Topic: ACME Client fails to renew since update (Read 791 times)
hansdampf (Newbie, Posts: 26, Karma: 1)
ACME Client fails to renew since update
on: June 20, 2024, 10:20:10 pm
Hello again,
Yesterday I noticed that my ACME certs failed to renew:
/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.domain.ddnss.de' --days '1' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''
The cert was successfully created/renewed in April; the only change was the latest update of OPNsense (and the previous updates). I didn't change any of the ACME settings...
On an earlier run I had exit code 2, so I removed the OCSP staple setting:
/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.igorius.ddnss.de' --days '1' --ocsp --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''
The TXT record gets written on ddnss.de, but the verification afterwards fails.
At the moment I have to wait a week; I think the 5 tries have been reached.
Has anyone else seen these errors?
newsense (Hero Member, Posts: 1036, Karma: 77)
Re: ACME Client fails to renew since update
Reply #1 on: June 21, 2024, 07:31:41 am
Use the Staging Environment of Let's Encrypt to avoid any restrictions and test/fix your configuration.
hansdampf (Newbie, Posts: 26, Karma: 1)
Re: ACME Client fails to renew since update
Reply #2 on: June 26, 2024, 08:45:26 pm
I think I found the problem:
The last entry of the WireGuard log shows "#define WITH_DEFAULT_IPV 4"; for whatever reason my DynDNS provider ddnss.de only propagates the IPv6 address, even with IPv4 availability.
The ddclient of OPNsense shows both IPv4 and IPv6 addresses.
A DNS test revealed that only the IPv6 address is available at different DNS servers.
So my question is: does the option exist to remove that DEFAULT_IPV 4? Or set it to IPv6? I have seen that there is an option in acme.sh, "--listen-v6"...
Or will you add the relevant option to the settings?
Thank you very much!
By the way: renewal of the cert fails with both options, Test CA and Default CA.
Last Edit: June 26, 2024, 08:47:14 pm by hansdampf
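The two checks the thread ends up doing by hand (is the `_acme-challenge` TXT record already visible at public resolvers, and does the name itself come back with both an A and an AAAA record, since only the IPv6 address was found to be propagated) can be scripted. The following is an added example written for this thread, not code from the posts, from acme.sh or from the OPNsense ACME plugin. It uses only the Python standard library, so it runs on the firewall itself, and speaks raw DNS over UDP. Assumptions: the three public resolver addresses are an arbitrary choice, the `_acme-challenge.<domain>` label is the standard DNS-01 location (for the wildcard in the thread that is `_acme-challenge.domain.ddnss.de`), and `sample_response()` builds a constructed reply used only for offline testing of the parser.

```python
import random
import socket
import struct

TYPE_A, TYPE_TXT, TYPE_AAAA = 1, 16, 28
RESOLVERS = ["9.9.9.9", "1.1.1.1", "8.8.8.8"]   # assumption: any public resolvers will do


def encode_name(name):
    """Dotted name -> length-prefixed labels, terminated by the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Header with RD=1 and one IN-class question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return (rcode, [(name, type, value), ...]) for A, AAAA and TXT answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):                                # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            fam = socket.AF_INET if rtype == TYPE_A else socket.AF_INET6
            answers.append((name, rtype, socket.inet_ntop(fam, rdata)))
        elif rtype == TYPE_TXT:                        # TXT = one or more <len><chars> strings
            parts, p = [], 0
            while p < rdlen:
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8", "replace"))
                p += 1 + rdata[p]
            answers.append((name, rtype, "".join(parts)))
    return flags & 0xF, answers


def query(resolver, name, qtype, timeout=3.0):
    """One UDP query; (None, []) on timeout or transaction-id mismatch."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (resolver, 53))
        try:
            msg, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, []
    if len(msg) < 12 or struct.unpack("!H", msg[:2])[0] != txid:
        return None, []
    return parse_answers(msg)


def has_record(answers, rtype, expected=None):
    """True if an answer of `rtype` exists (or equals `expected` when given)."""
    vals = [v for _, t, v in answers if t == rtype]
    return bool(vals) if expected is None else expected in vals


def propagation_report(domain, token, resolvers=RESOLVERS, query_fn=query):
    """Per resolver: is the challenge TXT visible with `token`, and does the
    name have A and AAAA records? query_fn is swappable for offline tests."""
    report = {}
    for r in resolvers:
        txt = query_fn(r, "_acme-challenge." + domain, TYPE_TXT)[1]
        report[r] = {"txt": has_record(txt, TYPE_TXT, token),
                     "a": has_record(query_fn(r, domain, TYPE_A)[1], TYPE_A),
                     "aaaa": has_record(query_fn(r, domain, TYPE_AAAA)[1], TYPE_AAAA)}
    return report


def sample_response(name, records, txid=0x1234):
    """Constructed response (a test fixture, not a capture): every answer name is a
    pointer to the question name at offset 12, so compression gets exercised."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    for rtype, value in records:
        if rtype == TYPE_TXT:
            rdata = bytes([len(value)]) + value.encode()
        else:
            rdata = socket.inet_pton(socket.AF_INET6 if rtype == TYPE_AAAA else socket.AF_INET, value)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    import sys   # usage: python3 dns01_check.py domain.ddnss.de <token shown in the TXT record>
    for r, st in propagation_report(sys.argv[1], sys.argv[2]).items():
        print(f"{r}: txt={st['txt']} a={st['a']} aaaa={st['aaaa']}")
```

Run it right after the DNS hook has written the challenge record and before acme.sh is allowed to ask the CA to validate: a resolver reporting `txt=False` means the record has not propagated there yet, and `a=False aaaa=True` is exactly the one-address-family situation described above. Because each query carries a random transaction id and rejects mismatched replies, a stale or spoofed response cannot make the report look healthier than the zone really is.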