Problems/comments with "Let's Encrypt" module

Started by Taomyn, March 14, 2017, 08:05:33 PM

I decided to give the "Let's Encrypt" module a go, but I've hit a few issues.

  • Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
  • Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
  • The log file is being split at the wrong "column" and so displays something like:
    [Tue Mar 14                                        19:43:34 CET 2017] Blah blah blah

I actually want to get a cert for my OPNsense box so I was thinking of using this. If my girls give me some time tonight I'll give this a spin and try to get this installed to see what happens.

March 15, 2017, 04:28:15 PM #2 Last Edit: March 15, 2017, 04:32:07 PM by fraenki
Hi Taomyn,

thanks for your report.

Quote from: Taomyn on March 14, 2017, 08:05:33 PM

  • Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.

Please provide some additional details. Which validation method are you using for your certificate?
I can only think of one validation method that might cause an issue: HTTP-01 OPNsense port forward. Are you using it?
If so, maybe post a screenshot of your settings. It's the only one that builds some port forward rules depending on either your configuration or some assumptions ("IP Auto-Discovery").

Quote from: Taomyn on March 14, 2017, 08:05:33 PM

  • Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.

The LE plugin just uses the system Certificate Manager (System -> Trust -> Certificates). It seems to lack this functionality.
I've created a feature request: https://github.com/opnsense/core/issues/1475

Quote from: Taomyn on March 14, 2017, 08:05:33 PM

  • The log file is being split at the wrong "column" and so displays something like:
    [Tue Mar 14                                        19:43:34 CET 2017] Blah blah blah

This is a known bug: https://github.com/opnsense/plugins/issues/69


Regards
- Frank

Hi Taomyn,

this should have been my first question: Which version of OPNsense and the LE plugin are you using?


Regards
- Frank

OPNSense v17.1.2-amd64
os-acme-client v1.1

Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.

Quote from: Taomyn on March 15, 2017, 05:19:44 PM
OPNSense v17.1.2-amd64
os-acme-client v1.1

Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.

Since you've specified your official IP, maybe remove "IP Auto-Discovery" and try again.


Regards
- Frank

Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.

Quote from: Taomyn on March 15, 2017, 05:41:39 PM
Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.

Please have a look at the system log: System -> Log File.
Maybe these log messages can reveal the root cause of this issue.


Thanks
- Frank

I just updated to 17.1.3 which has a newer version of the LE plug-in, hopefully tonight I can give it another go to get logs and see what happens.

As promised, I tried again; it still kills my connection. This is the log from the actions:

Quote
Mar 16 17:24:24   config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24   opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06   configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06   configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy


And attached is a screenshot of the requested certificate. Hope it helps, so if you want me to test a patch/fix let me know.

Quote
Mar 16 17:24:24   config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24   opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06   configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06   configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy

These messages are normal. You haven't configured a restart action, so it's ok that it failed to retrieve it (but this message should be suppressed by the LE plugin since it's useless).

And there is nothing else in the system log around the time when your internet connection died?
I'm sorry, I still have no idea what's wrong there :(


Regards
- Frank

No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?


I still have a few more certificates I need to issue and I was saving them for further testing of this problem.

Quote from: Taomyn on March 17, 2017, 02:48:17 PM
No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?

The temporary pf rules that are added during certificate validation are stored in the filesystem in /var/etc/acme-client/configs. Each certificate has its own subfolder (represented by the internal certificate ID) and the subfolder should contain a file named "acme_anchor_rules". Would you please paste the contents of this file here?


Thanks
- Frank
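A diagnostic script for the check Frank describes above, added here as an example (it is not from the thread and not part of the os-acme-client plugin): it lists each certificate's acme_anchor_rules file under /var/etc/acme-client/configs and reports any of those rules that are still present in the live pf ruleset after validation. The rule syntax used in the constructed sample data and the use of pfctl -sn/-sr to read the live ruleset are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of the os-acme-client plugin.
# Checks the "no traffic after issuing a cert" symptom from the defender's side:
# show the temporary pf rules the plugin wrote per certificate and flag any of
# them that is still loaded in pf once validation has finished.
# Assumed: the configs path is the one named in the thread; rule syntax and
# the pfctl -sn/-sr calls are guesses and should be checked on the box.

ACME_CFG="${ACME_CFG:-/var/etc/acme-client/configs}"

# Print "<cert-id><TAB><rule file>" for every certificate subfolder that
# still contains an acme_anchor_rules file.
find_anchor_rule_files() {
    for f in "$1"/*/acme_anchor_rules; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$(dirname "$f")")" "$f"
    done
}

# Number of certificates that still have a rule file on disk.
count_anchor_rule_files() {
    find_anchor_rule_files "$1" | wc -l | tr -d ' '
}

# Print the rules from rule file $1 that also appear verbatim in $2,
# the text of the live ruleset. Blank lines and comments are ignored.
residual_rules() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while IFS= read -r rule; do
        printf '%s\n' "$2" | grep -qxF -- "$rule" && printf '%s\n' "$rule"
    done
    return 0
}

main() {
    # nat (-sn) and filter (-sr) rules; pfctl may be missing or need root.
    live="$( { pfctl -sn; pfctl -sr; } 2>/dev/null || true )"
    find_anchor_rule_files "$ACME_CFG" | while IFS="$(printf '\t')" read -r id file; do
        echo "== certificate $id: $file =="
        cat "$file"
        left="$(residual_rules "$file" "$live")"
        if [ -n "$left" ]; then
            echo "!! still loaded in pf:"; printf '%s\n' "$left"
        else
            echo "-- none of these rules are in the live ruleset"
        fi
    done
}
main
```

Run it as root right after a certificate request; a non-empty "still loaded in pf" section is the residual rule to report back.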

I'll PM you the content of the file shortly

Or I would:

User 'fraenki' has blocked your personal message.