Help with wildcard setup

Thank you.

I've been looking for something about acme, but nothing much has shown up.

The configuration is different from the config I provided.

  1. Say "Hello World"
    docker run --rm neilpang/acme.sh
  2. Use as an executable:
    docker run --rm -it \
      -v "$(pwd)/out":/acme.sh \
      --net=host \
      neilpang/acme.sh --issue -d example.com --standalone
    You can use any commands that acme.sh supports here, other examples:

# revoke a cert
docker run --rm -it \
  -v "$(pwd)/out":/acme.sh \
  --net=host \
  neilpang/acme.sh --revoke -d example.com

# use dns mode
docker run --rm -it \
  -v "$(pwd)/out":/acme.sh \
  neilpang/acme.sh --issue --dns -d example.com

# run cron job
docker run --rm -it \
  -v "$(pwd)/out":/acme.sh \
  --net=host \
  neilpang/acme.sh --cron

I would create a new dedicated Docker container.
Then try installing it as one normally would (while inside that container):
curl https://get.acme.sh | sh

I set up acme in pfSense,
but I'm still getting the error.

I’m not familiar with pfSense+LetsEncrypt.
I do see that
nslookup -q=txt _acme-challenge.marcuse.net.au
returns two records.
You might need to increase the DNS Sleep time.

Is the information correct, though?
The sleep is at the default of 120 seconds.
What should I put it as?

Two TXT records were created:
_acme-challenge.marcuse.net.au text =

    "Gzre2aQLTX4CidlRFvWsilb1jK6G9splF26foY-Vq2Q"

_acme-challenge.marcuse.net.au text =

    "0_1xlLBWYTGweLjpfOYUbu9EWv7UJ8dp3vBY9CFViu4"

Hi,

Could you please double-check whether you've bound it to the correct IP / server?

Since the hostname is not reachable from the public internet, we are not sure what's going on on your server....

And do you mind sharing with us the output of the following command?
openssl s_client -connect pfsense.ad.marcuse.net.au:443 -showcerts

Thank you

Where do I check? Sorry.

Try DNS Sleep 300 (5 minutes)
Use nslookup (from any other computer) to confirm when it updates:
nslookup -q=txt _acme-challenge.marcuse.net.au hank.ns.cloudflare.com
or
nslookup -q=txt _acme-challenge.marcuse.net.au tia.ns.cloudflare.com
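An added example (not code from the thread or from acme.sh) of the confirmation step described above: parse the `nslookup -q=txt` output collected from each authoritative nameserver and report ready only when every server answers with every expected token. The server names and the two tokens are taken from the thread; the IP addresses and the lagging second answer are constructed.

```python
import re
from typing import Dict, Set

# Matches `name text = "value"` whether the value follows on the same line
# (Unix nslookup) or on the next, indented line (Windows nslookup).
TXT_RE = re.compile(r'\btext\s*=\s*"([^"]*)"')

def parse_txt_records(nslookup_output: str) -> Set[str]:
    """Return the set of TXT values present in one nslookup -q=txt run."""
    return set(TXT_RE.findall(nslookup_output))

def missing_per_server(outputs: Dict[str, str], expected: Set[str]) -> Dict[str, Set[str]]:
    """For each authoritative server, the expected tokens it does not yet serve."""
    return {ns: expected - parse_txt_records(text) for ns, text in outputs.items()}

def ready_for_validation(outputs: Dict[str, str], expected: Set[str]) -> bool:
    """True only when every server answers with every expected token.

    The CA may query any authoritative server, so a token visible on only
    one of them still risks a failed challenge; keep sleeping until all agree.
    """
    return all(not gap for gap in missing_per_server(outputs, expected).values())

# The two tokens from the thread: example.com and *.example.com are both
# validated at the single name _acme-challenge.<domain>, hence two records.
EXPECTED = {
    "Gzre2aQLTX4CidlRFvWsilb1jK6G9splF26foY-Vq2Q",
    "0_1xlLBWYTGweLjpfOYUbu9EWv7UJ8dp3vBY9CFViu4",
}

# Constructed sample output (documentation-range IPs); the second server is
# written as a lagging replica that has only received one record so far.
SAMPLE_OUTPUTS = {
    "hank.ns.cloudflare.com": (
        "Server:  hank.ns.cloudflare.com\nAddress:  192.0.2.1\n\n"
        "_acme-challenge.marcuse.net.au  text =\n\n"
        '        "Gzre2aQLTX4CidlRFvWsilb1jK6G9splF26foY-Vq2Q"\n'
        "_acme-challenge.marcuse.net.au  text =\n\n"
        '        "0_1xlLBWYTGweLjpfOYUbu9EWv7UJ8dp3vBY9CFViu4"\n'
    ),
    "tia.ns.cloudflare.com": (
        "Server:  tia.ns.cloudflare.com\nAddress:  192.0.2.2\n\n"
        '_acme-challenge.marcuse.net.au\ttext = "Gzre2aQLTX4CidlRFvWsilb1jK6G9splF26foY-Vq2Q"\n'
    ),
}

if __name__ == "__main__":
    for ns, gap in missing_per_server(SAMPLE_OUTPUTS, EXPECTED).items():
        print(f"{ns}: {'ok' if not gap else 'missing ' + ', '.join(sorted(gap))}")
    print("safe to let the CA validate:", ready_for_validation(SAMPLE_OUTPUTS, EXPECTED))
```

In practice the outputs dict is filled by running the two nslookup commands above and capturing their text; a DNS Sleep value is long enough when this check passes before it expires.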

Although it's not working properly, the good news is that the error message is different (from mismatch to CA not valid).

@rg305 did he get the certificate issued? (He actually should check nslookup -q=txt _acme-challenge.ad.marcuse.net.au hank.ns.cloudflare.com right?)

Where do I enter that command?

I don’t think he has been able to get a (good) cert yet.
He needs multiple wildcard entries on one cert.

You need to enter that at your CMD (command-line prompt) or shell on the device where you see the error.

From a device that has access to pfsense.ad.marcuse.net.au:443
and that also has openssl (most Linux-based systems have it).

depth=1 CN = Fake LE Intermediate X1
verify error:num=20:unable to get local issuer certificate
CONNECTED(00000003)

Certificate chain
0 s:/CN=*.marcuse.net.au
i:/CN=Fake LE Intermediate X1
-----BEGIN CERTIFICATE-----

cert

-----END CERTIFICATE-----
1 s:/CN=Fake LE Intermediate X1
i:/CN=Fake LE Root X1
-----BEGIN CERTIFICATE-----

cert

-----END CERTIFICATE-----

Server certificate
subject=/CN=*.marcuse.net.au
issuer=/CN=Fake LE Intermediate X1

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3092 bytes and written 433 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0EC86BA0E6D24129A2B89C9F94491A56456CD6BB41E618FAC8573261DDE9BF8B
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544161061
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

DONE

Does this need to change to Production to work?

Hi,

Two things:

  1. The certificate you bound to pfsense.ad.[the domain] is a "Staging" certificate.
    You need to issue a real certificate....

Yes.

  2. Please share with us the certificate file that you omitted when executing the above command... (Since a common name does not show much, and since it's a staging certificate, I don't know where to find the logs to see if that certificate includes the correct SAN.)

P.S. Please do not expose your Let's Encrypt Account Key. IT'S EXTREMELY DANGEROUS!

Thank you