Let's Encrypt: Doesn't seem to know it's working?

Started by lrosenman, April 04, 2019, 03:35:59 PM

I've got a valid LE cert on my FW, but the certificates in the GUI show validation failed, and I can't seem to find the cronjob.

Ideas?

(I force renewed from the GUI, hence the new issue date).

So Chrome/Firefox shows a Let's Encrypt certificate?

I noticed your domain home-fw.lerctr.org points to a local network address, 192.168.200.11.
Adventuring through internet pipes
My Blog

Yep.

https://www.lerctr.org/~ler/cert.png

(since the attachment limit is too small).

I'm *VERY* knowledgeable, and a FreeBSD ports committer FWIW.

What validation method are you using?

dns-01 / nsupdate to my nameserver.  NOTE: acme issues the cert, but the GUI doesn't seem to know that.

If you look into the source code (https://github.com/opnsense/plugins/blob/a18c04031f682eb5bf77487bb4d5b897ec34ed88/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php), line 226 is the part of the if statement I think you're getting.

So if you follow the run_acme_validation() function, it builds the command to check the status of the certificate, so the check must be failing for some reason. The logs might help you there.

You haven't removed the TXT record have you?

The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.

I'll have to go look at the script later.
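The DNS-01 round trip described in the post above (publish the TXT record, let the CA check it, remove it again), written out as an added example; this is not code from the OPNsense acme-client plugin or from the poster. It derives the TXT value the way RFC 8555 requires (base64url of SHA-256 over `token "." thumbprint`) and emits the two nsupdate batches a hook would feed to nsupdate(8). Nothing here contacts a DNS server; the nameserver name `ns1.example.net`, the account JWK and the token are constructed sample values, not the poster's.

```python
"""Added example: the add/check/delete DNS-01 flow as nsupdate batches.

Constructed values only (sample account key, token, nameserver); no network
access. Functions return strings so the result can be inspected or piped
into `nsupdate -k <tsig-key-file>`.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    keys in lexicographic order, no whitespace. Extra members (kid, alg) are
    deliberately dropped so the value is stable across key representations."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT RDATA = base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token "." thumbprint(accountKey)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """Owner name the CA queries, always fully qualified."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def nsupdate_add(server: str, zone: str, domain: str, txt: str, ttl: int = 60) -> str:
    """Batch that publishes the challenge record before the CA is told to validate.
    A short TTL keeps stale values from lingering in resolver caches."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update add {challenge_name(domain)} {ttl} IN TXT "{txt}"',
        "send",
        "",
    ])


def nsupdate_delete(server: str, zone: str, domain: str, txt: str) -> str:
    """Cleanup batch, run once the CA reports the authorization valid.
    It names the RDATA so only this record is removed; a bare
    `update delete <name> TXT` would also wipe a record another in-flight
    order (for example the wildcard and the base name, which share the same
    _acme-challenge owner) has just published."""
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update delete {challenge_name(domain)} TXT "{txt}"',
        "send",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample inputs: public EC key from the RFC 7517 examples and
    # a token in the RFC 8555 example style. Not a real ACME account.
    ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                   "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
                   "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
    TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    # 1. publish; 2. ask the CA to validate (not shown); 3. remove again.
    print(nsupdate_add("ns1.example.net", "lerctr.org", "home-fw.lerctr.org", txt))
    print(nsupdate_delete("ns1.example.net", "lerctr.org", "home-fw.lerctr.org", txt))
```

Because the cleanup batch runs as soon as the authorization is valid, `dig TXT _acme-challenge.home-fw.lerctr.org` returning nothing after a successful issuance is the expected state, not a sign that something went wrong.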


If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....


Quote from: lrosenman on April 04, 2019, 10:01:39 PM
The DNS-01 challenge creates, then auths, then deletes the TXT record, so it will *NOT* exist, except during the renewal process.

I'll have to go look at the script later.

I'm no expert but I thought the DNS record had to stay there?

Quote from: lrosenman on April 04, 2019, 10:36:40 PM
If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....

I think they just remove the - in the logic.

Quote from: Jonny on April 06, 2019, 02:08:18 PM

I'm no expert but I thought the DNS record had to stay there?
Nope. The record is created by the NSUPDATE helper, checked by acme during cert authorization, then removed by the NSUPDATE helper.
Quote from: Jonny on April 06, 2019, 02:08:18 PM
Quote from: lrosenman on April 04, 2019, 10:36:40 PM
If it's looking for dns01, but the validation method is actually DNS-01, that's a problem.....

I think they just remove the - in the logic.
And what about cAsE-sEnSiTiViTy?



I have the same problem with my certificate. Has someone already solved the problem?

Not yet. Waiting for someone with some clue to chime in.

I'd like to inform you that with the latest update, 19.1.6, the certificate no longer shows an error.