Can't get certificates using OPNsense, HAProxy and Let's Encrypt


#1

Hi Experts,

After trying for a few days to get the combination of OPNsense, HAProxy and Let’s Encrypt working, it still isn’t working, and you all are my last straw…

Before, I had ports forwarded to my Synology NAS, and on the NAS I did the renewal of my certificate.
Now I have changed to a DIY-built router with OPNsense as the router OS and want to start managing my certificates through the Let’s Encrypt and HAProxy plugins.

For my shiny new domain example.com (name changed) I tried to get a first certificate, which did not work, and then I tried to forcefully renew my jekare.nl certificate. Neither one succeeded.

Now I get the feeling I must have messed up something really badly, because on jekare.nl I get the warning NET::ERR_CERT_DATE_INVALID, although crt.sh reports 4 certificates all valid from 2019-01-19 to 2019-04-19.

I get the feeling there is something wrong with my account key, but I don’t know how to fix it. Please help…

Kind regards,
Jack Reitsema.

My domain is:

Multiple domains, but this post is about jekare.nl and a brand-new domain, example.com (name changed).

I ran this command:

I ran the commands using the OPNsense GUI.

It produced this output:

First the attempt with example.com on production environment:

    [Tue Jan 22 18:06:17 CET 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jan 22 18:06:17 CET 2019] DOMAIN_PATH='/var/etc/acme-client/home/example.com'
    [Tue Jan 22 18:06:17 CET 2019] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
    [Tue Jan 22 18:06:17 CET 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
    [Tue Jan 22 18:06:17 CET 2019] GET
    [Tue Jan 22 18:06:17 CET 2019] url='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jan 22 18:06:17 CET 2019] timeout=
    [Tue Jan 22 18:06:18 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 18:06:18 CET 2019] ret='0'
    [Tue Jan 22 18:06:18 CET 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
    [Tue Jan 22 18:06:18 CET 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 18:06:18 CET 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
    [Tue Jan 22 18:06:18 CET 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
    [Tue Jan 22 18:06:18 CET 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
    [Tue Jan 22 18:06:18 CET 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Tue Jan 22 18:06:18 CET 2019] ACME_NEW_NONCE
    [Tue Jan 22 18:06:18 CET 2019] ACME_VERSION
    [Tue Jan 22 18:06:18 CET 2019] Le_NextRenewTime
    [Tue Jan 22 18:06:19 CET 2019] _on_before_issue
    [Tue Jan 22 18:06:19 CET 2019] _chk_main_domain='example.com'
    [Tue Jan 22 18:06:19 CET 2019] _chk_alt_domains='www.example.com'
    [Tue Jan 22 18:06:19 CET 2019] Le_LocalAddress
    [Tue Jan 22 18:06:19 CET 2019] d='example.com'
    [Tue Jan 22 18:06:19 CET 2019] Check for domain='example.com'
    [Tue Jan 22 18:06:19 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 18:06:19 CET 2019] d='www.example.com'
    [Tue Jan 22 18:06:19 CET 2019] Check for domain='www.example.com'
    [Tue Jan 22 18:06:19 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 18:06:19 CET 2019] d
    [Tue Jan 22 18:06:19 CET 2019] Using config home:/var/etc/acme-client/home
    [Tue Jan 22 18:06:19 CET 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jan 22 18:06:19 CET 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
    [Tue Jan 22 18:06:19 CET 2019] RSA key
    [Tue Jan 22 18:06:22 CET 2019] Registering account
    [Tue Jan 22 18:06:22 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
    [Tue Jan 22 18:06:22 CET 2019] payload='{"resource": "new-reg", "contact": ["mailto: jkr@example.com"], "terms-of-service-agreed": true, "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
    [Tue Jan 22 18:06:22 CET 2019] GET
    [Tue Jan 22 18:06:22 CET 2019] url='https://acme-v01.api.letsencrypt.org/directory'
    [Tue Jan 22 18:06:22 CET 2019] timeout=
    [Tue Jan 22 18:06:22 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 18:06:22 CET 2019] ret='0'
    [Tue Jan 22 18:06:23 CET 2019] POST
    [Tue Jan 22 18:06:23 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
    [Tue Jan 22 18:06:23 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 18:06:24 CET 2019] _ret='0'
    [Tue Jan 22 18:06:24 CET 2019] code='201'
    [Tue Jan 22 18:06:24 CET 2019] Registered
    [Tue Jan 22 18:06:24 CET 2019] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/50005563'
    [Tue Jan 22 18:06:24 CET 2019] Calc CA_KEY_HASH='vO9uMt5xKBLM2pFzTHL4nTXX1zVV+c9F/2BWhsiekxU='
    [Tue Jan 22 18:06:24 CET 2019] ACCOUNT_THUMBPRINT='rAx6LvYaXQTkGQepmZeT3U93kTVJO0Abw7IsrB_4D18'
    [Tue Jan 22 18:06:24 CET 2019] _on_issue_err
    [Tue Jan 22 18:06:24 CET 2019] Please check log file for more details: /var/log/acme.sh.log


This clearly did not work, so I tried renewing my certificate on jekare.nl, on the staging environment first:

    [Tue Jan 22 17:33:59 CET 2019] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 22 17:33:59 CET 2019] ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
    [Tue Jan 22 17:33:59 CET 2019] DOMAIN_PATH='/var/etc/acme-client/home/jekare.nl'
    [Tue Jan 22 17:33:59 CET 2019] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 22 17:33:59 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 22 17:33:59 CET 2019] GET
    [Tue Jan 22 17:33:59 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
    [Tue Jan 22 17:33:59 CET 2019] timeout=
    [Tue Jan 22 17:33:59 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:33:59 CET 2019] ret='0'
    [Tue Jan 22 17:34:00 CET 2019] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Tue Jan 22 17:34:00 CET 2019] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 17:34:00 CET 2019] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Tue Jan 22 17:34:00 CET 2019] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Tue Jan 22 17:34:00 CET 2019] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Tue Jan 22 17:34:00 CET 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Tue Jan 22 17:34:00 CET 2019] ACME_NEW_NONCE
    [Tue Jan 22 17:34:00 CET 2019] ACME_VERSION
    [Tue Jan 22 17:34:00 CET 2019] Le_NextRenewTime='1553258191'
    [Tue Jan 22 17:34:00 CET 2019] _on_before_issue
    [Tue Jan 22 17:34:00 CET 2019] _chk_main_domain='jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] _chk_alt_domains='www.jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] Le_LocalAddress
    [Tue Jan 22 17:34:00 CET 2019] d='jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] Check for domain='jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:00 CET 2019] d='www.jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] Check for domain='www.jekare.nl'
    [Tue Jan 22 17:34:00 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:00 CET 2019] d
    [Tue Jan 22 17:34:00 CET 2019] _saved_account_key_hash is not changed, skip register account.
    [Tue Jan 22 17:34:00 CET 2019] Read key length:4096
    [Tue Jan 22 17:34:00 CET 2019] _createcsr
    [Tue Jan 22 17:34:00 CET 2019] Multi domain='DNS:jekare.nl,DNS:www.jekare.nl'
    [Tue Jan 22 17:34:01 CET 2019] Getting domain auth token for each domain
    [Tue Jan 22 17:34:01 CET 2019] d='jekare.nl'
    [Tue Jan 22 17:34:01 CET 2019] Getting webroot for domain='jekare.nl'
    [Tue Jan 22 17:34:01 CET 2019] _w='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:01 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:01 CET 2019] Getting new-authz for domain='jekare.nl'
    [Tue Jan 22 17:34:01 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 22 17:34:01 CET 2019] Try new-authz for the 0 time.
    [Tue Jan 22 17:34:01 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 17:34:01 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "jekare.nl"}}'
    [Tue Jan 22 17:34:01 CET 2019] RSA key
    [Tue Jan 22 17:34:04 CET 2019] GET
    [Tue Jan 22 17:34:04 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
    [Tue Jan 22 17:34:04 CET 2019] timeout=
    [Tue Jan 22 17:34:04 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:34:04 CET 2019] ret='0'
    [Tue Jan 22 17:34:04 CET 2019] POST
    [Tue Jan 22 17:34:04 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 17:34:05 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:34:06 CET 2019] _ret='0'
    [Tue Jan 22 17:34:06 CET 2019] code='201'
    [Tue Jan 22 17:34:06 CET 2019] The new-authz request is ok.
    [Tue Jan 22 17:34:06 CET 2019] entry='"type":"http-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980","token":"qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU","validationRecord":[{"url":"http://jekare.nl/.well-known/acme-challenge/qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU","hostname":"jekare.nl","port":"80","addressesResolved":["82.72.7.247"],"addressUsed":"82.72.7.247"'
    [Tue Jan 22 17:34:06 CET 2019] token='qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU'
    [Tue Jan 22 17:34:06 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980'
    [Tue Jan 22 17:34:06 CET 2019] keyauthorization='qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
    [Tue Jan 22 17:34:06 CET 2019] jekare.nl is already verified.
    [Tue Jan 22 17:34:06 CET 2019] keyauthorization='verified_ok'
    [Tue Jan 22 17:34:06 CET 2019] dvlist='jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980#http-01#/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:06 CET 2019] d='www.jekare.nl'
    [Tue Jan 22 17:34:06 CET 2019] Getting webroot for domain='www.jekare.nl'
    [Tue Jan 22 17:34:06 CET 2019] _w='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:06 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:06 CET 2019] Getting new-authz for domain='www.jekare.nl'
    [Tue Jan 22 17:34:06 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 22 17:34:06 CET 2019] Try new-authz for the 0 time.
    [Tue Jan 22 17:34:06 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 17:34:06 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "www.jekare.nl"}}'
    [Tue Jan 22 17:34:06 CET 2019] POST
    [Tue Jan 22 17:34:06 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 22 17:34:06 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:34:08 CET 2019] _ret='0'
    [Tue Jan 22 17:34:08 CET 2019] code='201'
    [Tue Jan 22 17:34:08 CET 2019] The new-authz request is ok.
    [Tue Jan 22 17:34:08 CET 2019] entry='"type":"http-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995","token":"l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs","validationRecord":[{"url":"http://www.jekare.nl/.well-known/acme-challenge/l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs","hostname":"www.jekare.nl","port":"80","addressesResolved":["82.72.7.247"],"addressUsed":"82.72.7.247"'
    [Tue Jan 22 17:34:08 CET 2019] token='l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs'
    [Tue Jan 22 17:34:08 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995'
    [Tue Jan 22 17:34:08 CET 2019] keyauthorization='l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
    [Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified.
    [Tue Jan 22 17:34:08 CET 2019] keyauthorization='verified_ok'
    [Tue Jan 22 17:34:08 CET 2019] dvlist='www.jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995#http-01#/var/etc/acme-client/challenges'
    [Tue Jan 22 17:34:08 CET 2019] d
    [Tue Jan 22 17:34:08 CET 2019] vlist='jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980#http-01#/var/etc/acme-client/challenges,www.jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995#http-01#/var/etc/acme-client/challenges,'
    [Tue Jan 22 17:34:08 CET 2019] d='jekare.nl'
    [Tue Jan 22 17:34:08 CET 2019] jekare.nl is already verified, skip http-01.
    [Tue Jan 22 17:34:08 CET 2019] d='www.jekare.nl'
    [Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified, skip http-01.
    [Tue Jan 22 17:34:08 CET 2019] ok, let's start to verify
    [Tue Jan 22 17:34:08 CET 2019] jekare.nl is already verified, skip http-01.
    [Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified, skip http-01.
    [Tue Jan 22 17:34:08 CET 2019] pid
    [Tue Jan 22 17:34:08 CET 2019] No need to restore nginx, skip.
    [Tue Jan 22 17:34:08 CET 2019] _clearupdns
    [Tue Jan 22 17:34:08 CET 2019] skip dns.
    [Tue Jan 22 17:34:08 CET 2019] Verify finished, start to sign.
    [Tue Jan 22 17:34:09 CET 2019] i='2'
    [Tue Jan 22 17:34:09 CET 2019] j='26'
    [Tue Jan 22 17:34:09 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Tue Jan 22 17:34:09 CET 2019] payload='{"resource": "new-cert", "csr": "MIIEnDCCAoQCAQAwFDESMBAGA1UEAwwJamVrYXJlLm5sMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlqx7WDeBZo0fyXds1b-9psc9uAWzciTbLnR7WzU2Z_Ahi4lqcxPHjtKOoZFF2a634NS3gBXMII7jdER7LQhnNwEWJOjg4nrSCUII4Fi63P5_H8_0VFS-93PNJ7qyEMVvmpJW3Ax8EjJ2f8ncLR0I4P2paf0S66tmsu_vzNhcrLL9rBOw-O7w5eH7UfYbaz6WrDfxJO6h0r-YyE83vcA82lOvCPdpP96DSYs-6ZCXeIu4OdVharU6Z90WV7yPsJ3ermvKijmbVCk9YYFMnMqh3ARG9U79PYGzd-K_SpAgt07TdfwWJPJ2-rxY7AdvkGFOwGPZ1zj-Ajiy1lSTQCGfU_H7d9IcTy7diJUTh46dSZIg3CGiaOpdgx7k40IUVj_s2UDRV4YMcxCc8XkTvPosp5ArcP9-WmlFxJ_yyiM4BGHmExNaYDKMPfq3bbYEw0JZrsJWiojD8ukolCtYKpO_pGvNxZwTBpXF7SSzFWQftK3PHzKLdh6xBNSi6f6X_Yk6HwyAtmiksuQ1W5NHEk5uIE8Tijp1p43UtMYpO79SGSxqul1lkv7JaQz5N3BcZlREHK0eI2_cfC7j2zSxq2E1xE8mpL6RexD9FOX0vKwrXXgSZdzAs53NUWV-RY08WvPHhEXpVfSOp9en9fmO47RmIqnkrw3DJq-BcjV7hyFIldUCAwEAAaBDMEEGCSqGSIb3DQEJDjE0MDIwCwYDVR0PBAQDAgXgMCMGA1UdEQQcMBqCCWpla2FyZS5ubIINd3d3Lmpla2FyZS5ubDANBgkqhkiG9w0BAQsFAAOCAgEAa6ZHOZu7OSwR-iJ5AcyV28QPqouCBh0u8vUtn6zoEYz8KSNDmI2NqM7L-boJGEGA599XRm-vpaD7KsnGQv1XArxn9GDb6zK4Ch2SCDyVM2-C81_rBddfdJfxBZyEpKkXNLQpg2GKlXDZZlGmCWrCwvk9PlZ3h8t02-Ri4CdrvwrwoTIh53c0q_kC0m-QxessZRAxTb5BZgSGExDEf6AqSda7xPfZLoKny-FCZAW8kYB9LvvR8831BEUXTfZJNwlzzzgM6oN4K2VtZL4e4-8WWOLhgEpTOHXRteqxK0MlhoGKMl1_DZP6n9yH2_H7YNJhUZwsDWh2cvOJdZnJKtcBJj5i-sOJLyIC_-JV772aSNelcphU2dQqV0bgrwFNZV0tUcJyWIAHsivkNIDWWwIgRr14c7LV2z4mQNgMDTuM675hQV5jEP5xKM8mS-fIKY3JPV06PAV0Kc1Yi3QAuL7gbjJ8wbNnxgqNEn9FJPbG77DhHBwgu57TKjYh_VdXEALAh_DJIK2P2c4qkzj6asVNDja0xg5RxWRZo0u6rra8SLnoUYFHWpWh6hDKZEnbVtbExvb1u9HydGp5d8IYwIeWNUnoi18nA7BA333uaAb4y-cFlOLciepXMENQ07hZFAohI-bvjYxXf6ucb75uAOYKPRK5gB0dVa3FU1JuPE4luNs"}'
    [Tue Jan 22 17:34:09 CET 2019] POST
    [Tue Jan 22 17:34:09 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Tue Jan 22 17:34:09 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:34:12 CET 2019] _ret='0'
    [Tue Jan 22 17:34:12 CET 2019] code='201'
    [Tue Jan 22 17:34:12 CET 2019] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/fa046915dcb6c7972a8e58deb25a7a532945'
    [Tue Jan 22 17:34:12 CET 2019] Cert success.
    [Tue Jan 22 17:34:12 CET 2019] Your cert is in  /var/etc/acme-client/home/jekare.nl/jekare.nl.cer 
    [Tue Jan 22 17:34:12 CET 2019] Your cert key is in  /var/etc/acme-client/home/jekare.nl/jekare.nl.key 
    [Tue Jan 22 17:34:12 CET 2019] Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
    [Tue Jan 22 17:34:12 CET 2019] _link_issuer_retry='0'
    [Tue Jan 22 17:34:12 CET 2019] GET
    [Tue Jan 22 17:34:12 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
    [Tue Jan 22 17:34:12 CET 2019] timeout=
    [Tue Jan 22 17:34:12 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 17:34:13 CET 2019] ret='0'
    [Tue Jan 22 17:34:13 CET 2019] The intermediate CA cert is in  /var/etc/acme-client/home/jekare.nl/ca.cer 
    [Tue Jan 22 17:34:13 CET 2019] And the full chain certs is there:  /var/etc/acme-client/home/jekare.nl/fullchain.cer 
    [Tue Jan 22 17:34:13 CET 2019] Installing cert to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/cert.pem
    [Tue Jan 22 17:34:13 CET 2019] Installing CA to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/chain.pem
    [Tue Jan 22 17:34:14 CET 2019] Installing key to:/var/etc/acme-client/keys/5c439d3f40b355.63681904/private.key
    [Tue Jan 22 17:34:14 CET 2019] Installing full chain to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/fullchain.pem
    [Tue Jan 22 17:34:14 CET 2019] _on_issue_success

This all looked good, so I tried the renewal via the production environment:

    [Tue Jan 22 15:38:44 CET 2019] GET
    [Tue Jan 22 15:38:44 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:44 CET 2019] timeout=
    [Tue Jan 22 15:38:44 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:45 CET 2019] ret='0'
    [Tue Jan 22 15:38:45 CET 2019] Pending
    [Tue Jan 22 15:38:45 CET 2019] sleep 2 secs to verify
    [Tue Jan 22 15:38:47 CET 2019] checking
    [Tue Jan 22 15:38:47 CET 2019] GET
    [Tue Jan 22 15:38:47 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:47 CET 2019] timeout=
    [Tue Jan 22 15:38:47 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:47 CET 2019] ret='0'
    [Tue Jan 22 15:38:47 CET 2019] Pending
    [Tue Jan 22 15:38:47 CET 2019] sleep 2 secs to verify
    [Tue Jan 22 15:38:50 CET 2019] checking
    [Tue Jan 22 15:38:50 CET 2019] GET
    [Tue Jan 22 15:38:50 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:50 CET 2019] timeout=
    [Tue Jan 22 15:38:50 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:50 CET 2019] ret='0'
    [Tue Jan 22 15:38:50 CET 2019] Pending
    [Tue Jan 22 15:38:50 CET 2019] sleep 2 secs to verify
    [Tue Jan 22 15:38:52 CET 2019] checking
    [Tue Jan 22 15:38:52 CET 2019] GET
    [Tue Jan 22 15:38:52 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:52 CET 2019] timeout=
    [Tue Jan 22 15:38:52 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:53 CET 2019] ret='0'
    [Tue Jan 22 15:38:53 CET 2019] jekare.nl:Verify error:Fetching http://jekare.nl/.well-known/acme-challenge/4frjuk-A8aGExROSjbxR79ztuNx-bx_bj8Oc-bYHED0: Timeout during connect (likely firewall problem)
    [Tue Jan 22 15:38:53 CET 2019] pid
    [Tue Jan 22 15:38:53 CET 2019] No need to restore nginx, skip.
    [Tue Jan 22 15:38:53 CET 2019] _clearupdns
    [Tue Jan 22 15:38:53 CET 2019] skip dns.
    [Tue Jan 22 15:38:53 CET 2019] _on_issue_err
    [Tue Jan 22 15:38:53 CET 2019] Please check log file for more details: /var/log/acme.sh.log
    [Tue Jan 22 15:38:53 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:53 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "4frjuk-A8aGExROSjbxR79ztuNx-bx_bj8Oc-bYHED0.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
    [Tue Jan 22 15:38:53 CET 2019] POST
    [Tue Jan 22 15:38:53 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
    [Tue Jan 22 15:38:53 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:54 CET 2019] _ret='0'
    [Tue Jan 22 15:38:54 CET 2019] code='400'
    [Tue Jan 22 15:38:54 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/RvPWoA-Gz3N1kCmbDI3hZhaojtkvDoJF6MYdIFzDAUs/11747362027'
    [Tue Jan 22 15:38:54 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "ABssaR7E4ctGgZs8zo81Bc8Skb3PBIuZz84qLftFd24.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
    [Tue Jan 22 15:38:54 CET 2019] POST
    [Tue Jan 22 15:38:54 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/RvPWoA-Gz3N1kCmbDI3hZhaojtkvDoJF6MYdIFzDAUs/11747362027'
    [Tue Jan 22 15:38:54 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 22 15:38:55 CET 2019] _ret='0'
    [Tue Jan 22 15:38:55 CET 2019] code='202'

Now it suddenly says Timeout during connect (likely firewall problem), but nothing changed in the router/firewall. I don't understand this.

My web server is (include version):

HAProxy HTTP frontend (part of HAProxy plugin)

The operating system my web server runs on is (include version):

OPNsense v18.7.10 
 - Let's Encrypt plugin v1.18
 - HAProxy plugin v2.13

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes, to get to the config files and logs, but I can't install certbot and don't know how to run the acme.sh script manually, nor whether it is even possible.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

OPNsense GUI.

#2

It might not be the direct cause of your failure, but you might want to revisit the AAAA address for your domain: https://letsdebug.net/jekare.nl/18318

Right at this very moment, I can’t access your server on port 80 either, so the firewall message is accurate.


#3

This line confuses me:
Now it suddenly says Timeout during connect (likely firewall problem), but nothing changed in the router/firewall. I don’t understand this.

When compared to:
I changed to a diy build router with OPNsense as the routerOS

Something has changed (on your end)
Something has also changed on the LE end (now all renewals are expected over port 80)
“What broke this?”
Hard to say… without more detail.


#4

Can you please upgrade acme.sh to the latest version?

    acme.sh --upgrade

#5

@_az: Good point. My AAAA record had an invalid IPv6 address in it. Fixed it and did a new try. See the latest log below:

@rg305: I have been using OPNsense for about a year now. During that year (and before) I used a manual process on my NAS behind the OPNsense router to handle the certificate renewals. Therefore I had ports 80 and 443 forwarded to my NAS. Now I would like to do the renewals with the OPNsense router box.
My guess at this time is that I did not transfer my account key from the NAS box to the OPNsense router. The NAS box has been emptied and reformatted, and I don’t have that key anymore.

@Neilpang: I am using the latest supported acme plugin version on OPNsense already. I don't know how to update the acme script itself.

Thanks for helping me, kind regards,
Jack.

Here is the last log trying to renew my jekare.nl certificate:

    [Wed Jan 23 22:15:58 CET 2019] The new-authz request is ok.
    [Wed Jan 23 22:15:58 CET 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239","token":"M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw"'
    [Wed Jan 23 22:15:58 CET 2019] token='M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw'
    [Wed Jan 23 22:15:58 CET 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239'
    [Wed Jan 23 22:15:58 CET 2019] keyauthorization='M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
    [Wed Jan 23 22:15:58 CET 2019] dvlist='www.jekare.nl#M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239#http-01#/var/etc/acme-client/challenges'
    [Wed Jan 23 22:15:58 CET 2019] d
    [Wed Jan 23 22:15:58 CET 2019] vlist='jekare.nl#DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868#http-01#/var/etc/acme-client/challenges,www.jekare.nl#M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239#http-01#/var/etc/acme-client/challenges,'
    [Wed Jan 23 22:15:58 CET 2019] d='jekare.nl'
    [Wed Jan 23 22:15:58 CET 2019] d='www.jekare.nl'
    [Wed Jan 23 22:15:58 CET 2019] ok, let's start to verify
    [Wed Jan 23 22:15:58 CET 2019] Verifying:jekare.nl
    [Wed Jan 23 22:15:59 CET 2019] d='jekare.nl'
    [Wed Jan 23 22:15:59 CET 2019] keyauthorization='DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
    [Wed Jan 23 22:15:59 CET 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:15:59 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Wed Jan 23 22:15:59 CET 2019] wellknown_path='/var/etc/acme-client/challenges/.well-known/acme-challenge'
    [Wed Jan 23 22:15:59 CET 2019] writing token:DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes to /var/etc/acme-client/challenges/.well-known/acme-challenge/DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes
    [Wed Jan 23 22:15:59 CET 2019] Changing owner/group of .well-known to root:wheel
    [Wed Jan 23 22:15:59 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:15:59 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
    [Wed Jan 23 22:15:59 CET 2019] POST
    [Wed Jan 23 22:15:59 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:15:59 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
    [Wed Jan 23 22:16:00 CET 2019] _ret='0'
    [Wed Jan 23 22:16:00 CET 2019] code='202'
    [Wed Jan 23 22:16:00 CET 2019] sleep 2 secs to verify
    [Wed Jan 23 22:16:02 CET 2019] checking
    [Wed Jan 23 22:16:02 CET 2019] GET
    [Wed Jan 23 22:16:02 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:16:02 CET 2019] timeout=
    [Wed Jan 23 22:16:02 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
    [Wed Jan 23 22:16:03 CET 2019] ret='0'
    [Wed Jan 23 22:16:03 CET 2019] jekare.nl:Verify error:Invalid response from http://jekare.nl/.well-known/acme-challenge/DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes:
    [Wed Jan 23 22:16:03 CET 2019] pid
    [Wed Jan 23 22:16:03 CET 2019] No need to restore nginx, skip.
    [Wed Jan 23 22:16:03 CET 2019] _clearupdns
    [Wed Jan 23 22:16:03 CET 2019] skip dns.
    [Wed Jan 23 22:16:03 CET 2019] _on_issue_err
    [Wed Jan 23 22:16:03 CET 2019] Please check log file for more details: /var/log/acme.sh.log
    [Wed Jan 23 22:16:03 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:16:03 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
    [Wed Jan 23 22:16:03 CET 2019] POST
    [Wed Jan 23 22:16:03 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/_q2DWPAYIzfH9CYECVGPvjjRa6_uvL5moGptDBqWLyE/11790604868'
    [Wed Jan 23 22:16:03 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
    [Wed Jan 23 22:16:04 CET 2019] _ret='0'
    [Wed Jan 23 22:16:04 CET 2019] code='400'
    [Wed Jan 23 22:16:04 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239'
    [Wed Jan 23 22:16:04 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "M-llqMFCcCIruB8yRYv2XTyCNv2UzzT9PSJ17O55SEw.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
    [Wed Jan 23 22:16:04 CET 2019] POST
    [Wed Jan 23 22:16:04 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/C0M78xUKejzT53EGF2RbeHYHE3C37ras1w-oeELxJbo/11790605239'
    [Wed Jan 23 22:16:04 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
    [Wed Jan 23 22:16:05 CET 2019] _ret='0'
    [Wed Jan 23 22:16:05 CET 2019] code='202'


#6

Not using the exact same key is not critical. It should just create a new one (no problem).

When you say:

This requires the ACME client and the HTTP termination to be on the same system (OPNsense routerbox)
To confirm that, where does http://jekare.nl/ terminate?
I get no response from my system…
    Connecting to jekare.nl (jekare.nl)|82.72.7.247|:80... failed: Connection timed out.
You must allow port 80 in from the Internet or this request and subsequent renewals are at risk of inevitable failure.
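The two checks being asked for in this thread (is the token file sitting in the acme-client challenge directory, and can the CA actually fetch it over plain HTTP on port 80) can be run locally before retrying a renewal. The script below is an added example, not code from the thread, from acme.sh or from the OPNsense plugins. It takes the token and account thumbprint from the `keyauthorization=` line of the log posted above, reproduces the two failure modes seen in this thread ("Timeout during connect", i.e. nothing reachable on the port, and "Invalid response", i.e. a listener that does not serve the token file), and stands up a throwaway local HTTP listener in place of HAProxy so that it runs offline; the loopback addresses, ports and temporary webroot are constructed for the demo.

```python
"""Pre-flight check for an ACME http-01 challenge, mirroring what the CA does.

Added example (not from the forum thread, acme.sh or the OPNsense plugins).
Token and account thumbprint are copied from the 'keyauthorization=' line of
the posted log; the listener addresses and webroot are constructed for a demo.
"""
import http.server
import os
import shutil
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Values taken from the posted acme.sh log (token.thumbprint form).
TOKEN = "DBPsOW6X27drUMdhFpLineBjslXMvcxmHWN1__WwPes"
ACCOUNT_THUMBPRINT = "CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"


def key_authorization(token, thumbprint):
    """RFC 8555 section 8.1: the challenge body is '<token>.<JWK thumbprint>'.
    The thumbprint depends only on the account public key, not on the CA."""
    return f"{token}.{thumbprint}"


def check_webroot_file(webroot, token, expected):
    """Step 1: the client must have written the token file into the webroot
    (the _currentRoot / wellknown_path directories in the log)."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    if not os.path.isfile(path):
        return False, f"missing challenge file: {path}"
    with open(path, encoding="ascii") as fh:
        body = fh.read()
    if body.rstrip() != expected:  # RFC 8555 8.3: trailing whitespace is tolerated
        return False, "challenge file content does not match key authorization"
    return True, "webroot file ok"


def check_http_fetch(base_url, token, expected, timeout=5.0):
    """Step 2: fetch the file the way the CA does (plain HTTP, redirects followed)
    and classify the failure the same way the acme.sh log lines do."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:
        # A listener answered but does not serve the token: 'Invalid response'.
        return False, f"invalid response: HTTP {exc.code} from {url}"
    except OSError as exc:
        # Nothing answered at all: port forward / firewall ('Timeout during connect').
        return False, f"connect failed (firewall, NAT or no listener): {exc}"
    if body.rstrip() != expected:
        return False, "invalid response: body differs from key authorization"
    return True, "http fetch ok"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def run_demo():
    """Constructed scenario: a loopback listener plays HAProxy serving the
    acme-client challenge directory. Returns the (ok, detail) of each check."""
    expected = key_authorization(TOKEN, ACCOUNT_THUMBPRINT)
    webroot = tempfile.mkdtemp(prefix="acme-challenges-")
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)
    with open(os.path.join(chal_dir, TOKEN), "w", encoding="ascii") as fh:
        fh.write(expected)

    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"

    # A port nobody listens on stands in for a WAN side with no port-80 forward.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()

    results = {
        "file": check_webroot_file(webroot, TOKEN, expected),
        "fetch_ok": check_http_fetch(base_url, TOKEN, expected),
        "fetch_wrong_token": check_http_fetch(base_url, "not-the-token", expected),
        "fetch_no_listener": check_http_fetch(
            f"http://127.0.0.1:{dead_port}", TOKEN, expected, timeout=2.0),
    }
    server.shutdown()
    server.server_close()
    shutil.rmtree(webroot, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}  {detail}")
```

Against a real setup, point `check_webroot_file` at the challenge directory shown in the log (`/var/etc/acme-client/challenges`) on the OPNsense box, and run `check_http_fetch` against `http://<your-domain>` from a host outside your own network, since a fetch from inside the LAN does not exercise the WAN port-80 rule. A "connect failed" result points at the firewall rule or port forward; a 404 or body mismatch means the HTTP frontend is reached but is not serving the acme-client challenge directory.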


#7

Hey rg305,

In the meantime I managed to open my port 80 (there was an active option in the OPNsense configuration to redirect HTTP traffic). My HTTP endpoint points to 127.0.0.1, which is the OPNsense machine where the acme script is also running.

Letsdebug.net shows all green:

and if I try to renew the certificate, this is the log on the staging environment:

    [Tue Jan 29 16:58:44 CET 2019] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 29 16:58:44 CET 2019] ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
    [Tue Jan 29 16:58:44 CET 2019] DOMAIN_PATH='/var/etc/acme-client/home/jekare.nl'
    [Tue Jan 29 16:58:44 CET 2019] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 29 16:58:44 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
    [Tue Jan 29 16:58:44 CET 2019] GET
    [Tue Jan 29 16:58:44 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
    [Tue Jan 29 16:58:44 CET 2019] timeout=
    [Tue Jan 29 16:58:44 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
    [Tue Jan 29 16:58:45 CET 2019] ret='0'
    [Tue Jan 29 16:58:45 CET 2019] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
    [Tue Jan 29 16:58:45 CET 2019] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
    [Tue Jan 29 16:58:45 CET 2019] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
    [Tue Jan 29 16:58:45 CET 2019] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
    [Tue Jan 29 16:58:45 CET 2019] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
    [Tue Jan 29 16:58:45 CET 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Tue Jan 29 16:58:45 CET 2019] ACME_NEW_NONCE
    [Tue Jan 29 16:58:45 CET 2019] ACME_VERSION
    [Tue Jan 29 16:58:45 CET 2019] Le_NextRenewTime='1553272453'
    [Tue Jan 29 16:58:45 CET 2019] _on_before_issue
    [Tue Jan 29 16:58:45 CET 2019] _chk_main_domain='jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] _chk_alt_domains='www.jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] Le_LocalAddress
    [Tue Jan 29 16:58:45 CET 2019] d='jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] Check for domain='jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 29 16:58:45 CET 2019] d='www.jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] Check for domain='www.jekare.nl'
    [Tue Jan 29 16:58:45 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
    [Tue Jan 29 16:58:45 CET 2019] d
    [Tue Jan 29 16:58:46 CET 2019] _saved_account_key_hash is not changed, skip register account.
    [Tue Jan 29 16:58:46 CET 2019] Read key length:4096
    [Tue Jan 29 16:58:46 CET 2019] _createcsr
    [Tue Jan 29 16:58:46 CET 2019] Multi domain='DNS:jekare.nl,DNS:www.jekare.nl'
    [Tue Jan 29 16:58:46 CET 2019] Getting domain auth token for each domain
    [Tue Jan 29 16:58:46 CET 2019] d='jekare.nl'
    [Tue Jan 29 16:58:46 CET 2019] Getting webroot for domain='jekare.nl'
    [Tue Jan 29 16:58:46 CET 2019] _w='/var/etc/acme-client/challenges'
    [Tue Jan 29 16:58:46 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:46 CET 2019] Getting new-authz for domain='jekare.nl'
[Tue Jan 29 16:58:46 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 29 16:58:46 CET 2019] Try new-authz for the 0 time.
[Tue Jan 29 16:58:46 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 29 16:58:46 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "jekare.nl"}}'
[Tue Jan 29 16:58:46 CET 2019] RSA key
[Tue Jan 29 16:58:49 CET 2019] GET
[Tue Jan 29 16:58:49 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
[Tue Jan 29 16:58:49 CET 2019] timeout=
[Tue Jan 29 16:58:49 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:49 CET 2019] ret='0'
[Tue Jan 29 16:58:49 CET 2019] POST
[Tue Jan 29 16:58:49 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 29 16:58:49 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:50 CET 2019] _ret='0'
[Tue Jan 29 16:58:50 CET 2019] code='201'
[Tue Jan 29 16:58:50 CET 2019] The new-authz request is ok.
[Tue Jan 29 16:58:50 CET 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080","token":"K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g"'
[Tue Jan 29 16:58:50 CET 2019] token='K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g'
[Tue Jan 29 16:58:50 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:50 CET 2019] keyauthorization='K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
[Tue Jan 29 16:58:50 CET 2019] dvlist='jekare.nl#K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080#http-01#/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:51 CET 2019] d='www.jekare.nl'
[Tue Jan 29 16:58:51 CET 2019] Getting webroot for domain='www.jekare.nl'
[Tue Jan 29 16:58:51 CET 2019] _w='/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:51 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:51 CET 2019] Getting new-authz for domain='www.jekare.nl'
[Tue Jan 29 16:58:51 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 29 16:58:51 CET 2019] Try new-authz for the 0 time.
[Tue Jan 29 16:58:51 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 29 16:58:51 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "www.jekare.nl"}}'
[Tue Jan 29 16:58:51 CET 2019] POST
[Tue Jan 29 16:58:51 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 29 16:58:51 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:52 CET 2019] _ret='0'
[Tue Jan 29 16:58:52 CET 2019] code='201'
[Tue Jan 29 16:58:52 CET 2019] The new-authz request is ok.
[Tue Jan 29 16:58:52 CET 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102","token":"cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso"'
[Tue Jan 29 16:58:52 CET 2019] token='cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso'
[Tue Jan 29 16:58:52 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102'
[Tue Jan 29 16:58:52 CET 2019] keyauthorization='cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
[Tue Jan 29 16:58:52 CET 2019] dvlist='www.jekare.nl#cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102#http-01#/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:52 CET 2019] d
[Tue Jan 29 16:58:52 CET 2019] vlist='jekare.nl#K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080#http-01#/var/etc/acme-client/challenges,www.jekare.nl#cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew#https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102#http-01#/var/etc/acme-client/challenges,'
[Tue Jan 29 16:58:52 CET 2019] d='jekare.nl'
[Tue Jan 29 16:58:52 CET 2019] d='www.jekare.nl'
[Tue Jan 29 16:58:52 CET 2019] ok, let's start to verify
[Tue Jan 29 16:58:52 CET 2019] Verifying:jekare.nl
[Tue Jan 29 16:58:52 CET 2019] d='jekare.nl'
[Tue Jan 29 16:58:52 CET 2019] keyauthorization='K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
[Tue Jan 29 16:58:52 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:52 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 29 16:58:52 CET 2019] wellknown_path='/var/etc/acme-client/challenges/.well-known/acme-challenge'
[Tue Jan 29 16:58:52 CET 2019] writing token:K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g to /var/etc/acme-client/challenges/.well-known/acme-challenge/K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g
[Tue Jan 29 16:58:52 CET 2019] Changing owner/group of .well-known to root:wheel
[Tue Jan 29 16:58:52 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:52 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
[Tue Jan 29 16:58:53 CET 2019] POST
[Tue Jan 29 16:58:53 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:53 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:53 CET 2019] _ret='0'
[Tue Jan 29 16:58:53 CET 2019] code='202'
[Tue Jan 29 16:58:53 CET 2019] sleep 2 secs to verify
[Tue Jan 29 16:58:56 CET 2019] checking
[Tue Jan 29 16:58:56 CET 2019] GET
[Tue Jan 29 16:58:56 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:56 CET 2019] timeout=
[Tue Jan 29 16:58:56 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:56 CET 2019] ret='0'
[Tue Jan 29 16:58:56 CET 2019] jekare.nl:Verify error:Invalid response from http://jekare.nl/.well-known/acme-challenge/K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g: 
[Tue Jan 29 16:58:56 CET 2019] pid
[Tue Jan 29 16:58:56 CET 2019] No need to restore nginx, skip.
[Tue Jan 29 16:58:56 CET 2019] _clearupdns
[Tue Jan 29 16:58:56 CET 2019] skip dns.
[Tue Jan 29 16:58:56 CET 2019] _on_issue_err
[Tue Jan 29 16:58:56 CET 2019] Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 29 16:58:56 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:56 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
[Tue Jan 29 16:58:57 CET 2019] POST
[Tue Jan 29 16:58:57 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/challenge/sYYkS-3h6XgjcM3no44A6IaE2nUVwrCWOD_i1vIPyoQ/232988080'
[Tue Jan 29 16:58:57 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:57 CET 2019] _ret='0'
[Tue Jan 29 16:58:57 CET 2019] code='400'
[Tue Jan 29 16:58:58 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102'
[Tue Jan 29 16:58:58 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
[Tue Jan 29 16:58:58 CET 2019] POST
[Tue Jan 29 16:58:58 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/challenge/7IULMR-XmPo8aX-wBTlR9Yp2iCldYjn4BcDJSO5C_zs/232988102'
[Tue Jan 29 16:58:58 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Jan 29 16:58:59 CET 2019] _ret='0'
[Tue Jan 29 16:58:59 CET 2019] code='202'

where the most important part is probably the line:
[Tue Jan 29 16:58:56 CET 2019] jekare.nl:Verify error:Invalid response from http://jekare.nl/.well-known/acme-challenge/K4jVquJMEq5qgBVZIYcUdGCJZAGeyDAMv6neth42V3g:

Does this give you any idea of what is going wrong?

With kind regards,
Jack Reitsema.


#8

And this is the output of a certificate search, perhaps this helps too…:


#9

This seems like a big step in the right direction.
But the path and field are still quite blurry for me.
Which web server does it use?
(Apache | NGINX)
Which ACME client are you using?
(acme.sh | certbot)


#10

Hi @jekare

checking the url

https://www.jekare.nl/.well-known/acme-challenge/cCXUd_uW6dqDPLYFpkqyzBISpx3n8BE--TrQG6rMzso

Synology answers.

So I don’t see that:


#11

PS: Now I see ( https://check-your-website.server-daten.de/?q=jekare.nl ):

Your http has Server: OPNsense as header. But then follows a redirect to https ( https://check-your-website.server-daten.de/?q=jekare.nl ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Note |
|---|---|---|---|---|---|---|
| http://jekare.nl/ | 82.72.7.247 | 301 | https://jekare.nl/ | 0.087 | A | |
| http://www.jekare.nl/ | 82.72.7.247 | 301 | https://www.jekare.nl/ | 0.080 | A | |
| https://jekare.nl/ | 82.72.7.247 | 200 | | 1.744 | N | Certificate error: RemoteCertificateChainErrors |
| https://www.jekare.nl/ | 82.72.7.247 | 200 | | 1.466 | N | Certificate error: RemoteCertificateChainErrors |
| http://jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 82.72.7.247 | 301 | https://jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.080 | A | |
| http://www.jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 82.72.7.247 | 301 | https://www.jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.080 | A | |
| https://jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.420 | N | Not Found; Certificate error: RemoteCertificateChainErrors |
| https://www.jekare.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.446 | N | Not Found; Certificate error: RemoteCertificateChainErrors |

And https has a different Server header without the “Server” - Variable.

So you have two options

  • Remove the redirect http -> https, so OPNsense can answer.
  • You must use the webroot of your https server, perhaps Synology.
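A pre-flight check of the http-01 path, added here as an example (not code from this thread, OPNsense or acme.sh): it follows the redirect chain the Let's Encrypt validator follows from port 80 and reports whether the host at the end of that chain serves the expected key authorization. The domain, token, thumbprint and SAMPLE_CHAIN are constructed placeholders modelled on the check-your-website table above; walk_challenge needs network access, diagnose does not.

```python
import http.client
import ssl
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_once(url, timeout=10):
    """GET one URL without following redirects; returns (status, headers, body)."""
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()  # the validator accepts any cert on a redirect target
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/", headers={"Host": u.hostname})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    return resp.status, headers, resp.read().decode("utf-8", "replace")

def walk_challenge(domain, token, max_hops=5, fetch=fetch_once):
    """Follow redirects from the plain-HTTP challenge URL; returns one (url, status, headers, body) per hop."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append((url, status, headers, body))
        if status not in REDIRECTS or "location" not in headers:
            break
        url = headers["location"]
    return hops

def diagnose(hops, expected_keyauth):
    """Say what a validator would conclude from the chain; returns (verdict, detail)."""
    url, status, headers, body = hops[-1]
    chain = " -> ".join(f"{h[1]} ({h[2].get('server', 'no Server header')})" for h in hops)
    if status in REDIRECTS:
        return "redirect-loop", f"still redirecting after {len(hops)} hops: {chain}"
    if status == 404:
        return "not-found", f"{url} answers 404: the host ending the chain does not serve the token files ({chain})"
    if status != 200:
        return "unexpected-status", f"{url} answers {status} ({chain})"
    if body.strip() != expected_keyauth:
        return "wrong-body", f"{url} serves another key authorization: stale token or other ACME account ({chain})"
    return "ok", f"{url} serves the expected key authorization ({chain})"

# Constructed sample modelled on the check-your-website table: OPNsense 301s port 80 to https, https side 404s.
SAMPLE_CHAIN = [("http://jekare.nl/.well-known/acme-challenge/TOKEN", 301,
                 {"server": "OPNsense", "location": "https://jekare.nl/.well-known/acme-challenge/TOKEN"}, ""),
                ("https://jekare.nl/.well-known/acme-challenge/TOKEN", 404, {}, "Not Found")]
```

Run walk_challenge against your own domain with a token file you placed in the challenge directory and feed the result to diagnose; the redirect to https is allowed by the validator, it is the 404 at the end of the chain that fails the challenge.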

#12

Good afternoon Juergen,

It is my understanding that in OPNsense the LetsEncrypt plugin works together with the HAProxy plugin to redirect all /.well-known/acme-challenge requests to the HAProxy builtin webserver to fulfill the http-01 challenge.

Therefore at this moment I forwarded ports 80 and 443 to my NAS where my regular webservices reside. The redirect in HAProxy is intercepting the requests from Let's Encrypt to handle the challenge, but in the log I still see the jekare.nl:Verify error:Invalid response from http://jekare.nl/.well-known/acme-challenge

So, this setup clearly is not working. But if I point both ports 80 and 443 to OPNsense itself it is also not working.

AFAIK the only redirect that takes place at this moment is by the LetsEncrypt plugin, and that is supposed to happen. I can't find any http->https redirection anymore, but it still does not work.

Do you have any other ideas? At least I am glad with your input, I am learning a lot these days…

With kind regards,
Jack Reitsema.


closed #13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.