OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: elektroinside on February 02, 2018, 01:16:14 pm

Title: 18.1.1 & acme client
Post by: elektroinside on February 02, 2018, 01:16:14 pm
Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'
Title: Re: 18.1.1 & acme client
Post by: franco on February 02, 2018, 01:20:59 pm
Still not quite, have to ask Frank on the status... acme.sh was updated, but did not fix this (expectations that it would were not clear anyway, at least that is what one user reported testing it).


Cheers,
Franco
Title: Re: 18.1.1 & acme client
Post by: elektroinside on February 02, 2018, 01:24:00 pm
Okay Franco,

Thank you!
Title: Re: 18.1.1 & acme client
Post by: bigops on February 02, 2018, 04:47:45 pm
I have always found the ACME client to be a pain to use, especially when you have to renew a certificate and you are using DNS validation. ZeroSSL is much easier to use, and then to import the certificate.
Title: Re: 18.1.1 & acme client
Post by: fraenki on February 02, 2018, 10:23:34 pm
Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'

I've been pretty sure that acme.sh 2.7.5 would fix this error:
https://github.com/opnsense/plugins/issues/470

Apparently I was wrong. It will not be fixed until acme.sh 2.7.6 is released. I'll reopen this issue.


Regards
- Frank
Title: Re: 18.1.1 & acme client
Post by: elektroinside on February 02, 2018, 11:32:58 pm
No worries :)

Thank you.
Title: Re: 18.1.1 & acme client
Post by: eshield on February 03, 2018, 01:50:47 pm
Hello,

Some additional info to 400 tos error:
Quote
PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
Crash always happens after cert issue attempt.
Title: Re: 18.1.1 & acme client
Post by: franco on February 03, 2018, 03:41:18 pm
It's a cosmetic PHP issue since 7.0, ticket here....

https://github.com/opnsense/plugins/issues/333


Cheers,
Franco
Title: Re: 18.1.1 & acme client
Post by: elektroinside on February 11, 2018, 09:34:21 pm
I had enough of that agreement error so I "hacked" acme.sh to take the correct one.
I also needed to comment a validation because of a freak error, but it worked... got a new cert.
Title: Re: 18.1.1 & acme client
Post by: eshield on February 12, 2018, 03:01:08 pm
acme.sh 2.7.6 has been released 3 days ago, any ETA on LE package update?

Thanks.
Title: Re: 18.1.1 & acme client
Post by: franco on February 12, 2018, 03:36:13 pm
As soon as it hits FreeBSD as it is tested as it is shipped in OPNsense. :)


Cheers,
Franco
Title: Re: 18.1.1 & acme client
Post by: eshield on February 12, 2018, 03:42:58 pm
ouch! well, updated acme.sh by myself and everything works fine  :o
Title: Re: 18.1.1 & acme client
Post by: franco on February 12, 2018, 03:49:19 pm
Nice!  Will you share your solution with everyone? :)
Title: Re: 18.1.1 & acme client
Post by: eshield on February 12, 2018, 04:37:23 pm
Nice!  Will you share your solution with everyone? :)
There is no special magic involved. I just replaced /usr/local/sbin/acme.sh with a new one and set permissions to 0555 using WinSCP  :o
Title: Re: 18.1.1 & acme client
Post by: elektroinside on February 14, 2018, 10:28:56 am
Confirming it works (replacing with the new one) :)
No other hacks, just chmod 0555

FYI, without 0555, it will fail to validate this:

    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
      if ! createDomainKey "$_main_domain" "$_key_length"; then
        _err "Create domain key error."
        _clearup
        _on_issue_err "$_post_hook"
        return 1
      fi
    fi
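A check for a hand-replaced acme.sh along the lines of the posts above, added here as an example and not part of the thread: it fails unless the script is exactly mode 0555 (executable but not writable by anyone) and its embedded VER= line is at least the release that carries the new agreement URL. It assumes acme.sh keeps its version in a VER= line and uses stat -f on FreeBSD and stat -c on Linux.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity-check a manually replaced
# acme.sh: mode must be exactly 0555 (executable, never writable) and the
# VER= line must be at least the required release.

# Compare dotted versions: returns 0 if $1 >= $2, 1 otherwise.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i in x) ? x[i] + 0 : 0
            bi = (i in y) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Octal permission bits without the leading zero, e.g. "555".
file_mode() {
    case "$(uname)" in
        FreeBSD|Darwin) stat -f '%Lp' "$1" ;;   # BSD stat
        *)              stat -c '%a' "$1" ;;    # GNU stat
    esac
}

# check_acme_sh PATH MIN_VERSION
# Exit status: 0 OK, 1 missing file or wrong mode, 2 version too old.
check_acme_sh() {
    script="$1"; min_ver="$2"
    [ -f "$script" ] || { echo "$script: missing"; return 1; }
    mode=$(file_mode "$script")
    if [ "$mode" != "555" ]; then
        echo "$script: mode $mode, expected 0555"; return 1
    fi
    # Assumption: acme.sh stores its version in a top-level VER= line.
    ver=$(sed -n 's/^VER=//p' "$script" | head -n 1)
    if [ -z "$ver" ] || ! version_ge "$ver" "$min_ver"; then
        echo "$script: version '${ver:-unknown}' older than $min_ver"; return 2
    fi
    echo "$script: mode 0555, version $ver OK"
}

# Usage on an OPNsense box (path from the thread):
# check_acme_sh /usr/local/sbin/acme.sh 2.7.6
```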
Title: Re: 18.1.1 & acme client
Post by: dcol on February 14, 2018, 10:12:29 pm
So it's a permissions issue.

I would like to see someone (hint! hint!) write up a nice tutorial on using the acme client plugin to create certs.
Title: Re: 18.1.1 & acme client
Post by: TheWebWasher on February 15, 2018, 09:00:27 am
Does anybody know when the update for acme 2.6.7 (ETA on LE package) is coming ??
Title: Re: 18.1.1 & acme client
Post by: TheWebWasher on February 15, 2018, 09:12:47 am
Sorry 2.7.6 of course
Title: Re: 18.1.1 & acme client
Post by: franco on February 15, 2018, 10:03:14 am
I will ping the FreeBSD maintainer.
Title: Re: 18.1.1 & acme client
Post by: franco on February 16, 2018, 07:24:06 am
https://bsd.network/@dvl/99531493305337397
Title: Re: 18.1.1 & acme client
Post by: elektroinside on February 16, 2018, 08:10:13 am
Nice :) Thanks, Franco!
Title: Re: 18.1.1 & acme client
Post by: TheWebWasher on February 16, 2018, 09:49:45 am
Thanks Franco, how can we update the acme package ??
Title: Re: 18.1.1 & acme client
Post by: franco on February 16, 2018, 07:50:38 pm
# opnsense-code tools ports
# cd /usr/ports/sysutils/acme.sh
# make
# make deinstall
# make install

Will also be in 18.1.3, but that takes two more weeks.


Cheers,
Franco
Title: Re: 18.1.1 & acme client
Post by: TheWebWasher on February 16, 2018, 08:53:44 pm
Thank you, it works! In your description is a mistake

The correct directory is:

# cd /usr/ports/security/acme.sh

I am very excited about the quick answers here. Thank you to all the people!!
Title: Re: 18.1.1 & acme client
Post by: dcol on February 24, 2018, 08:31:00 pm
Can't get a cert issued. Log shows 'Create domain key error'
I can see the key file was created.

What am I doing wrong?
Title: Re: 18.1.1 & acme client
Post by: eshield on February 25, 2018, 01:40:12 pm
Can't get a cert issued. Log shows 'Create domain key error'
I can see the key file was created.

What am I doing wrong?
Well, um, bro, update your acme.sh script or wait for 8.1.3 in a week or so  8) How to?  :o This has been answered a few times some posts above  :-\
Title: Re: 18.1.1 & acme client
Post by: dcol on February 25, 2018, 06:21:19 pm
acme.sh was updated. This is not the reason.
Title: Re: 18.1.1 & acme client
Post by: BeNe on February 25, 2018, 06:49:32 pm
Quote
acme.sh was updated. This is not the reason.
Still Create domain key error ?

I did what franco posted:
# opnsense-code tools ports
# cd /usr/ports/sysutils/acme.sh
# make
# make deinstall
# make install
After that I deleted the certificates that were in a failed status and created them successfully again.
Title: Re: 18.1.1 & acme client
Post by: eshield on February 26, 2018, 10:57:19 am
acme.sh was updated. This is not the reason.
Well, there is only one thing left: your validation method fails. Personally, I always used a non-standard port for the GUI, so the HTTP-01 method never worked for me. I use DNS-01 with Hurricane Electric. I've configured 2 DigitalOcean droplets in a week and both work with the DNS-01 challenge and don't validate with HTTP-01.