Move Let's Encrypt to a new OPNsense firewall


#1

Hi,

I'm using Let's Encrypt on an OPNsense firewall. This works perfectly.
But now I have to move the Let's Encrypt setup to a new one.
On the old one I disabled everything related to Let's Encrypt and HAProxy.
On the new one I filled in all the data and requested a new certificate.
But I always get: response='{"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status": 409}'
I do not know what I have to do now.
Greetings, Mario


#2

Hi @MannIT,

it looks like you are trying to create a new account with the same public/private key pair. Every account has such a key pair, but two different accounts can't use the same key pair.

So you have two options:

  • Don't create a new account, only create a new certificate
  • Remove your old account information and start fresh, so that you create a new account

#3

Hi,

German?
For the verification method I have to specify an account, though.
I used the same e-mail address there as on the old one.
I have also already tried a different e-mail address.
How can I delete an account?

Regards, Mario


#4

With a different e-mail address I get code 202.


#5

What were the required data fields?


#6

Account:
Account name and e-mail address
Check method:
http-01
Certificate:
Common name + Account + Check method


#7

Try without entering the account info.
It may create a new account.
Or try different account info.


#8

What's the tool you use?

There are two different "accounts". Perhaps it's possible to use this tool with one of its own accounts and different Let's Encrypt accounts.


#9

This is the acme client in OPNsense, v1.17_1.
We are talking about moving the cert to a new OPNsense installation.
I tried the same account name as on the old OPNsense installation.
Same Account acme.sh.log.txt (85.7 KB)


#10

And this is with a new account.
New Account acme.sh.log.txt (85.7 KB)


#11

Any ideas what I can do?


#12

From Same Account:

[Sat Dec  8 13:55:56 CET 2018] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unknownHost",
    "detail": "No valid IP addresses found for mailex24.com",
    "status": 400
  },
[Sat Dec  8 13:55:56 CET 2018] error='"error":{"type":"urn:acme:error:unknownHost","detail":"No valid IP addresses found for mailex24.com","status": 400'
[Sat Dec  8 13:55:56 CET 2018] errordetail='No valid IP addresses found for mailex24.com'
[Sat Dec  8 13:55:56 CET 2018] mailex24.com:Verify error:No valid IP addresses found for mailex24.com


#13

From New Account:

[Sat Dec  8 14:00:49 CET 2018] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unknownHost",
    "detail": "No valid IP addresses found for mailex24.com",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/oYAfLdWA5JihIgomS5oR8MAEd_GpMZA0h3Zh_Ps807U/10088337320",
  "token": "qkQe35LOldUXATRbBLypdbAZA5Mvb_Q4FQfYBAVLvmw",
  "validationRecord": [
    {
      "url": "http://mailex24.com/.well-known/acme-challenge/qkQe35LOldUXATRbBLypdbAZA5Mvb_Q4FQfYBAVLvmw",
      "hostname": "mailex24.com",
      "port": "80"
    }
  ]
}

#14

There is a DNS inconsistency:

sometimes:
Name: mailex24.com
Address: 185.243.10.177

sometimes:
Name: mailex24.com
<empty/nul reply>


#15

Thanks a lot.
Yeah, it is really strange; I have the same settings as on the old one,
and there it always works.
I have to find out what is wrong, but now I know where to search.

Greetings, Mario


#16

Have a look at: https://dnsspy.io/scan/mailex24.com
"Resilience & Security" are rated low.


#17

OK, now I understand. Every name in a multi-domain (SAN) certificate that I want to use needs a real DNS record for verification.
I deleted the SANs that I no longer need, and now it works perfectly.
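The root cause found in #14 and #17 is that one name in the request did not resolve reliably, so the CA's http-01 validation failed with urn:acme:error:unknownHost before it ever fetched the challenge file. A pre-flight check that resolves every CN and SAN several times, and refuses to include names that return no answer, point elsewhere, or flap between answers, catches this before acme.sh talks to the CA. The following Python script is an added example and not code from OPNsense, acme.sh or the thread; the resolver answers it feeds itself are constructed (185.243.10.177 is the address shown in #14, the flapping behaviour mimics the "sometimes empty reply" observed there, and the *.example names are invented), while `system_resolver` is what you would pass in for a real run.

```python
"""Pre-flight check for an ACME http-01 request: every name that will go
into the certificate must resolve, consistently, to the host that serves
/.well-known/acme-challenge/.  Added example; not OPNsense or acme.sh code."""
import socket
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Real resolver: A/AAAA answers from the host's stub resolver.
    An unresolvable name yields an empty set instead of raising."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(names: Iterable[str], expected_ips: Set[str],
              resolve: Resolver, attempts: int = 3) -> Dict[str, str]:
    """Map each name to a verdict:
      'ok'           resolves to one of expected_ips on every attempt
      'nxdomain'     no answer at all (the unknownHost failure in #12/#13)
      'wrong-target' resolves, but not to the challenge host
      'inconsistent' answers differ between attempts (the symptom in #14)
    Repeated queries are deliberate: a single lookup would have passed on
    the good nameserver and hidden the flapping one."""
    verdicts: Dict[str, str] = {}
    for name in names:
        seen = [frozenset(resolve(name)) for _ in range(attempts)]
        if len(set(seen)) > 1:
            verdicts[name] = "inconsistent"
        elif not seen[0]:
            verdicts[name] = "nxdomain"
        elif not seen[0] & expected_ips:
            verdicts[name] = "wrong-target"
        else:
            verdicts[name] = "ok"
    return verdicts


def names_to_request(names: Iterable[str], verdicts: Dict[str, str]) -> List[str]:
    """Only names that passed belong in the -d list handed to acme.sh;
    the rest would make the whole order fail, as in #17."""
    return [n for n in names if verdicts[n] == "ok"]


class FlakyResolver:
    """Constructed stand-in for the DNS behaviour described in #14: each
    name has a cycle of successive answers, so a name can alternate between
    a real address and an empty reply."""

    def __init__(self, table: Dict[str, List[Set[str]]]) -> None:
        self.table = table
        self.calls: Dict[str, int] = {}

    def __call__(self, name: str) -> Set[str]:
        i = self.calls.get(name, 0)
        self.calls[name] = i + 1
        answers = self.table.get(name, [set()])
        return set(answers[i % len(answers)])


# Constructed sample: the firewall's public address from #14, one flapping
# name from the thread, and invented *.example names for the other cases.
CHALLENGE_HOST_IPS = {"185.243.10.177"}
SAMPLE_NAMES = ["mailex24.com", "san1.example", "old-san.example", "other.example"]


def run_demo() -> Dict[str, str]:
    """Run the check against the constructed resolver (fresh state per call)."""
    resolver = FlakyResolver({
        "mailex24.com": [{"185.243.10.177"}, set()],  # flaps, as in #14
        "san1.example": [{"185.243.10.177"}],         # stable and correct
        "old-san.example": [set()],                   # stale SAN, no record
        "other.example": [{"192.0.2.10"}],            # points elsewhere
    })
    return preflight(SAMPLE_NAMES, CHALLENGE_HOST_IPS, resolver)


if __name__ == "__main__":
    verdicts = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:20s} {verdict}")
    print("request these:", names_to_request(SAMPLE_NAMES, verdicts))
```

For a real run replace the constructed resolver with `system_resolver` and set `CHALLENGE_HOST_IPS` to the firewall's public address(es); bear in mind that the CA resolves from its own vantage point, so a name that only resolves on the firewall's internal DNS will still fail at the CA.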