OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: mvdheuvel on March 25, 2018, 09:48:35 AM

Title: Let's Encrypt wildcard acme.sh 2.7.8
Post by: mvdheuvel on March 25, 2018, 09:48:35 AM
Does anyone have an idea when to expect the release of acme.sh version 2.7.8 with the Let's Encrypt wildcard and the ACME v2 implementation?
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: franco on March 25, 2018, 08:39:24 PM
We have 2.7.8 queued up for 18.1.6. I'm not sure if it works automatically though.

LE is maintained by a community contributor so that's all I can say.

Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: mvdheuvel on March 26, 2018, 12:13:43 PM
Hi Franco,

Thanks for the response.

Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: doug.dimick on March 27, 2018, 10:21:00 PM
I'm issuing wildcard certs with plugin v1.13 without any problems.
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: Maurice on March 28, 2018, 10:48:44 AM
Quote from: doug.dimick on March 27, 2018, 10:21:00 PM
I'm issuing wildcard certs with plugin v1.13 without any problems.

I can confirm this, works fine!
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: armouredking on March 30, 2018, 04:42:22 AM
Well I'm not. Broken for me on 18.1.5 and 1.13, errors out for 415.

[Thu Mar 29 19:25:56 MST 2018] Please check log file for more details: /var/log/acme.sh.log
[Thu Mar 29 19:25:56 MST 2018] _on_issue_err
[Thu Mar 29 19:25:56 MST 2018] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","detail":"Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"","status": 415}
[Thu Mar 29 19:25:56 MST 2018] code='415'
[Thu Mar 29 19:25:56 MST 2018] _ret='0'
[Thu Mar 29 19:25:55 MST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Mar 29 19:25:55 MST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Mar 29 19:25:55 MST 2018] POST
[Thu Mar 29 19:25:55 MST 2018] _ret='0'
[Thu Mar 29 19:25:55 MST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Mar 29 19:25:55 MST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'

Only happens when attempting to register the wildcard. The certificate for the OPNSense webapp was done using just the subdomain and works fine.

[Thu Feb 1 17:50:24 MST 2018] Installing full chain to:/var/etc/acme-client/certs/5a73b3f4bea6a8.46110666/fullchain.pem
[Thu Feb 1 17:50:24 MST 2018] Installing key to:/var/etc/acme-client/keys/5a73b3f4bea6a8.46110666/private.key
[Thu Feb 1 17:50:24 MST 2018] Installing CA to:/var/etc/acme-client/certs/5a73b3f4bea6a8.46110666/chain.pem
[Thu Feb 1 17:50:24 MST 2018] Installing cert to:/var/etc/acme-client/certs/5a73b3f4bea6a8.46110666/cert.pem
[Thu Feb 1 17:50:24 MST 2018] _on_issue_success

It is at least contacting the v2 endpoint for the wildcard so that's good. But something isn't right still.
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: Maurice on April 04, 2018, 07:29:03 PM
Don't know exactly what the error message is supposed to mean, but some things to consider:
I was able to issue two production wildcard certs with OPNsense 18.1.5 / os-acme-client 1.13 (acme.sh 2.7.6_2) using the OVH DNS API.
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: doug.dimick on April 05, 2018, 10:07:44 PM
I'm successfully using *.domain.com as my CN (along with DNS-01 validation).
Title: Re: Let's Encrypt wildcard acme.sh 2.7.8
Post by: armouredking on April 06, 2018, 07:38:56 AM
I'm aware of the requirements, but that isn't the issue. The issue, so far as I can tell, appears to be the registration request on the V2 servers from the GUI. I can't get the GUI to give me a more in-depth log file for Let's Encrypt / ACME, so I'm unclear how to proceed troubleshooting this.

As can be seen:

[Thu Apr 5 22:28:34 MST 2018] Please check log file for more details: /var/log/acme.sh.log
[Thu Apr 5 22:28:34 MST 2018] _on_issue_err
[Thu Apr 5 22:28:34 MST 2018] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","detail":"Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"","status": 415}
[Thu Apr 5 22:28:34 MST 2018] code='415'
[Thu Apr 5 22:28:34 MST 2018] _ret='0'
[Thu Apr 5 22:28:33 MST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Apr 5 22:28:33 MST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Apr 5 22:28:33 MST 2018] POST
[Thu Apr 5 22:28:33 MST 2018] _ret='0'
[Thu Apr 5 22:28:33 MST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Apr 5 22:28:33 MST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Apr 5 22:28:33 MST 2018] HEAD
[Thu Apr 5 22:28:33 MST 2018] payload='{"contact": ["mailto: redacted@email"], "termsOfServiceAgreed": true}'
[Thu Apr 5 22:28:33 MST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Apr 5 22:28:33 MST 2018] Registering account
[Thu Apr 5 22:28:32 MST 2018] RSA key
[Thu Apr 5 22:28:32 MST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 5 22:28:32 MST 2018] Using config home:/var/etc/acme-client/home
[Thu Apr 5 22:28:32 MST 2018] config file is empty, can not read CA_KEY_HASH
[Thu Apr 5 22:28:32 MST 2018] _currentRoot='dns_cf'
[Thu Apr 5 22:28:32 MST 2018] Check for domain='*.redacted.domain'
[Thu Apr 5 22:28:32 MST 2018] _currentRoot='dns_cf'
[Thu Apr 5 22:28:32 MST 2018] Check for domain='redacted.domain'
[Thu Apr 5 22:28:32 MST 2018] Le_LocalAddress
[Thu Apr 5 22:28:32 MST 2018] _on_before_issue
[Thu Apr 5 22:28:31 MST 2018] ACME_VERSION='2'
[Thu Apr 5 22:28:31 MST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Apr 5 22:28:31 MST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Thu Apr 5 22:28:31 MST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Apr 5 22:28:31 MST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Apr 5 22:28:31 MST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Apr 5 22:28:31 MST 2018] ACME_NEW_AUTHZ
[Thu Apr 5 22:28:31 MST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu Apr 5 22:28:31 MST 2018] ret='0'
[Thu Apr 5 22:28:30 MST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Thu Apr 5 22:28:30 MST 2018] timeout=
[Thu Apr 5 22:28:30 MST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu Apr 5 22:28:30 MST 2018] GET
[Thu Apr 5 22:28:30 MST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 5 22:28:30 MST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu Apr 5 22:28:30 MST 2018] DOMAIN_PATH='/var/etc/acme-client/home/redacted.domain'
[Thu Apr 5 22:22:36 MST 2018] Cert for *.redacted.domain /var/etc/acme-client/home/*.redacted.domain/*.redacted.domain.cer is not found, skip.
[Thu Apr 5 22:22:36 MST 2018] DOMAIN_PATH='/var/etc/acme-client/home/*.redacted.domain'
[Thu Apr 5 00:00:05 MST 2018] Please check log file for more details: /var/log/acme.sh.log
[Thu Apr 5 00:00:05 MST 2018] _on_issue_err

The log file is showing the issue at the registering account step on the V2 server. Personal details redacted to protect the guilty.

I also seem to have some sort of PHP crash issue that may or may not be related to the ACME script that I submitted via the crash reporter.
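As an added example (not part of this thread, and not acme.sh or OPNsense code), a small Python triage script for the acme.sh log format quoted above. It reads the newest-first log, pairs each ACME problem document the server returned with the endpoint acme.sh was POSTing to, and maps the 415 "malformed" Content-Type error to the RFC 8555 requirement behind it; the sample log lines are constructed from the ones in the post.

```python
import json
import re

# Constructed sample in the newest-first order acme.sh writes to /var/log/acme.sh.log.
# A raw string keeps the \" escapes inside the JSON problem document intact.
SAMPLE_LOG = r"""
[Thu Apr 5 22:28:34 MST 2018] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","detail":"Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"","status": 415}
[Thu Apr 5 22:28:34 MST 2018] code='415'
[Thu Apr 5 22:28:33 MST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Apr 5 22:28:33 MST 2018] POST
[Thu Apr 5 22:28:31 MST 2018] ACME_VERSION='2'
""".strip()

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
POST_URL_RE = re.compile(r"^_post_url='(?P<url>[^']+)'$")
ERROR_RE = re.compile(r"Error: (?P<doc>\{.*\})$")


def parse_log(text):
    """Return (timestamp, message) pairs in chronological order (the file is newest-first)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("msg")))
    return entries[::-1]


def explain(problem):
    """Map an ACME problem document (RFC 7807 body) to a troubleshooting hint."""
    if problem.get("type") == "urn:ietf:params:acme:error:malformed" and "Content-Type" in problem.get("detail", ""):
        return ("the POST to this ACME v2 endpoint lacked the Content-Type: application/jose+json "
                "header that RFC 8555 section 6.2 requires; check the client version and its HTTP settings")
    return "see RFC 8555 section 6.7 for this error type"


def find_failed_requests(text):
    """Pair each JSON error the server returned with the endpoint acme.sh was POSTing to."""
    failures, last_url = [], None
    for _ts, msg in parse_log(text):
        m = POST_URL_RE.match(msg)
        if m:
            last_url = m.group("url")  # remembered until the matching error line arrives
            continue
        m = ERROR_RE.search(msg)
        if m:
            problem = json.loads(m.group("doc"))
            failures.append({"url": last_url, "status": problem.get("status"),
                             "type": problem.get("type"), "hint": explain(problem)})
    return failures


if __name__ == "__main__":
    for f in find_failed_requests(SAMPLE_LOG):
        print(f"{f['status']} from {f['url']}: {f['type']} -> {f['hint']}")
```

Point it at a copy of /var/log/acme.sh.log to get one line per failed request instead of reading the whole reversed log by hand.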