19.7 Legacy Series / Trouble with letsencrypt - certificate verified in logs but pending/failed in UI
« on: November 14, 2019, 01:58:59 am »
Banging my head against the wall here.
A new certificate in the UI shows pending/failed for this cert but it shows as validated and installed in the logs...
VERSION INFO:
Code:
OPNsense 19.7.6-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019
IMAGE:(scroll right to see the whole image)
TEXT:
Code:
www.example.com pending validation failed 2019-11-13, 4:42:17 PM
But the log shows that it is being issued, validated and installed.
LOGS:
Code:
[Wed Nov 13 19:42:13 EST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Nov 13 19:42:13 EST 2019] DOMAIN_PATH='/var/etc/acme-client/home/www.example.com'
[Wed Nov 13 19:42:13 EST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 13 19:42:13 EST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 13 19:42:13 EST 2019] GET
[Wed Nov 13 19:42:13 EST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Nov 13 19:42:13 EST 2019] timeout=
[Wed Nov 13 19:42:13 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Wed Nov 13 19:42:13 EST 2019] ret='0'
[Wed Nov 13 19:42:13 EST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_AUTHZ
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Nov 13 19:42:13 EST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Nov 13 19:42:13 EST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Nov 13 19:42:13 EST 2019] ACME_VERSION='2'
[Wed Nov 13 19:42:13 EST 2019] Le_NextRenewTime='1578789378'
[Wed Nov 13 19:42:13 EST 2019] _on_before_issue
[Wed Nov 13 19:42:13 EST 2019] _chk_main_domain='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] _chk_alt_domains
[Wed Nov 13 19:42:13 EST 2019] Le_LocalAddress
[Wed Nov 13 19:42:13 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] Check for domain='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] _currentRoot='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:13 EST 2019] d
[Wed Nov 13 19:42:13 EST 2019] _saved_account_key_hash is not changed, skip register account.
[Wed Nov 13 19:42:13 EST 2019] Signing from existing CSR.
[Wed Nov 13 19:42:13 EST 2019] Getting domain auth token for each domain
[Wed Nov 13 19:42:13 EST 2019] d
[Wed Nov 13 19:42:13 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:13 EST 2019] payload='{"identifiers": [{"type":"dns","value":"www.example.com"}]}'
[Wed Nov 13 19:42:13 EST 2019] RSA key
[Wed Nov 13 19:42:14 EST 2019] HEAD
[Wed Nov 13 19:42:14 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Nov 13 19:42:14 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g -I '
[Wed Nov 13 19:42:14 EST 2019] _ret='0'
[Wed Nov 13 19:42:14 EST 2019] POST
[Wed Nov 13 19:42:14 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:14 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Wed Nov 13 19:42:15 EST 2019] _ret='0'
[Wed Nov 13 19:42:15 EST 2019] code='201'
[Wed Nov 13 19:42:15 EST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/1227092248'
[Wed Nov 13 19:42:15 EST 2019] payload
[Wed Nov 13 19:42:15 EST 2019] POST
[Wed Nov 13 19:42:15 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/1227092248'
[Wed Nov 13 19:42:15 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Wed Nov 13 19:42:15 EST 2019] _ret='0'
[Wed Nov 13 19:42:15 EST 2019] code='200'
[Wed Nov 13 19:42:15 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] Getting webroot for domain='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] _w='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] _currentRoot='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] entry='"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA","token":"Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE","validationRecord":[{"url":"http://www.example.com/.well-known/acme-challenge/Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE","hostname":"www.example.com","port":"80","addressesResolved":["xxx.xxx.xxx.xxx"],"addressUsed":"xxx.xxx.xxx.xxx"'
[Wed Nov 13 19:42:15 EST 2019] token='Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE'
[Wed Nov 13 19:42:15 EST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA'
[Wed Nov 13 19:42:15 EST 2019] keyauthorization='Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE.82BCX5MHm5ak1HPtihc6YXMZscPcc8Zo5kxRP8MYn5Y'
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified.
[Wed Nov 13 19:42:15 EST 2019] keyauthorization='verified_ok'
[Wed Nov 13 19:42:15 EST 2019] dvlist='www.example.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA#http-01#/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] d
[Wed Nov 13 19:42:15 EST 2019] vlist='www.example.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA#http-01#/var/etc/acme-client/challenges,'
[Wed Nov 13 19:42:15 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified, skip http-01.
[Wed Nov 13 19:42:15 EST 2019] ok, let's start to verify
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified, skip http-01.
[Wed Nov 13 19:42:15 EST 2019] pid
[Wed Nov 13 19:42:15 EST 2019] No need to restore nginx, skip.
[Wed Nov 13 19:42:15 EST 2019] _clearupdns
[Wed Nov 13 19:42:15 EST 2019] dns_entries
[Wed Nov 13 19:42:15 EST 2019] skip dns.
[Wed Nov 13 19:42:15 EST 2019] Verify finished, start to sign.
[Wed Nov 13 19:42:15 EST 2019] i='2'
[Wed Nov 13 19:42:15 EST 2019] j='26'
[Wed Nov 13 19:42:15 EST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997
[Wed Nov 13 19:42:15 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] payload='{"csr": "MIIEnzCCAocCAQAwHTEbMBkGA1UEAwwSZ2l0LmFidXNlLml3ZWIuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzZIOKqZtLqlPDX3eQ-y2BFHVNUhwbYm4yegPUJB9r-UgzG7JbpZUXPWNv9xii15OIjF9rYESOQb7XelJEqpp11gm2XB56tgVdmdr4yE8_WpZYC-f7FQbli5KTP_j8-hlfRu3rRhrV7RJkbMeKe5OpvwF6ZvLQ9KqdakHqh4dUQGZMFXD1a29UMdycRoOwk4APd3Eqb8Ze0lIDy-Z5LXlyY0ZjFjutzjSSVlRqsDSFV_nhu2Z2B9MejUtdUnTGgR7nSiNQIyBOutZZxoUdDcz7HPeyDoc2J0WOr2j_OXE3Gb9onhMWW2FzbFh6rKJ21Y9aCClM9ZflgudmKBdJ--gV4gTvkne4SVN7AXQbczg9pmPp9qsUOg2jUMAmhm_0X7ksVVOw6zBvesxeMtkCtO2GzBhLJX3Zm81NJ_MlFdlAqzvsN48ExsxU4Y-GO4PkMuduBRD_wX-7XrfccNF0ddMNMDiGyMXefHeK7WjDd79ozuYWUgNzKkz_VPPZmP6UHdqYaixB2BfKvGi2PKFBOo6YqgmmOrY4qGs0VWfZx68UXabF3GGe4BwjVcAStZtnYn3qpGnJsX0AP0PBX8q7DfXUS_nJygY650xe-NYUcA6U0f8E3yJB8tvhZ_b9Wo1h53yDJIkvA5AR-znpMsRdI0Vco_5qvm7XNm7a2P9g_rqhjMCAwEAAaA9MDsGCSqGSIb3DQEJDjEuMCwwCwYDVR0PBAQDAgXgMB0GA1UdEQQWMBSCEmdpdC5hYnVzZS5pd2ViLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAuhtZIld6L-drIcZI_pzj7Sn7QfBxeMcJhnQxxcz5yU-Ea2f4_XmUdhG5jmZ8weAE3ZP-L4wdonae4J71ESfk92Vri1Y_EUW3P6goE4tPUpKCr5B-UmVpYcQa64-fNCw9j1oyJHKvdbooVsdmGSdVaqR_kcl2EF5zynVfgAa7TPUwS--1uA8xRqPFLFTTL4QpnWw0zndTXIw1yen95UQvWVKnIMFVP6YUD13tzY0kIM__WxJ_gJy7agJ5EgHe0P99tY2TOUTJoeFndYf_W4vNDAu8BaVJGA5ubqLGbXCPXtZTN7-_TWERZ6HrJioCeUgBUNQ--WNjvmv52CfPqX24FO0dObA_PmnxLpv_V2AgLYOjGfJHTGISt0g43THdyS9IeHuTxy1ig9-vXQ-azaeuFZIdX4ppJUpLRqJBpThyA8TXI1igQoZ6L0LCkP2JSMPupiE7v7eGMeJ-VJ1TVqXQGbGdb-po1FxF9otVWEq1ziZjDjGb99gf9h6iIk-SUW4996dGfiqOlYKsCaAsoMpt2nEdkXjyBx0fPlUhcvj4uyZ4LaKxYa8rHvUGe8zi-SoWNGYbW1X-89mhjeoxBi5J3mpKRHy5b7-225SOpxN0BXMeYakKSjsRMocQgityOl-m1BGqnZq0ArDFrVSbMJCe_wvGSLsZehuew0ODRPYkzHc"}'
[Wed Nov 13 19:42:15 EST 2019] POST
[Wed Nov 13 19:42:15 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Wed Nov 13 19:42:16 EST 2019] _ret='0'
[Wed Nov 13 19:42:16 EST 2019] code='200'
[Wed Nov 13 19:42:16 EST 2019] Order status is valid.
[Wed Nov 13 19:42:16 EST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f
[Wed Nov 13 19:42:16 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] payload
[Wed Nov 13 19:42:16 EST 2019] POST
[Wed Nov 13 19:42:16 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Wed Nov 13 19:42:16 EST 2019] _ret='0'
[Wed Nov 13 19:42:16 EST 2019] code='200'
[Wed Nov 13 19:42:16 EST 2019] Found cert chain
[Wed Nov 13 19:42:16 EST 2019] _end_n='36'
[Wed Nov 13 19:42:16 EST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] Cert success.
[Wed Nov 13 19:42:16 EST 2019] Your cert is in /var/etc/acme-client/home/www.example.com/www.example.com.cer
[Wed Nov 13 19:42:16 EST 2019] v2 chain.
[Wed Nov 13 19:42:16 EST 2019] The intermediate CA cert is in /var/etc/acme-client/home/www.example.com/ca.cer
[Wed Nov 13 19:42:16 EST 2019] And the full chain certs is there: /var/etc/acme-client/home/www.example.com/fullchain.cer
[Wed Nov 13 19:42:17 EST 2019] Installing cert to:/var/etc/acme-client/certs/5dcc88dd2fce17.31790163/cert.pem
[Wed Nov 13 19:42:17 EST 2019] Installing CA to:/var/etc/acme-client/certs/5dcc88dd2fce17.31790163/chain.pem
[Wed Nov 13 19:42:17 EST 2019] Installing key to:/var/etc/acme-client/keys/5dcc88dd2fce17.31790163/private.key
Any idea what I can do here to make it show up properly in the UI? I also need to actually use the certificate in HAProxy, but it's not selectable.
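
An added example, not part of the original post and not OPNsense or acme.sh code: a shell helper that summarises the milestones an acme.sh debug log like the one above records and checks that the files it reports installing exist, so the client-side result can be compared with the status the UI shows. `SAMPLE_LOG` is constructed from message strings in the post with a placeholder directory ID, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample, modelled on the log lines in the post (EXAMPLE-ID is a placeholder).
SAMPLE_LOG='[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified, skip http-01.
[Wed Nov 13 19:42:16 EST 2019] Order status is valid.
[Wed Nov 13 19:42:16 EST 2019] Cert success.
[Wed Nov 13 19:42:17 EST 2019] Installing cert to:/var/etc/acme-client/certs/EXAMPLE-ID/cert.pem
[Wed Nov 13 19:42:17 EST 2019] Installing CA to:/var/etc/acme-client/certs/EXAMPLE-ID/chain.pem
[Wed Nov 13 19:42:17 EST 2019] Installing key to:/var/etc/acme-client/keys/EXAMPLE-ID/private.key'

# acme_log_summary: read a log on stdin, print one key=value line per milestone.
acme_log_summary() {
    awk '
        / is already verified/    { validated = 1 }
        /Order status is valid\./ { order = 1 }
        /Cert success\./          { issued = 1 }
        /Installing cert to:/     { sub(/.*Installing cert to:/, ""); cert = $0 }
        /Installing CA to:/       { sub(/.*Installing CA to:/, "");   chain = $0 }
        /Installing key to:/      { sub(/.*Installing key to:/, "");  key = $0 }
        END {
            print "validated="   (validated ? "yes" : "no")
            print "order_valid=" (order ? "yes" : "no")
            print "cert_issued=" (issued ? "yes" : "no")
            print "cert_path="   cert
            print "chain_path="  chain
            print "key_path="    key
        }'
}

# summary_get KEY: pull one value out of a summary read on stdin.
summary_get() { sed -n "s/^$1=//p"; }

# installed_files_ok [ROOT]: read a summary on stdin and succeed only if every
# installed path exists and is non-empty. ROOT (default empty) is prepended to
# each path so the check can also run against a copied or mounted filesystem.
installed_files_ok() {
    root=${1:-}
    summary=$(cat)
    for k in cert_path chain_path key_path; do
        p=$(printf '%s\n' "$summary" | summary_get "$k")
        [ -n "$p" ] && [ -s "$root$p" ] || { echo "missing: $k ($root$p)" >&2; return 1; }
    done
}

# Stand-alone run: show the summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | acme_log_summary
```

On a real system the log file would be piped into `acme_log_summary`, and its output into `installed_files_ok`.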