OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • 24.1 Legacy Series »
  • ACME plugin: can't obtain production certificate using DNS challenge
« previous next »
  • Print
Pages: [1]

Author Topic: ACME plugin: can't obtain production certificate using DNS challenge  (Read 1204 times)

Tugdualenligne

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
ACME plugin: can't obtain production certificate using DNS challenge
« on: March 03, 2024, 12:16:37 pm »
but I can obtain Let's Encrypt staging certificates.
Very strange issue. Any help appreciated
Here's my error logs:
2024-03-02T18:57:52   opnsense   AcmeClient: validation for certificate failed: oceanos.XXXX.fr
2024-03-02T18:57:52   opnsense   AcmeClient: domain validation failed (dns01)
2024-03-02T18:57:52   opnsense   /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_gandi_livedns' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/65da763b0ae855.58243047' --certpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/cert.pem' --keypath '/var/etc/acme-client/keys/65da763b0ae855.58243047/private.key' --capath '/var/etc/acme-client/certs/65da763b0ae855.58243047/chain.pem' --fullchainpath '/var/etc/acme-client/certs/65da763b0ae855.58243047/fullchain.pem' --domain 'oceanos.XXXX.fr' --domain 'oceanos.XXXX.fr' --days '1' --force --ocsp --keylength '4096' --accountconf '/var/etc/acme-client/accounts/65da74b1412297.72803520_prod/account.conf''
2024-03-02T18:57:47   opnsense   AcmeClient: using challenge type: DNS-challenge
2024-03-02T18:57:47   opnsense   AcmeClient: account is registered: ACME
2024-03-02T18:57:47   opnsense   AcmeClient: using CA: letsencrypt
2024-03-02T18:57:47   opnsense   AcmeClient: issue certificate: oceanos.XXXX.fr

And

2024-03-02T18:57:51   acme.sh   [Sat Mar 2 18:57:51 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2024-03-02T18:57:51   acme.sh   [Sat Mar 2 18:57:51 CET 2024] Please add '--debug' or '--log' to check more details.
2024-03-02T18:57:51   acme.sh   [Sat Mar 2 18:57:51 CET 2024] Error add txt for domain:_acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50   acme.sh   [Sat Mar 2 18:57:50 CET 2024] Adding txt value: SHslfCqq9nxoy4A_rKvmsJp4LF_anCWl0iluEB3jU_Y for domain: _acme-challenge.oceanos.XXXX.fr
2024-03-02T18:57:50   acme.sh   [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:50   acme.sh   [Sat Mar 2 18:57:50 CET 2024] Getting webroot for domain='oceanos.XXXX.fr'
2024-03-02T18:57:48   acme.sh   [Sat Mar 2 18:57:48 CET 2024] Getting domain auth token for each domain
2024-03-02T18:57:48   acme.sh   [Sat Mar 2 18:57:48 CET 2024] Multi domain='DNS:oceanos.XXXX.fr,DNS:oceanos.XXXX.fr'
2024-03-02T18:57:48   acme.sh   [Sat Mar 2 18:57:48 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory


Issue logged here https://github.com/opnsense/plugins/issues/3844
« Last Edit: March 03, 2024, 01:14:38 pm by Tugdualenligne »
Logged

ryp43

  • Newbie
  • *
  • Posts: 27
  • Karma: 0
    • View Profile
Re: ACME plugin: can't obtain production certificate using DNS challenge
« Reply #1 on: June 05, 2024, 01:45:11 pm »
I'm having the same issue

   AcmeClient: validation for certificate failed: XXX.XXX.XXX
2024-06-05T14:42:54   opnsense   AcmeClient: domain validation failed (dns01)
2024-06-05T14:42:54   opnsense   /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '120' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6244690401b582.96545326' --certpath '/var/etc/acme-client/certs/6244690401b582.96545326/cert.pem' --keypath '/var/etc/acme-client/keys/6244690401b582.96545326/private.key' --capath '/var/etc/acme-client/certs/6244690401b582.96545326/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6244690401b582.96545326/fullchain.pem' --domain 'XXX.XXX.XXX' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/624465c1ebd1a0.95366960_prod/account.conf''
2024-06-05T14:42:53   opnsense   AcmeClient: using challenge type: Cloudflare DNS Validation
2024-06-05T14:42:53   opnsense   AcmeClient: account is registered: YYY WEB GUI Cert Accoiunt
2024-06-05T14:42:53   opnsense   AcmeClient: using CA: letsencrypt
Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1601
  • Karma: 176
    • View Profile
Re: ACME plugin: can't obtain production certificate using DNS challenge
« Reply #2 on: June 05, 2024, 01:53:37 pm »
Cloudflare:

https://forum.opnsense.org/index.php?topic=39669.msg200187#msg200187
Logged
Hardware:
DEC740
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • 24.1 Legacy Series »
  • ACME plugin: can't obtain production certificate using DNS challenge
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2