Pfsense+ACME+route53

Hi,
I’m running ACME on pfSense and when I try renewing the cert I get the error below. I searched through the log file but only found the same error posted below. Any idea what the issue may be or what we can check?

fw1ACME
Renewing certificate
account: my-server-account
server: letsencrypt-production

/usr/local/pkg/acme/acme.sh --issue -d 'my.server.com' --dns 'dns_aws' --home '/tmp/acme/fw1ACME/' --accountconf '/tmp/acme/fw1ACME/accountconf.conf' --force --reloadCmd '/tmp/acme/fw1ACME/reloadcmd.sh' --log-level 3 --log '/tmp/acme/fw1ACME/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[AWS_ACCESS_KEY_ID] => xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[AWS_SECRET_ACCESS_KEY] => xxxxxxxxxxxxxxxxxxxxxxxxxxxx
)
[Wed Oct 23 19:23:21 UTC 2019] Single domain='my.server.com'
[Wed Oct 23 19:23:21 UTC 2019] Getting domain auth token for each domain
[Wed Oct 23 19:23:21 UTC 2019] Getting webroot for domain='my.server.com'
[Wed Oct 23 19:23:21 UTC 2019] Getting new-authz for domain='my.server.com'
[Wed Oct 23 19:23:21 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:24 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:26 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:28 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:30 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:33 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:35 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:37 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:40 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:42 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:44 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:47 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:49 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:51 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:54 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:56 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:23:58 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:24:00 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:24:03 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:24:05 UTC 2019] Could not get nonce, let's try again.
[Wed Oct 23 19:24:07 UTC 2019] The new-authz request is ok.
[Wed Oct 23 19:24:07 UTC 2019] Error, can not get domain token entry my.server.com
[Wed Oct 23 19:24:07 UTC 2019] Please check log file for more details: /tmp/acme/fw1ACME/acme_issuecert.log

1 Like

Hi @downright770

What version are you using?

Update it.

2 Likes
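One way to turn the "check your version" advice into a repeatable pre-renewal check, as an added example that is not from this thread or from the acme.sh project: it reads the `VER=` line and the `DEFAULT_CA=` line from an acme.sh script header like the one posted below and reports when the build is older than a chosen minimum or still defaults to the retired ACME v1 directory. `MIN_VER` and the sample header are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the acme.sh project): audit an acme.sh
# header for an outdated VER= and a DEFAULT_CA that still points at ACME v1.

MIN_VER="2.8.2"   # assumption: the oldest release the operator treats as current

# Constructed sample header mirroring the fields a user pasted from acme.sh.
SAMPLE_ACME_SH='VER=2.8.1
PROJECT_NAME="acme.sh"
LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
LETSENCRYPT_CA_V2="https://acme-v02.api.letsencrypt.org/directory"
DEFAULT_CA=$LETSENCRYPT_CA_V1
'

# acme_version FILE -> prints the value of the first VER= line
acme_version() {
  sed -n 's/^VER=//p' "$1" | head -n 1
}

# version_lt A B -> succeeds when dotted version A is strictly older than B
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# default_ca_is_v1 FILE -> succeeds when DEFAULT_CA resolves to the v1 directory
default_ca_is_v1() {
  ca_line=$(sed -n 's/^DEFAULT_CA=//p' "$1" | head -n 1)
  case "$ca_line" in
    *LETSENCRYPT_CA_V1*|*acme-v01.api.letsencrypt.org*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_acme_sh FILE -> prints "ok" or a semicolon-separated list of findings
check_acme_sh() {
  ver=$(acme_version "$1")
  findings=""
  if [ -z "$ver" ]; then
    findings="no VER= line found"
  elif version_lt "$ver" "$MIN_VER"; then
    findings="acme.sh $ver is older than $MIN_VER; update it"
  fi
  if default_ca_is_v1 "$1"; then
    findings="${findings:+$findings; }DEFAULT_CA points at the ACME v1 directory"
  fi
  echo "${findings:-ok}"
}

# Stand-alone run against the constructed sample header.
tmp=$(mktemp); printf '%s' "$SAMPLE_ACME_SH" > "$tmp"
check_acme_sh "$tmp"; rm -f "$tmp"
```

On a real firewall, point `check_acme_sh` at the installed script (the thread's command shows it under `/usr/local/pkg/acme/acme.sh`) instead of the constructed sample.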
VER=2.8.1

PROJECT_NAME="acme.sh"

PROJECT_ENTRY="acme.sh"

PROJECT="https://github.com/Neilpang/$PROJECT_NAME"

DEFAULT_INSTALL_HOME="$HOME/.$PROJECT_NAME"
_SCRIPT_="$0"

_SUB_FOLDERS="dnsapi deploy"

LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"

LETSENCRYPT_CA_V2="https://acme-v02.api.letsencrypt.org/directory"
LETSENCRYPT_STAGING_CA_V2="https://acme-staging-v02.api.letsencrypt.org/directory"

DEFAULT_CA=$LETSENCRYPT_CA_V1
DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V1

DEFAULT_AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
DEFAULT_ACCOUNT_EMAIL=""

DEFAULT_ACCOUNT_KEY_LENGTH=2048
DEFAULT_DOMAIN_KEY_LENGTH=2048

DEFAULT_OPENSSL_BIN="openssl"

_OLD_CA_HOST="https://acme-v01.api.letsencrypt.org"
_OLD_STAGE_CA_HOST="https://acme-staging.api.letsencrypt.org"

VTYPE_HTTP="http-01"
VTYPE_DNS="dns-01"
VTYPE_ALPN="tls-alpn-01"

LOCAL_ANY_ADDRESS="0.0.0.0"

DEFAULT_RENEW=60

DEFAULT_DNS_SLEEP=120

NO_VALUE="no"

Updating to the latest version seems to have fixed the issue. Thank you.

4 Likes

Just as a note to other pfSense users, a pfSense dev maintains a version of acme.sh at https://github.com/jim-p/acme.sh that is occasionally updated and merged back into the pfSense tree per https://forum.netgate.com/topic/146599/process-by-which-the-pfsense-acme-plugin-is-updated.

4 Likes

Is there an easy cookbook for adding this?

My system is running the package 0.3.1_1.
2.3.5-RELEASE-p2 (i386)
built on Thu May 10 15:03:18 CDT 2018
Vendor: Phoenix Technologies, LTD
Version: 6.00 PG
Release Date: 08/22/2008
VIA C7 Processor 1000MHz

Is this system totally outdated and EOL?

@leifnel,
I’m unsure if there is a Chef cookbook. I am sure that you should update your pfsense to the latest stable version. If it’s any consolation, I have been running it without issue after performing the upgrade.

1 Like

I can’t upgrade to a 64-bit 2.4 version.

Well, at least I got the machine for free.

1 Like
