OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: aschaapherder on September 16, 2019, 07:50:12 pm

Title: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: aschaapherder on September 16, 2019, 07:50:12 pm
Let me sketch the situation in the hope that someone has an idea or can point me in the right direction.

I have used Apache as reverse proxy with LE certificates for quite some time for several internally running websites. In an effort to make things less dependent on each other (reverse proxy was running on one of my websites) I decided to move the reverse proxy functionality to a separate machine running OPNsense. Note that OPNsense is running internally (LAN only) and provides DNS/DHCP and time services internally.

I set up HAProxy with Let's Encrypt as per this https://blog.bagro.se/lets-encrypt-with-haproxy-on-opnsense/. HAProxy is running fine and I initially configured a multi-domain certificate against the LE staging environment. Worked fine. But when I switched to the Production environment all I got was validation errors. Log shows
Code:
detail": "KeyID header contained an invalid account URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/123456789\"
(obviously that is not my account number).

No matter what I changed, different account, staging to prod etc, create new certificates for the separate domains instead of a multi domain cert, I always get this error.

Should I wipe the setup and start clean (I did this already once but did not properly record all the steps) and if so, is there a place I should delete the files?

I have searched for many things, starting with opnsense - haproxy - lets encrypt - error but even if I widen the search I don't get much useful info.

Any pointers and/or suggestions are welcome, even pointing me to different solutions (preferably on OPNsense); I want a working reverse proxy with LE certs.
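
An added diagnostic for the error quoted above (example code, not from the original post or the OPNsense plugin): it parses an RFC 8555 problem document, pulls the account URL out of the KeyID error and checks whether that URL belongs to the same Let's Encrypt environment (staging or production) as the directory the client is talking to. The sample problem document is constructed; the staging hostname is the public Let's Encrypt one, which the post itself does not mention.

```python
import json
import re
from urllib.parse import urlparse

# Let's Encrypt ACME v2 directory hosts. The post only shows the production host;
# the staging host is the public Let's Encrypt one and is assumed here.
LE_ENVIRONMENTS = {
    "acme-v02.api.letsencrypt.org": "production",
    "acme-staging-v02.api.letsencrypt.org": "staging",
}

# Constructed sample: an RFC 8555 problem document shaped like the logged error.
SAMPLE_PROBLEM = json.dumps({
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": 'KeyID header contained an invalid account URL: '
              '"https://acme-v02.api.letsencrypt.org/acme/acct/123456789"',
})

ACCOUNT_URL_RE = re.compile(r'invalid account URL:\s*"([^"]+)"')


def account_url_from_problem(problem_json):
    """Return the account URL quoted in a KeyID error, or None for other errors."""
    problem = json.loads(problem_json)
    match = ACCOUNT_URL_RE.search(problem.get("detail", ""))
    return match.group(1) if match else None


def environment_of(url):
    """Map an ACME URL to 'production', 'staging' or 'unknown' by its host."""
    return LE_ENVIRONMENTS.get(urlparse(url).hostname, "unknown")


def diagnose(problem_json, directory_url):
    """Compare the rejected account URL with the directory the client was using.

    Returns None when the problem is not a KeyID/account URL error, otherwise a
    dict saying which environment each side belongs to and whether they differ.
    """
    account_url = account_url_from_problem(problem_json)
    if account_url is None:
        return None
    account_env = environment_of(account_url)
    directory_env = environment_of(directory_url)
    mismatch = account_env != directory_env
    if mismatch:
        hint = f"account was registered on {account_env}; register a new one on {directory_env}"
    else:
        hint = f"account host matches {directory_env}; verify the directory the client actually used"
    return {"account": account_env, "directory": directory_env,
            "mismatch": mismatch, "hint": hint}
```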
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: fabian on September 16, 2019, 08:08:35 pm
The problem is in the acme plugin so switching the reverse proxy will not help. You can try to run the acme commands directly on CLI to generate a valid cert.

Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: aschaapherder on September 17, 2019, 07:59:47 am
Thanks! Happy to try that. Looking at the response of acme.sh ... Any suggestions where I can find how acme.sh is started from the plugin? In other words how the request is constructed? Can I learn that from the plugin?

I increased the log level of the LE plugin as well but that does not show me the commandline structure.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: fabian on September 17, 2019, 06:18:57 pm
Just look at the config commands - they should contain most information how things are invoked.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: aschaapherder on September 19, 2019, 10:03:51 am
Thanks :)

I did that of course. But sorting out how to invoke it and sorting out where the various files are stored is an interesting but time-consuming exercise, so I was looking for a shortcut. Can you point me at where the Let's Encrypt/acme.sh plugin is stored? I can probably pick up the details from that.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: Alphakilo on September 19, 2019, 06:35:59 pm
Try creating a new account and certificate in the plugin. This starts registration on the Production environment.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: aschaapherder on September 20, 2019, 09:04:22 am
Thanks, I did that as well as part of my troubleshooting. Completely different account, same issue.

I think I'll remove the Let's Encrypt plugin, check for any leftover files, reinstall and start from scratch. The proxy works fine as far as I can tell. If that doesn't help I'll blow away HAProxy as well.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: aschaapherder on December 07, 2019, 10:30:13 pm
Just to report back. I tried many things but for reasons unknown to me I never got the certificate renewal working again.

I sort of gave up for now. I built a FreeBSD jail on another host, installed Caddy and (after figuring out how to get it started with config files in the correct locations) I just added all my sites to it. Certificates created on the fly, in the background, and it just works.

For now, I am happy. I will probably give it a try in the near future but for now, I am done.

Edit/addition: I do not have issues with Wordpress either (difficulty between http and https) as I did with HAProxy.
Title: Re: HAProxy and Let's Encrypt stopped working when I switched to Production (LE)
Post by: cleverson on May 05, 2020, 07:53:53 am
Hi, I have the same issue... I set up my system using the LE Staging environment and it works as expected. But when I switch it to the LE Production environment I receive a message showing that the process failed to create the certificates. I would appreciate it if someone could help me and give me some directions.