Renewing certificate

pabloperez · November 8, 2020, 5:53pm

Hi
I have an ACME certificate on a pfsense firewall
When renewing it gives me an error and no matter how much I look in forums, I cannot find a solution
Friends, I appreciate the help

HOSTALCHAMU
Renewing certificate
account: HOSTALCHAMU-PROD-ACCKEYS
server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue -d 'hostalchamu.es' --standalone --listen-v4 --httpport '4002' -d 'www.hostalchamu.es' --standalone --listen-v4 --httpport '4002' --home '/tmp/acme/HOSTALCHAMU/' --accountconf '/tmp/acme/HOSTALCHAMU/accountconf.conf' --force --reloadCmd '/tmp/acme/HOSTALCHAMU/reloadcmd.sh' --log-level 3 --log '/tmp/acme/HOSTALCHAMU/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[port] => 4002
[ipv6] =>
)
[Sun Nov 8 18:50:42 CET 2020] Standalone mode.
[Sun Nov 8 18:50:42 CET 2020] Standalone mode.
[Sun Nov 8 18:50:42 CET 2020] Multi domain='DNS:hostalchamu.es,DNS:www.hostalchamu.es'
[Sun Nov 8 18:50:42 CET 2020] Getting domain auth token for each domain
[Sun Nov 8 18:50:48 CET 2020] Getting webroot for domain='hostalchamu.es'
[Sun Nov 8 18:50:48 CET 2020] Getting webroot for domain='www.hostalchamu.es'
[Sun Nov 8 18:50:48 CET 2020] Verifying: hostalchamu.es
[Sun Nov 8 18:50:48 CET 2020] Standalone mode server
[Sun Nov 8 18:50:53 CET 2020] Pending
[Sun Nov 8 18:50:57 CET 2020] hostalchamu.es:Verify error:Invalid response from https://hostalchamu.es/.well-known/acme-challenge/PX48t8lMLTzK9m3_yAmg75pMkZXmC6DVWgPIUSe3dfs [85.56.56.239]:
[Sun Nov 8 18:50:57 CET 2020] Please check log file for more details: /tmp/acme/HOSTALCHAMU/acme_issuecert.log

JuergenAuer · November 8, 2020, 6:03pm

Hi @pabloperez

first, I'm not so firm with acme.sh.

You use --standalone.

Normally, that starts an own webserver to validate your domain.

But:

There is a https answer validating your domain. So a http instance answers, redirects to https, then the "file not found" result (open the url in your browser) of your website is visible.

So it's not the webserver startet via --standalone, it's your website that answers.

Result: That can't work.

Rip · November 8, 2020, 8:18pm

Hello @pabloperez welcome to the community.

A few questions come to mind.

The latest version of "Acme Certificates" service on pfSense is 0.6.9_2 ... are you up to date?
Did you use acme.sh for your previous certificates?
If so how has your configuration changed since June?

Are you using the certificate for the pfSense "webConfigurator" itself?
(Assumptions are not a good thing) for public access on port 4002?

One should NEVER expose the web GUI to the internet.

The HTTP listening port for the stand-alone server configuration on pfSense must be 80 or have port 80 on WAN forwarded to this port (4002 in your case). AND your firewall rules must allow traffic to reach this port (port forwarding)

Logs are your friend.

system · December 8, 2020, 8:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pfsense+ACME+route53 Help	8	2970	December 1, 2019
Inable to renew certificate on pfSense with ACME / NameSilo Help	4	2128	November 20, 2022
Problem on every activity Help	6	2431	October 25, 2019
Error: 'xxx' is not a issued domain,skip Help	6	5816	October 14, 2018
Certificate renewal Help	4	715	April 15, 2021

Renewing certificate

Related topics