Let's Encrypt: while renewal of Certificate - lost internet connections/access

[Mr. Browny]

Hello together,

ich had a really strange problem.
Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back.
The firewall had furthermore a connection to the internet, but no traffic going out.
This happens always if a start renewal of a certifcate.

If i reboot firewall or reload filters at ssh console with "configctl filter reload", the connection is getting functional.

An other user had the same problem like me: https://forum.opnsense.org/index.php?topic=4792.0
But in my opinion it looks like an error in Opnsense or let´s encrypt.

There are now error message in system - general logs except the following one:

2021-02-15T22:28:57   sshd[37286]   Unable to negotiate with 185.239.242.158 port 57798: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]   
2021-02-15T22:28:18   sshd[86814]   Unable to negotiate with 185.239.242.158 port 34914: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using challenge type: http_portfwd_on_wan   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.aaa.bbb.cc   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 192.168.21.1   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.xxx.yyy.zz   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: account is registered: DynDns my   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: issue certificate: mydyndnsdomain.hoster.eu

Meta-Data:
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020
os-acme-client (installed)   2.3   Let's Encrypt client

Do someone know this behavior?

[fraenki]

2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using challenge type: http_portfwd_on_wan   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.aaa.bbb.cc   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 192.168.21.1   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.xxx.yyy.zz   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: account is registered: DynDns my   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: issue certificate: mydyndnsdomain.hoster.eu

I'd assume you are using the HTTP-01 challenge type with "OPNsense Web Service (automatic port forward)" selected. In this mode the Let's Encrypt plugin tries to _guess_ the correct settings for your firewall and automatically generates firewall rules accordingly. This can easily go wrong. You've likely hit a bug.

Please provide the exact challenge type settings (a screenshot is sufficient). Furthermore the contents of the following files will help me to understand what went wrong (the ID "abcdefgh.12345678" is a placeholder, search for the correct one):
 

Code Select Expand

root@opnsense:~ # ls -l /var/etc/acme-client/configs/abcdefgh.12345678
total 8
-rwxr-x---  1 root  wheel  325 Apr 29  2019 acme_anchor_rules*
-rwxr-x---  1 root  wheel   25 Apr 29  2019 acme_anchor_setup*

As a sidenote: I highly recommend using a DNS-01 challenge type whenever possible. It is extremely reliable and hard to break. :)


Regards
- Frank

[Mr. Browny]

Hi Frank,
thanks for your reply and the tips.

you are right, i am using HTTP-01 to generate a valid lets encrypt cert.

I followed your hint and changed the generation to DNS-01 with haproxy.
Now it is working fine and the described problem is gone.

Thank you very much.