OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: lebernd on December 08, 2020, 10:09:33 PM

Title: 20.7.6 - Letsencrypt new CA
Post by: lebernd on December 08, 2020, 10:09:33 PM
Hello,

One more word on this sentence in the release notes?
Quote: Please note that Let's Encrypt users need to reissue their certificates manually after upgrading to this version to fix the embedded certificate chain issue with the current signing CA switch going on.

Do I have to do this right away, or (as it seems to me at the moment) can I wait for the next issuing via cron, if it is before March 2021? It should be, as 17 March is more than 90 days away if I counted right.

Best,
Bernd
Title: Re: 20.7.6 - Letsencrypt new CA
Post by: Fright on December 09, 2020, 07:31:05 AM
https://github.com/opnsense/plugins/issues/2126
So, if I understood correctly: if your current cert chain leads to the X3 root, you can wait;
if your cert chain leads to the R3 root, force a renew to rebuild the chain.
Title: Re: 20.7.6 - Letsencrypt new CA
Post by: lebernd on December 09, 2020, 07:42:13 AM
Thanks for the clarification and the link, that makes sense.

Best, Bernd
Title: Re: 20.7.6 - Letsencrypt new CA
Post by: gazd25 on December 17, 2020, 11:40:42 AM
Hi Guys,

Not sure if I'm an isolated case, but since updating to 20.7.6 I seem to be getting the same error every time when trying to forcefully renew the certificate chain as below:

Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7

When looking at the URL it lists error 7 as:

CURLE_COULDNT_CONNECT (7)

Failed to connect() to host or proxy.

Turning up the logging level shows the below errors in the logs:

[Thu Dec 17 11:25:45 GMT 2020]    Giving up sending to CA server after 20 retries.
[Thu Dec 17 11:25:43 GMT 2020]    Could not get nonce, let's try again.
[Thu Dec 17 11:25:43 GMT 2020]    ret='7'
== Info: Immediate connect fail for    2606:4700:60:0:f53d:5624:85c7:3a2c: No route to host
== Info: Immediate connect fail for    172.65.32.248: Host is down
[Thu Dec 17 11:25:43 GMT 2020]    == Info: Trying 172.65.32.248:443...

So it looks as if the acme client is trying to connect to something that's offline or the URL is incorrectly configured in the request; however, when I manually ping the address 172.65.32.248 from my private network behind the firewall it answers, and if I access it with HTTPS it lets me know it's a Let's Encrypt server running Boulder.

I run two OPNsense firewalls, both set up similarly and using Hurricane Electric DNS and the DNS-01 challenge for renewal, but for different domains and in different physical locations.

The other one I haven't updated from 20.7.5 yet and that still seems to be working without issues.

I don't use the HAProxy integration and just select the named cert in the HAProxy frontend.

I have tried stripping all Let's Encrypt configuration, resetting the configuration, uninstalling and reinstalling the Let's Encrypt plugin and reconfiguring from scratch, and I still receive the same error as above. I also changed the password for Hurricane Electric in case there is some new limitation introduced, but none of this seems to resolve it at all.

My original cert from previous versions is still in place in the trust store and valid until the 21st of January, so I have a little time to resolve this, but I'm really running out of ideas, so I'm asking for help if you can provide any.

Thanks

Gareth
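The log lines in Gareth's post show acme.sh's curl trying each resolved address of the ACME API in turn (IPv6 "No route to host", then IPv4 "Host is down") and giving up with libcurl code 7. A ping from a client behind the firewall does not test the same path: the renewal runs on the firewall itself, with its own routing table and outbound rules. The script below, an added example that is not OPNsense or acme.sh code, reproduces that per-address connect step so it can be run on the firewall (or any host) to see which address family fails. It assumes `acme-v02.api.letsencrypt.org` is the Let's Encrypt production directory host and uses only a handful of libcurl error codes from the page linked in the post; the loopback demo at the end runs offline and needs no network.

```python
"""Probe ACME API reachability per address family, like acme.sh's curl does.

Added example for this thread; not OPNsense or acme.sh code. Run it on the
firewall itself: the acme.sh log reports the firewall's own connects failing,
so a test from a client behind it proves nothing.
"""
import socket
import sys
from typing import Dict, List, Tuple

# Assumed production ACME v2 directory host; pass another host as argv[1].
ACME_HOST = "acme-v02.api.letsencrypt.org"
ACME_PORT = 443

# Subset of libcurl codes from https://curl.haxx.se/libcurl/c/libcurl-errors.html
CURL_CODES = {
    6: "CURLE_COULDNT_RESOLVE_HOST: DNS lookup of the ACME host failed",
    7: "CURLE_COULDNT_CONNECT: TCP connect to every resolved address failed",
    28: "CURLE_OPERATION_TIMEDOUT: connect or transfer timed out",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake failed",
    60: "CURLE_PEER_FAILED_VERIFICATION: server chain not trusted by the client",
}


def explain_curl_code(code: int) -> str:
    """Translate a libcurl exit code into the name acme.sh users see in 'ret='."""
    return CURL_CODES.get(code, f"libcurl error {code}: see the libcurl-errors page")


def resolve(host: str, port: int = ACME_PORT) -> List[str]:
    """Return the unique IPv4/IPv6 literals the host resolves to, in OS order."""
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip not in seen:
            seen.append(ip)
    return seen


def probe_address(ip: str, port: int = ACME_PORT, timeout: float = 3.0) -> Dict[str, object]:
    """One TCP connect attempt, the equivalent of curl's 'Trying <ip>:443...' line."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    result: Dict[str, object] = {
        "address": ip,
        "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
        "ok": False,
        "error": None,
    }
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
        result["ok"] = True
    except OSError as e:  # covers refused, no route, host down, timeout, no IPv6 stack
        result["error"] = e.strerror or str(e) or type(e).__name__
    return result


def summarize(results: List[Dict[str, object]]) -> Tuple[str, str]:
    """Map the per-address outcomes onto what acme.sh would report."""
    if not results:
        return "unresolved", "hostname resolved to nothing (curl would report code 6)"
    ok = [str(r["address"]) for r in results if r["ok"]]
    failed = [str(r["address"]) for r in results if not r["ok"]]
    if not ok:
        return "all_fail", (
            "no resolved address accepted a TCP connect; acme.sh reports this as ret='7'. "
            "Check the firewall's own default route, outbound rules and NAT, not the LAN clients"
        )
    if failed:
        return "partial", f"reachable via {', '.join(ok)}; curl falls back to these. Unreachable: {', '.join(failed)}"
    return "ok", "every resolved address accepts connections"


def loopback_demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Offline demonstration: probe a live loopback listener, then the same port once closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    live = probe_address("127.0.0.1", port)
    listener.close()
    dead = probe_address("127.0.0.1", port)  # now refused, like 'Host is down' in the log
    return live, dead


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else ACME_HOST
    try:
        addrs = resolve(host)
    except socket.gaierror as e:
        print(explain_curl_code(6), e)
        sys.exit(1)
    probes = [probe_address(ip) for ip in addrs]
    for r in probes:
        state = "ok" if r["ok"] else f"FAIL ({r['error']})"
        print(f"{r['family']:4} {r['address']:40} {state}")
    print(summarize(probes)[1])
```

If the IPv6 probe fails with "No route to host" while IPv4 succeeds, curl still completes the request by falling back, so a persistent `ret='7'` means both families fail from the firewall itself; at that point the usual suspects are the firewall's own outbound rules, a missing default route on the WAN, or an HTTP proxy setting that curl is being told to use.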