22.7 Legacy Series / ACME client not updating certs into OPNsense trust storage
« on: January 05, 2023, 02:28:33 pm »
As of 1 Jan 2023, ACME client is renewing LetsEncrypt cert daily. Further investigation indicates it is not registering the new certs in OPNsense `System > Trust > Certificates`.
Navigating to `Services > ACME client > Log Files` reports it thinks the cert needs to be renewed: "AcmeClient: certificate must be issued/renewed: opnsense.example.com". Logs show successful renewal.
The `Services > ACME client > Certificates` page shows the cert has been renewed.
However, `System > Trust > Certificates` shows the old cert, and checking the cert with my browser shows the old cert. So somehow the ACME client is not writing the cert to OPNsense's trust storage.
I have tried to reimport the cert, but nothing changes. Rebooting also does not resolve the issue.
Further info:
I had previously run into an issue where the webUI wasn't registering the new cert, and I resolved that by adding an automation to restart the webUI. However in that case (IIRC), the cert did not keep on renewing, it was simply that the browser would show warnings about the expired cert.
Running:
OPNsense 22.7.10_2-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
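A quick way to confirm the symptom described in the post (renewed cert on disk, old cert still served by the web UI) is to compare fingerprints and expiry dates of the two. This is an added diagnostic script, not code from the post or from the OPNsense/acme.sh projects; it assumes `openssl` is installed and that the caller supplies the hostname and the path to the PEM file the ACME client renewed (that path is not given in the post).

```shell
#!/bin/sh
# Added diagnostic (not from the original post): compare the certificate the
# OPNsense web UI actually serves with the PEM file the ACME client renewed.
# Assumptions: openssl is installed; the renewed PEM path and the hostname are
# supplied by the caller.

# SHA-256 fingerprint of a PEM certificate file, e.g. "AB:CD:..."
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter of a PEM certificate file, as printed by openssl
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Fetch the leaf certificate presented for host $1 on port $2 (default 443)
# and write it as PEM to file $3.
fetch_served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print both fingerprints with their expiry dates, then "match" when the two
# files hold the same certificate and "mismatch" otherwise, so a stale cert in
# the trust store (or a web UI that has not reloaded) is obvious at a glance.
compare_certs() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    echo "renewed: $a (expires $(cert_enddate "$1"))"
    echo "served:  $b (expires $(cert_enddate "$2"))"
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Usage: ./check_cert.sh opnsense.example.com /path/to/renewed.pem
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp)
    fetch_served_cert "$1" 443 "$tmp"
    compare_certs "$2" "$tmp"
    rm -f "$tmp"
fi
```

If the output is `mismatch` with a later expiry on the renewed file, the renewal itself worked and the problem is on the import/reload side, which is where the trust store and web UI restart should be checked.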