Author Topic: Services: ACME Client: Certificates validation failed  (Read 2329 times)

Blisk

Services: ACME Client: Certificates validation failed
« on: September 06, 2024, 10:19:12 am »
Today suddenly the certificate doesn't work. I get an unassigned certificate when I visit the website.
When I check the logs I have this error in the link. What can be the reason the certificate doesn't update, because the other web site is updated and it works? And there was no change on the server or OPNsense firewall or domain settings. After updating it today nothing happens, it still doesn't work.
https://privatebin.povej.net/?b269015f39990e05#4KCy88sxcFxAQ7aMDBe3RV1m7eixgV5q7YPw2dSrJ6GA

Name: OPNsense.localdomain
Versions: OPNsense 24.7.3_1-amd64, FreeBSD 14.1-RELEASE-p3, OpenSSL 3.0.14
Uptime: 01:57:49
Load average: 0.28, 0.30, 0.26
Current date/time: Fri Sep 6 10:18:15 CEST 2024
Last configuration change: Fri Sep 6 8:55:24 CEST 2024

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #1 on: September 06, 2024, 11:41:46 am »
We've had ACME + LE randomly failing for roughly the past week for no reason, not even using OPNsense for that. It eventually renews if you keep trying.

There's something broken on their end, really.

Probably related: https://community.letsencrypt.org/t/unexpected-renewal-failures-since-april-2024-please-read-this/216830
« Last Edit: September 06, 2024, 11:54:45 am by doktornotor »

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #2 on: September 06, 2024, 12:22:50 pm »
Thank you for the notification.
So there is nothing to do to solve this but wait?
I can't wait and have my website not working.
I hope there is some solution for this.
I already did this but it didn't solve my problem:
_acme-challenge.<YOUR_DOMAIN>
« Last Edit: September 06, 2024, 12:25:36 pm by Blisk »

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #3 on: September 06, 2024, 12:41:21 pm »
Well, normally you renew ACME certificates well in advance, not one day before they expire. As said, making repeated attempts worked here.

Quote
I already did this but didn't solve my problem
_acme-challenge.<YOUR_DOMAIN>

Not sure what you did where really. DNS-01 does not work the way you imagine. The client needs to create the TXT records from the token provided by ACME, dynamically via API with your DNS provider.

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #4 on: September 06, 2024, 12:58:25 pm »
I have added _acme-challenge.<YOUR_DOMAIN> at my DNS provider;
probably that is not all I need to do.
I tried to renew the certificate many times but it still doesn't work.

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #5 on: September 06, 2024, 01:09:01 pm »
But you are not using DNS-01 at all... why would you be adding that? Plus again, those CNAME records are used for delegation, not validation. https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation


2024-09-06T08:55:24   opnsense   AcmeClient: domain validation failed (http01)
« Last Edit: September 06, 2024, 01:11:59 pm by doktornotor »

meyergru

Re: Services: ACME Client: Certificates validation failed
« Reply #6 on: September 06, 2024, 01:15:23 pm »
The logs show that the verification is not attempted via DNS-01, but via HTTP-01.

For that to work, you must present the ACME verification token in "http://yourtop.news/.well-known/acme-challenge/<file>".

However, your web server is obviously configured to answer all requests on port 80 with a 301 redirect to HTTPS:

Code:
wget -O- --no-check-certificate http://yourtop.news/.well-known/acme-challenge/x
--2024-09-06 13:05:43--  http://yourtop.news/.well-known/acme-challenge/x
Resolving yourtop.news (yourtop.news)... 31.15.171.21
Connecting to yourtop.news (yourtop.news)|31.15.171.21|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://yourtop.news/.well-known/acme-challenge/x [following]
--2024-09-06 13:05:43--  https://yourtop.news/.well-known/acme-challenge/x
Connecting to yourtop.news (yourtop.news)|31.15.171.21|:443... connected.
WARNING: cannot verify yourtop.news's certificate, issued by ‘CN=R11,O=Let's Encrypt,C=US’:
  Issued certificate has expired.
HTTP request sent, awaiting response... 404 Not Found
2024-09-06 13:05:43 ERROR 404: Not Found.

So maybe you forgot to handle ".well-known" differently? Of course that depends on how or where you do the verification. Sometimes, the port is only handled during the verification step, such that the output above is not representative. However, the timing in your log suggests that the web server does answer, but incorrectly.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
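The failure shown in the wget output above (the challenge URL answered with a 301 instead of the token) can be reproduced and checked locally. The following is an added example, not code from this thread or from the OPNsense ACME client: it starts a throwaway HTTP server on the loopback address in two configurations, one that redirects everything to HTTPS and one that serves /.well-known/acme-challenge/ in plain HTTP, then probes the challenge URL the way a validator's first request would. The token, the key authorization and the yourtop.news Host header are constructed sample values.

```python
"""Local reproduction of the HTTP-01 redirect problem (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values, not real ACME data.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtVw8b3P0"
KEY_AUTH = TOKEN + ".nS2VgeNKpZsy6fwDdJgqkAnw7lOSVCKxw7LwMI5pZ5k"  # token.thumbprint
CHALLENGE_PATH = "/.well-known/acme-challenge/"
VHOST = "yourtop.news"  # Host header only; nothing leaves the loopback interface


def make_handler(serve_challenge):
    """Build a request handler for the throwaway server.

    serve_challenge=False: every request, the challenge path included, gets a
    301 to HTTPS (the misconfiguration seen in the thread).
    serve_challenge=True: the challenge path is answered in plain HTTP with the
    key authorization; only other paths are redirected.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if serve_challenge and self.path == CHALLENGE_PATH + TOKEN:
                body = KEY_AUTH.encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(301)
                self.send_header("Location", "https://" + VHOST + self.path)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Handler


def probe(host, port, token):
    """One GET of the challenge URL without following redirects.

    Returns what a validator sees on its first hop: the status, any Location
    header, and a verdict ("ok" only if the body is exactly the key
    authorization).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", CHALLENGE_PATH + token, headers={"Host": VHOST})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace").strip()
    location = resp.getheader("Location")
    conn.close()
    if resp.status == 200 and body == KEY_AUTH:
        verdict = "ok"
    elif 300 <= resp.status < 400:
        verdict = "redirected"  # whatever serves Location must return the token
    else:
        verdict = "not-served"
    return {"status": resp.status, "location": location, "verdict": verdict}


def run_check(serve_challenge):
    """Start the server on an ephemeral loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(serve_challenge))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe("127.0.0.1", server.server_port, TOKEN)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("redirect-everything config:", run_check(False))
    print("challenge-path-served config:", run_check(True))
```

Against a real host the same probe function can be pointed at port 80 with the server's public address; a "redirected" verdict means the validator will only succeed if the redirect target itself serves the key authorization, which in the wget output above it did not (404).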

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #7 on: September 06, 2024, 01:20:37 pm »
Quote from: meyergru on September 06, 2024, 01:15:23 pm
However, your web server obviously is configured to reply with a 301 redirect to all requests on port 80 to use HTTPS:

Did not even check that, since the OP claims:

Quote
there was no change on server or opensense firewall or domain settings. After update it today nothing happens, still doesn't work.

If that was the case, it'd have never worked in the first place. Sigh.

meyergru

Re: Services: ACME Client: Certificates validation failed
« Reply #8 on: September 06, 2024, 01:27:59 pm »
Even if you have instructed your provider to delegate something for DNS-01 challenge, this sure does not work either:

Code:
#nslookup -query=any _acme-challenge.yourtop.news
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find _acme-challenge.yourtop.news: SERVFAIL

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #9 on: September 06, 2024, 01:36:20 pm »
Thank you for your answers.
I am now totally lost here. I didn't set up this firewall, someone else did, and I am now trying to solve this problem.
I really don't know what to set up and where to solve this.
Port 80 should redirect to port 443.

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #10 on: September 06, 2024, 01:38:03 pm »
Quote from: meyergru on September 06, 2024, 01:27:59 pm
Even if you have instructed your provider to delegate something for DNS-01 challenge, this sure does not work either:

Code:
#nslookup -query=any _acme-challenge.yourtop.news
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find _acme-challenge.yourtop.news: SERVFAIL

This is what I did.

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #11 on: September 06, 2024, 01:39:56 pm »
For the last time:

Your ACME is NOT set up to use DNS-01 so whatever you do in DNS with _acme-challenge.yourtop.news is irrelevant. (And - as also already noted, delegation is done via CNAME, not TXT. TXT is created dynamically via API, you CANNOT prepopulate it manually.)

For HTTP-01 to work, you MUST NOT be redirecting the well-known URL to HTTPS.
« Last Edit: September 06, 2024, 01:41:49 pm by doktornotor »
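To make concrete what the reply above describes (delegation is a CNAME; the TXT value is derived from the CA's token and written at validation time, so a value typed in by hand can never match), here is an added example against a constructed in-memory zone. It is not code from this thread or from the OPNsense ACME client: the token, the JWK thumbprint and the acme-dns.example target name are made-up values, and the dict stands in for the DNS provider's API. The derivation follows RFC 8555 (key authorization = token "." thumbprint; TXT value = unpadded base64url of its SHA-256).

```python
"""DNS-01 delegation and TXT derivation over a constructed zone (added example)."""
import base64
import hashlib

# Constructed sample values, not real ACME data.
TOKEN = "DGyRejmCefe7v4NfDGDKfA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
CHALLENGE_NAME = "_acme-challenge.yourtop.news."
DELEGATION_TARGET = "abc123.acme-dns.example."  # hypothetical API-updatable zone


def key_authorization(token, thumbprint):
    """RFC 8555 section 8.1: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(key_auth):
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization)), no padding."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def fresh_zone():
    """Constructed zone data: the challenge name is only a CNAME to a name in a
    separate zone, and someone has typed a TXT value by hand at that target."""
    return {
        CHALLENGE_NAME: {"CNAME": [DELEGATION_TARGET]},
        DELEGATION_TARGET: {"TXT": ["manually-typed-value"]},
    }


def resolve(zone, name, rtype, max_hops=8):
    """Follow CNAMEs the way a resolver does; return (final name, records)."""
    for _ in range(max_hops):
        rrset = zone.get(name, {})
        if rtype in rrset:
            return name, list(rrset[rtype])
        if "CNAME" in rrset:
            name = rrset["CNAME"][0]
            continue
        return name, []
    raise RuntimeError("CNAME chain too long")


def publish_challenge(zone, name, token, thumbprint):
    """What the ACME client does at validation time: derive the value and write
    it at the delegation target through the provider's API (here, the dict)."""
    target, _ = resolve(zone, name, "TXT")
    value = dns01_txt_value(key_authorization(token, thumbprint))
    zone.setdefault(target, {}).setdefault("TXT", []).append(value)
    return target, value


def validate(zone, name, token, thumbprint):
    """What the CA does: resolve TXT through the CNAME and look for the value."""
    expected = dns01_txt_value(key_authorization(token, thumbprint))
    _, records = resolve(zone, name, "TXT")
    return expected in records


def demo():
    """Validation fails on the hand-typed record and succeeds once the client
    has published the derived value at the CNAME target."""
    zone = fresh_zone()
    before = validate(zone, CHALLENGE_NAME, TOKEN, THUMBPRINT)
    target, value = publish_challenge(zone, CHALLENGE_NAME, TOKEN, THUMBPRINT)
    after = validate(zone, CHALLENGE_NAME, TOKEN, THUMBPRINT)
    return before, target, value, after


if __name__ == "__main__":
    before, target, value, after = demo()
    print("valid before publishing:", before)
    print("TXT written at:", target, "value:", value)
    print("valid after publishing:", after)
```

The token changes with every order, so the TXT value changes with every renewal; that is why the record has to be created by the client through an API at the moment of validation and why the CNAME is the only part an administrator configures once and leaves alone.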

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #12 on: September 06, 2024, 01:49:24 pm »
I know that my ACME is not set up for it.
So what do I need to do, change my ACME to use DNS-01, or is there another way to solve this?
If not, then how do I need to change my ACME to use DNS-01?
I have 2 domains in it and the first one works OK, this second one doesn't, and both are set up the same.

doktornotor

Re: Services: ACME Client: Certificates validation failed
« Reply #13 on: September 06, 2024, 02:01:20 pm »
You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.

Blisk

Re: Services: ACME Client: Certificates validation failed
« Reply #14 on: September 06, 2024, 02:03:07 pm »
Quote from: doktornotor on September 06, 2024, 02:01:20 pm
You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.
I know I need to read a lot more about how it works because I don't know.
Thank you for the advice, I will do so.