Fake LE Intermediate on pfSense with ACME DNS API certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: eigenmann-mock.ch

I ran this command: Created certificate using my hosters API in ACME on pfsense

It produced this output: Common Name (CN)

Fake LE Intermediate X1

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Hi @feigenmann

You have used the test system.

Use the productive system.

2 Likes

Yes, the staging one, because there was a limit on the number of certs that could be created.

1 Like

...and that's what results in the "Fake LE X1" intermediate certificate.

7 Likes

I changed to production,
created a new cert,
still no valid cert.

1 Like

No, it's not.
What I can prove: I get the certificate from the DNS API,
but it does not get applied even though I select it.

I don't get an acme-challenge which I should insert as a TXT record in my provider's DNS zone.
I think that's done by the API.
I also tried the DNS-Manual method, same result.
I am using pfSense.

1 Like

Yes, it is. The staging system gives "fake" certificates; the production system gives live, trusted certificates. If you have a "fake" cert, it can only have been obtained through the staging system.

To use the production system with pfSense, you must first create a new account key on the production server, and then set your certificate to use that key. Once you've done that, you can re-issue the certificate. This has nothing to do with your validation method.

8 Likes

Why do you create certificates again and again instead of using one of these?

Certificate creation has worked. So that part isn't the problem.

You have to install one of these productive certificates instead of wasting resources.

3 Likes

I did not create again; I just reissued them using the production account.

1 Like

Now I get Let's Encrypt as Organization, so far so good.

Common Name (CN) nextcloud.eigenmann-mock.ch
Organization (O)
Organizational Unit (OU)
Issued By
Common Name (CN) R3
Organization (O) Let's Encrypt
Organizational Unit (OU)
Issued On Friday, December 11, 2020 at 2:48:50 PM
Expires On Thursday, March 11, 2021 at 2:48:50 PM
1 Like

That's what I have done. I could also delete the ACME plugin and start all over again.

[Fri Dec 11 16:12:11 CET 2020] Adding txt value:
[Fri Dec 11 16:12:14 CET 2020] Record added
[Fri Dec 11 16:12:14 CET 2020] The txt record is added: Success.
But I don't see this record in the management console of my hoster. I tried to contact the hoster (Infomaniak) but they are hard to reach.

Do I do something wrong? Why are the fields not filled in?

Common Name (CN) nextcloud.eigenmann-mock.ch
Organization (O)
Organizational Unit (OU)
Issued By
Common Name (CN) R3
Organization (O) Let's Encrypt
Organizational Unit (OU)

Because LE doesn't validate organization, etc. CN and SAN will be the only fields they'll fill with your (domain) name.

7 Likes

Sorry, I don't quite understand. Do I have to fill in these fields?
That's the command acme.sh runs:
/usr/local/pkg/acme/acme.sh --issue --domain 'nextcloud.eigenmann-mock.ch' --dns 'dns_infomaniak' --home '/tmp/acme/nextcloud/' --accountconf '/tmp/acme/nextcloud/accountconf.conf' --force --reloadCmd '/tmp/acme/nextcloud/reloadcmd.sh' --log-level 3 --log '/tmp/acme/nextcloud/acme_issuecert.log'

1 Like

No, you don't. And if you did (like in a CSR), they still wouldn't be included in your certificate.

7 Likes

All right.
So is there something wrong with my hoster or with my pfSense?
Where should we continue?

1 Like

Reissuing is creating new certificates.

Please read a lot of basics:

You have to install one of the certificates you have created.

3 Likes

All right, but where do you see the problem: on the pfSense, the hoster, or my certificates? The DNS records seem to be good.

Be very careful anytime you have to use the force.
That parameter should NEVER be included in any script.

6 Likes
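The two problems raised in this thread (the account and certificate were created on the staging system, which is why the issuer reads "Fake LE Intermediate X1", and the issue command carries --force) can both be caught before the next run. The following audit script is an added example and is not code from the pfSense ACME package, acme.sh or Let's Encrypt. It assumes acme.sh's per-domain conf stores the ACME directory in a `Le_API='...'` line (assumed key name and quoting), and that the issuer string comes from `openssl x509 -noout -issuer`. The command line is the one posted above; the conf contents and issuer strings are constructed for the example.

```python
"""Audit an acme.sh/pfSense issue setup for two mistakes: targeting the
Let's Encrypt staging directory and running with --force. Added example,
not pfSense or acme.sh code."""
import shlex

# Public Let's Encrypt ACME v2 directory URLs.
LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Issuer CN markers for staging certificates. "Fake LE Intermediate X1" is the
# one seen in the thread; newer staging intermediates carry "(STAGING)".
STAGING_ISSUER_MARKERS = ("Fake LE", "(STAGING)")

# Command line exactly as posted in the thread (pfSense ACME package).
THREAD_COMMAND = (
    "/usr/local/pkg/acme/acme.sh --issue --domain 'nextcloud.eigenmann-mock.ch' "
    "--dns 'dns_infomaniak' --home '/tmp/acme/nextcloud/' "
    "--accountconf '/tmp/acme/nextcloud/accountconf.conf' --force "
    "--reloadCmd '/tmp/acme/nextcloud/reloadcmd.sh' --log-level 3 "
    "--log '/tmp/acme/nextcloud/acme_issuecert.log'"
)
CLEAN_COMMAND = THREAD_COMMAND.replace(" --force", "")

# Constructed acme.sh domain conf fragments (assumed Le_API key).
STAGING_CONF = "Le_Domain='nextcloud.eigenmann-mock.ch'\nLe_API='%s'\n" % LE_STAGING
PRODUCTION_CONF = "Le_Domain='nextcloud.eigenmann-mock.ch'\nLe_API='%s'\n" % LE_PRODUCTION


def parse_acme_conf(text):
    """Parse KEY='value' lines (acme.sh conf style, assumed) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def directory_kind(url):
    """Classify an ACME directory URL as production, staging or unknown."""
    if url == LE_PRODUCTION:
        return "production"
    if url == LE_STAGING or "acme-staging" in url:
        return "staging"
    return "unknown"


def parse_issue_command(cmdline):
    """Tokenize an acme.sh command line into bare switches and valued options.
    A valued option may repeat (several --domain), so values are kept in lists."""
    tokens = shlex.split(cmdline)
    flags, options = set(), {}
    i = 1  # skip the acme.sh path itself
    while i < len(tokens):
        tok = tokens[i]
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("--")
        if tok.startswith("--") and has_value:
            options.setdefault(tok, []).append(tokens[i + 1])
            i += 2
        else:
            flags.add(tok)
            i += 1
    return flags, options


def issuer_is_staging(issuer_line):
    """True if an `openssl x509 -noout -issuer` line names a staging CA."""
    return any(marker in issuer_line for marker in STAGING_ISSUER_MARKERS)


def audit(cmdline, domain_conf_text, issuer_line=None):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    flags, options = parse_issue_command(cmdline)
    if "--force" in flags:
        findings.append("--force re-issues even when renewal is not due; remove it from scripts")
    if "--staging" in flags or "--test" in flags:
        findings.append("command targets the staging CA; the certificate will not be trusted")
    for url in options.get("--server", []):
        if directory_kind(url) == "staging" or "test" in url.lower():
            findings.append("--server points at staging: %s" % url)
    le_api = parse_acme_conf(domain_conf_text).get("Le_API", "")
    if directory_kind(le_api) == "staging":
        findings.append("domain conf Le_API is the staging directory; account and cert live on the test system")
    if issuer_line is not None and issuer_is_staging(issuer_line):
        findings.append("deployed certificate was issued by the staging CA; re-issue on production")
    return findings


if __name__ == "__main__":
    for line in audit(THREAD_COMMAND, STAGING_CONF, "issuer=CN = Fake LE Intermediate X1"):
        print("FINDING:", line)
```

Run it against the real files on the firewall by reading `/tmp/acme/<cert>/<domain>.conf` (the --home directory in the posted command) and piping `openssl x509 -noout -issuer -in <cert>.cer` into the issuer argument; a clean production setup returns no findings.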