OPNsense Forum

English Forums => General Discussion => Topic started by: muchacha_grande on January 31, 2024, 11:03:06 PM

Title: [SOLVED] ACME Challenge HTTP-01 stopped working
Post by: muchacha_grande on January 31, 2024, 11:03:06 PM
First of all, I've already solved the problem by changing to the DNS-01 challenge using the cPanel API. But the issue is that I have 6 domains behind an Nginx reverse proxy and the last successful renewal was on January 1st. After that, the next renew event on January 22nd failed and I received an email from Let's Encrypt warning me about the failure.
Between the two renew events there was an update from 23.7.10 to 23.7.11 and no other changes.
The renewal was done using the HTTP-01 challenge and it worked fine for some years.

I found this GitHub issue: https://github.com/opnsense/plugins/issues/1967#issue-675753796
The error reported in this GitHub issue is the same as the one reported in my case, and there is a change listed in the 23.7.11 changelog that, in my opinion, could be related:

[system: include IPv6 link-local interface addresses for web GUI and OpenSSH (contributed by Maurice Walker)]

I opened this issue as a placeholder in case someone else has encountered this problem.
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: JustMeHere on February 19, 2024, 03:59:20 AM
I've got a problem too. The ACME client on HTTP challenges is not seeing the IP address of the WAN. Renewal worked on Jan 15 and failed on Feb 15, 2024.

I checked the WAN's IP. It is correct, but the logs show the IPs listed below. The format of the log has changed during this time. It must be an update to the client that is the issue. I have 1 WAN port and 4 LAN ports; only the two LAN ports shown below are connected. The new client does not appear to see the WAN port.

2024-02-18T21:39:58-05:00   opnsense   AcmeClient: using IPv4 address: 192.168.3.1
2024-02-18T21:39:58-05:00   opnsense   AcmeClient: using IPv4 address: 192.168.1.1

From when it worked:

2024-01-26T18:38:05   opnsense[2844]   AcmeClient: using IPv4 address: 73.88.76.86
2024-01-26T18:38:05   opnsense[2844]   AcmeClient: using IPv4 address: 192.168.1.1
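A small check a defender can run over AcmeClient log lines to tell a run that only found RFC 1918 addresses (the failing excerpt above) from one that also found a globally routable WAN address (the working excerpt). This is an added example, not code from the thread or from the OPNsense ACME plugin; the sample log lines are constructed after the two excerpts above.

```python
import ipaddress
import re

# Constructed sample log, modelled on the two excerpts in the post above:
# the Feb 18 run only reports LAN addresses, the Jan 26 run also reports the WAN one.
SAMPLE_LOG = """\
2024-02-18T21:39:58-05:00   opnsense   AcmeClient: using IPv4 address: 192.168.3.1
2024-02-18T21:39:58-05:00   opnsense   AcmeClient: using IPv4 address: 192.168.1.1
2024-01-26T18:38:05   opnsense[2844]   AcmeClient: using IPv4 address: 73.88.76.86
2024-01-26T18:38:05   opnsense[2844]   AcmeClient: using IPv4 address: 192.168.1.1
"""

# Matches both timestamp/process formats seen in the thread (with or without "[pid]").
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+AcmeClient: using IPv4 address: (?P<ip>\S+)$"
)


def parse_acme_addresses(log_text):
    """Group every 'using IPv4 address' line by run day -> list of ip_address objects."""
    runs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        day = m.group("ts")[:10]  # both timestamp formats start with YYYY-MM-DD
        runs.setdefault(day, []).append(ipaddress.ip_address(m.group("ip")))
    return runs


def has_public_address(addresses):
    """True if at least one address is globally routable (not RFC 1918, loopback, link-local)."""
    return any(addr.is_global for addr in addresses)


def check_runs(log_text):
    """Map each run day to 'ok' (a public address was detected) or 'no-public-ip'.

    A run flagged 'no-public-ip' cannot pass HTTP-01, because Let's Encrypt
    has to reach the challenge on the WAN address, not on a LAN address.
    """
    return {
        day: ("ok" if has_public_address(ips) else "no-public-ip")
        for day, ips in parse_acme_addresses(log_text).items()
    }


if __name__ == "__main__":
    for day, verdict in check_runs(SAMPLE_LOG).items():
        print(day, verdict)
```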
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: bazbaz on February 19, 2024, 05:06:11 PM
Try to manually assign the external IP address in the challenge's options.
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: muchacha_grande on February 19, 2024, 05:29:28 PM
In my case, according to the log, ACME is detecting the IP correctly.
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: tuxlemmi on February 19, 2024, 06:00:21 PM
Quote from: bazbaz on February 19, 2024, 05:06:11 PM
Try to manually assign the external IP address in the challenge's options.

This works for my setup.

Thanks
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: JustMeHere on February 19, 2024, 10:46:53 PM
Quote from: bazbaz on February 19, 2024, 05:06:11 PM
Try to manually assign the external IP address in the challenge's options.

Thanks, this could work, but I'm on a dynamic IP address.

Seems like there's a bug since multiple people are reporting this.
Title: Re: ACME Challenge HTTP-01 stopped working
Post by: muchacha_grande on February 21, 2024, 09:08:31 PM
This problem was addressed in the 24.1.2 update.