Renewing certificate

Hi
I have an ACME certificate on a pfsense firewall
When renewing it gives me an error and no matter how much I look in forums, I cannot find a solution
Friends, I appreciate the help

HOSTALCHAMU
Renewing certificate
account: HOSTALCHAMU-PROD-ACCKEYS
server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue -d 'hostalchamu.es' --standalone --listen-v4 --httpport '4002' -d 'www.hostalchamu.es' --standalone --listen-v4 --httpport '4002' --home '/tmp/acme/HOSTALCHAMU/' --accountconf '/tmp/acme/HOSTALCHAMU/accountconf.conf' --force --reloadCmd '/tmp/acme/HOSTALCHAMU/reloadcmd.sh' --log-level 3 --log '/tmp/acme/HOSTALCHAMU/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 4002
[ipv6] =>
)
[Sun Nov 8 18:50:42 CET 2020] Standalone mode.
[Sun Nov 8 18:50:42 CET 2020] Standalone mode.
[Sun Nov 8 18:50:42 CET 2020] Multi domain='DNS:hostalchamu.es,DNS:www.hostalchamu.es'
[Sun Nov 8 18:50:42 CET 2020] Getting domain auth token for each domain
[Sun Nov 8 18:50:48 CET 2020] Getting webroot for domain='hostalchamu.es'
[Sun Nov 8 18:50:48 CET 2020] Getting webroot for domain='www.hostalchamu.es'
[Sun Nov 8 18:50:48 CET 2020] Verifying: hostalchamu.es
[Sun Nov 8 18:50:48 CET 2020] Standalone mode server
[Sun Nov 8 18:50:53 CET 2020] Pending
[Sun Nov 8 18:50:57 CET 2020] hostalchamu.es:Verify error:Invalid response from https://hostalchamu.es/.well-known/acme-challenge/PX48t8lMLTzK9m3_yAmg75pMkZXmC6DVWgPIUSe3dfs [85.56.56.239]:
[Sun Nov 8 18:50:57 CET 2020] Please check log file for more details: /tmp/acme/HOSTALCHAMU/acme_issuecert.log

2 Likes

Hi @pabloperez

first, I'm not so firm with acme.sh.

You use --standalone.

Normally, that starts an own webserver to validate your domain.

But:

There is a https answer validating your domain. So a http instance answers, redirects to https, then the "file not found" result (open the url in your browser) of your website is visible.

So it's not the webserver started via --standalone, it's your website that answers.

Result: That can't work.

3 Likes
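To make the reply above concrete, here is an added Python example (not from this thread, pfSense or acme.sh) that runs two tiny loopback servers: one answering like the acme.sh standalone listener, one answering like the website that redirects every HTTP request to HTTPS as the log shows, plus a checker that fetches the challenge URL over plain HTTP and reports which of the two replied. The token is the one from the log; the key-authorization suffix, the redirect target and the loopback ports are constructed. Let's Encrypt itself follows the redirect to HTTPS (which is why the log reports the https:// URL); the checker stops at the first redirect because that alone shows the standalone listener was not what answered.

```python
import http.server, threading, urllib.error, urllib.request
# Token copied from the acme.sh log above; the account-thumbprint suffix is constructed.
TOKEN = "PX48t8lMLTzK9m3_yAmg75pMkZXmC6DVWgPIUSe3dfs"
KEY_AUTH = TOKEN + ".constructed-account-thumbprint"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN

class _Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo servers silent

class StandaloneHandler(_Quiet):
    """Like the listener acme.sh --standalone starts: it serves only the challenge path."""
    def do_GET(self):
        if self.path != CHALLENGE_PATH:
            return self.send_error(404)
        body = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class RedirectingSiteHandler(_Quiet):
    """Like the production website that answered instead: every HTTP request is sent to HTTPS."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://hostalchamu.es" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve(handler):
    """Start handler on a free loopback port in a background thread; return that port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # stop at the first redirect so we can report where it points

def check_challenge(port):
    """GET the challenge URL over plain HTTP, as a validator would, and classify who answered."""
    url = "http://127.0.0.1:%d%s" % (port, CHALLENGE_PATH)
    try:
        body = urllib.request.build_opener(_NoRedirect).open(url, timeout=5).read().decode()
        return "ok" if body == KEY_AUTH else "wrong-body"
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location", "").startswith("https://"):
            return "redirected-to-https"
        return "http-%d" % err.code
```

`check_challenge(serve(StandaloneHandler))` returns `ok`, while `check_challenge(serve(RedirectingSiteHandler))` returns `redirected-to-https`, which is the situation in the log: whatever answers on port 80 for the domain has to be the standalone listener, not the website.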

Hello @pabloperez welcome to the community.

A few questions come to mind.

The latest version of "Acme Certificates" service on pfSense is 0.6.9_2 ... are you up to date?
Did you use acme.sh for your previous certificates?
If so how has your configuration changed since June?

Are you using the certificate for the pfSense "webConfigurator" itself?
(Assumptions are not a good thing) for public access on port 4002?

One should NEVER expose the web GUI to the internet.

The HTTP listening port for the stand-alone server configuration on pfSense must be 80 or have port 80 on WAN forwarded to this port (4002 in your case). AND your firewall rules must allow traffic to reach this port (port forwarding).

Logs are your friend.

2 Likes