Think this was fixed, was it a patch that fixed it?
[Fri Feb 2 14:10:45 EET 2018] original='{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}'
Still not quite, have to ask Frank on the status... acme.sh was updated, but did not fix this (expectations that it would were not clear anyway; at least that is what one user reported after testing it).
Cheers,
Franco
Okay Franco,
Thank you!
I have always found the ACME client to be a pain to use, especially when you have to renew a certificate and you are using the DNS validation. ZeroSSL is much easier to use, and then you just import the certificate.
Quote from: elektroinside on February 02, 2018, 01:16:14 PM
Think this was fixed, was it a patch that fixed it?
[Fri Feb 2 14:10:45 EET 2018] original='{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}'
I've been pretty sure that acme.sh 2.7.5 would fix this error:
https://github.com/opnsense/plugins/issues/470
Apparently I was wrong. It will not be fixed until acme.sh 2.7.6 is released. I'll reopen this issue.
Regards
- Frank
No worries :)
Thank you.
Hello,
Some additional info on the 400 ToS error:
Quote
PHP Warning: cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
The crash always happens after a cert issue attempt.
It's a cosmetic PHP issue since 7.0, ticket here....
https://github.com/opnsense/plugins/issues/333
Cheers,
Franco
I had enough of that agreement error so I "hacked" acme.sh to take the correct one.
I also needed to comment a validation because of a freak error, but it worked... got a new cert.
acme.sh 2.7.6 was released 3 days ago, any ETA on the LE package update?
Thanks.
As soon as it hits FreeBSD, since it is tested and shipped in OPNsense as it is there. :)
Cheers,
Franco
ouch! well, updated acme.sh by myself and everything works fine :o
Nice! Will you share your solution with everyone? :)
Quote from: franco on February 12, 2018, 03:49:19 PM
Nice! Will you share your solution with everyone? :)
There is no special magic involved. I just replaced /usr/local/sbin/acme.sh with a new one and set permissions to 0555 using WinSCP :o
Confirming it works (replacing with the new one) :)
No other hacks, just chmod 0555
FYI, without 0555, it will fail to validate this:
if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
  if ! createDomainKey "$_main_domain" "$_key_length"; then
    _err "Create domain key error."
    _clearup
    _on_issue_err "$_post_hook"
    return 1
  fi
fi
So it's a permissions issue.
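Added example, not code from this thread, from acme.sh or from the OPNsense plugin: a small POSIX sh preflight check to run before the ACME client is invoked after acme.sh has been replaced by hand, based on the observation above that the copied script has to be mode 0555. The path /usr/local/sbin/acme.sh is the one named in the thread; the function names and the expected-mode argument are assumptions, and the sample file used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or OPNsense): preflight check
# for a manually replaced acme.sh. Function names and the expected mode
# argument are assumptions; the thread only gives the path and chmod 0555.

# Print the permission bits of a file as three octal digits (e.g. 555).
# FreeBSD/macOS stat uses -f '%Lp'; GNU and BusyBox stat use -c '%a'.
file_mode() {
    case "$(uname -s)" in
        FreeBSD|Darwin) m=$(stat -f '%Lp' "$1") ;;
        *)              m=$(stat -c '%a' "$1") ;;
    esac
    # Keep only the last three digits so setuid/setgid/sticky bits are ignored.
    printf '%s\n' "${m#${m%???}}"
}

# acme_preflight PATH [MODE]
# Returns 0 when PATH is a regular file with exactly MODE (default 555),
# the owner execute bit set and a shebang line; otherwise prints the reason
# to stderr and returns 1.
# Usage: acme_preflight /usr/local/sbin/acme.sh 555
acme_preflight() {
    path="$1"
    want="${2:-555}"

    if [ ! -f "$path" ]; then
        echo "missing or not a regular file: $path" >&2
        return 1
    fi

    have=$(file_mode "$path")
    if [ "$have" != "$want" ]; then
        echo "mode is $have, expected $want (chmod $want $path)" >&2
        return 1
    fi

    # The owner digit must carry the execute bit (odd octal digit), or the
    # ACME client cannot run the script at all.
    case "${have%??}" in
        1|3|5|7) ;;
        *) echo "owner execute bit missing on $path" >&2; return 1 ;;
    esac

    if ! head -n 1 "$path" | grep -q '^#!'; then
        echo "no shebang line, is this really acme.sh? $path" >&2
        return 1
    fi
    return 0
}
```

Run it as `acme_preflight /usr/local/sbin/acme.sh 555` right after copying the new script over; a non-zero exit with the printed reason tells you which of the three conditions (mode, execute bit, shebang) the replacement fails before the ACME client produces the less specific "Create domain key error".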
I would like to see someone (hint! hint!) write up a nice tutorial on using the acme client plugin to create certs.
Does anybody know when the update for acme 2.6.7 (ETA on LE package) is coming?
Sorry 2.7.6 of course
I will ping the FreeBSD maintainer.
https://bsd.network/@dvl/99531493305337397
Nice :) Thanks, Franco!
Thanks Franco, how can we update the acme package?
# opnsense-code tools ports
# cd /usr/ports/sysutils/acme.sh
# make
# make deinstall
# make install
Will also be in 18.1.3, but that takes two more weeks.
Cheers,
Franco
Thank you, it works! There is a mistake in your description.
The correct directory is:
# cd /usr/ports/security/acme.sh
I am very excited about the quick answers here. Thank you to all the people!
Can't get a cert issued. Log shows 'Create domain key error'
I can see the key file was created.
What am I doing wrong?
Quote from: dcol on February 24, 2018, 08:31:00 PM
Can't get a cert issued. Log shows 'Create domain key error'
I can see the key file was created.
What am I doing wrong?
Well, um, bro, update your acme.sh script or wait for 8.1.3 in a week or so 8) How to? :o This has been answered a few times some posts above :-\
acme.sh was updated. This is not the reason.
Quote
acme.sh was updated. This is not the reason.
Still 'Create domain key error'?
I did what franco posted:
# opnsense-code tools ports
# cd /usr/ports/sysutils/acme.sh
# make
# make deinstall
# make install
After that I deleted the certificates that were in a failed status and created them successfully again.
Quote from: dcol on February 25, 2018, 06:21:19 PM
acme.sh was updated. This is not the reason.
Well, there is only one thing left: your validation method fails. Personally, I always used a non-standard port for the GUI, so the HTTP-01 method never worked for me. I use DNS-01 with Hurricane Electric. I've configured 2 DigitalOcean droplets in a week and both work with the DNS-01 challenge and don't validate with HTTP-01.