OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Steve79 on November 30, 2021, 11:43:46 am

Title: [SOLVED] ACME client does not auto renew LE certs anymore (30 days to invalid)
Post by: Steve79 on November 30, 2021, 11:43:46 am
Hey guys,

I am out of ideas how to fix or debug a problem I currently face with my acme client and LE cert setup. I have several LE certs, which were usually updated by the acme client automation in case they had 30 days or less until they would become invalid. But currently this process seems somehow broken, because the acme client automation runs from cron like it's supposed to, but the acme client does not renew those certs anymore and only reports to syslog:

Code:
AcmeClient: issue/renewal not required for certificate: *my-cert-name*
Regardless, this cert is well below the usual 30 days according to System/Trust:

Code:
Valid Until: Tue, 14 Dec 2021 22:05:28 +0100
I tried setting the debug level on the acme client, but this doesn't seem to affect the syslog behavior of the plugin. Forcefully renewing a cert does still work. So, I don't know where to look anymore. Did the 30-day threshold change? I would rather not test it by waiting until my certs expire.

Does anyone have a clue?

Thank you in advance, Steve

[SOLVED]
It has been fixed by freanki with these patches:

https://github.com/opnsense/plugins/issues/2721#issuecomment-1005589449

Thanks to everybody helping and freanki for fixing this!
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: opn_nwo on November 30, 2021, 02:31:21 pm
I can also confirm this. Yesterday I had to manually renew my cert and restart the webgui. Some of the recent updates must have broken something.
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: KHE on November 30, 2021, 03:35:41 pm
My cert got renewed automatically yesterday, but all existing automations are broken.
You need to reset the type in the configuration of the automations. All settings and credentials are still there, if you select the correct type. I have no idea which version broke it, the last time it got used was on September 30th.

But for the cron job, I would check the settings and maybe disable, save and then enable it again. Maybe this fixes something. If not, then delete and create it again.

KH
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: KHE on December 01, 2021, 03:00:30 pm
Ok, all my certificates were updated, but the sftp automation was not working.

To fix use:
Code:
opnsense-patch -c plugins 57ada90e890832b67ad93f54bed2ee26bde4b669
Issue in github (https://github.com/opnsense/plugins/issues/2671#issuecomment-982047655)
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: Steve79 on December 02, 2021, 07:46:14 am
@opn_nwo
Thank you for confirming this behavior. Makes me think, this is not (only) a configuration error on my side.

@KHE
Thanks for your reply as well, although you seem to have had a totally different problem, since we don't get auto renew to begin with. I found the sftp upload automation fix too, but sftp upload is not used on my side. Therefore installing the patch did not resolve my problem, as expected.

I think I will try some more debugging with my limited knowledge and then submit a bug report if I can't find a solution.
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: abulafia on December 02, 2021, 02:27:40 pm
Note: under the new 21.7.6, all automations are being reset to "restart GUI".
Title: Re: ACME client does not auto renew LE certs anymore (30 days before invalid)
Post by: Steve79 on December 27, 2021, 01:22:49 pm
This behavior seems to be caused by the re-import implementation as reported here:

https://github.com/opnsense/plugins/issues/2721

Renewal calculates 60 days from the import date instead of the issue date of the certificate.

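The post above describes the root cause: the renewal check counted 60 days from the date the certificate was (re)imported rather than from the certificate's own issue date, so a certificate that was already inside its last 30 days could still be logged as "issue/renewal not required". The following script is an added illustration of that logic, not code from the OPNsense acme plugin. It parses the `notBefore`/`notAfter` lines in the format printed by `openssl x509 -noout -dates`, and evaluates the renewal decision both ways. The 60-day threshold and the sample import date (26 Oct 2021) are assumptions chosen to reproduce the situation in the thread; the certificate dates are constructed to match the "Valid Until: 14 Dec 2021" value quoted in the first post.

```python
"""Renewal-threshold check for a 90-day Let's Encrypt certificate.

Added example (not the OPNsense acme plugin's code). Compares the correct
decision (based on the certificate's notBefore) with the faulty one
(based on the date the certificate was imported into the trust store).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `openssl x509 -noout -dates`.
# Matches the thread: valid until Tue, 14 Dec 2021 22:05:28 +0100 (21:05:28 GMT),
# issued 90 days earlier.
SAMPLE_DATES = """notBefore=Sep 15 21:05:28 2021 GMT
notAfter=Dec 14 21:05:28 2021 GMT
"""

# Assumption: renew once 60 of the 90 days have elapsed (30 days remaining).
RENEW_AFTER_DAYS = 60

# Assumption: the moment the cron job ran, taken from the first post's timestamp.
CHECK_TIME = datetime(2021, 11, 30, 11, 43, tzinfo=timezone.utc)

# Assumption: hypothetical date on which the certificate was re-imported.
IMPORT_DATE = datetime(2021, 10, 26, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes.

    Accepts the `notBefore=...` / `notAfter=...` lines that
    `openssl x509 -noout -dates` prints (single-digit days are space padded,
    which strptime tolerates).
    """
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("missing notBefore/notAfter in input")
    return found["notBefore"], found["notAfter"]


def days_remaining(not_after, now):
    """Whole days until the certificate expires (negative once expired)."""
    return (not_after - now).days


def renewal_due(reference_date, now, threshold_days=RENEW_AFTER_DAYS):
    """Renewal is due once `threshold_days` have passed since reference_date."""
    return now >= reference_date + timedelta(days=threshold_days)


def compare(dates_text, import_date, now):
    """Evaluate the renewal decision from the issue date and from the import date."""
    not_before, not_after = parse_openssl_dates(dates_text)
    return {
        "days_remaining": days_remaining(not_after, now),
        "due_by_issue_date": renewal_due(not_before, now),
        "due_by_import_date": renewal_due(import_date, now),
    }


def example():
    """Run the comparison on the constructed sample."""
    return compare(SAMPLE_DATES, IMPORT_DATE, CHECK_TIME)


if __name__ == "__main__":
    result = example()
    print(f"days remaining: {result['days_remaining']}")
    # Correct logic: 60 days since 15 Sep passed on 14 Nov -> renewal due.
    print(f"due (issue date):  {result['due_by_issue_date']}")
    # Faulty logic: 60 days since the 26 Oct import is 25 Dec, after expiry,
    # so the check reports "not required" while only 14 days remain.
    print(f"due (import date): {result['due_by_import_date']}")
```

With the constructed dates the issue-date calculation reports renewal as due while the import-date calculation reports it as not due, which is exactly the "issue/renewal not required" log line the first post quotes. To check a real certificate, feed `openssl x509 -in cert.pem -noout -dates` output to `parse_openssl_dates` and compare `days_remaining` against the 30 days the plugin is expected to renew at.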