Hi Experts,
After trying to get the combo OPNsense, HAProxy and Let's Encrypt working for a few days it still isn't working, and you all are my last straw…
Before, I had ports forwarded to my Synology NAS, and on the NAS I did the renewal of my certificate.
Now I have changed to a DIY-built router with OPNsense as the router OS and want to start managing my certificates through the Let's Encrypt and HAProxy plugins.
For my shiny new domain example.com (name changed) I tried to get a first certificate, which did not work, and then I tried to forcefully renew my jekare.nl certificate. Neither one succeeded.
Now I get the feeling I must have messed up something really badly, because on jekare.nl I get the warning NET::ERR_CERT_DATE_INVALID, although crt.sh reports 4 certificates, all valid from 2019-01-19 to 2019-04-19.
I get the feeling there is something wrong with my account key, but I don't know how to fix it. Please help…
Kind regards,
Jack Reitsema.
My domain is:
Multiple domains, but this post is about jekare.nl and a brand new domain example.com (name changed).
I ran this command:
I ran the commands using the OPNsense GUI.
It produced this output:
First, the attempt with example.com on the production environment:
[Tue Jan 22 18:06:17 CET 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jan 22 18:06:17 CET 2019] DOMAIN_PATH='/var/etc/acme-client/home/example.com'
[Tue Jan 22 18:06:17 CET 2019] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Jan 22 18:06:17 CET 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Jan 22 18:06:17 CET 2019] GET
[Tue Jan 22 18:06:17 CET 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jan 22 18:06:17 CET 2019] timeout=
[Tue Jan 22 18:06:18 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 18:06:18 CET 2019] ret='0'
[Tue Jan 22 18:06:18 CET 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Jan 22 18:06:18 CET 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 18:06:18 CET 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Jan 22 18:06:18 CET 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Jan 22 18:06:18 CET 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Jan 22 18:06:18 CET 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Jan 22 18:06:18 CET 2019] ACME_NEW_NONCE
[Tue Jan 22 18:06:18 CET 2019] ACME_VERSION
[Tue Jan 22 18:06:18 CET 2019] Le_NextRenewTime
[Tue Jan 22 18:06:19 CET 2019] _on_before_issue
[Tue Jan 22 18:06:19 CET 2019] _chk_main_domain='example.com'
[Tue Jan 22 18:06:19 CET 2019] _chk_alt_domains='www.example.com'
[Tue Jan 22 18:06:19 CET 2019] Le_LocalAddress
[Tue Jan 22 18:06:19 CET 2019] d='example.com'
[Tue Jan 22 18:06:19 CET 2019] Check for domain='example.com'
[Tue Jan 22 18:06:19 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 18:06:19 CET 2019] d='www.example.com'
[Tue Jan 22 18:06:19 CET 2019] Check for domain='www.example.com'
[Tue Jan 22 18:06:19 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 18:06:19 CET 2019] d
[Tue Jan 22 18:06:19 CET 2019] Using config home:/var/etc/acme-client/home
[Tue Jan 22 18:06:19 CET 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jan 22 18:06:19 CET 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Jan 22 18:06:19 CET 2019] RSA key
[Tue Jan 22 18:06:22 CET 2019] Registering account
[Tue Jan 22 18:06:22 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Jan 22 18:06:22 CET 2019] payload='{"resource": "new-reg", "contact": ["mailto: jkr@example.com"], "terms-of-service-agreed": true, "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
[Tue Jan 22 18:06:22 CET 2019] GET
[Tue Jan 22 18:06:22 CET 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Jan 22 18:06:22 CET 2019] timeout=
[Tue Jan 22 18:06:22 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 18:06:22 CET 2019] ret='0'
[Tue Jan 22 18:06:23 CET 2019] POST
[Tue Jan 22 18:06:23 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Jan 22 18:06:23 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 18:06:24 CET 2019] _ret='0'
[Tue Jan 22 18:06:24 CET 2019] code='201'
[Tue Jan 22 18:06:24 CET 2019] Registered
[Tue Jan 22 18:06:24 CET 2019] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/50005563'
[Tue Jan 22 18:06:24 CET 2019] Calc CA_KEY_HASH='vO9uMt5xKBLM2pFzTHL4nTXX1zVV+c9F/2BWhsiekxU='
[Tue Jan 22 18:06:24 CET 2019] ACCOUNT_THUMBPRINT='rAx6LvYaXQTkGQepmZeT3U93kTVJO0Abw7IsrB_4D18'
[Tue Jan 22 18:06:24 CET 2019] _on_issue_err
[Tue Jan 22 18:06:24 CET 2019] Please check log file for more details: /var/log/acme.sh.log
This clearly did not work, so I tried renewing my certificate on jekare.nl, on the staging environment first:
[Tue Jan 22 17:33:59 CET 2019] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 22 17:33:59 CET 2019] ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
[Tue Jan 22 17:33:59 CET 2019] DOMAIN_PATH='/var/etc/acme-client/home/jekare.nl'
[Tue Jan 22 17:33:59 CET 2019] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 22 17:33:59 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 22 17:33:59 CET 2019] GET
[Tue Jan 22 17:33:59 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
[Tue Jan 22 17:33:59 CET 2019] timeout=
[Tue Jan 22 17:33:59 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:33:59 CET 2019] ret='0'
[Tue Jan 22 17:34:00 CET 2019] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Tue Jan 22 17:34:00 CET 2019] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 17:34:00 CET 2019] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Tue Jan 22 17:34:00 CET 2019] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Tue Jan 22 17:34:00 CET 2019] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Tue Jan 22 17:34:00 CET 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Jan 22 17:34:00 CET 2019] ACME_NEW_NONCE
[Tue Jan 22 17:34:00 CET 2019] ACME_VERSION
[Tue Jan 22 17:34:00 CET 2019] Le_NextRenewTime='1553258191'
[Tue Jan 22 17:34:00 CET 2019] _on_before_issue
[Tue Jan 22 17:34:00 CET 2019] _chk_main_domain='jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] _chk_alt_domains='www.jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] Le_LocalAddress
[Tue Jan 22 17:34:00 CET 2019] d='jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] Check for domain='jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:00 CET 2019] d='www.jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] Check for domain='www.jekare.nl'
[Tue Jan 22 17:34:00 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:00 CET 2019] d
[Tue Jan 22 17:34:00 CET 2019] _saved_account_key_hash is not changed, skip register account.
[Tue Jan 22 17:34:00 CET 2019] Read key length:4096
[Tue Jan 22 17:34:00 CET 2019] _createcsr
[Tue Jan 22 17:34:00 CET 2019] Multi domain='DNS:jekare.nl,DNS:www.jekare.nl'
[Tue Jan 22 17:34:01 CET 2019] Getting domain auth token for each domain
[Tue Jan 22 17:34:01 CET 2019] d='jekare.nl'
[Tue Jan 22 17:34:01 CET 2019] Getting webroot for domain='jekare.nl'
[Tue Jan 22 17:34:01 CET 2019] _w='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:01 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:01 CET 2019] Getting new-authz for domain='jekare.nl'
[Tue Jan 22 17:34:01 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 22 17:34:01 CET 2019] Try new-authz for the 0 time.
[Tue Jan 22 17:34:01 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 17:34:01 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "jekare.nl"}}'
[Tue Jan 22 17:34:01 CET 2019] RSA key
[Tue Jan 22 17:34:04 CET 2019] GET
[Tue Jan 22 17:34:04 CET 2019] url='https://acme-staging.api.letsencrypt.org/directory'
[Tue Jan 22 17:34:04 CET 2019] timeout=
[Tue Jan 22 17:34:04 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:34:04 CET 2019] ret='0'
[Tue Jan 22 17:34:04 CET 2019] POST
[Tue Jan 22 17:34:04 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 17:34:05 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:34:06 CET 2019] _ret='0'
[Tue Jan 22 17:34:06 CET 2019] code='201'
[Tue Jan 22 17:34:06 CET 2019] The new-authz request is ok.
[Tue Jan 22 17:34:06 CET 2019] entry='"type":"http-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980","token":"qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU","validationRecord":[{"url":"http://jekare.nl/.well-known/acme-challenge/qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU","hostname":"jekare.nl","port":"80","addressesResolved":["82.72.7.247"],"addressUsed":"82.72.7.247"'
[Tue Jan 22 17:34:06 CET 2019] token='qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU'
[Tue Jan 22 17:34:06 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980'
[Tue Jan 22 17:34:06 CET 2019] keyauthorization='qt7IUNGVpmTKlffYVfKsMHI9d6fVqlw4qm0XRxhkgYU.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
[Tue Jan 22 17:34:06 CET 2019] jekare.nl is already verified.
[Tue Jan 22 17:34:06 CET 2019] keyauthorization='verified_ok'
[Tue Jan 22 17:34:06 CET 2019] dvlist='jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980#http-01#/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:06 CET 2019] d='www.jekare.nl'
[Tue Jan 22 17:34:06 CET 2019] Getting webroot for domain='www.jekare.nl'
[Tue Jan 22 17:34:06 CET 2019] _w='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:06 CET 2019] _currentRoot='/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:06 CET 2019] Getting new-authz for domain='www.jekare.nl'
[Tue Jan 22 17:34:06 CET 2019] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Tue Jan 22 17:34:06 CET 2019] Try new-authz for the 0 time.
[Tue Jan 22 17:34:06 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 17:34:06 CET 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "www.jekare.nl"}}'
[Tue Jan 22 17:34:06 CET 2019] POST
[Tue Jan 22 17:34:06 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Jan 22 17:34:06 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:34:08 CET 2019] _ret='0'
[Tue Jan 22 17:34:08 CET 2019] code='201'
[Tue Jan 22 17:34:08 CET 2019] The new-authz request is ok.
[Tue Jan 22 17:34:08 CET 2019] entry='"type":"http-01","status":"valid","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995","token":"l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs","validationRecord":[{"url":"http://www.jekare.nl/.well-known/acme-challenge/l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs","hostname":"www.jekare.nl","port":"80","addressesResolved":["82.72.7.247"],"addressUsed":"82.72.7.247"'
[Tue Jan 22 17:34:08 CET 2019] token='l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs'
[Tue Jan 22 17:34:08 CET 2019] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995'
[Tue Jan 22 17:34:08 CET 2019] keyauthorization='l1vZJtsRZNpqHPUaPl-vlgzYpOdX3IDkfSBpb0RU7Vs.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew'
[Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified.
[Tue Jan 22 17:34:08 CET 2019] keyauthorization='verified_ok'
[Tue Jan 22 17:34:08 CET 2019] dvlist='www.jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995#http-01#/var/etc/acme-client/challenges'
[Tue Jan 22 17:34:08 CET 2019] d
[Tue Jan 22 17:34:08 CET 2019] vlist='jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/KQQDbGSAajPtfqHJP8q-YhtEryquN9HsWB6HWKkiJOM/224982980#http-01#/var/etc/acme-client/challenges,www.jekare.nl#verified_ok#https://acme-staging.api.letsencrypt.org/acme/challenge/BeAmaYTvueay_QapeWnvRXlvYuIK4TIu3TN4Qio49UE/224982995#http-01#/var/etc/acme-client/challenges,'
[Tue Jan 22 17:34:08 CET 2019] d='jekare.nl'
[Tue Jan 22 17:34:08 CET 2019] jekare.nl is already verified, skip http-01.
[Tue Jan 22 17:34:08 CET 2019] d='www.jekare.nl'
[Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified, skip http-01.
[Tue Jan 22 17:34:08 CET 2019] ok, let's start to verify
[Tue Jan 22 17:34:08 CET 2019] jekare.nl is already verified, skip http-01.
[Tue Jan 22 17:34:08 CET 2019] www.jekare.nl is already verified, skip http-01.
[Tue Jan 22 17:34:08 CET 2019] pid
[Tue Jan 22 17:34:08 CET 2019] No need to restore nginx, skip.
[Tue Jan 22 17:34:08 CET 2019] _clearupdns
[Tue Jan 22 17:34:08 CET 2019] skip dns.
[Tue Jan 22 17:34:08 CET 2019] Verify finished, start to sign.
[Tue Jan 22 17:34:09 CET 2019] i='2'
[Tue Jan 22 17:34:09 CET 2019] j='26'
[Tue Jan 22 17:34:09 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Tue Jan 22 17:34:09 CET 2019] payload='{"resource": "new-cert", "csr": "MIIEnDCCAoQCAQAwFDESMBAGA1UEAwwJamVrYXJlLm5sMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlqx7WDeBZo0fyXds1b-9psc9uAWzciTbLnR7WzU2Z_Ahi4lqcxPHjtKOoZFF2a634NS3gBXMII7jdER7LQhnNwEWJOjg4nrSCUII4Fi63P5_H8_0VFS-93PNJ7qyEMVvmpJW3Ax8EjJ2f8ncLR0I4P2paf0S66tmsu_vzNhcrLL9rBOw-O7w5eH7UfYbaz6WrDfxJO6h0r-YyE83vcA82lOvCPdpP96DSYs-6ZCXeIu4OdVharU6Z90WV7yPsJ3ermvKijmbVCk9YYFMnMqh3ARG9U79PYGzd-K_SpAgt07TdfwWJPJ2-rxY7AdvkGFOwGPZ1zj-Ajiy1lSTQCGfU_H7d9IcTy7diJUTh46dSZIg3CGiaOpdgx7k40IUVj_s2UDRV4YMcxCc8XkTvPosp5ArcP9-WmlFxJ_yyiM4BGHmExNaYDKMPfq3bbYEw0JZrsJWiojD8ukolCtYKpO_pGvNxZwTBpXF7SSzFWQftK3PHzKLdh6xBNSi6f6X_Yk6HwyAtmiksuQ1W5NHEk5uIE8Tijp1p43UtMYpO79SGSxqul1lkv7JaQz5N3BcZlREHK0eI2_cfC7j2zSxq2E1xE8mpL6RexD9FOX0vKwrXXgSZdzAs53NUWV-RY08WvPHhEXpVfSOp9en9fmO47RmIqnkrw3DJq-BcjV7hyFIldUCAwEAAaBDMEEGCSqGSIb3DQEJDjE0MDIwCwYDVR0PBAQDAgXgMCMGA1UdEQQcMBqCCWpla2FyZS5ubIINd3d3Lmpla2FyZS5ubDANBgkqhkiG9w0BAQsFAAOCAgEAa6ZHOZu7OSwR-iJ5AcyV28QPqouCBh0u8vUtn6zoEYz8KSNDmI2NqM7L-boJGEGA599XRm-vpaD7KsnGQv1XArxn9GDb6zK4Ch2SCDyVM2-C81_rBddfdJfxBZyEpKkXNLQpg2GKlXDZZlGmCWrCwvk9PlZ3h8t02-Ri4CdrvwrwoTIh53c0q_kC0m-QxessZRAxTb5BZgSGExDEf6AqSda7xPfZLoKny-FCZAW8kYB9LvvR8831BEUXTfZJNwlzzzgM6oN4K2VtZL4e4-8WWOLhgEpTOHXRteqxK0MlhoGKMl1_DZP6n9yH2_H7YNJhUZwsDWh2cvOJdZnJKtcBJj5i-sOJLyIC_-JV772aSNelcphU2dQqV0bgrwFNZV0tUcJyWIAHsivkNIDWWwIgRr14c7LV2z4mQNgMDTuM675hQV5jEP5xKM8mS-fIKY3JPV06PAV0Kc1Yi3QAuL7gbjJ8wbNnxgqNEn9FJPbG77DhHBwgu57TKjYh_VdXEALAh_DJIK2P2c4qkzj6asVNDja0xg5RxWRZo0u6rra8SLnoUYFHWpWh6hDKZEnbVtbExvb1u9HydGp5d8IYwIeWNUnoi18nA7BA333uaAb4y-cFlOLciepXMENQ07hZFAohI-bvjYxXf6ucb75uAOYKPRK5gB0dVa3FU1JuPE4luNs"}'
[Tue Jan 22 17:34:09 CET 2019] POST
[Tue Jan 22 17:34:09 CET 2019] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Tue Jan 22 17:34:09 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:34:12 CET 2019] _ret='0'
[Tue Jan 22 17:34:12 CET 2019] code='201'
[Tue Jan 22 17:34:12 CET 2019] Le_LinkCert='https://acme-staging.api.letsencrypt.org/acme/cert/fa046915dcb6c7972a8e58deb25a7a532945'
[Tue Jan 22 17:34:12 CET 2019] Cert success.
[Tue Jan 22 17:34:12 CET 2019] Your cert is in /var/etc/acme-client/home/jekare.nl/jekare.nl.cer
[Tue Jan 22 17:34:12 CET 2019] Your cert key is in /var/etc/acme-client/home/jekare.nl/jekare.nl.key
[Tue Jan 22 17:34:12 CET 2019] Le_LinkIssuer='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
[Tue Jan 22 17:34:12 CET 2019] _link_issuer_retry='0'
[Tue Jan 22 17:34:12 CET 2019] GET
[Tue Jan 22 17:34:12 CET 2019] url='https://acme-staging.api.letsencrypt.org/acme/issuer-cert'
[Tue Jan 22 17:34:12 CET 2019] timeout=
[Tue Jan 22 17:34:12 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 17:34:13 CET 2019] ret='0'
[Tue Jan 22 17:34:13 CET 2019] The intermediate CA cert is in /var/etc/acme-client/home/jekare.nl/ca.cer
[Tue Jan 22 17:34:13 CET 2019] And the full chain certs is there: /var/etc/acme-client/home/jekare.nl/fullchain.cer
[Tue Jan 22 17:34:13 CET 2019] Installing cert to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/cert.pem
[Tue Jan 22 17:34:13 CET 2019] Installing CA to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/chain.pem
[Tue Jan 22 17:34:14 CET 2019] Installing key to:/var/etc/acme-client/keys/5c439d3f40b355.63681904/private.key
[Tue Jan 22 17:34:14 CET 2019] Installing full chain to:/var/etc/acme-client/certs/5c439d3f40b355.63681904/fullchain.pem
[Tue Jan 22 17:34:14 CET 2019] _on_issue_success
This all looked good, so I tried the renewal via the production environment:
[Tue Jan 22 15:38:44 CET 2019] GET
[Tue Jan 22 15:38:44 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:44 CET 2019] timeout=
[Tue Jan 22 15:38:44 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:45 CET 2019] ret='0'
[Tue Jan 22 15:38:45 CET 2019] Pending
[Tue Jan 22 15:38:45 CET 2019] sleep 2 secs to verify
[Tue Jan 22 15:38:47 CET 2019] checking
[Tue Jan 22 15:38:47 CET 2019] GET
[Tue Jan 22 15:38:47 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:47 CET 2019] timeout=
[Tue Jan 22 15:38:47 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:47 CET 2019] ret='0'
[Tue Jan 22 15:38:47 CET 2019] Pending
[Tue Jan 22 15:38:47 CET 2019] sleep 2 secs to verify
[Tue Jan 22 15:38:50 CET 2019] checking
[Tue Jan 22 15:38:50 CET 2019] GET
[Tue Jan 22 15:38:50 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:50 CET 2019] timeout=
[Tue Jan 22 15:38:50 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:50 CET 2019] ret='0'
[Tue Jan 22 15:38:50 CET 2019] Pending
[Tue Jan 22 15:38:50 CET 2019] sleep 2 secs to verify
[Tue Jan 22 15:38:52 CET 2019] checking
[Tue Jan 22 15:38:52 CET 2019] GET
[Tue Jan 22 15:38:52 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:52 CET 2019] timeout=
[Tue Jan 22 15:38:52 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:53 CET 2019] ret='0'
[Tue Jan 22 15:38:53 CET 2019] jekare.nl:Verify error:Fetching http://jekare.nl/.well-known/acme-challenge/4frjuk-A8aGExROSjbxR79ztuNx-bx_bj8Oc-bYHED0: Timeout during connect (likely firewall problem)
[Tue Jan 22 15:38:53 CET 2019] pid
[Tue Jan 22 15:38:53 CET 2019] No need to restore nginx, skip.
[Tue Jan 22 15:38:53 CET 2019] _clearupdns
[Tue Jan 22 15:38:53 CET 2019] skip dns.
[Tue Jan 22 15:38:53 CET 2019] _on_issue_err
[Tue Jan 22 15:38:53 CET 2019] Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 22 15:38:53 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:53 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "4frjuk-A8aGExROSjbxR79ztuNx-bx_bj8Oc-bYHED0.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
[Tue Jan 22 15:38:53 CET 2019] POST
[Tue Jan 22 15:38:53 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/WpddvMu-xX0vbQoMiRSKG1DSmNQ06GTv64dStXfESXM/11747361546'
[Tue Jan 22 15:38:53 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:54 CET 2019] _ret='0'
[Tue Jan 22 15:38:54 CET 2019] code='400'
[Tue Jan 22 15:38:54 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/RvPWoA-Gz3N1kCmbDI3hZhaojtkvDoJF6MYdIFzDAUs/11747362027'
[Tue Jan 22 15:38:54 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "ABssaR7E4ctGgZs8zo81Bc8Skb3PBIuZz84qLftFd24.CTBap2Qw6QOI3KP9jalD1eIM8wUcHXOp7bTwSmUKaew"}'
[Tue Jan 22 15:38:54 CET 2019] POST
[Tue Jan 22 15:38:54 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/RvPWoA-Gz3N1kCmbDI3hZhaojtkvDoJF6MYdIFzDAUs/11747362027'
[Tue Jan 22 15:38:54 CET 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Jan 22 15:38:55 CET 2019] _ret='0'
[Tue Jan 22 15:38:55 CET 2019] code='202'
Now it suddenly says "Timeout during connect (likely firewall problem)", but nothing changed in the router/firewall. I don't understand this.
My web server is (include version):
HAProxy HTTP frontend (part of HAProxy plugin)
The operating system my web server runs on is (include version):
OPNsense v18.7.10
- Let's Encrypt plugin v1.18
- HAProxy plugin v2.13
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, to get to the config files and logs, but I can't install certbot and don't know how to run the acme.sh script manually, or whether it is even possible.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
OPNsense GUI.
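As an added example (not from the original post, and not code from the OPNsense plugins or acme.sh), a Python pre-flight check for an http-01 challenge like the one failing above: it derives the account key thumbprint the way acme.sh's ACCOUNT_THUMBPRINT is derived (RFC 7638 JWK thumbprint), builds the `token.thumbprint` key authorization seen in the log, and checks that the front end really serves it on port 80 before the CA is asked to validate. The JWK, token and domain values are constructed placeholders, and `fetch` is injectable so the check can run offline.

```python
"""Pre-flight check for an ACME http-01 challenge (added example, RFC 8555 §8.3).

An account key mismatch shows up as the served key authorization not matching
the current account's thumbprint; a blocked port 80 shows up as a connect
timeout, the same failure the CA reports as 'Timeout during connect'.
"""
import base64
import hashlib
import json
import socket
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def expected_key_authorization(token: str, jwk: dict) -> str:
    """What the CA expects to read back: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http_fetch(url: str, timeout: float = 10.0):
    """Plain HTTP GET; returns (status, body) or (None, error text) when unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return None, str(exc)


def check_challenge(domain: str, token: str, jwk: dict, fetch=http_fetch):
    """Classify the challenge path as ok / unreachable / http_error / mismatch."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    status, body = fetch(url)
    want = expected_key_authorization(token, jwk)
    if status is None:
        return "unreachable", f"{url}: {body}"
    if status != 200:
        return "http_error", f"{url}: HTTP {status}"
    if body.strip() != want:
        return "mismatch", f"served {body.strip()!r}, expected {want!r} (account key changed?)"
    return "ok", url


# Constructed sample values, not a real key or a real challenge token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token"

if __name__ == "__main__":
    print(check_challenge("example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```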