OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Cerberus on January 25, 2021, 09:37:06 AM

Title: Renew of ECC Let's Encrypt Certificates fails.
Post by: Cerberus on January 25, 2021, 09:37:06 AM
Hi,

I have several OPNsense installations where renewing ECC certificates fails, while RSA certificates renew without issues. It looks like the renew script is missing the --ecc parameter before running Let's Encrypt to renew the certificate.

[Mon Jan 25 00:00:01 CET 2021]   'my.domain.com' is not an issued domain, skip.
[Mon Jan 25 00:00:01 CET 2021]   Renew: 'my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   DOMAIN_PATH='/var/etc/acme-client/home/my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   The domain 'my.domain.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
[Mon Jan 25 00:00:01 CET 2021]   _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Jan 25 00:00:01 CET 2021]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jan 25 00:00:01 CET 2021]   default_acme_server


Anyone else getting this? It doesn't matter if I use DNS or port-forward authentication.
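The log above is acme.sh telling the caller that the only state it can find for the domain is the ECC variant, so a renew without --ecc looks at the wrong directory. The script below is an added example, not code from the OPNsense acme-client plugin or from acme.sh: it shows the pre-renew check that picks the flag from the stored state instead of hard-coding an RSA renew. It assumes acme.sh's default on-disk layout (per-domain state in <home>/<domain> for RSA and <home>/<domain>_ecc for ECC, each holding <domain>.conf with a Le_Keylength='...' line that starts with "ec-" for ECC keys); the acme.sh home path, the domain names and the conf contents in the fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the OPNsense plugin's or acme.sh's own code): decide
# whether "acme.sh --renew -d <domain>" needs "--ecc" by reading the state
# acme.sh already keeps for the domain.
#
# Assumptions: acme.sh stores RSA material in <home>/<domain> and ECC material
# in <home>/<domain>_ecc, and each directory has <domain>.conf containing
# Le_Keylength='2048' (RSA bit length) or Le_Keylength='ec-256' (ECC curve).

# Print the Le_Keylength value from an acme.sh domain conf (empty if absent).
# Returns 1 when the conf file does not exist or is unreadable.
acme_keylength() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n "s/^Le_Keylength=//p" "$conf" | tr -d "'"
}

# Echo "--ecc" when the issued cert for DOMAIN is ECC, an empty string when it
# is RSA. Returns 1 when no issued cert exists in either directory, which is
# the "is not an issued domain, skip." case in the log.
acme_ecc_flag() {
    home="$1"; domain="$2"
    for dir in "$home/${domain}_ecc" "$home/$domain"; do
        kl=$(acme_keylength "$dir/$domain.conf") || continue
        case "$kl" in
            ec-*) printf '%s' '--ecc'; return 0 ;;
            '')   continue ;;
            *)    printf ''; return 0 ;;
        esac
    done
    return 1
}

# Build (print, do not execute) the renew command line so the difference
# between the RSA and ECC cases is visible: only the trailing flag changes.
acme_renew_cmd() {
    home="$1"; domain="$2"
    flag=$(acme_ecc_flag "$home" "$domain") || return 1
    printf '%s' "acme.sh --home $home --renew -d $domain${flag:+ $flag}"
}

# Constructed fixture: a temporary acme.sh home with one RSA domain and one
# ECC domain, mirroring the two cases from the thread. Prints the directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rsa.example.com" "$tmp/my.domain.com_ecc"
    printf "Le_Keylength='2048'\n"   > "$tmp/rsa.example.com/rsa.example.com.conf"
    printf "Le_Keylength='ec-256'\n" > "$tmp/my.domain.com_ecc/my.domain.com.conf"
    printf '%s' "$tmp"
}

# Demo run: ECC domain gets --ecc, RSA domain does not, unknown domain is skipped.
demo_home=$(make_fixture)
acme_renew_cmd "$demo_home" my.domain.com;   echo
acme_renew_cmd "$demo_home" rsa.example.com; echo
acme_renew_cmd "$demo_home" other.example.com || echo "other.example.com: not an issued domain, skip"
rm -rf "$demo_home"
```

On a real box the fixture is replaced by the plugin's acme.sh home (the log shows /var/etc/acme-client/home), and the printed command line is what the renew step should execute for that domain.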
Title: Re: Renew of ECC Let's Encrypt Certificates fails.
Post by: Cerberus on January 27, 2021, 10:31:45 AM
No one? Looks like I have to go back to RSA then.
Title: Re: Renew of ECC Let's Encrypt Certificates fails.
Post by: Greelan on January 27, 2021, 12:25:05 PM
I don't use the LE plugin but that does sound like a bug. I assume the ECC cert was originally created using the plugin and it is just the renew that is failing?

If it is a bug, suggest opening an issue on GitHub.
Title: Re: Renew of ECC Let's Encrypt Certificates fails.
Post by: Maurice on January 27, 2021, 12:54:51 PM
I've seen the same error message with one ECC cert while another one renewed just fine. I didn't have time yet for an in-depth investigation. I'll have to renew an ECC cert in about a week and will report back.
Title: Re: Renew of ECC Let's Encrypt Certificates fails.
Post by: Maurice on February 08, 2021, 12:52:23 AM
Okay, I was able to reproduce this and it might be related to OCSP Must Staple.

Please check this GitHub issue and comment whether you observe the same behavior:
https://github.com/opnsense/plugins/issues/2223

Cheers

Maurice