Pfsense Let's Encrypt error issuing Certificate in Pfsense

Hi, I am getting problem while issuing lets encrypt certificate.
name.mydomain:Verify error:Invalid response from[xxx.xx.xx.xx]: 503

If i go to/tmp/acme/acme_issuecert.log:
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Unable to update challenge :: authorization must be pending”,
“status”: 400

If i hit lets encrypt url from the log
503 Service Unavailable
No server is available to handle this request.

Is pfsense maybe trying to use the v1 Let's Encrypt API? That's now shutdown and you need to update pfsense to use ACME V2. I'm guessing that's this: Packages — ACME package — Wildcard Certificates | pfSense Documentation

acme version: 0.6.9_3
its latest version already! While creating account key i selected ACME V2 - ACME server.

Great, So is of pfsense also the latest version? I think it would be worth you checking with pfsense support.

The reason I say that is because the error 503 is from your server, not Let's Encrypt, so the fault is with your server or configuration.

@webprofusion Thanks for your input!

The Latest Base System for pfSense is : 21.05
Screenshot_2021-06-08_13-06-59

Version- 2.5.1-RELEASE** (amd64)

The error does suggest that the ACME process in pfsense is trying to complete a challenge response that's already either invalid or valid, i.e. it has already passed or failed and it's trying to do it again. Is there a way to clear cached state?

Otherwise, you may need to raise this with pfsense.

@webprofusion - I am struggling with this i posted on forum.netgate.com they said you don't have web serevr.
Pfsesne Let’s Encrypt error issuing Certificate | Netgate Forum

But the problem is i don't have web server i just have DNS entry and first of all i need to create certificate.
Thanks for pointing i will check how to clear cache also checking on firewall log.

Sorry I was assuming you already had this working and it suddenly stopped. So you are lookin to use DNS validation but it appears your ACME settings think you are using http validation.

https://docs.netgate.com/pfsense/en/latest/packages/acme/settings-validation.html#acme-validation-methods

I believe from the documentation there is an option next to your domain in the certificate UI to set the "Method", you ideally want DNS -AWS Route 53 if something like that exists, otherwise Manual DNS would get you started.

Hi @webprofusion : Thanks !
No its fresh setup completely new. Using Standalone HTTP server as a Method
Domain SAN list - Method - Standalone HTTP server

I checked with *DNS -AWS Route 53 API and its working as expected. certificate issued.
But in my scenario i have to use method Standalone HTTP server because problem with AWS route 53 DNS entries manage by other.

I found something on firewall multiple times 'Find an existing session'
d=20085 trace_id=273 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-daa1a230, original direction"
id=20085 trace_id=273 func=ipv4_fast_cb line=53 msg="enter fast path"

Ok, I'm glad you can get a certificate using DNS validation.

Regarding http validation, assuming you are directing all tcp port 80 (http) traffic to this server and it's still not working I think your best bet is to seek help from the pfsense community. Personally I would use DNS validation if it works.

1 Like