Pfsense / Acme Error

Hello,

I cannot get ACME to issue a new key for the key and cert created using Cloudflare DNS. I have entered all the Cloudflare API keys, token, e-mail, etc. I can post a part or the full acme_issuecert.log here if needed. I admit I am very new to this and in need of some direction.

Thank you,
Mrvmlab

My domain is: myvmlab.net

I ran this command: installed the ACME plugin for pfSense 2.7.2

It produced this output:

WEBGUI_CERT3
Renewing certificate
account: WEBGUI_KEY3
server: letsencrypt-staging-2

My web server is (include version):

The operating system my web server runs on is (include version): pfSense 2.7.2

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pfSense 2.7.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): pfSense 2.7.2

pfsense-01WEBGUI_CERT
Renewing certificate
account: pfsense-01WEBGUI_KEY
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue --domain 'pfsense-01.myvmlab.net' --dns 'dns_cf' --home '/tmp/acme/pfsense-01WEBGUI_CERT/' --accountconf '/tmp/acme/pfsense-01WEBGUI_CERT/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/pfsense-01WEBGUI_CERT/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense-01WEBGUI_CERT/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] => REDACTED
[CF_Email] => REDACTED
[CF_Token] => REDACTED
[CF_Account_ID] => REDACTED
[CF_Zone_ID] => REDACTED
)
[Thu Apr 4 17:18:31 CDT 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 4 17:18:31 CDT 2024] Using pre generated key: /tmp/acme/pfsense-01WEBGUI_CERT/pfsense-01.myvmlab.net/pfsense-01.myvmlab.net.key.next
[Thu Apr 4 17:18:31 CDT 2024] Generate next pre-generate key.
[Thu Apr 4 17:18:32 CDT 2024] Single domain='pfsense-01.myvmlab.net'
[Thu Apr 4 17:18:32 CDT 2024] Getting domain auth token for each domain
[Thu Apr 4 17:18:34 CDT 2024] Getting webroot for domain='pfsense-01.myvmlab.net'
[Thu Apr 4 17:18:34 CDT 2024] Adding txt value: _yGrGOMNPFus31fhmTpQ0qHSrlkmfrLgvcH4JForCZ8 for domain: _acme-challenge.pfsense-01.myvmlab.net
[Thu Apr 4 17:18:34 CDT 2024] Adding record
[Thu Apr 4 17:18:35 CDT 2024] Add txt record error.
[Thu Apr 4 17:18:35 CDT 2024] Error add txt for domain:_acme-challenge.pfsense-01.myvmlab.net
[Thu Apr 4 17:18:35 CDT 2024] Please check log file for more details: /tmp/acme/pfsense-01WEBGUI_CERT/acme_issuecert.log

1 Like

If those are your real API credentials and email, you should edit them out of your post immediately and rotate your API key and any exposed API tokens at Cloudflare. I also recommend adding 2FA to your Cloudflare account if you have not already.

I have access to both pfSense and Cloudflare to help you test, but you really need to deal with your credential leak first. Let us know when that is done and we can revisit helping you with your certificate.

7 Likes

Thanks for spotting that! I've administratively redacted the credentials. @mrvmlab, you should still rotate them immediately.

6 Likes

I have done as suggested and rotated the keys.

2 Likes

Thank you so much for that! I have taken the security steps to protect the account as suggested.

3 Likes

I'll follow up in a little while when I am at location where I can sign in to a pfSense and review some settings with you.

3 Likes

Thank you, I am looking forward to it.

3 Likes

I did a reconfig and checked all my settings and added a new key & cert. This is the most up-to-date error / output from certbot on pfSense.


pfsense-01_cert
Renewing certificate
account: pfsense-01_test_key
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue --domain 'pfsense-01.myvmlab.com' --dns 'dns_cf' --home '/tmp/acme/pfsense-01_cert/' --accountconf '/tmp/acme/pfsense-01_cert/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/pfsense-01_cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense-01_cert/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] =>
[CF_Email] =>
[CF_Token] =>
[CF_Account_ID] =>
[CF_Zone_ID] =>
)
[Thu Apr 4 20:18:54 CDT 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 4 20:18:55 CDT 2024] Using pre generated key: /tmp/acme/pfsense-01_cert/pfsense-01.myvmlab.com/pfsense-01.myvmlab.com.key.next
[Thu Apr 4 20:18:55 CDT 2024] Generate next pre-generate key.
[Thu Apr 4 20:18:55 CDT 2024] Single domain='pfsense-01.myvmlab.com'
[Thu Apr 4 20:18:55 CDT 2024] Getting domain auth token for each domain
[Thu Apr 4 20:18:56 CDT 2024] Getting webroot for domain='pfsense-01.myvmlab.com'
[Thu Apr 4 20:18:57 CDT 2024] Adding txt value: rOnyQoAVJk36EKXR5qoCBARy0OnyZHbMab3amsIHOPs for domain: _acme-challenge.pfsense-01.myvmlab.com
[Thu Apr 4 20:18:58 CDT 2024] Adding record
[Thu Apr 4 20:18:58 CDT 2024] Add txt record error.
[Thu Apr 4 20:18:58 CDT 2024] Error add txt for domain:_acme-challenge.pfsense-01.myvmlab.com
[Thu Apr 4 20:18:58 CDT 2024] Please check log file for more details: /tmp/acme/pfsense-01_cert/acme_issuecert.log

It looks like you are not creating the TXT record in Cloudflare.

Are you using your email and global API key or a token?
Tokens are safer, but you need to scope them appropriately.
You aren't trying to use both at the same time, are you?

Good job doing your testing in the Let's Encrypt Staging environment! :sunglasses:

4 Likes

Be sure to remember to remove the excess force when you switch from staging to production.

2 Likes

I think I am using both the API key and the API token values when authenticating to Cloudflare within the ACME cert itself. I thought all fields were required, if that is the area you are referring to. If it is something else, please let me know.

Thank you,

mrvmlab

1 Like

The pfSense ACME client is a web GUI to acme.sh. I don't see the force switch exposed anywhere in the web UI. I have been running it for years without issue. While I know (and appreciate) your reasons for mentioning it, I don't expect that flag to cause any problems.

2 Likes

You should only use one or the other.

For the sake of expedience, can you test with just the email and global key (without the token)?

If that works, we can try again, using only the token for authentication.

3 Likes

This is what I get when using e-mail and global key w/o token.

pfsense-01_cert
Renewing certificate
account: pfsense-01_test_key
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue --domain 'pfsense-01.myvmlab.com' --dns 'dns_cf' --home '/tmp/acme/pfsense-01_cert/' --accountconf '/tmp/acme/pfsense-01_cert/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/pfsense-01_cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense-01_cert/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] =>
[CF_Email] =>
[CF_Token] =>
[CF_Account_ID] =>
[CF_Zone_ID] =>
)
[Thu Apr 4 21:38:51 CDT 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 4 21:38:51 CDT 2024] Using pre generated key: /tmp/acme/pfsense-01_cert/pfsense-01.myvmlab.com/pfsense-01.myvmlab.com.key.next
[Thu Apr 4 21:38:51 CDT 2024] Generate next pre-generate key.
[Thu Apr 4 21:38:51 CDT 2024] Single domain='pfsense-01.myvmlab.com'
[Thu Apr 4 21:38:51 CDT 2024] Getting domain auth token for each domain
[Thu Apr 4 21:38:53 CDT 2024] Getting webroot for domain='pfsense-01.myvmlab.com'
[Thu Apr 4 21:38:53 CDT 2024] Adding txt value: CATkNkT7j0erF_F89uolSOtPpBxel3txzhUxQiodAz4 for domain: _acme-challenge.pfsense-01.myvmlab.com
[Thu Apr 4 21:38:54 CDT 2024] invalid domain
[Thu Apr 4 21:38:54 CDT 2024] Error add txt for domain:_acme-challenge.pfsense-01.myvmlab.com
[Thu Apr 4 21:38:54 CDT 2024] Please check log file for more details: /tmp/acme/pfsense-01_cert/acme_issuecert.log

You are not using the same domain name that you mentioned in your first post. I didn't catch it the first time you switched domains, but it could be the root of your problem.

myvmlab.net uses Cloudflare DNS while myvmlab.com does not.

3 Likes

Yes, I fixed that typo in the ACME cert and re-ran it.

Did you have better results after fixing the domain name?

3 Likes

This is the output now

pfsense-01_cert
Renewing certificate
account: pfsense-01_test_key
server: letsencrypt-staging-2

/usr/local/pkg/acme/acme.sh --issue --domain 'pfsense-01.myvmlab.net' --dns 'dns_cf' --home '/tmp/acme/pfsense-01_cert/' --accountconf '/tmp/acme/pfsense-01_cert/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/pfsense-01_cert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/pfsense-01_cert/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] =>
[CF_Email] =>
[CF_Token] =>
[CF_Account_ID] =>
[CF_Zone_ID] =>
)
[Thu Apr 4 21:59:27 CDT 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Thu Apr 4 21:59:27 CDT 2024] Using pre generated key: /tmp/acme/pfsense-01_cert/pfsense-01.myvmlab.net/pfsense-01.myvmlab.net.key.next
[Thu Apr 4 21:59:27 CDT 2024] Generate next pre-generate key.
[Thu Apr 4 21:59:27 CDT 2024] Single domain='pfsense-01.myvmlab.net'
[Thu Apr 4 21:59:27 CDT 2024] Getting domain auth token for each domain
[Thu Apr 4 21:59:29 CDT 2024] Getting webroot for domain='pfsense-01.myvmlab.net'
[Thu Apr 4 21:59:29 CDT 2024] Adding txt value: _POe5Gq-bT4khwhJ6UC8MBzTRsUao_JzAEuYN-mlTsk for domain: _acme-challenge.pfsense-01.myvmlab.net
[Thu Apr 4 21:59:31 CDT 2024] Adding record
[Thu Apr 4 21:59:31 CDT 2024] Add txt record error.
[Thu Apr 4 21:59:31 CDT 2024] Error add txt for domain:_acme-challenge.pfsense-01.myvmlab.net
[Thu Apr 4 21:59:31 CDT 2024] Please check log file for more details: /tmp/acme/pfsense-01_cert/acme_issuecert.log

The TXT record is there.

dig txt _acme-challenge.pfsense-01.myvmlab.net. +short

"_POe5Gq-bT4khwhJ6UC8MBzTRsUao_JzAEuYN-mlTsk"

Try putting a delay into the DNS-Sleep field. Start with 30 and see if that is sufficient.

4 Likes
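Added example, not part of this thread and not code from acme.sh or the pfSense ACME package: a small Python model of the three dns_cf steps debugged above. It covers the credential choice from the "only use one or the other" post, the walk up the name that ends in "invalid domain" when the account hosts no zone for the host (the myvmlab.com vs. myvmlab.net mix-up), and the polling for the TXT record that the DNS-Sleep field gives acme.sh time for. FakeCloudflare and FakeResolver are constructed stand-ins for the Cloudflare API and for `dig txt ... +short`, the credential and token values are placeholders, and refusing a mixed token-plus-global-key configuration is this example's own policy rather than a statement about how acme.sh resolves that case.

```python
"""Model of the dns-01 steps debugged in this thread: pick one Cloudflare
credential, find the zone that owns the _acme-challenge name, add the TXT
record, then poll until a resolver sees it (what the DNS-Sleep field buys).
Added example: FakeCloudflare and FakeResolver are constructed stand-ins."""
import time
from dataclasses import dataclass


@dataclass
class CloudflareCreds:
    token: str = ""  # scoped API token (preferred)
    email: str = ""  # account e-mail, used only with the global key
    key: str = ""    # legacy global API key


def auth_headers(c: CloudflareCreds) -> dict:
    """Cloudflare API headers. This model's own policy: a mixed
    token-plus-global-key configuration is an error, not a silent choice."""
    if c.token and (c.key or c.email):
        raise ValueError("use either an API token or e-mail + global key, not both")
    if c.token:
        return {"Authorization": "Bearer " + c.token}
    if c.email and c.key:
        return {"X-Auth-Email": c.email, "X-Auth-Key": c.key}
    raise ValueError("no Cloudflare credentials configured")


class FakeCloudflare:
    """Constructed stand-in for api.cloudflare.com: `zones` the account hosts,
    `token_zones` the subset a scoped token (Zone.DNS:Edit on one zone) sees."""
    def __init__(self, zones, token_zones=None):
        self.zone_ids = {z: "zone-%d" % i for i, z in enumerate(sorted(zones))}
        self.records = []  # (zone_id, name, content) added through the API
        self.token_zones = set(token_zones or zones)

    def get_zone_id(self, headers, zone):
        scoped = "Authorization" in headers  # token auth; the global key sees all
        zid = self.zone_ids.get(zone)
        return zid if zid and (not scoped or zone in self.token_zones) else None

    def add_txt(self, headers, zone_id, name, content):
        self.records.append((zone_id, name, content))


def find_zone(api, headers, fqdn):
    """Walk from the record's parent up to the registrable domain; return the
    first name the API reports as a zone this credential can see."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels) - 1):  # parents only, never the bare TLD
        candidate = ".".join(labels[i:])
        zid = api.get_zone_id(headers, candidate)
        if zid:
            return candidate, zid
    raise LookupError("invalid domain: no Cloudflare zone found for " + fqdn)


class FakeResolver:
    """Constructed stand-in for `dig txt NAME +short`: the record shows up
    only on the `visible_after`-th lookup, modelling propagation delay."""
    def __init__(self, api, visible_after=1):
        self.api, self.visible_after, self.lookups = api, visible_after, 0

    def txt(self, name):
        self.lookups += 1
        if self.lookups < self.visible_after:
            return []
        return [c for _, n, c in self.api.records if n == name]


def wait_for_txt(lookup, name, expected, attempts=10, interval=0.0):
    """Poll until `expected` is among the TXT values for `name`; return the
    number of lookups it took. Use a real interval (30 s) against live DNS."""
    for n in range(1, attempts + 1):
        if expected in lookup(name):
            return n
        time.sleep(interval)
    raise TimeoutError("TXT %s not visible after %d lookups" % (name, attempts))


def publish_challenge(api, creds, host, value, lookup, attempts=10):
    """The dns_cf part of an `acme.sh --issue --dns dns_cf` run, as modelled."""
    headers = auth_headers(creds)
    name = "_acme-challenge." + host
    zone, zone_id = find_zone(api, headers, name)
    api.add_txt(headers, zone_id, name, value)
    return {"zone": zone, "record": name,
            "polls": wait_for_txt(lookup, name, value, attempts)}


if __name__ == "__main__":
    cf = FakeCloudflare(zones=["myvmlab.net"])
    creds = CloudflareCreds(token="EXAMPLE-TOKEN")  # placeholder, not a real token
    try:  # the .com typo from the thread: this account hosts no zone for it
        publish_challenge(cf, creds, "pfsense-01.myvmlab.com", "x", FakeResolver(cf).txt)
    except LookupError as e:
        print("wrong domain:", e)
    # the .net host, with the record visible only on the third lookup
    print(publish_challenge(cf, creds, "pfsense-01.myvmlab.net", "TOKENVALUE",
                            FakeResolver(cf, visible_after=3).txt))
```

Against live DNS you would swap `FakeResolver.txt` for a TXT lookup aimed at the zone's authoritative name servers (what `dig txt _acme-challenge.pfsense-01.myvmlab.net. +short` did above), give `wait_for_txt` a real interval such as 30 seconds, and, when moving from the global key to a token, scope the token to Zone.DNS:Edit on only the zone in question, which is what the `token_zones` restriction models: a token scoped to some other zone makes the walk fail the same way a wrong domain does.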

Very nice

[Thu Apr 4 22:15:48 CDT 2024] Cert success.

Now do i put it on a Production for use now that it's working or do we work with the API Keys / Token first?

1 Like