ACME Client Drops WAN Connection

Started by leacho73, November 29, 2021, 11:35:02 AM

Hi All,

Has anyone else had issues with the built-in ACME Client in 21.7.x of OPNsense?

I'm having an issue where if I try to renew any certificates, whenever I select Issue/Renew certificate, my WAN connection drops - and I lose all connections to the internet until the ACME job times out - the connections then re-establish.

Thanks
Leacho

December 19, 2021, 11:35:13 AM #1 Last Edit: December 19, 2021, 11:37:26 AM by joeyboon
Hi,

Same issue here on:

OPNsense 21.10.1-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021
ACME Client plugin:    3.4

During cert renewal the timeout causes all connections to be dropped. So there seem to be two issues. Cert not properly renewing and connections being dropped during the process.

ACME log:
2021-12-19T11:11:29   acme.sh[44099]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:28   acme.sh[58460]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:11:10   acme.sh[68125]   Sleep 10 and retry.
2021-12-19T11:11:10   acme.sh[36103]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:09   acme.sh[2756]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:10:51   acme.sh[76135]   Sleep 10 and retry.


System Log:
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: validation for certificate failed: REDACTED
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: domain validation failed (http01)
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using challenge type: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using IPv4 address: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: account is registered: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using CA: letsencrypt
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: renew certificate: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: certificate must be issued/renewed: REDACTED


This seems to be the reason it drops the connection every night (it tries to renew the cert). It happens both when renewing manually and via cron.
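The two logs above are easier to reason about once they are parsed together: the acme.sh log tells you which libcurl failure is repeating and how many "Sleep 10 and retry" cycles ran, and the system log tells you how long the AcmeClient job held the connection before giving up. The script below does that. It is an added example, not code from the original post or from the OPNsense os-acme-client plugin; the log lines embedded in it are constructed to match the format shown in the post, and the libcurl error names are the ones libcurl's own error table documents (error code 6 is CURLE_COULDNT_RESOLVE_HOST).

```python
"""Correlate acme.sh and OPNsense AcmeClient log lines from a failed renewal.

Added example; not part of the original forum post or the os-acme-client plugin.
The sample logs below are constructed in the format the OPNsense GUI shows.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Subset of libcurl's error table (https://curl.se/libcurl/c/libcurl-errors.html).
CURL_ERRORS = {
    5: "CURLE_COULDNT_RESOLVE_PROXY",
    6: "CURLE_COULDNT_RESOLVE_HOST",
    7: "CURLE_COULDNT_CONNECT",
    28: "CURLE_OPERATION_TIMEDOUT",
    35: "CURLE_SSL_CONNECT_ERROR",
    60: "CURLE_PEER_FAILED_VERIFICATION",
}

# "<ISO timestamp>   <process>[<pid>]   <message>" as the GUI log view prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]\s+(?P<msg>.*)$"
)
CODE_RE = re.compile(r"error code: (\d+)")

# Constructed sample: the acme.sh lines from the post (newest first, as displayed).
ACME_LOG = """\
2021-12-19T11:11:29   acme.sh[44099]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:28   acme.sh[58460]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:11:10   acme.sh[68125]   Sleep 10 and retry.
2021-12-19T11:11:10   acme.sh[36103]   Can not init api for: https://acme-v02.api.letsencrypt.org/directory.
2021-12-19T11:11:09   acme.sh[2756]   Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
2021-12-19T11:10:51   acme.sh[76135]   Sleep 10 and retry.
"""

# Constructed sample: the AcmeClient system-log lines from the post.
SYSTEM_LOG = """\
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: validation for certificate failed: REDACTED
2021-12-19T03:07:21   opnsense-business[73486]   AcmeClient: domain validation failed (http01)
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using challenge type: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: using CA: letsencrypt
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: renew certificate: REDACTED
2021-12-19T03:00:00   opnsense-business[73486]   AcmeClient: certificate must be issued/renewed: REDACTED
"""


def parse(log: str) -> list:
    """Parse GUI-style log lines, oldest first; unparseable lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({"ts": datetime.fromisoformat(m["ts"]), "proc": m["proc"],
                     "pid": int(m["pid"]), "msg": m["msg"]})
    rows.sort(key=lambda r: r["ts"])  # stable: same-second lines keep input order
    return rows


def summarize_acme(log: str) -> dict:
    """Which libcurl error repeats, how many retry cycles ran, and over what span."""
    rows = parse(log)
    codes = Counter(int(m.group(1)) for r in rows for m in [CODE_RE.search(r["msg"])] if m)
    retries = sum(1 for r in rows if r["msg"].startswith("Sleep"))
    gave_up = any(r["msg"].startswith("Can not init api") for r in rows)
    span = (rows[-1]["ts"] - rows[0]["ts"]).total_seconds() if rows else 0.0
    return {
        "error_codes": dict(codes),
        "error_names": {c: CURL_ERRORS.get(c, "unknown") for c in codes},
        "retries": retries,
        "gave_up": gave_up,
        "span_seconds": span,
    }


def renewal_window(log: str) -> Optional[float]:
    """Seconds from AcmeClient deciding to renew until it reports validation failure.

    In the thread this is the interval during which WAN connectivity is lost:
    the job starts, the connection drops, and it comes back when the job gives up.
    """
    rows = [r for r in parse(log) if r["msg"].startswith("AcmeClient:")]
    start = next((r["ts"] for r in rows if "must be issued/renewed" in r["msg"]), None)
    end = next((r["ts"] for r in reversed(rows)
                if "validation for certificate failed" in r["msg"]), None)
    if start is None or end is None:
        return None
    return (end - start).total_seconds()


if __name__ == "__main__":
    print(summarize_acme(ACME_LOG))      # error 6 = CURLE_COULDNT_RESOLVE_HOST, 2 retries over 38 s
    print(renewal_window(SYSTEM_LOG))    # 441.0 seconds of renewal job before failure
```

Run it against the two logs copied from the GUI and compare the two numbers: the acme.sh span shows how long the client spends failing to resolve the directory host, and the AcmeClient window shows how long the renewal job as a whole runs, which is the outage length the first post describes.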

@joeyboon Hi
Quote: Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
CURLE_COULDNT_RESOLVE_HOST (6)
dns settings issue?

Hi @fright

DNS is set correctly and propagated.

so if you try
curl https://acme-v02.api.letsencrypt.org/directory
in shell it works?
can you try "Forcefully issue or renew" in this case?

Hi @Fright,

Quote from: Fright on December 20, 2021, 08:22:16 PM
so if you try
curl https://acme-v02.api.letsencrypt.org/directory
in shell it works?
can you try "Forcefully issue or renew" in this case?

In shell this returns:

{
  "DFkTnKbE2ms": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

So that also seems to be working fine. I already tried forcefully renewing through the GUI; this resulted in the same problem.

Hi!
sorry, can't simulate a situation when name resolution works from shell but does not work from the acme script. can you share the dns settings on the opnsense host? using a local dns service on host or external servers (or both)?

Hi,

I've managed to solve the issue by reinstalling the plugin and adding everything the same way I did last time. So no idea why it broke in the first place. It instantly worked again. I used this guide: https://www.youtube.com/watch?v=IR41duTqN6Y

I changed nothing in the external DNS records, so it was definitely a problem on the local system.