I use latest and greatest version 21.7.3_1. OPNsense Acme client keeps renewing SSL cert using expired CA:
OPNsense ACME:
- DST Root CA X3 -> R3 -> Server SSL cert
and for example Freebsd (TrueNAS) acme.sh client in version of 2.8.6 or latest 3.0.1 uses following:
- ISRG Root X1 -> R3 -> Server SSL cert
As per https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ X3 CA is already expired.
I can't find location/path of acme client in OPNsense; anyway, how can I get it fixed?
See this thread: https://forum.opnsense.org/index.php?topic=24950
Quote from: Greelan on September 30, 2021, 09:25:16 AM
See this thread: https://forum.opnsense.org/index.php?topic=24950 (https://forum.opnsense.org/index.php?topic=24950)
Thanks, been looking by "acme" phrase :o . I hit renewal rate threshold and I need to wait, but it seems that solution is to delete expired R3 CA cert.?
Hi,
the steps are:
- Delete the expired R3 CA cert.
- Renew all your certs.
- Reassign your certs where the old ones where used.
KH
Question about rate limiting. I'd tried to renew manually something like 4-5 times and I hit the limit already:
Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: example.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
Above is output of acme.sh from my TrueNAS. As per LE website, limit is 50 certs per week, or I have missed something like above "(5)" means current limit?
QuoteThe main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.
later on the same page:
QuoteRenewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.
A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.
Quote from: Fright on September 30, 2021, 11:07:07 AM
later on the same page:
QuoteRenewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.
.....
F...., I had to be blind! Or too much focused on getting certs renewed. Thanks All!