OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Taomyn on March 30, 2018, 11:50:32 am

Title: Unable to renew any LE certificates
Post by: Taomyn on March 30, 2018, 11:50:32 am
OPNsense 18.1.5, I've discovered that Let's Encrypt is unable to renew any of my certificates. I saw this at first:


Code:
[Fri Mar 30 00:00:01 CEST 2018] DOMAIN_PATH='/var/etc/acme-client/home/desktopcentral.star-one.co.uk'
[Fri Mar 30 00:00:01 CEST 2018] Renew: 'desktopcentral.star-one.co.uk'
[Fri Mar 30 00:00:01 CEST 2018] 'desktopcentral.star-one.co.uk' is not a issued domain, skip.


So I tried to force a renewal:

Code:

[Fri Mar 30 10:59:54 CEST 2018] DOMAIN_PATH='/var/etc/acme-client/home/desktopcentral.star-one.co.uk'
[Fri Mar 30 10:59:54 CEST 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar 30 10:59:54 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar 30 10:59:54 CEST 2018] GET
[Fri Mar 30 10:59:54 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar 30 10:59:54 CEST 2018] timeout=
[Fri Mar 30 10:59:54 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Fri Mar 30 10:59:55 CEST 2018] ret='0'
[Fri Mar 30 10:59:55 CEST 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Fri Mar 30 10:59:55 CEST 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Fri Mar 30 10:59:55 CEST 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Fri Mar 30 10:59:55 CEST 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Fri Mar 30 10:59:55 CEST 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Fri Mar 30 10:59:55 CEST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Mar 30 10:59:55 CEST 2018] ACME_NEW_NONCE
[Fri Mar 30 10:59:55 CEST 2018] ACME_VERSION
[Fri Mar 30 10:59:55 CEST 2018] _on_before_issue
[Fri Mar 30 10:59:55 CEST 2018] Le_LocalAddress
[Fri Mar 30 10:59:55 CEST 2018] Check for domain='desktopcentral.star-one.co.uk'
[Fri Mar 30 10:59:55 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Fri Mar 30 10:59:55 CEST 2018] config file is empty, can not read CA_KEY_HASH
[Fri Mar 30 10:59:55 CEST 2018] Using config home:/var/etc/acme-client/home
[Fri Mar 30 10:59:55 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar 30 10:59:55 CEST 2018] RSA key
[Fri Mar 30 10:59:57 CEST 2018] Registering account
[Fri Mar 30 10:59:57 CEST 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Fri Mar 30 10:59:57 CEST 2018] payload='{"resource": "new-reg", "contact": ["mailto: hostmaster@star-one.co.uk"], "terms-of-service-agreed": true, "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
[Fri Mar 30 10:59:57 CEST 2018] GET
[Fri Mar 30 10:59:57 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar 30 10:59:57 CEST 2018] timeout=
[Fri Mar 30 10:59:57 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Fri Mar 30 10:59:57 CEST 2018] ret='0'
[Fri Mar 30 10:59:57 CEST 2018] POST
[Fri Mar 30 10:59:57 CEST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Fri Mar 30 10:59:57 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Fri Mar 30 10:59:58 CEST 2018] _ret='0'
[Fri Mar 30 10:59:58 CEST 2018] code='409'
[Fri Mar 30 10:59:58 CEST 2018] Already registered
[Fri Mar 30 10:59:58 CEST 2018] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/10864101'
[Fri Mar 30 10:59:58 CEST 2018] Calc CA_KEY_HASH='gh+Pc2wjEDPcvWkaGeAhpsmb6h7ZNvWmT6sDFmSxtHE='
[Fri Mar 30 10:59:58 CEST 2018] ACCOUNT_THUMBPRINT='yULtRNhXXR-G2i55GYuqH5Wy4bLFdPU_xOBiAO544JA'
[Fri Mar 30 10:59:58 CEST 2018] _on_issue_err
[Fri Mar 30 10:59:58 CEST 2018] Please check log file for more details: /var/log/acme.sh.log


I also tried the "Issue/Renew Certificates Now" button on the GUI:

Code:
[Fri Mar 30 11:25:03 CEST 2018] DOMAIN_PATH='/var/etc/acme-client/home/desktopcentral.star-one.co.uk'
[Fri Mar 30 11:25:03 CEST 2018] Renew: 'desktopcentral.star-one.co.uk'
[Fri Mar 30 11:25:03 CEST 2018] Using config home:/var/etc/acme-client/home
[Fri Mar 30 11:25:03 CEST 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar 30 11:25:03 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar 30 11:25:03 CEST 2018] GET
[Fri Mar 30 11:25:03 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar 30 11:25:03 CEST 2018] timeout=
[Fri Mar 30 11:25:03 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
[Fri Mar 30 11:25:03 CEST 2018] ret='0'
[Fri Mar 30 11:25:03 CEST 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Fri Mar 30 11:25:03 CEST 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Fri Mar 30 11:25:03 CEST 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Fri Mar 30 11:25:03 CEST 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Fri Mar 30 11:25:03 CEST 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Fri Mar 30 11:25:03 CEST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Mar 30 11:25:03 CEST 2018] ACME_NEW_NONCE
[Fri Mar 30 11:25:03 CEST 2018] ACME_VERSION
[Fri Mar 30 11:25:03 CEST 2018] Le_NextRenewTime
[Fri Mar 30 11:25:04 CEST 2018] _on_before_issue
[Fri Mar 30 11:25:04 CEST 2018] Le_LocalAddress
[Fri Mar 30 11:25:04 CEST 2018] Check for domain='desktopcentral.star-one.co.uk'
[Fri Mar 30 11:25:04 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Fri Mar 30 11:25:04 CEST 2018] _saved_account_key_hash is not changed, skip register account.
[Fri Mar 30 11:25:04 CEST 2018] Read key length:
[Fri Mar 30 11:25:04 CEST 2018] Creating domain key
[Fri Mar 30 11:25:04 CEST 2018] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Fri Mar 30 11:25:04 CEST 2018] Using config home:/var/etc/acme-client/home
[Fri Mar 30 11:25:04 CEST 2018] Use length 2048
[Fri Mar 30 11:25:04 CEST 2018] Using RSA: 2048
[Fri Mar 30 11:25:04 CEST 2018] The domain key is here: /var/etc/acme-client/home/desktopcentral.star-one.co.uk/desktopcentral.star-one.co.uk.key
[Fri Mar 30 11:25:04 CEST 2018] Create domain key error.
[Fri Mar 30 11:25:04 CEST 2018] pid
[Fri Mar 30 11:25:04 CEST 2018] No need to restore nginx, skip.
[Fri Mar 30 11:25:04 CEST 2018] _clearupdns
[Fri Mar 30 11:25:04 CEST 2018] skip dns.
[Fri Mar 30 11:25:04 CEST 2018] _on_issue_err
[Fri Mar 30 11:25:04 CEST 2018] Please check log file for more details: /var/log/acme.sh.log


I have also seen this in the system log:
Code:
Mar 30 11:29:33 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: unable to import certificate: desktopcentral.star-one.co.uk
Mar 30 11:29:33 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: unable to import certificate, file not found: /var/etc/acme-client/certs/58c6600191ceb1.19502018/cert.pem
Mar 30 11:29:33 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: desktopcentral.star-one.co.uk
Mar 30 11:29:31 configd.py: [e0b3f07a-28d5-4bb9-b2b0-967888e9afac] refresh url table aliases
Mar 30 11:29:31 configd.py: generate template container OPNsense/Filter
Mar 30 11:29:28 configd.py: [6d5c1cc7-8088-4120-9ad8-23a9b84bf174] generate template OPNsense/Filter
Mar 30 11:29:26 configd.py: [ca05e60e-a485-4f42-a014-7bdcedbb1e5a] Reloading filter
Mar 30 11:29:15 configd.py: [444048aa-4177-4718-baee-1db5fc3bae5d] cronjob running to sign or renew certificates


Any ideas what is going on? Many of my certificates expire soon so I need to fix it.

Title: Re: Unable to renew any LE certificates
Post by: Taomyn on March 30, 2018, 01:11:47 pm
Just noticed the console requesting to report an issue, which I did, but it could be related to my issue here:

Code:
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
FreeBSD 11.1-RELEASE-p8  76d691b36(stable/18.1)
OPNsense 18.1.5-57287f86d [18.1.4-4af180a98] LibreSSL 2.6.4 (amd64)
Plugins os-acme-client-1.13 os-haproxy-2.6 os-monit-1.6 os-smart-1.2 os-upnp-1.2
Time Fri, 30 Mar 2018 13:08:40 +0200




[28-Mar-2018 00:00:08 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[29-Mar-2018 00:00:08 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[30-Mar-2018 00:00:08 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[30-Mar-2018 11:25:10 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[30-Mar-2018 11:29:33 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[30-Mar-2018 11:30:57 Europe/Luxembourg] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122