Hello together,
ich had a really strange problem.
Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back.
The firewall had furthermore a connection to the internet, but no traffic going out.
This happens always if a start renewal of a certifcate.
If i reboot firewall or reload filters at ssh console with "configctl filter reload", the connection is getting functional.
An other user had the same problem like me: https://forum.opnsense.org/index.php?topic=4792.0
But in my opinion it looks like an error in Opnsense or let´s encrypt.
There are now error message in system - general logs except the following one:
2021-02-15T22:28:57 sshd[37286] Unable to negotiate with 185.239.242.158 port 57798: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
2021-02-15T22:28:18 sshd[86814] Unable to negotiate with 185.239.242.158 port 34914: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using challenge type: http_portfwd_on_wan
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 87.aaa.bbb.cc
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 192.168.21.1
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 87.xxx.yyy.zz
2021-02-15T22:28:18 opnsense[84212] AcmeClient: account is registered: DynDns my
2021-02-15T22:28:18 opnsense[84212] AcmeClient: issue certificate: mydyndnsdomain.hoster.eu
Meta-Data:
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020
os-acme-client (installed) 2.3 Let's Encrypt client
Do someone know this behavior?
Quote from: Mr. Browny on February 15, 2021, 10:37:13 PM
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using challenge type: http_portfwd_on_wan
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 87.aaa.bbb.cc
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 192.168.21.1
2021-02-15T22:28:18 opnsense[84212] AcmeClient: using IPv4 address: 87.xxx.yyy.zz
2021-02-15T22:28:18 opnsense[84212] AcmeClient: account is registered: DynDns my
2021-02-15T22:28:18 opnsense[84212] AcmeClient: issue certificate: mydyndnsdomain.hoster.eu
I'd assume you are using the HTTP-01 challenge type with "OPNsense Web Service (automatic port forward)" selected. In this mode the Let's Encrypt plugin tries to _guess_ the correct settings for your firewall and automatically generates firewall rules accordingly. This can easily go wrong. You've likely hit a bug.
Please provide the exact challenge type settings (a screenshot is sufficient). Furthermore the contents of the following files will help me to understand what went wrong (the ID "abcdefgh.12345678" is a placeholder, search for the correct one):
root@opnsense:~ # ls -l /var/etc/acme-client/configs/abcdefgh.12345678
total 8
-rwxr-x--- 1 root wheel 325 Apr 29 2019 acme_anchor_rules*
-rwxr-x--- 1 root wheel 25 Apr 29 2019 acme_anchor_setup*As a sidenote: I highly recommend using a DNS-01 challenge type whenever possible. It is extremely reliable and hard to break. :)
Regards
- Frank
Hi Frank,
thanks for your reply and the tips.
you are right, i am using HTTP-01 to generate a valid lets encrypt cert.
I followed your hint and changed the generation to DNS-01 with haproxy.
Now it is working fine and the described problem is gone.
Thank you very much.