OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: DanMc85 on February 05, 2018, 01:38:40 pm

Title: ACME - Let's Encrypt Client Certs
Post by: DanMc85 on February 05, 2018, 01:38:40 pm

Has anyone else on 18.1 had issues issuing Let's Encrypt certs using the ACME plugin with the HTTP challenge type?

First I had to change my OPNsense firewall HTTPS port from a custom one back to 443.
Then I originally had a multi-domain (SAN) cert filled out with a few subdomains.

Whenever I issued the cert, it would fail validation.
However, when I edited the cert to be just the main domain with no SANs, it completed successfully.
I never had this issue before and always had a full multi-domain cert on prior releases.


Notes: All the subdomains are just CNAME entries pointing to the main domain IP to resolve through DNS.

Title: Re: ACME - Let's Encrypt Client Certs
Post by: elektroinside on February 06, 2018, 12:36:40 am
There's an issue with the plugin, but it is getting fixed soon :) Basically, it needs an upgrade. And if I'm not mistaken, the next version will also support wildcard certs :)

Title: Re: ACME - Let's Encrypt Client Certs
Post by: DanMc85 on February 06, 2018, 04:56:19 am
Nice find...

I just did a search and found this article which confirms what you said:
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Looks like wildcard will only support DNS validation instead of HTTPS validation for issuing cert.

I use Google Domains, so it would be nice to see API support added... or the ability to generate and manually add a TXT DNS record for validation purposes, which the regular ACME client supports but the OPNsense GUI does not appear to.
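
The two posts above touch the same mechanism: every name in a multi-domain (SAN) order gets its own challenge, and the order only succeeds if all of them validate, while a wildcard name can only be validated with the DNS challenge (a TXT record at _acme-challenge.<domain>). The script below is an added example, not code from the OPNsense ACME plugin or from anyone in this thread. Given a list of SAN names it computes, per name, what the CA will fetch for http-01 or look up for dns-01, following RFC 8555 (key authorization = token.thumbprint) and RFC 7638 (JWK thumbprint). The account JWK coordinates, the tokens and the example.com host names are constructed placeholders; a real client uses the account key it registered with the CA and the tokens the CA returns in each challenge.

```python
"""Per-name ACME challenge plan for a multi-domain (SAN) order.

Added example; not code from the OPNsense ACME plugin or from this thread.
The account key, tokens and host names below are constructed placeholders.
"""
import base64
import hashlib
import json

# Constructed sample ACME account key (public JWK).  A real client uses the
# key it registered with the CA; the x/y coordinates here are arbitrary.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",   # not part of the RFC 7638 thumbprint
    "kid": "acct-1",  # not part of the RFC 7638 thumbprint
}

# Constructed challenge tokens: the CA issues one per identifier in the order.
SAMPLE_TOKENS = {
    "example.com": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    "www.example.com": "DGyRejmCefe7v4NfDGDKfA",
    "vpn.example.com": "8vB1kxsf7ZGzV_5LZLnDqQ",
    "*.example.com": "Q4Xxo3mBQZ9Ca0mZnQdP-w",
}

# RFC 7638: only these members, sorted lexicographically, go into the thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the minimal, whitespace-free,
    key-sorted JSON of the required public members only."""
    required = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(name: str, token: str, jwk: dict) -> dict:
    """What the CA fetches for http-01.  Validation starts on port 80 and
    follows redirects (e.g. to 443); a wildcard cannot be validated this way."""
    if name.startswith("*."):
        raise ValueError(f"{name}: wildcard names cannot use http-01, use dns-01")
    return {
        "url": f"http://{name}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_record(name: str, token: str, jwk: dict) -> dict:
    """TXT record the CA looks up for dns-01.  For '*.example.com' the record
    lives at _acme-challenge.example.com; the CA resolves that name normally,
    so a CNAME at _acme-challenge.<host> pointing elsewhere is followed."""
    base = name[2:] if name.startswith("*.") else name
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"record": f"_acme-challenge.{base}", "type": "TXT", "value": b64url(digest)}


def plan_challenges(names, tokens: dict, jwk: dict, challenge: str = "http-01") -> list:
    """One entry per SAN name.  Every identifier in an order must validate, so
    a single name that cannot (here: a wildcard under http-01) yields an
    'error' entry and, in practice, fails the whole multi-domain order."""
    if challenge not in ("http-01", "dns-01"):
        raise ValueError(f"unsupported challenge type {challenge!r}")
    plan = []
    for name in names:
        try:
            if challenge == "http-01":
                entry = http01_response(name, tokens[name], jwk)
            else:
                entry = dns01_record(name, tokens[name], jwk)
            plan.append({"name": name, **entry})
        except ValueError as exc:
            plan.append({"name": name, "error": str(exc)})
    return plan


if __name__ == "__main__":
    for kind in ("http-01", "dns-01"):
        print(f"== {kind} ==")
        for entry in plan_challenges(SAMPLE_TOKENS, SAMPLE_TOKENS, SAMPLE_ACCOUNT_JWK, kind):
            print(json.dumps(entry))
```

Running it prints the URL and body the CA expects for each non-wildcard name, an error entry for the wildcard under http-01, and the `_acme-challenge` TXT name and value for every name under dns-01. Before issuing a SAN cert from the firewall, checking that each http-01 URL is actually reachable from the outside on port 80 (redirects to 443 are fine) for every subdomain, not just the main one, is the quickest way to find the name that is failing the whole order.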

Title: Re: ACME - Let's Encrypt Client Certs
Post by: elektroinside on February 06, 2018, 08:14:55 am
Please request your needed feature here: https://github.com/opnsense/plugins/issues
Thanks