Acme - DST Root CA X3 Expiration

Started by GreenMatter, September 30, 2021, 09:19:42 AM


I use the latest and greatest version 21.7.3_1. The OPNsense ACME client keeps renewing the SSL cert using an expired CA:
OPNsense ACME:

  • DST Root CA X3 -> R3 -> Server SSL cert

and for example the FreeBSD (TrueNAS) acme.sh client in version 2.8.6 or latest 3.0.1 uses the following:

  • ISRG Root X1 -> R3 -> Server SSL cert

As per https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ the X3 CA is already expired.
I can't find the location/path of the acme client in OPNsense; anyway, how can I get it fixed?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)


Quote from: Greelan on September 30, 2021, 09:25:16 AM
See this thread: https://forum.opnsense.org/index.php?topic=24950
Thanks, I had been searching for the phrase "acme" :o . I hit the renewal rate threshold and need to wait, but it seems that the solution is to delete the expired R3 CA cert?

Hi,

the steps are:

  • Delete the expired R3 CA cert.
  • Renew all your certs.
  • Reassign your certs where the old ones were used.

KH

Question about rate limiting. I tried to renew manually something like 4-5 times and hit the limit already:

Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: example.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

Above is the output of acme.sh from my TrueNAS. As per the LE website, the limit is 50 certs per week, or have I missed something, like the "(5)" above meaning the current limit?
Quote:
The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

later on the same page:
Quote:
Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.
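The two limits quoted above produce nearly the same error text, which is what caused the confusion earlier in the thread. The following is an added example (not code from the thread, OPNsense or acme.sh) that triages the JSON error acme.sh printed, and applies the duplicate rule as the LE docs describe it: the hostname set is compared ignoring case and order, and the 5-per-168-hour figure is the one quoted in the thread. The issuance history, timestamps and the second error body are constructed for the example; an operator would fill the history from acme.sh logs or a CT log search.

```python
"""Let's Encrypt rate-limit triage for the errors quoted in this thread.

Added example; not code from the thread, OPNsense or acme.sh. HISTORY is a
constructed issuance log, and the 5-per-168-hour duplicate limit is the figure
quoted from the LE docs in the thread.
"""
import json
import re
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5            # identical name sets allowed per window
WINDOW = timedelta(hours=168)  # one week, as in the acme.sh error text


def name_set_key(hostnames):
    """Canonical form of a certificate's hostname set.

    The LE text says capitalization and ordering are ignored when deciding
    whether a request is a duplicate, so both are normalised here; a trailing
    dot (absolute FQDN form) is dropped as well.
    """
    return frozenset(h.strip().rstrip(".").lower() for h in hostnames)


def classify_acme_error(body):
    """Tell the duplicate-certificate limit apart from the registered-domain limit.

    `body` is the JSON object acme.sh printed after 'Le_OrderFinalize not found.'
    Both limits report 'too many certificates already issued'; only the duplicate
    limit adds 'for this exact set of domains', and its count is the number in
    parentheses, not the 50-per-week registered-domain figure.
    Returns (kind, count) where count is only known for the duplicate limit.
    """
    err = json.loads(body)
    if err.get("type") != "urn:ietf:params:acme:error:rateLimited":
        return ("not-rate-limited", None)
    detail = err.get("detail", "")
    if "exact set of domains" in detail:
        m = re.search(r"too many certificates \((\d+)\)", detail)
        return ("duplicate-certificate", int(m.group(1)) if m else None)
    if "too many certificates already issued" in detail:
        return ("certificates-per-registered-domain", None)
    return ("other-rate-limit", None)


def issued_in_window(history, hostnames, now):
    """Sorted issuance times for exactly this name set within the last WINDOW."""
    key = name_set_key(hostnames)
    cutoff = now - WINDOW
    return sorted(t for t, names in history
                  if t > cutoff and name_set_key(names) == key)


def renewal_allowed(history, hostnames, now):
    """True if another certificate for exactly this name set may be requested now."""
    return len(issued_in_window(history, hostnames, now)) < DUPLICATE_LIMIT


def earliest_retry(history, hostnames, now):
    """Earliest time the duplicate limit frees a slot for this name set again."""
    times = issued_in_window(history, hostnames, now)
    if len(times) < DUPLICATE_LIMIT:
        return now
    # The in-window count must drop below the limit, so the oldest
    # (len - limit + 1) issuances have to age out; the last of those is
    # at index len - limit.
    return times[len(times) - DUPLICATE_LIMIT] + WINDOW


# Constructed reference time and issuance history: one renewal that has
# already aged out, then five renewals of the same two names within the
# week, written in varying case, order and FQDN form.
NOW = datetime(2021, 9, 30, 12, 0, tzinfo=timezone.utc)
HISTORY = [
    (NOW - timedelta(days=10), ["example.com", "www.example.com"]),
    (NOW - timedelta(days=2), ["example.com", "www.example.com"]),
    (NOW - timedelta(days=1, hours=6), ["WWW.example.com", "example.com"]),
    (NOW - timedelta(hours=20), ["example.com.", "www.example.com"]),
    (NOW - timedelta(hours=5), ["www.Example.com", "example.com"]),
    (NOW - timedelta(hours=1), ["example.com", "www.example.com"]),
]

# The error body as acme.sh printed it earlier in the thread.
ACME_ERROR = """{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: example.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}"""

if __name__ == "__main__":
    names = ["example.com", "www.example.com"]
    print(classify_acme_error(ACME_ERROR))
    print("renew now:", renewal_allowed(HISTORY, names, NOW))
    print("retry at:", earliest_retry(HISTORY, names, NOW).isoformat())
    print("with blog added:", renewal_allowed(HISTORY, names + ["blog.example.com"], NOW))
```

Run stand-alone, the script reports the error as the duplicate limit with count 5, refuses a sixth renewal of the same pair of names, gives the time five days out when the oldest in-window issuance leaves the 168-hour window, and confirms that adding a hostname changes the set and is not blocked by this limit (it still counts against the registered-domain limit, which this check does not model).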

Quote from: Fright on September 30, 2021, 11:07:07 AM
later on the same page:
Quote:
Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.
.....
F...., I must have been blind! Or too focused on getting certs renewed. Thanks all!