Messages - aschaapherder

#1
Just to report back. I tried many things but for reasons unknown to me I never got the certificate renewal working again.

I sort of gave up for now. I built a FreeBSD jail on another host, installed Caddy and (after figuring out how to get it started with config files in the correct locations) I just added all my sites to it. Certificates created on the fly, in the background, and it just works.

For now, I am happy. I will probably give it a try in the near future but for now, I am done.

Edit/addition: I do not have issues with WordPress either (difficulty between http and https) as I did with HAProxy.
#2
Thanks, I did that as well as part of my troubleshooting. Completely different account, same issue.

I think I'll remove the Let's Encrypt plugin, check for any leftover files and reinstall and start from scratch. The proxy works fine as far as I can tell. If that doesn't help I'll blow away HAProxy as well.
#3
19.7 Legacy Series / Re: OpenVPN Setup on a single NIC?
September 19, 2019, 10:29:35 AM
My setup is simpler. I have 1194/UDP forwarded directly to the OPNSense LAN interface. OpenVPN is listening there. I believe I had to disable some NAT or firewall rule to get the packets to flow but I am not sure. Would have to set up a fresh one to compare. It was rather straightforward if I recall correctly. Might just be the default gateway as franco mentioned.
#4
Thanks :)

I did that of course. But sorting out how to invoke it and where the various files are stored is an interesting but time-consuming exercise, so I was looking for a shortcut. Can you point me at where the Let's Encrypt/acme.sh plugin is stored? I can probably pick up the details from that.
#5
Thanks! Happy to try that. Looking at the response of acme.sh ... Any suggestions where I can find how acme.sh is started from the plugin? In other words how the request is constructed? Can I learn that from the plugin?

I increased the log level of the LE plugin as well but that does not show me the command-line structure.
#6
Let me sketch the situation in the hope that someone has an idea or can point me in the right direction.

I have used Apache as reverse proxy with LE certificates for quite some time for several internally running websites. In an effort to make things less dependent on each other (reverse proxy was running on one of my websites) I decided to move the reverse proxy functionality to a separate machine running OPNsense. Note that OPNsense is running internally (LAN only) and provides DNS/DHCP and time services internally.

I set up HAProxy with Let's Encrypt as per this https://blog.bagro.se/lets-encrypt-with-haproxy-on-opnsense/. HAProxy is running fine and I initially configured a multi-domain certificate against the LE staging environment. Worked fine. But when I switched to the Production environment all I got was validation errors. Log shows
detail": "KeyID header contained an invalid account URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/123456789\"
(obviously that is not my account number).

No matter what I changed (different account, staging to prod etc., creating new certificates for the separate domains instead of a multi-domain cert), I always get this error.

Should I wipe the setup and start clean (I did this already once but did not properly record all the steps) and if so, is there a place where I should delete the files?

I have searched for many things, starting with opnsense - haproxy - lets encrypt - error but even if I widen the search I don't get much useful info.

Any pointers and/or suggestions are welcome, even pointing me to different solutions (preferably on OPNsense); I want a working reverse proxy with LE certs.
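An added example, not code from the post above or from the OPNsense acme.sh plugin: an ACME request is a JWS whose protected header names the account by its URL (the `kid`), and a CA endpoint only accepts account URLs it issued itself, so the check below compares the `kid` of a request against the directory the request is aimed at, which is one thing worth verifying after moving between the staging and production endpoints. The account URLs, nonce and request URL used here are constructed sample values.

```python
import base64
import json
from typing import Tuple
from urllib.parse import urlparse

# Public Let's Encrypt v2 directory endpoints.
LE_PROD_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING_DIRECTORY = "https://acme-staging-v02.api.letsencrypt.org/directory"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in JWS (RFC 7515)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_protected_header(kid: str, url: str, nonce: str) -> str:
    """Build the base64url 'protected' part of an ACME JWS the way a client does.

    This is a constructed sample header, not acme.sh's own code.
    """
    header = {"alg": "RS256", "kid": kid, "nonce": nonce, "url": url}
    return b64url_encode(json.dumps(header, separators=(",", ":")).encode())


def check_kid(protected_b64: str, directory_url: str) -> Tuple[bool, str]:
    """Return (ok, reason): does the kid belong to the CA endpoint in use?

    A kid minted by another endpoint (for example a staging account URL
    sent to production) is not an account URL that server issued, which
    is the condition behind 'KeyID header contained an invalid account URL'.
    """
    header = json.loads(b64url_decode(protected_b64))
    if "jwk" in header:
        # newAccount requests carry the public key itself; there is no kid yet.
        return True, "request carries a jwk, no account URL to check"
    kid = header.get("kid")
    if not kid:
        return False, "protected header has neither jwk nor kid"
    kid_url, dir_url = urlparse(kid), urlparse(directory_url)
    if kid_url.scheme != "https":
        return False, f"kid {kid} is not an https URL"
    if kid_url.netloc != dir_url.netloc:
        return False, f"kid {kid} was issued by {kid_url.netloc}, not {dir_url.netloc}"
    return True, f"kid {kid} belongs to {dir_url.netloc}"
```

Run it against the `kid` and `url` values taken from the client's own debug output to see which endpoint the stored account URL actually belongs to.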
#7
19.7 Legacy Series / Re: OpenVPN Setup on a single NIC?
September 16, 2019, 07:13:34 PM
If you use WAN only where do you "exit" OPNSense? Unless you stay inside the appliance ..

I have a setup running internally and I use LAN only. I use it for DNS/DHCP and I recently set up OpenVPN as well and I am currently setting up HAProxy with Let's Encrypt as a reverse proxy. Works very well.

Using the WAN interface means you have to start looking into firewall rules/NAT etc. (configure it or disable it), doesn't it? And you would have to go out to your LAN network via the WAN interface as well.
#8
Looks like I also encountered this. I successfully set up HAProxy with Let's Encrypt against the staging environment. But when I switched to the production environment I got this response as well. No amount of switching accounts or retrying has solved this so far. Even switching back to staging results in errors. Due to the various things I changed to understand what is happening I am no longer sure my setup is correct, but I would have expected to be able to switch to production after I got things stable against the staging environment.

Any suggestions about that? (not about my current issue, I might have changed too many things now and have to start from scratch)

Addition: I just realise this is in the Legacy forum but I am running the current version (19.7.2) with up-to-date plugins.