Renewal of ECC Let's Encrypt certificates fails.

Started by Cerberus, January 25, 2021, 09:37:06 AM

Hi,

I have several OPNsense installations that have issues renewing ECC certificates; RSA certificates renew without issues. It looks like the renew script is missing the --ecc parameter before running Let's Encrypt to renew the certificate.

[Mon Jan 25 00:00:01 CET 2021]   'my.domain.com' is not an issued domain, skip.
[Mon Jan 25 00:00:01 CET 2021]   Renew: 'my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   DOMAIN_PATH='/var/etc/acme-client/home/my.domain.com'
[Mon Jan 25 00:00:01 CET 2021]   The domain 'my.domain.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
[Mon Jan 25 00:00:01 CET 2021]   _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Jan 25 00:00:01 CET 2021]   ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jan 25 00:00:01 CET 2021]   default_acme_server


Anyone else getting this? It doesn't matter if I use DNS or port forward authentication.
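As an added illustration of the point in this post (this is not OPNsense plugin code or acme.sh code; it assumes the acme.sh home-directory layout in which an ECC certificate's files live in "<domain>_ecc" next to the RSA "<domain>" directory, which is what the log's DOMAIN_PATH line and the "please add '--ecc'" warning hint at), here is a small POSIX shell wrapper that picks the --ecc flag for a renew by checking which directory exists instead of hard-coding an RSA-only command line:

```sh
#!/bin/sh
# Added example, not plugin or acme.sh code.
# Assumption: acme.sh keeps an ECC certificate under "<home>/<domain>_ecc"
# and an RSA certificate under "<home>/<domain>". A renew of the ECC one
# must be run with "--ecc", otherwise acme.sh looks in the RSA directory.

# Print "--ecc" when the domain has an ECC certificate, print nothing for
# an RSA one, and return 1 when neither directory exists (never issued).
acme_keytype_flag() {
    local home="$1" domain="$2"
    if [ -d "$home/${domain}_ecc" ]; then
        printf '%s\n' '--ecc'
        return 0
    fi
    if [ -d "$home/$domain" ]; then
        return 0   # RSA: no extra flag needed
    fi
    return 1
}

# Build the acme.sh renew command line for a domain. It is printed rather
# than executed so this runs offline; pipe it to sh on a real system.
build_renew_cmd() {
    local home="$1" domain="$2" flag
    flag=$(acme_keytype_flag "$home" "$domain") || {
        echo "$domain: not an issued domain, skip." >&2
        return 1
    }
    if [ -n "$flag" ]; then
        printf 'acme.sh --home %s --renew -d %s %s\n' "$home" "$domain" "$flag"
    else
        printf 'acme.sh --home %s --renew -d %s\n' "$home" "$domain"
    fi
}

# Demo on a constructed, throw-away acme.sh home (no real certificates).
demo_home=$(mktemp -d)
mkdir "$demo_home/ecc.example_ecc" "$demo_home/rsa.example"
build_renew_cmd "$demo_home" ecc.example   # ... --renew -d ecc.example --ecc
build_renew_cmd "$demo_home" rsa.example   # ... --renew -d rsa.example
rm -rf "$demo_home"
```

If a domain has both directories (an RSA cert that was later reissued as ECC), the wrapper prefers the ECC one; adjust that choice if you keep both key types in use for the same name.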

No one? Looks like I have to go back to RSA then.

I don't use the LE plugin but that does sound like a bug. I assume the ECC cert was originally created using the plugin and it is just the renew that is failing?

If it is a bug, suggest opening an issue on GitHub.

I've seen the same error message with one ECC cert while another one renewed just fine. I didn't have time yet for an in-depth investigation. I'll have to renew an ECC cert in about a week and will report back.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Okay, I was able to reproduce this and it might be related to OCSP Must Staple.

Please check this GitHub issue and comment whether you observe the same behavior:
https://github.com/opnsense/plugins/issues/2223

Cheers

Maurice