ACME Client fails to renew since update

Started by hansdampf, June 20, 2024, 10:20:10 PM

Hello again,
Yesterday I noticed that my ACME certs failed to renew:

/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.domain.ddnss.de' --days '1' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''

The cert was successfully created/renewed in April; the only change was the latest update of OPNsense (and the previous updates). I didn't change any of the ACME settings...

On an earlier run I had exit code 2, so I removed the OCSP staple setting:
/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 9 --debug 3 --server 'letsencrypt' --dns 'dns_ddnss' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/yyyy.21871376' --certpath '/var/etc/acme-client/certs/yyyy.21871376/cert.pem' --keypath '/var/etc/acme-client/keys/yyyy.21871376/private.key' --capath '/var/etc/acme-client/certs/yyyy.21871376/chain.pem' --fullchainpath '/var/etc/acme-client/certs/yyyy.21871376/fullchain.pem' --domain '*.igorius.ddnss.de' --days '1' --ocsp --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/xxxx.93537913_prod/account.conf''

The TXT record gets written on ddnss.de, but the verification afterwards fails.
At the moment I have to wait a week; I think the 5 tries have been reached.
Has anyone else seen these errors?


Use the Staging Environment of Let's Encrypt to avoid any restrictions and test/fix your configuration.

June 26, 2024, 08:45:26 PM #2 Last Edit: June 26, 2024, 08:47:14 PM by hansdampf
I think I found the problem:
The last entry of the WireGuard log shows "#define WITH_DEFAULT_IPV 4"; for whatever reason my DynDNS provider ddnss.de only propagates the IPv6 address, even with IPv4 availability.
The ddclient of OPNsense shows both IPv4 and IPv6 addresses.
A DNS test revealed that only the IPv6 address is available at different DNS servers.

So my question is: is there an option to remove that DEFAULT_IPV 4, or to set it to IPv6? I have seen that acme.sh has an option "--listen-v6"...
Or will you add the relevant option to the settings?
Thank you very much!

By the way: renewal of the cert fails with both options, Test CA and Default CA.
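As an added example (not code from this thread, from OPNsense or from acme.sh), here is an offline check of the DNS-01 situation described above: it parses dig/drill-style answer lines collected from several resolvers and reports, per resolver, whether `_acme-challenge.<domain>` carries the expected token, which is the only record a DNS-01 validation queries; A/AAAA presence is reported alongside for comparison with the IPv4/IPv6 observation. The resolver addresses, domain, token and answer text are constructed placeholders, and the wildcard name is mapped to its base domain as acme.sh does.

```python
import re
from collections import defaultdict

# Constructed sample: answer sections as printed by `drill`/`dig` at two
# resolvers. Domain, token and addresses are placeholders, not the poster's.
SAMPLE = {
    "9.9.9.9": """\
_acme-challenge.example.ddnss.de. 60 IN TXT "tok_constructed_AbC123"
example.ddnss.de. 60 IN AAAA 2001:db8::10
""",
    "1.1.1.1": """\
example.ddnss.de. 60 IN AAAA 2001:db8::10
example.ddnss.de. 60 IN A 192.0.2.10
""",
}

RR_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(TXT|A|AAAA)\s+(.+)$')

def parse_answers(text):
    """Return {(name, rtype): [rdata, ...]} from dig/drill answer lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, other record types
        name, rtype, rdata = m.groups()
        name = name.rstrip('.').lower()
        if rtype == "TXT":
            rdata = rdata.strip().strip('"')  # drop quoting around TXT data
        records[(name, rtype)].append(rdata)
    return records

def dns01_verdict(domain, token, answers_by_resolver):
    """Per resolver: is the challenge TXT with the expected token visible?
    A/AAAA presence is only context; DNS-01 validation queries the TXT."""
    base = domain[2:] if domain.startswith("*.") else domain  # wildcard -> base
    challenge = f"_acme-challenge.{base}"
    verdict = {}
    for resolver, text in answers_by_resolver.items():
        rec = parse_answers(text)
        verdict[resolver] = {
            "txt_ok": token in rec.get((challenge, "TXT"), []),
            "has_a": bool(rec.get((base, "A"))),
            "has_aaaa": bool(rec.get((base, "AAAA"))),
        }
    return verdict

def resolvers_missing_token(domain, token, answers_by_resolver):
    """Resolvers at which a DNS-01 validation would still fail right now."""
    v = dns01_verdict(domain, token, answers_by_resolver)
    return sorted(r for r, s in v.items() if not s["txt_ok"])
```

Renewal is safe to retry only once this list is empty for every resolver you sample; until then each attempt just consumes one of the rate-limited tries.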