Move Let's Encrypt to a new firewall (OPNsense)

Hi,

I'm using Let's Encrypt on an OPNsense firewall. This works perfectly.
But now I have to move Let's Encrypt to a new one.
On the old one I disabled everything related to Let's Encrypt and HAProxy.
On the new one I filled in all the data and requested a new certificate.
But I always get: response='{"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status": 409}'
I do not know what I have to do now.
Greetings Mario

Hi @MannIT

It looks like you are trying to create a new account with the same public/private key pair. Every account has such a key pair, but two different accounts can't use the same key pair.

So you have two options:

  • Don't create a new account, create only a new certificate
  • Remove your old account information and start fresh, so that you create a new account
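The reply above explains that an ACME account is bound to its key pair. The following Python block is an added example, not code from the thread, from OPNsense or from acme.sh: it models the CA side of an ACME v1 "new-reg" to show why a second registration with the same key is answered with the 409 quoted in the first post, and why presenting the same key again simply returns the existing account (the "don't create a new account" option). The key values, contact addresses and the registry class are constructed for illustration; the thumbprint routine follows RFC 7638.

```python
"""Why a second registration with the same key returns 409.

Added example, not code from the thread, OPNsense or acme.sh. It models the
CA side of ACME v1 "new-reg": an account is identified by its key, so
registering the same key twice is a conflict, while presenting the key
again just returns the existing account. Key material below is constructed
(placeholder base64url strings), not a real RSA key.
"""
import base64
import hashlib
import json
from typing import Dict, Optional


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    public members (sorted keys, no whitespace), base64url without padding."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AcmeConflict(Exception):
    """Carries the same error document the thread quotes (HTTP 409)."""


class AccountRegistry:
    """Minimal model of the CA's account table, keyed by key thumbprint."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def new_registration(self, jwk: Dict[str, str], contact: str) -> dict:
        """ACME v1 new-reg: create an account for a key that is not yet known.
        The contact address does not matter; only the key identifies the account."""
        tp = jwk_thumbprint(jwk)
        if tp in self._accounts:
            raise AcmeConflict({"type": "urn:acme:error:malformed",
                                "detail": "Registration key is already in use",
                                "status": 409})
        self._accounts[tp] = {"id": len(self._accounts) + 1,
                              "contact": contact, "thumbprint": tp}
        return self._accounts[tp]

    def existing_registration(self, jwk: Dict[str, str]) -> Optional[dict]:
        """Option 1 from the reply: keep the key, reuse the account it already owns."""
        return self._accounts.get(jwk_thumbprint(jwk))


# Constructed keys: the values are placeholders, only their (in)equality matters.
OLD_FIREWALL_KEY = {"kty": "RSA", "e": "AQAB", "n": "old-firewall-modulus"}
FRESH_KEY = {"kty": "RSA", "e": "AQAB", "n": "new-firewall-modulus"}


def migrate(copy_old_key: bool) -> str:
    """Simulate the move: register on the old box, then act from the new box.
    With the old key copied along, the existing account is reused; with a
    fresh key, a second account is created and no conflict occurs."""
    ca = AccountRegistry()
    ca.new_registration(OLD_FIREWALL_KEY, "mailto:admin@example.com")
    key = OLD_FIREWALL_KEY if copy_old_key else FRESH_KEY
    existing = ca.existing_registration(key)
    if existing:
        return "reused account %d" % existing["id"]
    return "created account %d" % ca.new_registration(key, "mailto:admin@example.com")["id"]


def register_copied_key_twice() -> dict:
    """Reproduce the thread's failure: new-reg with the copied key and a
    different e-mail address still collides on the key thumbprint."""
    ca = AccountRegistry()
    ca.new_registration(OLD_FIREWALL_KEY, "mailto:first@example.com")
    try:
        ca.new_registration(OLD_FIREWALL_KEY, "mailto:second@example.com")
    except AcmeConflict as err:
        return err.args[0]
    return {}


if __name__ == "__main__":
    print(migrate(copy_old_key=True))
    print(migrate(copy_old_key=False))
    print(register_copied_key_twice())
```

The practical reading for a migration: either copy the old account key to the new firewall and let the client reuse the account (no new registration), or start with a fresh key and accept a new account; what fails is copying the key and then asking for a new registration. Where the OPNsense plugin keeps the acme.sh account key on disk is not stated in the thread and is left as something to check on the box.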

Hi,

German?
For the verification method I have to specify an account, though.
I used the same e-mail address there as on the old one.
I have also already tried a different e-mail address.
How can you delete an account?

Regards, Mario

With a different e-mail address I get code 202.

What were the required data fields?

Account:
Account name and e-mail address
Check method:
http-01
Certificate:
Common name + Account + Check method

Try without entering the account info.
It may make a new account.
Or try different account info.

What's the tool you use?

There are two different "accounts". Perhaps it's possible to use this tool with one of its own accounts (of this tool) and different Let's Encrypt accounts.

This is the ACME client in OPNsense, v1.17_1.
We are talking about moving the cert to a new OPNsense installation.
I tried the same account name as on the old OPNsense installation.
Same account: acme.sh.log.txt (85.7 KB)

And this with a new account.
New account: acme.sh.log.txt (85.7 KB)

Any ideas what I can do?

From Same Account:

[Sat Dec  8 13:55:56 CET 2018] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unknownHost",
    "detail": "No valid IP addresses found for mailex24.com",
    "status": 400
  },
[Sat Dec  8 13:55:56 CET 2018] error='"error":{"type":"urn:acme:error:unknownHost","detail":"No valid IP addresses found for mailex24.com","status": 400'
[Sat Dec  8 13:55:56 CET 2018] errordetail='No valid IP addresses found for mailex24.com'
[Sat Dec  8 13:55:56 CET 2018] mailex24.com:Verify error:No valid IP addresses found for mailex24.com

From New Account:

[Sat Dec  8 14:00:49 CET 2018] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unknownHost",
    "detail": "No valid IP addresses found for mailex24.com",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oYAfLdWA5JihIgomS5oR8MAEd_GpMZA0h3Zh_Ps807U/10088337320",
  "token": "qkQe35LOldUXATRbBLypdbAZA5Mvb_Q4FQfYBAVLvmw",
  "validationRecord": [
    {
      "url": "http://mailex24.com/.well-known/acme-challenge/qkQe35LOldUXATRbBLypdbAZA5Mvb_Q4FQfYBAVLvmw",
      "hostname": "mailex24.com",
      "port": "80"
    }
  ]
}

There is a DNS inconsistency:

sometimes:
Name: mailex24.com
Address: 185.243.10.177

sometimes:
Name: mailex24.com
<empty/null reply>

Thanks a lot.
Yeah, it is really strange; I have the same settings as on the old one.
And there it always works.
I must see what is wrong, but now I can search.

Greetings Mario

Have a look at: https://dnsspy.io/scan/mailex24.com
“Resilience & Security” are low

OK, now I understand. Every multi-domain (SAN) name that I want to use needs a real DNS record to be verified.
I deleted the SANs that I no longer need and now it works perfectly.

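The thread ends with the finding that every SAN in the order must resolve, and the log excerpts above show the failure mode: Let's Encrypt resolves each name itself, and a name that has no A/AAAA record, or that one authoritative server answers empty (the "sometimes empty" reply noted above), fails with urn:acme:error:unknownHost before the http-01 challenge is even fetched. The following Python block is an added example, not code from the thread, from OPNsense or from acme.sh: a pre-flight check that asks each authoritative nameserver for each SAN and reports the names that must be fixed in DNS or dropped from the list. The nameserver names (ns1/ns2.example.net), the hostnames mail.mailex24.com and old.mailex24.com and the zone contents are constructed for illustration; the only address taken from the thread is 185.243.10.177.

```python
"""Pre-flight DNS check for every SAN before an http-01 order.

Added example, not code from the thread, OPNsense or acme.sh. Let's Encrypt
resolves each name itself, so a SAN with no A/AAAA record, or one that some
authoritative server answers empty, fails with urn:acme:error:unknownHost.
The check below queries each nameserver for each name and reports the
names that must be fixed in DNS or dropped from the SAN list. The resolver
is injectable; the sample zone below is constructed, not a live query.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (name, nameserver) -> list of IP strings; [] means NXDOMAIN or empty answer
Resolver = Callable[[str, str], List[str]]


def system_resolver(name: str, nameserver: str) -> List[str]:
    """Live lookup through the OS stub resolver (stdlib only, so `nameserver`
    is ignored; swap in a dnspython query to target a specific server)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_sans(sans: List[str], nameservers: List[str],
               resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Return {name: reason} for each SAN that would not validate."""
    problems: Dict[str, str] = {}
    for name in sans:
        answers = {ns: resolve(name, ns) for ns in nameservers}
        empty = [ns for ns, ips in answers.items() if not ips]
        if len(empty) == len(nameservers):
            problems[name] = "no A/AAAA record on any nameserver (unknownHost)"
        elif empty:
            # Validation hits one server at random, so this fails intermittently.
            problems[name] = "intermittent: empty reply from " + ", ".join(empty)
        elif len({tuple(ips) for ips in answers.values()}) > 1:
            problems[name] = "nameservers disagree on the address set"
    return problems


def prune_sans(sans: List[str], nameservers: List[str],
               resolve: Resolver = system_resolver) -> Tuple[List[str], Dict[str, str]]:
    """Keep only the SANs that pass, which is the fix the thread ended with."""
    bad = check_sans(sans, nameservers, resolve)
    return [s for s in sans if s not in bad], bad


# Constructed sample zone: ns2 has lost the apex A record (the "sometimes
# empty" reply seen in the thread) and the stale SAN exists nowhere.
SAMPLE_ZONE = {
    ("ns1.example.net", "mailex24.com"): ["185.243.10.177"],
    ("ns2.example.net", "mailex24.com"): [],
    ("ns1.example.net", "mail.mailex24.com"): ["185.243.10.177"],
    ("ns2.example.net", "mail.mailex24.com"): ["185.243.10.177"],
}
SAMPLE_NS = ["ns1.example.net", "ns2.example.net"]
SAMPLE_SANS = ["mailex24.com", "mail.mailex24.com", "old.mailex24.com"]


def sample_resolver(name: str, nameserver: str) -> List[str]:
    """Offline resolver over SAMPLE_ZONE (constructed data)."""
    return SAMPLE_ZONE.get((nameserver, name), [])


if __name__ == "__main__":
    keep, bad = prune_sans(SAMPLE_SANS, SAMPLE_NS, sample_resolver)
    for name, reason in bad.items():
        print(f"DROP {name}: {reason}")
    print("request certificate for:", keep)
```

Run with `system_resolver` (the default) against the real SAN list before clicking "issue" in the plugin; a name flagged as intermittent is the one that will pass on one attempt and fail on the next, which matches the inconsistent lookups reported above.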
