hi there,
i'm running on OPNsense 24.1.1. nextcloud behind haproxy/acme has been working fine for ages, so i never paid attention to the automatic cert renewals as this was a working process. today my client told me that the cert was outdated, so i had a look into the acme/LE certs and yes, it's past its renewal date. i'm using the http-01 challenge.
my question to you; were there any changes to haproxy/acme since december 2023 (i'm not aware of any that would require a change in settings)?
what happens when i force-renew a certain certificate..
syslog
AcmeClient: validation for certificate failed: <REDACTED>
acme log
[Thu Feb 8 15:28:32 CET 2024] Invalid status, <REDACTED>:Verify error detail:<REDACTED>: Fetching https://<REDACTED>/.well-known/acme-challenge/<REDACTED>: Error getting validation data
/var/log/acme.sh.log doesn't show anything additional.
ofc i've also tried to run w/o haproxy.
many thanks for your time!
Hi opn_minded, I've reported this issue here in the forum some days ago, and after that some other users reported this as well.
Here are the reports:
https://forum.opnsense.org/index.php?topic=38585.0
https://forum.opnsense.org/index.php?topic=38535.0
https://forum.opnsense.org/index.php?topic=38484.0 (this is my report)
As in your case, I have realized that the certificates were not being renewed some days after the first error occurred.
Because I have other certificates that had successfully renewed before, I can infer that the problem started to happen between January 1st and 22nd. There was an update in the middle: the 23.7.11 update.
hi mate,
thanks for sharing your insights and the links to the other reports.
good news; i got it working again.
as for the acme-client:
- reset acme-client
- remove acme-client
- re-install acme-client
as for NAT:
- i changed the port forward (had a custom port) and adapted it according to https://letsencrypt.org/docs/challenge-types/#http-01-challenge
as for haproxy:
- i changed the listening port for http-challenges
that's basically it. afterwards i've re-created the settings in the acme-client and force-refreshed my cert. it was provided immediately w/o any errors.
hope that helps!
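The fix above boils down to making sure the CA's plain-HTTP request for /.well-known/acme-challenge/<token> actually reaches something that serves the token (port forward on port 80, haproxy listener, acme-client backend). The "Error getting validation data" message alone does not say which of those is broken. The following is an added example, not code from the thread or from OPNsense/acme.sh: it performs the same GET the CA performs and sorts the result into unreachable / redirect / wrong status / wrong body / ok. Host names, tokens and key-authorization bodies are constructed placeholders, and the local stand-in server only exists so the check can be exercised offline.

```python
# Added example (not from the forum post, OPNsense or acme.sh): self-check for
# the HTTP-01 challenge path a CA fetches, plus a local stand-in listener.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def fetch_challenge(host, token, port=80, timeout=5.0):
    """GET http://host:port/.well-known/acme-challenge/<token> over plain HTTP
    (no TLS), without following redirects. Returns (status, headers, body, error)."""
    path = ACME_CHALLENGE_PREFIX + token
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        headers = dict(resp.getheaders())
        conn.close()
        return resp.status, headers, body, None
    except (OSError, http.client.HTTPException) as exc:
        return None, {}, None, f"{type(exc).__name__}: {exc}"


def diagnose(host, token, expected_body, port=80, timeout=5.0):
    """Triage the result the way a practitioner would:
    'unreachable'  - TCP/HTTP failure: port forward, firewall rule or the
                     listener on that port is not passing the request through
    'redirect'     - 3xx: Let's Encrypt follows redirects, so this can be fine,
                     but the target must itself serve the token
    'wrong-status' - request arrived, but nothing serves the challenge path
                     (listener/backend mismatch, e.g. the old custom port)
    'wrong-body'   - 200 with the wrong content (stale or different host)
    'ok'           - what the CA needs to see
    """
    status, headers, body, err = fetch_challenge(host, token, port, timeout)
    if err is not None:
        return "unreachable", err
    if 300 <= status < 400:
        return "redirect", headers.get("Location", "<no Location header>")
    if status != 200:
        return "wrong-status", f"HTTP {status} for {ACME_CHALLENGE_PREFIX}{token}"
    if body.strip() != expected_body:
        return "wrong-body", f"got {body.strip()!r}, expected {expected_body!r}"
    return "ok", "HTTP 200 with the expected key authorization"


def start_local_challenge_server(responses, host="127.0.0.1"):
    """Stand-in for the real listener so the check runs offline. `responses`
    maps token -> body; unknown tokens get 404, like an unconfigured backend.
    Returns (server, port); call server.shutdown() and server.server_close()."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(ACME_CHALLENGE_PREFIX):]
            if self.path.startswith(ACME_CHALLENGE_PREFIX) and token in responses:
                payload = responses[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_response(404)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    server = HTTPServer((host, 0), Handler)  # port 0 = ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Constructed sample: one token the stand-in knows, one it does not.
    server, port = start_local_challenge_server({"demo-token": "demo-token.demo-thumbprint"})
    try:
        for tok, expected in [("demo-token", "demo-token.demo-thumbprint"), ("other", "x")]:
            print(tok, diagnose("127.0.0.1", tok, expected, port=port))
    finally:
        server.shutdown()
        server.server_close()
    # Against a real host (placeholder values), from outside your own network:
    #   diagnose("nextcloud.example.org", "<token>", "<token>.<thumbprint>")
```

Run it from a machine outside the LAN, since NAT reflection can make a broken port forward look fine from inside; an "unreachable" result points at the port forward / firewall, while "wrong-status" means the request reached a listener that is not wired to the acme-client backend.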
Excellent, glad to see you resolved it.
Maybe the solution is to uninstall and reinstall as you did.
Don't think it's a matter of configuration because it has worked for years and it suddenly failed.