OPNsense Forum
Archive => 23.1 Legacy Series => Topic started by: Koloa on April 10, 2023, 06:16:52 am
-
Prior to 23.1, the ACME plugin seemed to work fine, and I had automatically renewed certificates for several months.
Somewhere around the change to 23.1, however, it no longer works via OPNsense, even though I can use Gandi's LiveDNS and API key from "letsencrypt" on a Pi just fine (so the issue is not Gandi, and not the API key).
My logs appear as such (with debug logging enabled for the ACME Settings):
2023-04-10T14:02:33 Error opnsense AcmeClient: validation for certificate failed: host.mydomain.com
2023-04-10T14:02:33 Error opnsense AcmeClient: domain validation failed (dns01)
2023-04-10T14:02:25 Notice opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --dns 'dns_gandi_livedns' --dnssleep '90' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/whatever.07307279/cert.pem' --keypath '/var/etc/acme-client/keys/whatever.07307279/private.key' --capath '/var/etc/acme-client/certs/whatever.07307279/chain.pem' --fullchainpath '/var/etc/acme-client/certs/whatever.07307279/fullchain.pem' --domain 'host.mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/whatever.40506586_prod/account.conf'
2023-04-10T14:02:25 Notice opnsense AcmeClient: using challenge type: GandiV5
2023-04-10T14:02:25 Notice opnsense AcmeClient: account is registered: Let's Encrypt
2023-04-10T14:02:25 Notice opnsense AcmeClient: using CA: letsencrypt
2023-04-10T14:02:25 Notice opnsense AcmeClient: issue certificate: host.mydomain.com
2023-04-10T14:02:25 Notice opnsense AcmeClient: certificate must be issued/renewed: host.mydomain.com
Obviously, this is in reverse chronological order.
I've obfuscated a few things, but, I do not think they are relevant to the issue. The domain has the Gandi API enabled, the key works fine, etc etc.
What I do notice, however, is that the "dnssleep" option passed to the ACME shell script is being ignored. I've tried various values here (120 seconds, 240, 0 (default)); however, as you can see from the logs, within 2 seconds OPNsense records the attempt as a failure and gives up.
Interestingly, even with "0" set as the value, the OPNsense plugin does not seem to retry as per the on-screen note: "The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 0 seconds, which causes Acme Client to check public DNS services every 10 seconds for up to 20 minutes. If set to a non-zero value, a fixed DNS sleep time will be used and the local DNS servers will be queried instead. A DNS sleep time of 120 seconds or more is recommended for some DNS APIs."
Does anyone have ACME working with 23.1 series and Gandi LiveDNS?
-
For what it is worth, this problem persists with OPNsense 23.1.7_3 with ACME Client Plugin 3.16.
The DNS01 challenge for Gandi (and perhaps all DNS01 challenges?) seems to fail immediately, without respecting the DNS Sleep option.
-
It also does not work with All-Inkl.com. Why is OPNsense so buggy?
-
f
-
The problem can come from an old API key being used.
The workaround is to manually edit the acme-client account.conf file and change the API key to the latest value:
1. Log in to the OPNsense root shell account.
2. Edit /var/etc/acme-client/accounts/*/account.conf
3. Replace the value in GANDI_LIVEDNS_KEY='your.latest.gandi.api.key' with your latest Gandi API key.
Then try to re-generate your certs.
See: https://github.com/acmesh-official/acme.sh/issues/2011
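As an added example (not from this thread or from the OPNsense/acme.sh projects), here is a small POSIX shell helper that performs step 2 and 3 above in a controlled way: it keeps a backup of the file, rewrites only the GANDI_LIVEDNS_KEY line, and takes the new key from an environment variable (assumed name: NEW_GANDI_KEY) so the secret never lands on a command line where it would show up in `ps` output or shell history. It assumes the single-quoted `KEY='value'` format acme.sh uses in account.conf, as shown in the post, and that you run it as root on the firewall; the demo file it creates is a constructed throwaway, not a real OPNsense account.

```shell
#!/bin/sh
# Replace the Gandi LiveDNS key stored in an acme.sh account.conf.
# The new key is read from $NEW_GANDI_KEY (hypothetical variable name) so it
# is not passed as an argument and does not end up in ps output or history.
update_gandi_key() {
  conf="$1"
  [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
  [ -n "$NEW_GANDI_KEY" ] || { echo "NEW_GANDI_KEY is not set" >&2; return 1; }
  # Refuse characters that would break the sed replacement or the quoting.
  case "$NEW_GANDI_KEY" in
    *[!A-Za-z0-9._-]*) echo "key contains unexpected characters" >&2; return 1 ;;
  esac
  # Keep a backup (it still holds the old secret: delete it once the renewal works).
  cp -p "$conf" "$conf.bak"
  if grep -q '^GANDI_LIVEDNS_KEY=' "$conf"; then
    # Rewrite only the key line; everything else in account.conf stays untouched.
    sed -i.tmp "s|^GANDI_LIVEDNS_KEY=.*|GANDI_LIVEDNS_KEY='$NEW_GANDI_KEY'|" "$conf"
    rm -f "$conf.tmp"
  else
    printf "GANDI_LIVEDNS_KEY='%s'\n" "$NEW_GANDI_KEY" >> "$conf"
  fi
  # The file contains an API credential; keep it readable by root only (assumption).
  chmod 600 "$conf"
}

# Print the key currently stored in an account.conf, without the quotes.
current_gandi_key() {
  sed -n "s/^GANDI_LIVEDNS_KEY='\{0,1\}\([^']*\)'\{0,1\}$/\1/p" "$1"
}

# Constructed demo: a throwaway account.conf with a made-up old key.
demo_update() {
  dir=$(mktemp -d)
  printf "ACCOUNT_EMAIL='admin@example.com'\nGANDI_LIVEDNS_KEY='old-key-constructed'\n" \
    > "$dir/account.conf"
  NEW_GANDI_KEY='new-key-constructed'
  export NEW_GANDI_KEY
  update_gandi_key "$dir/account.conf" || return 1
  current_gandi_key "$dir/account.conf"
  rm -rf "$dir"
}

demo_update
```

On the firewall you would export NEW_GANDI_KEY, run `update_gandi_key` against each file matched by `/var/etc/acme-client/accounts/*/account.conf`, re-issue the certificate, and then remove the `.bak` copies, since they still contain the revoked key.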
-
Outstanding. That was it. I modified the .conf file, re-issued a certificate, and all looks good.
Thank you very much for the pointer!
-
Outstanding. That was it. I modified the .conf file, re-issued a certificate, and all looks good.
Thank you very much for the pointer!
I struggled with the same issue for months and when I finally found a solution it was a great relief so I can understand how helpful it can be for others.