ACME - Let's Encrypt Client Certs

Started by DanMc85, February 05, 2018, 01:38:40 PM


Has anyone else on 18.1 had issues with issuing Let's Encrypt certs using the ACME plugin (HTTP challenge type)?

First I had to change my OPNsense firewall HTTPS port from a custom one back to 443.
Then I originally had a multi domain (SAN) filled out with a few subdomains.

Whenever I issued the cert, it failed with "validation failed".
However, when I edited the cert to be just the main domain with no SANs, it completed successfully.
I never had this issue before and always had a full multi-domain cert on prior releases.

Notes: All the subdomains are just CNAME entries pointing to the main domain IP to resolve through DNS.

There's an issue with the plugin, but it is getting fixed soon :) Basically, it needs an upgrade. And if I'm not mistaken, the next version will also support wildcard certs :)
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Nice find...

I just did a search and found this article which confirms what you said:
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Looks like wildcard will only support DNS validation instead of HTTPS validation for issuing the cert.

I use Google Domains so it would be nice to see API support added... or the ability to generate and manually add a TXT DNS record for validation purposes, which the regular ACME plugin supports but the OPNsense GUI does not appear to.
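Added example (not from this thread or the OPNsense ACME plugin) showing what an ACME client actually has to publish for the two challenge types discussed above, following RFC 8555 and the JWK thumbprint rule from RFC 7638. For HTTP-01 the key authorization is served at a well-known URL over port 80; for DNS-01 (the only option for wildcards) a TXT record at `_acme-challenge.<domain>` holds the base64url SHA-256 of that same key authorization. The account JWK and token below are constructed sample values, and `dns01_txt_record` also covers the wildcard case by stripping the leading `*.` so the record name lands on the base domain.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    lexicographically sorted, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """keyAuthorization = token '.' base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expectation(domain: str, token: str, account_jwk: dict) -> tuple:
    """Where the CA's validator fetches, and the exact body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_txt_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """TXT record name and value the CA looks up for DNS-01.
    A wildcard identifier '*.example.com' is validated at
    _acme-challenge.example.com, so the '*.' prefix is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return name, b64url(digest)


def txt_matches(published_values: list, expected_value: str) -> bool:
    """Check a set of TXT strings (e.g. from a resolver) for the expected one;
    several records may coexist when multiple authorizations are pending."""
    return expected_value in published_values


# Constructed sample account key; a real 'n' is a base64url 2048-bit modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-real"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed

if __name__ == "__main__":
    url, body = http01_expectation("www.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print("HTTP-01: GET", url, "must return", body)
    name, value = dns01_txt_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"DNS-01:  {name} IN TXT \"{value}\"")
```

Because a CNAME on the subdomain sends the CA to the main domain's IP, every HTTP-01 name in the SAN list has to answer on port 80 at that address with the matching key authorization, which is the check worth running before retrying a multi-domain issue.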

Please request your needed feature here: https://github.com/opnsense/plugins/issues
Thanks
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member