Messages - Steve79

#1
This behavior seems to be caused by the re-import implementation as reported here:

https://github.com/opnsense/plugins/issues/2721

Renewal calculates 60 days for the import date instead of the issue date of the certificate.

[SOLVED]
It has been fixed by freanki with these patches:

https://github.com/opnsense/plugins/issues/2721#issuecomment-1005589449

Thanks to everybody helping and freanki for fixing this!
#2
@opn_nwo
Thank you for confirming this behavior. Makes me think this is not (only) a configuration error on my side.

@KHE
Thanks for your reply as well, although you seem to have had a totally different problem, since we don't get auto renew to begin with. I found the sftp upload automation fix too, but sftp upload is not used on my side. Therefore installing the patch did not resolve my problem, as expected.

I think I will try some more debugging with my limited knowledge and then submit a bug report if I can't find a solution.
#3
Hey,

I have a road warrior setup and can ping my clients, depending on which source net I ping from. I would say you need to provide more information on your specific setup and where you want to ping your clients from, e.g. ping from opnsense fails or LAN net, did you set up the optional NAT from the guide, what firewall rules in and out WG and so on. The guide does not cover all, it's more of a point to start with in my opinion, even the proposed outgoing rule makes no choice of the destination:

Specify the IPs that client peers should be able to access, eg "any" or specific IPs/subnets

Can you provide more information?
#4
Hey guys,

I am out of ideas on how to fix or debug a problem I currently face with my acme client and LE cert setup. I have several LE certs, which were usually updated by the acme client automation in case they had 30 days or less until they would become invalid. But currently this process seems somehow broken, because the acme client automation runs from cron like it's supposed to, but the acme client does not renew those certs anymore and only reports to syslog:

AcmeClient: issue/renewal not required for certificate: *my-cert-name*

Regardless, this cert is well below the usual 30 days according to system/trust:

Valid Until: Tue, 14 Dec 2021 22:05:28 +0100

I tried setting the debug level on the acme client, but this doesn't seem to affect the syslog behavior of the plugin. Forcefully renewing a cert does still work. So, I don't know where to look anymore. Did the 30 day threshold change? I would rather not test it by waiting till my cert expires.

Does anyone have a clue?

Thank you in advance, Steve

[SOLVED]
It has been fixed by freanki with these patches:

https://github.com/opnsense/plugins/issues/2721#issuecomment-1005589449

Thanks to everybody helping and freanki for fixing this!
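The renewal decision discussed in this post and in #1, as an added illustration (not the acme client plugin's own code): it parses the validity dates from `openssl x509 -text` style output, like the excerpt quoted later in this thread, and contrasts the correct rule (days left on the certificate itself) with the faulty rule of counting a fixed window from the import date. The certificate text is constructed; `utc()` is a small helper assumed for building timestamps.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an `openssl x509 -text` excerpt (not a real certificate).
SAMPLE_CERT_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec  2 07:41:11 2020 GMT
            Not After : Mar  2 07:41:11 2021 GMT
"""

_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def utc(year, month, day, hour=0, minute=0):
    """Helper: build an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_validity(cert_text):
    """Return (not_before, not_after) as aware UTC datetimes parsed from openssl text output."""
    found = {}
    for which, raw in _DATE_RE.findall(cert_text):
        # openssl pads single-digit days with two spaces ('Dec  2'); collapse before parsing.
        stamp = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z")
        found[which] = stamp.replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]


def days_remaining(cert_text, now):
    """Whole days of validity left on the certificate at time `now`."""
    _, not_after = parse_validity(cert_text)
    return (not_after - now).days


def renewal_due(cert_text, now, threshold_days=30):
    """Correct rule: renew when the certificate itself has threshold_days or fewer left."""
    return days_remaining(cert_text, now) <= threshold_days


def renewal_due_from_import(import_date, now, window_days=60):
    """Faulty rule as described in the thread (illustrative, not the plugin's real code):
    a fixed window counted from the (re-)import date, which ignores the cert's own validity."""
    return (now - import_date) >= timedelta(days=window_days)
```

With the sample cert, ten days before expiry the correct rule reports renewal due while the import-based rule, for a cert re-imported 36 days earlier, still reports "not required".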
#5
@SecAficionado My problems are gone with the LE plugin hotfix and another renewal after that. Thanks for updating the original post.

On github fraenki explains the problem like this:
Quote: ...When doing this the certificate is referenced to the CA by using the caref attribute. However, this attribute is never updated. As a result applications like HAProxy will send an invalid certificate chain, effectively breaking SSL communication.

I'm wildly guessing here, but I think LE changed only the intermediate CA and the LE plugin ran into a bug with building the chain for that. So it might be true that the root CA has not been changed by LE yet.

As marked in orange here
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html#the-new-certificates
#7
Quote from: Gauss23 on December 04, 2020, 10:58:03 AM

So all certs issued now are still with the old CA. It starts for certs which are renewed/issued in January 2021.
So if you renew a cert at the end of this month it will be running with the old CA for 3 months.

As I was trying to say in my post: I cannot confirm this. It seems to me that they are using the new CA already...
#8
Thanks SecAficionado for bringing this to general discussion.

I cannot confirm that it will start in January 2021. Might it be when the cert is valid till January 2021? My first LE cert was affected two days ago, when renewed on Dec 2nd.


        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec  2 07:41:11 2020 GMT
            Not After : Mar  2 07:41:11 2021 GMT

        Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/


I presume it will affect more and more users over the next days and weeks. It causes warnings on several Android clients, e.g. Nextcloud. And no, they aren't old or outdated versions. Updated Android 10 is also affected. From my understanding, the client warnings cannot be solved by opnsense, but through root CA updates on the clients.

But there are "problems" within opnsense with the new LE CA as well.

I use the monit plugin to watch the validity and expiration of my LE certs on my haproxy:

failed port 443 protocol https with ssl options {verify: enable} and certificate valid > 28 days retry 3

It basically warns me when the LE plugin automatic renew might have failed, but before the cert expires. Now it tells me that the cert's issuer could not be verified:

SSL server certificate verification error: unable to get local issuer certificate

This also becomes a problem if you back up your opnsense config on a webdav with this cert, like I do. It does fail without a cert which opnsense considers valid (this is, of course, correct behavior, but makes config backup fail).

System Log shows entry from "php" with [...]"ssl_verify_result":20[...]

From my understanding (which I consider limited), opnsense requires a root CA update for the new LE CA as well. Can anyone confirm this and / or is there a way to fix this without an update of opnsense, e.g. from the console?
You mention a switch to keep the old CA. Is there a way to use this with the LE plugin?

Any help or hints are much appreciated.

Thanks Steve