Ongoing ACME/LE issues

Started by DenverTech, July 17, 2023, 07:32:36 PM

July 17, 2023, 07:32:36 PM Last Edit: July 17, 2023, 07:41:18 PM by DenverTech
Hunted around the forums and saw plenty of ACME-related things, but didn't find this particular one. Let me know if there's already a solution I missed.

Basically, every 90 days, my certificate "expires"...but when I look at ACME, it renewed just fine. The cert is valid, but what OPNsense is presenting is the previous certificate. Fixing it is easy enough. I go into settings > administration, change back to the internal cert, then back to ACME, and it presents the right cert again. Rebooting OPNsense doesn't fix the issue.

Essentially what I'm seeing is that ACME isn't applying the new certificate when it renews. It gets the new cert, but doesn't switch OPNsense to it. I've reinstalled ACME, but the same thing happens. I think this began in late v21, but continues into 23.

Anyone know how to fix ACME so it actually applies the certs it gets, instead of idly sitting on them and never applying?

I would guess that you are not reloading whatever service is using the certificate, hence you experience that kind of behaviour.

It's not really related to ACME itself since it's doing its job, renewing certificates.

You can solve the reload issue by using automations.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: sorano on July 17, 2023, 08:14:35 PM
I would guess that you are not reloading whatever service is using the certificate, hence you experience that kind of behaviour.

It's not really related to ACME itself since it's doing its job, renewing certificates.

You can solve the reload issue by using automations.

A reboot doesn't fix the issue...wouldn't that be a reload for purposes of this issue?

Yes it would.

However, without automations it will not behave the way you want anyway so try it. Who knows, maybe you'll get lucky.

Quote from: DenverTech on July 17, 2023, 08:17:13 PM
A reboot doesn't fix the issue...wouldn't that be a reload for purposes of this issue?

Not necessarily, as most systems use the certificate thumbprint to load the certificate, and that will have changed for the renewed one.

Are you sure the automation is enabled? It's never failed for me.

Hadn't been using automations for that, given that a reboot didn't help (and I didn't know there would be different results from a UI restart vs a reboot). Will give that a try and see how it does...though it'll be a bit before I know for sure, since it just renewed.

Thanks!

You could try with a forced renewal and then check the dates on the cert in your browser.
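An added check (example code, not from the thread or the OPNsense project) for the advice above: after a forced renewal, fetch the certificate the web GUI actually presents and compare its SHA-256 fingerprint with the renewed certificate file, which is the thumbprint comparison mentioned earlier in the thread. The hostname, port and certificate path are assumptions; the comparison helpers work on any PEM certificate.

```python
"""Is the certificate a host presents the renewed one on disk?

Added example for this thread: after an ACME renewal the GUI may keep
serving the old certificate until the web service is reloaded. Comparing
SHA-256 fingerprints of the presented and on-disk certificates settles it.
"""
import hashlib
import socket
import ssl


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (colon-separated hex) of a PEM certificate's DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the leaf certificate the server presents, as PEM.

    Verification is disabled on purpose: we want to see what the GUI hands
    out even when it is the expired or otherwise untrusted old certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def compare_certs(presented_pem: str, expected_pem: str) -> dict:
    """Report whether the presented certificate matches the expected (renewed) one."""
    presented = cert_fingerprint(presented_pem)
    expected = cert_fingerprint(expected_pem)
    return {"presented": presented, "expected": expected, "match": presented == expected}


if __name__ == "__main__":
    # Assumed values: replace with the firewall's hostname and the renewed cert file.
    HOST, PORT, CERT_FILE = "opnsense.example.internal", 443, "/path/to/renewed-cert.pem"
    with open(CERT_FILE, encoding="ascii") as fh:
        report = compare_certs(fetch_presented_cert(HOST, PORT), fh.read())
    print("presented:", report["presented"])
    print("expected: ", report["expected"])
    print("OK: GUI serves the renewed certificate" if report["match"]
          else "MISMATCH: GUI still serves the old certificate; reload the web GUI")
```

A mismatch right after a successful renewal is the symptom described in this thread; a match after the reload automation runs confirms the fix.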