OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: namnnumbr on January 05, 2023, 02:28:33 PM

Title: ACME client not updating certs into OPNsense trust storage
Post by: namnnumbr on January 05, 2023, 02:28:33 PM
As of 1 Jan 2023, the ACME client has been renewing the LetsEncrypt cert daily. Further investigation indicates it is not registering the new certs in OPNsense `System > Trust > Certificates`.

Navigating to `Services > ACME client > Log Files` reports it thinks the cert needs to be renewed: "AcmeClient: certificate must be issued/renewed: opnsense.example.com". Logs show successful renewal.
`Services > ACME client > Certificates` shows the cert has been renewed.

However, `System > Trust > Certificates` shows the old cert, and checking the cert with my browser shows the old cert. So somehow the ACME client is not writing the cert to OPNsense's trust storage.
I have tried to reimport the cert, but nothing changes.  Rebooting also does not resolve the issue.

Further info:
I had previously run into an issue where the webUI wasn't registering the new cert, and I resolved that by adding an automation to restart the webUI. However, in that case (IIRC) the cert did not keep on renewing; it was simply that the browser would show warnings about the expired cert.

Running
OPNsense 22.7.10_2-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
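The check the original poster did by hand (look at the cert the browser gets, compare it with what the ACME client says it issued) can be scripted so it distinguishes "the new cert never reached the trust store / web server" from "it was written but the web UI was not reloaded". The script below is an added example, not code from the thread or from the OPNsense acme-client plugin; it assumes only that `openssl` is on the path and that the caller supplies the hostname, port and the path of the PEM file the ACME client wrote (the thread does not state where that file lives, so no path is hard-coded here).

```sh
#!/bin/sh
# Added example (not from the forum thread or the OPNsense project).
# Compares the certificate a TLS endpoint actually presents with a PEM
# certificate file on disk, by SHA-256 fingerprint.
# Assumed inputs: host, port and the on-disk certificate path come from the
# caller; the ACME client's output location is not taken from the thread.

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
# The sed strips the "SHA256 Fingerprint=" / "sha256 Fingerprint=" prefix,
# whose capitalisation differs between OpenSSL 1.1.1 and 3.x.
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter of a PEM certificate file, for a quick expiry read-out.
cert_file_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# SHA-256 fingerprint of the leaf certificate presented by host:port.
# -servername sends SNI so a name-based vhost (e.g. HAProxy) answers with the
# certificate for that name rather than its default one.
served_cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the served certificate is the one in the file, 1 otherwise.
# Usage: check_served_matches_file opnsense.example.com 443 /path/to/cert.pem
check_served_matches_file() {
    host=$1; port=$2; file=$3
    want=$(cert_file_fingerprint "$file") || return 1
    got=$(served_cert_fingerprint "$host" "$port")
    if [ -n "$got" ] && [ "$want" = "$got" ]; then
        echo "OK: $host:$port serves $file (expires $(cert_file_not_after "$file"))"
        return 0
    fi
    echo "MISMATCH: $host:$port serves [$got]; $file is [$want]"
    return 1
}
```

Run it right after a renewal: if the file is the new cert but the endpoint still serves the old fingerprint, the cert was written and only the service needs a reload (the webUI restart automation the poster mentions); if the file itself is still the old cert, the ACME client never exported the renewal, which is the trust-store symptom this thread is about.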
Title: Re: ACME client not updating certs into OPNsense trust storage
Post by: veriwind on January 05, 2023, 02:52:28 PM
I'm having this same issue. The Trust store isn't being updated but the cert has been renewed via acme client. I'll sync to haproxy and then the next day haproxy will be back with the old expired cert. Reload haproxy and it has the new one, every day.
Title: Re: ACME client not updating certs into OPNsense trust storage
Post by: namnnumbr on January 05, 2023, 03:52:47 PM
see also: https://github.com/opnsense/plugins/issues/3127
Title: Re: ACME client not updating certs into OPNsense trust storage
Post by: veriwind on January 06, 2023, 04:18:30 PM
Quote from: namnnumbr on January 05, 2023, 03:52:47 PM
see also: https://github.com/opnsense/plugins/issues/3127

This is exactly the issue. I'll have to follow it there. The issue was resolved by rebooting opnsense early this morning. I'll have to try scheduling a webui restart.
Title: Re: ACME client not updating certs into OPNsense trust storage
Post by: namnnumbr on January 06, 2023, 05:09:45 PM
If you can, add your logs so the devs realize the issue is live. The issue is older, so I want to bump the activity.