I've got a valid LE cert on my FW, but the certificates in the GUI show validation failed, and I can't seem to find the cronjob.
ideas?
(I force renewed from the GUI, hence the new issue date).
So Chrome/Firefox shows a Let's Encrypt certificate?
I noticed your domain home-fw.lerctr.org points to a local network address, 192.168.200.11.
yep.
https://www.lerctr.org/~ler/cert.png
(since the attachment limit is too small).
I'm *VERY* knowledgeable, and a FreeBSD ports committer FWIW.
What validation method you using?
dns-01 / nsupdate to my nameserver. NOTE: acme issues the cert, but the GUI doesn't seem to know that.
If you look into the source code (https://github.com/opnsense/plugins/blob/a18c04031f682eb5bf77487bb4d5b897ec34ed88/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php), line 226 is the part of the if statement I think you're getting.
So if you follow the run_acme_validation() function, it builds the command to check the status of the certificate, so the check must be failing for some reason. The logs might help you there.
You haven't removed the TXT record have you?
The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.
I'll have to go look at the script later.
If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....
Quote from: lrosenman on April 04, 2019, 10:01:39 PM
The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.
I'll have to go look at the script later.
I'm no expert but I thought the DNS record had to stay there?
Quote from: lrosenman on April 04, 2019, 10:36:40 PM
If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....
I think they just remove the - in the logic.
Quote from: Jonny on April 06, 2019, 02:08:18 PM
I'm no expert but I thought the DNS record had to stay there?
Nope. The record is created by the NSUPDATE helper, checked by acme during cert authorization, then removed by the NSUPDATE helper.
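The create / check / delete lifecycle described in the reply above, simulated against an in-memory zone as an added example (not code from acme.sh, the nsupdate hook or the acme-client plugin; the token, thumbprint and FakeZone are constructed stand-ins). The TXT value is computed as RFC 8555 specifies for DNS-01.

```python
# Added example: DNS-01 record lifecycle (create -> CA checks -> delete)
# against a fake zone standing in for the nsupdate target.
import base64
import hashlib


def b64url(data: bytes) -> str:
    """RFC 8555 base64url encoding, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token "." thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode()
    return b64url(hashlib.sha256(key_authorization).digest())


class FakeZone:
    """Constructed stand-in for the DNS server updated via nsupdate."""

    def __init__(self):
        self.txt = {}

    def add_txt(self, name: str, value: str) -> None:   # 'update add ... TXT'
        self.txt.setdefault(name, set()).add(value)

    def del_txt(self, name: str) -> None:               # 'update delete ... TXT'
        self.txt.pop(name, None)

    def query_txt(self, name: str) -> set:
        return set(self.txt.get(name, ()))


def run_dns01(zone: FakeZone, domain: str, token: str, thumbprint: str):
    """Run one DNS-01 authorization; return (validated, record_left_behind)."""
    name = f"_acme-challenge.{domain}"
    expected = dns01_txt_value(token, thumbprint)
    zone.add_txt(name, expected)                  # helper creates the record
    validated = expected in zone.query_txt(name)  # CA resolves and compares
    zone.del_txt(name)                            # helper removes it afterwards
    return validated, bool(zone.query_txt(name))


if __name__ == "__main__":
    zone = FakeZone()
    # constructed token and thumbprint, not real ACME values
    print(run_dns01(zone, "home-fw.lerctr.org", "tokenXYZ", "thumbprintABC"))
```

Outside the renewal window the query returns nothing, so an empty TXT lookup after renewal is the expected state, not a sign of failure.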
Quote from: Jonny on April 06, 2019, 02:08:18 PM
Quote from: lrosenman on April 04, 2019, 10:36:40 PM
If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....
I think they just remove the - in the logic.
and what about cAsE-sEnSiTiViTy?
Have the same problem: https://forum.opnsense.org/index.php?topic=11350.msg51317#msg51317
YAY! it's not just me :)
I have the same problem with my certificate, someone already solved the problem?
Not yet. Waiting for someone with some clue to chime in.
FYI, with the latest update (19.1.6) the certificate no longer shows an error.
Mine is still showing error....
My certificate renewed last night and it still shows validation failed:
Common Name: home-fw.lerctr.org
Multi-Domain (SAN): home.lerctr.org
Issue/Renewal Date: 6/12/2019, 12:02:38 AM
Last Acme Status: validation failed
Last Acme Run: 4/3/2019, 2:08:07 PM
(19.1.9 / os-acme-client (installed) 1.23, 235KiB, Let's Encrypt client)
+1 19.1.9 still the same.