OPNsense Forum

English Forums => General Discussion => Topic started by: curioustech on March 29, 2020, 08:23:23 pm

Title: Unable to get wild card cert using Lets Encrypt Plugin
Post by: curioustech on March 29, 2020, 08:23:23 pm
root@OPNsense:~ # cat /var/log/acme.sh.log
[Sun Mar 29 18:03:25 UTC 2020] HEAD
[Sun Mar 29 18:03:26 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Mar 29 18:03:26 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  -I  '
[Sun Mar 29 18:03:26 UTC 2020] _ret='0'
[Sun Mar 29 18:03:26 UTC 2020] POST
[Sun Mar 29 18:03:27 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Mar 29 18:03:27 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sun Mar 29 18:03:27 UTC 2020] _ret='0'
[Sun Mar 29 18:03:27 UTC 2020] code='201'
[Sun Mar 29 18:03:27 UTC 2020] Le_LinkOrder=' https://acme-v02.api.letsencrypt.org/acme/order/81932777/2822543509'
[Sun Mar 29 18:03:27 UTC 2020] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/81932777/2822543509'
[Sun Mar 29 18:03:27 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/3637170129'
[Sun Mar 29 18:03:27 UTC 2020] payload
[Sun Mar 29 18:03:29 UTC 2020] POST
[Sun Mar 29 18:03:29 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/3637170129'
[Sun Mar 29 18:03:29 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Sun Mar 29 18:03:29 UTC 2020] _ret='0'
[Sun Mar 29 18:03:29 UTC 2020] code='200'
[Sun Mar 29 18:03:30 UTC 2020] d='*.homelabusa.com'
[Sun Mar 29 18:03:30 UTC 2020] Getting webroot for domain='*.homelabusa.com'
[Sun Mar 29 18:03:30 UTC 2020] _w='/var/etc/acme-client/challenges'
[Sun Mar 29 18:03:30 UTC 2020] _currentRoot='/var/etc/acme-client/challenges'
[Sun Mar 29 18:03:30 UTC 2020] entry
[Sun Mar 29 18:03:30 UTC 2020] Error, can not get domain token entry *.homelabusa.com
[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01
[Sun Mar 29 18:03:30 UTC 2020] pid
[Sun Mar 29 18:03:30 UTC 2020] No need to restore nginx, skip.
[Sun Mar 29 18:03:30 UTC 2020] _clearupdns
[Sun Mar 29 18:03:30 UTC 2020] dns_entries
[Sun Mar 29 18:03:30 UTC 2020] skip dns.
[Sun Mar 29 18:03:30 UTC 2020] _on_issue_err
[Sun Mar 29 18:03:30 UTC 2020] Please check log file for more details: /var/log/acme.sh.log
Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: banym on March 29, 2020, 08:26:31 pm
https://letsencrypt.org/de/docs/challenge-types/

[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01
Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: curioustech on March 29, 2020, 09:32:43 pm
https://letsencrypt.org/de/docs/challenge-types/

[Sun Mar 29 18:03:30 UTC 2020] The supported validation types are: dns-01 , but you specified: http-01

Thank you. I now understand that for the wildcard cert renewal, I need to configure the DNS API so that ACME validation can be performed by creating a custom TXT record.

My domain is serviced by Google Domains. "Google Cloud DNS API" is the closest match among the list of available options.

Is there any article or documentation on how to obtain the "JSON Key" to configure this option?
Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: curioustech on March 30, 2020, 03:19:37 am
After chatting with Google Domains support, I learned that Google does not provide an API to create a synthetic TXT DNS record as per the ACME v2 requirement.

So, I changed my DNS server to Cloudflare, and after that, using the "CloudFlare.com API", I could obtain a wildcard cert for the staging environment successfully.

So, the next logical step was to change the Let's Encrypt environment to Production to get a real cert from the Let's Encrypt CA.
So, I went to Services -> Let's Encrypt -> Settings -> Let's Encrypt Environment:
From: Staging Environment
To: Production Environment [default]

The Let's Encrypt client is not reading the key length, not creating a key, and not doing any processing.

Here are all the log entries for the attempt to obtain a cert for the Production environment.

[Mon Mar 30 01:05:18 UTC 2020]   ACCOUNT_THUMBPRINT='RemovedMyAccountThubPrint'
[Mon Mar 30 01:05:18 UTC 2020]   Calc CA_KEY_HASH='h28g6IEtI2JC8RGXHixEqIZdykK+x125CDpeQ4HHsuc='
[Mon Mar 30 01:05:18 UTC 2020]   _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/81953603'
[Mon Mar 30 01:05:18 UTC 2020]   Already registered
[Mon Mar 30 01:05:18 UTC 2020]   code='200'
[Mon Mar 30 01:05:18 UTC 2020]   _ret='0'
[Mon Mar 30 01:05:17 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.cRb6rHUS -g '
[Mon Mar 30 01:05:17 UTC 2020]   _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:17 UTC 2020]   POST
[Mon Mar 30 01:05:17 UTC 2020]   _ret='0'
[Mon Mar 30 01:05:14 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.cRb6rHUS -g -I '
[Mon Mar 30 01:05:14 UTC 2020]   _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 30 01:05:14 UTC 2020]   HEAD
[Mon Mar 30 01:05:14 UTC 2020]   payload='{"contact": ["mailto: pranav.raval.usa@gmail.com"], "termsOfServiceAgreed": true}'
[Mon Mar 30 01:05:14 UTC 2020]   url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:14 UTC 2020]   Registering account
[Mon Mar 30 01:05:08 UTC 2020]   RSA key
[Mon Mar 30 01:05:08 UTC 2020]   ACME_VERSION='2'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Mar 30 01:05:08 UTC 2020]   ACME_NEW_AUTHZ
[Mon Mar 30 01:05:08 UTC 2020]   ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Mon Mar 30 01:05:07 UTC 2020]   ret='0'
[Mon Mar 30 01:05:05 UTC 2020]   _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.r1p8ee3j -g '
[Mon Mar 30 01:05:05 UTC 2020]   timeout=
[Mon Mar 30 01:05:05 UTC 2020]   url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 30 01:05:05 UTC 2020]   GET
[Mon Mar 30 01:05:05 UTC 2020]   _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Mon Mar 30 01:05:05 UTC 2020]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Mar 30 01:05:05 UTC 2020]   Using config home:/var/etc/acme-client/home
[Mon Mar 30 01:05:05 UTC 2020]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'

Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: curioustech on March 30, 2020, 07:14:52 am
I compared the log of the unsuccessful production environment with the staging environment and learned that it was getting stuck at reading the key.

I changed the key size from 4096 to 2048 and tried again, and this time the Let's Encrypt client worked as expected and I got the wildcard cert and key.

The lesson learned here is that the Let's Encrypt client doesn't seem to support a 4096-bit key.
Perhaps it supports it for a single-server cert, which I have not verified.
However, it definitely didn't work for a wildcard cert request.
Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: curioustech on March 30, 2020, 07:28:47 am
I will be submitting a bug report on GitHub because a 4096-bit key worked for a wildcard cert in the staging environment.

Special thanks to @banym, who shared the KB article that taught me to use DNS validation, because that's the only validation method supported for wildcard certs.

Also, by studying the article, I learned how the Let's Encrypt client uses API calls to DNS providers to create the TXT record needed to get a wildcard cert.
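For what the dns-01 validation in this thread actually publishes, here is an added example (not code from the thread or from acme.sh): given the account key's JWK thumbprint (the ACCOUNT_THUMBPRINT seen in the log) and a challenge token, it derives the name and value of the `_acme-challenge` TXT record per RFC 8555 and RFC 7638, and it also picks out the acme.sh log line that explained the first failure. The JWK and token values are constructed; `homelabusa.com` is the domain from the log.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """dns-01 TXT value: base64url(SHA-256(token '.' thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    """A wildcard name is validated on its base name: '*.example.com' -> '_acme-challenge.example.com'."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


# Matches the acme.sh message from the first log in the thread.
VALIDATION_MISMATCH = re.compile(
    r"supported validation types are: (?P<supported>.+?)\s*, but you specified: (?P<used>\S+)"
)


def triage_acme_log(lines):
    """Return (supported, used) pairs for every validation-type mismatch in acme.sh log lines."""
    findings = []
    for line in lines:
        m = VALIDATION_MISMATCH.search(line)
        if m:
            findings.append((m.group("supported"), m.group("used")))
    return findings


if __name__ == "__main__":
    jwk = {"kty": "RSA", "n": "constructed-modulus", "e": "AQAB"}  # constructed sample, not a real key
    tp = jwk_thumbprint(jwk)
    print(dns01_record_name("*.homelabusa.com"), "TXT", dns01_txt_value("constructed-token", tp))
```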
Title: Re: Unable to get wild card cert using Lets Encrypt Plugin
Post by: banym on March 30, 2020, 08:18:57 am
Many thanks for sharing the solution and the further information about key size.