Let's Encrypt: Doesn't seem to know it's working?

[lrosenman]

I've got a valid LE cert on my FW, but the certifcates in the GUI show validation failed, and I can't seem to find the cronjob.

ideas?

(I force renewed from the GUI, hence the new issue date).

[FingerlessGloves]

So chrome/firefox, shows a letsencrypt certificate?

I noticed your domain home-fw.lerctr.org points to a local network address 192.168.200.11

[lrosenman]

yep.

https://www.lerctr.org/~ler/cert.png

(since the attachment limit is too small).

I'm *VERY* knowledgeable, and a FreeBSD ports committer FWIW.

[FingerlessGloves]

What validation method you using?

[lrosenman]

dns-01 / nsupdate to my nameserver.  NOTE: acme issues the cert, but the GUI doesn't seem to know that.

[FingerlessGloves]

If you look in to the source code (https://github.com/opnsense/plugins/blob/a18c04031f682eb5bf77487bb4d5b897ec34ed88/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php) line 226 is the part of the if statement I think your getting.

So if you follow the run_acme_validation() function it builds the command to check the status of the certificate, so the check must be failing due to some reason. The logs might help you there.

You haven't removed the TXT record have you?

[lrosenman]

The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.

I'll have to go look at the script later.

[lrosenman]

If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....

[FingerlessGloves]

The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.

I'll have to go look at the script later.

I'm no expert but I thought the DNS record had to stay there?

If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....

I think they just remove the - in the logic.

[lrosenman]

 

I'm no expert but I thought the DNS record had to stay there?

Nope.  The record is created by the NSUPDATE helper, checked by acme during cert authorization, they removed
by the NSUPDATE helper.

If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....

I think they just remove the - in the logic.

and what about cAsE-sEnSiTiViTy?

[pingus]

Have the same problem: https://forum.opnsense.org/index.php?topic=11350.msg51317#msg51317

[lrosenman]

YAY!  it's not just me

[bulmaro]

I have the same problem with my certificate, someone already solved the problem?

[lrosenman]

Not yet.  Waiting for someone with some clue to chime in.

[bulmaro]

I inform you, with the last update 19.1.6 the certificate no longer marks error