OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: litebit on June 02, 2023, 04:47:22 PM

Title: Letsencrypt -
Post by: litebit on June 02, 2023, 04:47:22 PM
Hi,

I'm planning to migrate from pfsense to OPNsense. So I'm checking/testing service by service.
One of these is the ACME client for Letsencrypt. Using the same (or similar) settings from what I have on pfsense, I'm running into an issue on Opnsense...

the domain myvpn.loftnet.xyz exists, and on pfsense, a certificate is issued without any error.
I don't know where the "Domain name contains an invalid character" comes from?
Anyone any idea?

2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Diagnosis versions:
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Please add '--debug' or '--log' to check more details.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] _on_issue_err
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] skip dns.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] dns_entries
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] _clearupdns
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] No need to restore nginx, skip.
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] pid
}
"status": 400
"detail": "Error creating new order :: Cannot issue for \"cert_loftnet_ext_myvpn_v2\": Domain name contains an invalid character",
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:52 CEST 2023] Create new order error. Le_OrderFinalize not found. {
2023-06-02T16:40:52 acme.sh [Fri Jun 2 16:40:51 CEST 2023] Le_OrderFinalize
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] Le_LinkOrder
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] code='400'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _ret='0'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] POST
2023-06-02T16:40:51 acme.sh [Fri Jun 2 16:40:51 CEST 2023] _ret='0'
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L -I '
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2023-06-02T16:40:50 acme.sh [Fri Jun 2 16:40:50 CEST 2023] HEAD
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] RSA key
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] payload='{"identifiers": [{"type":"dns","value":"CERT_LOFTNET_EXT_MYVPN_V2"},{"type":"dns","value":"myvpn.loftnet.xyz"}]}'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] d
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] d='myvpn.loftnet.xyz'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] Getting domain auth token for each domain
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] Multi domain='DNS:CERT_LOFTNET_EXT_MYVPN_V2,DNS:myvpn.loftnet.xyz'
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] _createcsr
2023-06-02T16:40:48 acme.sh [Fri Jun 2 16:40:48 CEST 2023] The domain key is here: /var/etc/acme-client/home/CERT_LOFTNET_EXT_MYVPN_V2/CERT_LOFTNET_EXT_MYVPN_V2.key
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using RSA: 4096
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Use length 4096
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using config home:/var/etc/acme-client/home
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Creating domain key
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Read key length:2048
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _saved_account_key_hash is not changed, skip register account.
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _currentRoot='dns_namecheap'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Check for domain='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _currentRoot='dns_namecheap'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Check for domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] d='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Le_LocalAddress
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _chk_alt_domains='myvpn.loftnet.xyz'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _chk_main_domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] _on_before_issue
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_NEW_AUTHZ
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
2023-06-02T16:40:47 acme.sh [Fri Jun 2 16:40:47 CEST 2023] ret='0'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] timeout=
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] url='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] GET
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] DOMAIN_PATH='/var/etc/acme-client/home/CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Using config home:/var/etc/acme-client/home
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _alt_domains='myvpn.loftnet.xyz'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] _main_domain='CERT_LOFTNET_EXT_MYVPN_V2'
2023-06-02T16:40:46 acme.sh [Fri Jun 2 16:40:46 CEST 2023] Running cmd: issue


Title: Re: Letsencrypt -
Post by: sorano on June 02, 2023, 08:59:11 PM
Underscore is not valid.

Title: Re: Letsencrypt -
Post by: litebit on June 02, 2023, 09:44:13 PM
Hi,

so in opnsense you cannot "name" the certificate itself anymore like in pfsense?

Opnsense
(https://i.imgur.com/uIYhBM1.png)

pfsense
(https://i.imgur.com/Y8AhtOx.png)

Changing the name to the domainname works, but now, sadly, the ACME script wipes all my "dynamic A" records at Namecheap.


Title: Re: Letsencrypt -
Post by: sorano on June 03, 2023, 01:57:11 PM
You can name it but you must follow name standards.

https://www.ssl.com/faqs/underscores-not-allowed-in-domain-names/

Title: Re: Letsencrypt -
Post by: KHE on June 03, 2023, 02:12:05 PM
Quote from: litebit on June 02, 2023, 09:44:13 PM
so in opnsense you cannot "name" the certificate itself anymore like in pfsense?

Correct. pfsense has a Name field, where you can use any name you like. It is just a label for internal use in pfsense. In OPNsense there is the description field for this purpose.
The Common Name (CN) field in OPNsense expects the main domain name you want to use and further adds it as the first Alternative Name to the certificate.

KH
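
The rule KHE describes above, as an added example (this is not code from the thread, from OPNsense or from acme.sh): whatever is typed into the CN field becomes the first "dns" identifier of the newOrder request, so it has to be a hostname a public CA will accept. The check below applies the RFC 1123 "LDH" label rule (lowercase letters, digits, hyphens; 1 to 63 characters per label; no leading or trailing hyphen; one optional leading `*.`) and then assembles the identifiers in the order acme.sh sends them, CN first, alternative names after. The function names and the extra sample inputs are my own; only the two names come from the log in the first post. Lowercasing before the check is an assumption based on the CA's error message, which quotes the rejected CN in lowercase, so the underscore, not the capitals, is what fails.

```python
import json
import re

# One label of a 'dns' identifier as a public CA accepts it: lowercase
# letters, digits and hyphens, 1-63 characters, no leading/trailing hyphen.
# '_' is not in the set, which is what the rejectedIdentifier error in the
# log is about.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_dns_identifier(name):
    """Return None if `name` can be requested as an ACME 'dns' identifier,
    otherwise a short reason.  The name is lowercased first (assumption:
    the CA's error quotes the rejected CN in lowercase)."""
    name = name.strip().lower()
    if not name:
        return "empty name"
    if name.endswith("."):
        return "trailing dot is not allowed"
    if len(name) > 253:
        return "name longer than 253 characters"
    if _IPV4_RE.match(name):
        return "IP addresses are not DNS identifiers"
    labels = name.split(".")
    if labels[0] == "*":          # one leading wildcard label is permitted
        labels = labels[1:]
    # Check the characters of every label before the label count, so a
    # single-label CN like the one in the log reports the real problem.
    for label in labels:
        if _LABEL_RE.match(label):
            continue
        if not label:
            return "empty label (consecutive dots)"
        bad = "".join(sorted({c for c in label if not re.match(r"[a-z0-9-]", c)}))
        if bad:
            return "label %r contains invalid character(s): %s" % (label, bad)
        if len(label) > 63:
            return "label %r longer than 63 characters" % label
        return "label %r starts or ends with a hyphen" % label
    if len(labels) < 2:
        return "not a fully qualified name (needs at least two labels)"
    return None


def build_new_order(common_name, alt_names=()):
    """Put the names in the order acme.sh sends them (CN first, then the
    alternative names) and pre-check each one.  Returns (payload, problems):
    payload is the JSON body for newOrder when every name passes, else None;
    problems maps each rejected name to its reason."""
    names = [common_name] + list(alt_names)
    problems = {}
    for n in names:
        reason = check_dns_identifier(n)
        if reason:
            problems[n] = reason
    if problems:
        return None, problems
    identifiers = [{"type": "dns", "value": n.strip().lower()} for n in names]
    return json.dumps({"identifiers": identifiers}), problems


if __name__ == "__main__":
    # The exact pair of names from the log: the certificate "name" ended up
    # as the CN and was sent as a DNS identifier ahead of the real hostname.
    print(build_new_order("CERT_LOFTNET_EXT_MYVPN_V2", ["myvpn.loftnet.xyz"]))
    # After moving the label to the description field and putting the
    # hostname in the CN, the order is accepted by this check.
    print(build_new_order("myvpn.loftnet.xyz"))
```

Running it with the first pair returns no payload and a single problem entry naming the underscore in `cert_loftnet_ext_myvpn_v2`; with the hostname alone it returns the one-identifier order body. The same check is worth running on every SAN, since a rejected alternative name fails the whole order just as the CN did here.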

Title: Re: Letsencrypt -
Post by: litebit on June 03, 2023, 03:37:11 PM
Ok thanks.

Problem solved, case closed  :)