Services: ACME Client: Certificates validation failed

Started by Blisk, September 06, 2024, 10:19:12 AM

Today the certificate suddenly doesn't work. I get an unassigned certificate when I visit the website.
When I check the logs I have this error in the link. What can be the reason the certificate doesn't update, because the other website is updated and it works? And there was no change on the server or the OPNsense firewall or domain settings. After updating it today nothing happens, it still doesn't work.
https://privatebin.povej.net/?b269015f39990e05#4KCy88sxcFxAQ7aMDBe3RV1m7eixgV5q7YPw2dSrJ6GA

Name
OPNsense.localdomain
Versions
OPNsense 24.7.3_1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14
Uptime
01:57:49
Load average
0.28, 0.30, 0.26
Current date/time
Fri Sep 6 10:18:15 CEST 2024
Last configuration change
Fri Sep 6 8:55:24 CEST 2024

September 06, 2024, 11:41:46 AM #1 Last Edit: September 06, 2024, 11:54:45 AM by doktornotor
We've had ACME + LE randomly failing for roughly the past week for no reason, not even using OPNsense for that. It eventually renews if you keep trying.

There's something broken on their end, really.

Probably related: https://community.letsencrypt.org/t/unexpected-renewal-failures-since-april-2024-please-read-this/216830

Thank you for the notification.
So there is nothing to do to solve this but wait?
I can't wait and have my website not working.
I hope there is some solution for this.
I already did this but it didn't solve my problem:
_acme-challenge.<YOUR_DOMAIN>

Well, normally you renew ACME certificates well in advance, not one day before they expire. As said, making repeated attempts worked here.

Quote
I already did this but didn't solve my problem
_acme-challenge.<YOUR_DOMAIN>

Not sure what you did where really. DNS-01 does not work the way you imagine. The client needs to create the TXT records from the token provided by ACME, dynamically via API with your DNS provider.

I have added _acme-challenge.<YOUR_DOMAIN> at my DNS provider;
probably that is not all I need to do.
I tried to renew the certificate many times but it still doesn't work.

September 06, 2024, 01:09:01 PM #5 Last Edit: September 06, 2024, 01:11:59 PM by doktornotor
But you are not using DNS-01 at all... why would you be adding that? Plus, again, those CNAME records are used for delegation, not validation. https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation


2024-09-06T08:55:24   opnsense   AcmeClient: domain validation failed (http01)

The logs show that the verification is not attempted via DNS-01, but via HTTP-01.

For that to work, you must present the ACME verification token in "http://yourtop.news/.well-known/acme-challenge/<file>".

However, your web server obviously is configured to reply with a 301 redirect to all requests on port 80 to use HTTPS:

wget -O- --no-check-certificate http://yourtop.news/.well-known/acme-challenge/x
--2024-09-06 13:05:43--  http://yourtop.news/.well-known/acme-challenge/x
Resolving yourtop.news (yourtop.news)... 31.15.171.21
Connecting to yourtop.news (yourtop.news)|31.15.171.21|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://yourtop.news/.well-known/acme-challenge/x [following]
--2024-09-06 13:05:43--  https://yourtop.news/.well-known/acme-challenge/x
Connecting to yourtop.news (yourtop.news)|31.15.171.21|:443... connected.
WARNING: cannot verify yourtop.news's certificate, issued by 'CN=R11,O=Let's Encrypt,C=US':
  Issued certificate has expired.
HTTP request sent, awaiting response... 404 Not Found
2024-09-06 13:05:43 ERROR 404: Not Found.


So maybe you forgot to handle ".well-known" differently? Of course that depends on how or where you do the verification. Sometimes, the port is only handled during the verification step such that the output above is not representative. However, the timing in your log suggests that the web server does answer, but incorrectly.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on September 06, 2024, 01:15:23 PM
However, your web server obviously is configured to reply with a 301 redirect to all requests on port 80 to use HTTPS:

Did not even check that, since the OP claims:

Quote
there was no change on the server or the OPNsense firewall or domain settings. After updating it today nothing happens, it still doesn't work.

If that was the case, it'd have never worked in the first place. Sigh.

Even if you have instructed your provider to delegate something for DNS-01 challenge, this sure does not work either:


#nslookup -query=any _acme-challenge.yourtop.news
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find _acme-challenge.yourtop.news: SERVFAIL


Thank you for your answers.
I am now totally lost here. I didn't set up this firewall, someone else did, and I am now trying to solve this problem.
I really don't know what to set up, and where, to solve this.
Port 80 should redirect to port 443.

Quote from: meyergru on September 06, 2024, 01:27:59 PM
Even if you have instructed your provider to delegate something for DNS-01 challenge, this sure does not work either:


#nslookup -query=any _acme-challenge.yourtop.news
;; Got SERVFAIL reply from 127.0.0.53
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find _acme-challenge.yourtop.news: SERVFAIL


This is what I did.

September 06, 2024, 01:39:56 PM #11 Last Edit: September 06, 2024, 01:41:49 PM by doktornotor
For the last time:

Your ACME is NOT set up to use DNS-01 so whatever you do in DNS with _acme-challenge.yourtop.news is irrelevant. (And - as also already noted, delegation is done via CNAME, not TXT. TXT is created dynamically via API, you CANNOT prepopulate it manually.)

For HTTP-01 to work, you MUST NOT be redirecting the well-known URL to HTTPS.
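The two posts above (the wget transcript showing the 301 to HTTPS followed by a 404, and the point that the well-known URL must be reachable on plain HTTP) can be reproduced locally. The following is an added example and not code from the thread or from OPNsense: it starts a small HTTP server in two configurations, one that redirects everything to HTTPS (the OP's current behaviour) and one that serves /.well-known/acme-challenge/ directly and redirects only the rest, then probes the challenge path the way a defender would check it before asking the CA to validate. The token and key-authorization string are constructed placeholders; a real ACME client writes the real values itself.

```python
"""Local HTTP-01 front-door check (added example, not from the thread).

A validator fetches http://<domain>/.well-known/acme-challenge/<token> over
plain HTTP and expects the key authorization as the body. A blanket
"redirect port 80 to HTTPS" rule answers 301 instead, and if the HTTPS side
has no handler for that path the chain ends in a 404, exactly what the wget
transcript in this thread shows.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
# Constructed demo token -> key authorization; real ones come from the ACME client.
TOKENS = {"demo-token": "demo-token.constructed-account-thumbprint"}


def make_handler(exempt_well_known: bool):
    """Build a handler: exempt_well_known=False mimics the broken setup
    (everything redirected), True mimics the corrected one."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if exempt_well_known and self.path.startswith(ACME_PREFIX):
                body = TOKENS.get(self.path[len(ACME_PREFIX):])
                if body is None:
                    self.send_response(404)
                    self.end_headers()
                    return
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
            # Everything else keeps the HTTPS redirect the OP wants on port 80.
            host = self.headers.get("Host", "localhost")
            self.send_response(301)
            self.send_header("Location", "https://" + host + self.path)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_server(exempt_well_known: bool) -> HTTPServer:
    """Start the demo server on a free loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(exempt_well_known))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_challenge(host: str, port: int, token: str):
    """Fetch the challenge URL over plain HTTP without following redirects.

    Returns ("ok", body), ("redirect", location) or ("http-<status>", body).
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", ACME_PREFIX + token, headers={"Host": "example.invalid"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    if resp.status in (301, 302, 307, 308):
        return "redirect", resp.getheader("Location", "")
    if resp.status == 200:
        return "ok", body
    return "http-%d" % resp.status, body


def challenge_served_correctly(host: str, port: int, token: str) -> bool:
    """True only when plain HTTP returns 200 with the expected key authorization."""
    kind, payload = probe_challenge(host, port, token)
    return kind == "ok" and payload == TOKENS.get(token)


if __name__ == "__main__":
    for exempt in (False, True):
        srv = start_server(exempt)
        port = srv.server_address[1]
        print("well-known exempt from redirect:", exempt)
        print("  probe:", probe_challenge("127.0.0.1", port, "demo-token"))
        print("  validator would accept:", challenge_served_correctly("127.0.0.1", port, "demo-token"))
        srv.shutdown()
```

Run against a real host by replacing the loopback address and port with the site's, keeping the Host header set to the domain being validated; a "redirect" result is the condition the thread tells the OP to remove for the challenge path, and an "http-404" result is the second half of what the wget transcript shows. Re-enabling the redirect for everything outside /.well-known/acme-challenge/ is what the corrected configuration demonstrates.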

I know that my ACME is not set up for that.
So what do I need to do: change my ACME to use DNS-01, or is there another way to solve this?
If not, then how do I need to change my ACME to use DNS-01?
I have 2 domains in it and the first one works OK, this second one doesn't, and both are set up the same.

You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.

Quote from: doktornotor on September 06, 2024, 02:01:20 PM
You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.
I know I need to read a lot more about how it works because I don't know.
Thank you for the advice, I will do so.