi mate,
Thanks for sharing your insights and the links to the other reports.
Good news: I got it working again.
As for the acme-client:
- Reset acme-client
- Remove acme-client
- Re-install acme-client
As for NAT:
- I changed the port forward (had a custom port) and adapted it according to https://letsencrypt.org/docs/challenge-types/#http-01-challenge
As for HAProxy:
- I changed the listening port for HTTP challenges
That's basically it. Afterwards I re-created the settings in the acme-client and force-refreshed my cert. It was provided immediately without any errors.
Hope that helps!
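A pre-flight check for what the fix above relies on (plain HTTP on port 80 at /.well-known/acme-challenge/<token>, answering with the key authorization), as an added Python example that is not part of this thread or of the OPNsense acme-client plugin; the account key and token are constructed sample values, and check_served_response takes what your edge actually returned rather than fetching it.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample account key (not a real key) and token, for the demo below.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-sample-modulus", "e": "AQAB"}
SAMPLE_TOKEN = "constructed-sample-token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at the challenge URL: token '.' thumbprint (RFC 8555, section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(host: str, token: str) -> str:
    """Where the CA starts validation: plain HTTP on port 80; redirects are followed from there."""
    return f"http://{host}{CHALLENGE_PREFIX}{token}"


def check_served_response(url: str, status: int, body: str, token: str, jwk: dict) -> list:
    """Return the problems a CA would trip over for what your edge serves; [] means it would pass."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port not in (None, 80):
        problems.append("initial request must be plain http on port 80 (check the NAT port forward)")
    if parts.path != CHALLENGE_PREFIX + token:
        problems.append("wrong challenge path")
    if status != 200:
        problems.append(f"HTTP {status} instead of 200 (listener/backend not answering on that port)")
    if body.strip() != key_authorization(token, jwk):
        problems.append("body is not the key authorization for this token and account key")
    return problems
```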
-
Excellent, glad to see you resolved it.
Maybe the solution is to uninstall and reinstall as you did.
Don't think it's a matter of configuration because it has worked for years and it suddenly failed.