Services: ACME Client: Certificates validation failed

Started by Blisk, September 06, 2024, 10:19:12 AM

Quote from: doktornotor on September 06, 2024, 01:39:56 PM
For the last time:

Your ACME is NOT set up to use DNS-01 so whatever you do in DNS with _acme-challenge.yourtop.news is irrelevant. (And - as also already noted, delegation is done via CNAME, not TXT. TXT is created dynamically via API, you CANNOT prepopulate it manually.)

And for this to work, the _acme-challenge.yourtop.news zone is usually delegated because for it to work, you must be able to change it dynamically. But as already noted, you do not use DNS-01 anyway.

Quote from: doktornotor on September 06, 2024, 01:39:56 PM

For HTTP-01 to work, you MUST NOT be redirecting the well-known URL to HTTPS.

Exactly. It will only be queried via HTTP, not HTTPS (obviously, otherwise the first verification would never work, since you do not have a certificate then).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Not helping the OP issue, which is another story, but:

Quote from: doktornotor on September 06, 2024, 01:39:56 PM
For HTTP-01 to work, you MUST NOT be redirecting the well-known URL to HTTPS.

Instead of a "MUST NOT", LE itself talks about "SHOULD":

Our recommendation is that all servers meant for general web use should offer both HTTP on port 80 and HTTPS on port 443. They should also send redirects for all port 80 requests, and possibly an HSTS header (on port 443 requests).

* https://letsencrypt.org/docs/allow-port-80/

Quote
Exactly. It will only be queried via HTTP, not HTTPS (obviously, otherwise the first verification would never work, since you do not have a certificate then).

The nice thing with LE is that they don't care what you provide as certificate (invalid, self-signed, etc) when doing the challenge. So even if you refresh your cert 1 day too late, your expired certificate will be used for the refresh (i.e., no checks or validation on the cert, only on a valid ACME challenge).

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to "http:" or "https:", and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

* https://letsencrypt.org/docs/challenge-types/
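A small pre-flight check, added here as an example and not taken from the forum post, OPNsense or Let's Encrypt's own code, that tests a redirect chain against the rules LE documents above (at most 10 hops, only http/https, only ports 80 or 443, no IP-address targets). The sample chains and the hostname example.test are constructed placeholders.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Limits as quoted from the Let's Encrypt challenge-types docs on this page.
MAX_REDIRECTS = 10
ALLOWED_PORTS = {80, 443}


def hop_problem(url: str) -> Optional[str]:
    """Say why LE's HTTP-01 validator would reject this redirect target, or return None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name, not an address: fine
    else:
        return "redirect to IP address"
    try:
        port = parts.port or (80 if parts.scheme == "http" else 443)
    except ValueError:
        return "malformed port"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    return None


def check_chain(chain: list) -> list:
    """Check the Location targets a challenge request would follow; [] means acceptable."""
    problems = []
    if len(chain) > MAX_REDIRECTS:
        problems.append(f"{len(chain)} redirects exceed the limit of {MAX_REDIRECTS}")
    for i, url in enumerate(chain, 1):
        p = hop_problem(url)
        if p:
            problems.append(f"hop {i} ({url}): {p}")
    return problems


if __name__ == "__main__":
    # Constructed sample chains; example.test is a placeholder hostname.
    token_path = "/.well-known/acme-challenge/TOKEN"
    print(check_chain(["https://example.test" + token_path]))
    print(check_chain(["https://example.test:8443" + token_path,
                       "http://192.0.2.10" + token_path]))
```

Feed it the Location headers you observe with curl against your own port 80; a redirect to HTTPS on 443 passes, which matches the LE text quoted above, while a custom port or a bare IP does not.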

September 06, 2024, 08:50:34 PM #17 Last Edit: September 06, 2024, 08:53:03 PM by doktornotor
Yeah, it is not helping since that clearly does not work. There are other ACME mechanisms that work. HTTP-01 is not one of them.

Quote from: doktornotor on September 06, 2024, 08:50:34 PM
Yeah, it is not helping since that clearly does not work. There are other ACME mechanisms that work. HTTP-01 is not one of them.

DNS-01 is preferred indeed for a lot of reasons, HTTP-01 at scale is a disaster, but it does work perfectly fine over https tcp/443. In 99.9% of failures the redirection configuration is not done right (mostly NGINX), but that's Layer 8, not ACME or LetsEncrypt.

Quote from: Blisk on September 06, 2024, 02:03:07 PM
Quote from: doktornotor on September 06, 2024, 02:01:20 PM
You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.
I know I need to read a lot more about how it works because I don't know.
Thank you for the advice, I will do that.

Is there a simple way to disable redirection to https?
If not, I need to delete half of HAProxy for 2 domains.

I also tried the DNS-01 challenge but there is a list of DNS services; which one to use? Some require API or username and password.

I had the ACME + LE also fail on me last weekend, on a setup that has been working for years. What worked for me was to switch to the LE test CA, force issue new certificates, switch back to the production environment, force issue new certificates again, and then it worked.
It may be a coincidence though.
In theory there is no difference between theory and practice. In practice there is.

As I noted originally, there definitely were upstream issues with certificate renewal recently. Encountered on multiple sites and many of them with zero OPNsense involvement.

As for the rest, I have a strong feeling that this "certificate for everyone" progress seems to be rather harmful. Apparently people having no clue whatsoever about what they are doing can now have their own trusted certs with 2 clicks or so. Until it breaks.