zvol
November 28, 2016, 11:10pm
1
I’m running pfSense and connecting to it using a dynamic IP. I’m trying to issue a certificate using acme.sh. I’ve tried everything and I just can’t get it to work. I’ve tried allowing HTTP and opening up traffic on ports 80 and 443. I changed my firewall rules to be very unrestrictive and also tried anything I could find.
Because I’m using a dynamic IP I am just using CNAME records pointing to my dynamic IP domain; I’m not sure if that is related to the problem.
Running as root I ran:
~/.acme.sh/acme.sh --issue --standalone -d 'mydomain.com'
I keep getting the following errors:
[Mon Nov 28 14:17:06 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Mon Nov 28 14:17:06 PST 2016] ret='0'
[Mon Nov 28 14:17:06 PST 2016] ***redacted***:Verify error:Could not connect to ***redacted***
[Mon Nov 28 14:17:06 PST 2016] Debug: get token url.
[Mon Nov 28 14:17:06 PST 2016] GET
[Mon Nov 28 14:17:06 PST 2016] url='http://***redacted***/.well-known/acme-challenge/hN98lNlXcXAg_woWDSZFbu1TF9hXaEi33QoL30Ib-us'
[Mon Nov 28 14:17:06 PST 2016] timeout='1'
[Mon Nov 28 14:17:06 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --connect-timeout 1'
[Mon Nov 28 14:17:08 PST 2016] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Mon Nov 28 14:17:08 PST 2016] ret='28'
[Mon Nov 28 14:17:08 PST 2016] Skip for removelevel:
[Mon Nov 28 14:17:08 PST 2016] pid='84398'
[Mon Nov 28 14:17:08 PST 2016] _clearupdns
[Mon Nov 28 14:17:08 PST 2016] Dns not added, skip.
[Mon Nov 28 14:17:08 PST 2016] _on_issue_err
[Mon Nov 28 14:17:08 PST 2016] Please add '--debug' or '--log' to check more details.
[Mon Nov 28 14:17:08 PST 2016] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Nov 28 14:16:58 PST 2016] _NC='nc -N -l '
[Mon Nov 28 14:16:58 PST 2016] nc listen error.
[Mon Nov 28 14:16:58 PST 2016] usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-s source] [-T ToS]
[-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
nc: Address already in use
schoen
November 28, 2016, 11:21pm
2
Hi @zvol, do you have some other program listening on those ports on that machine? Maybe checking with netstat -tap?
zvol
November 28, 2016, 11:32pm
3
I’m not sure. netstat is just giving me an error:
$ netstat -tap
netstat: illegal option -- t
usage: netstat [-46AaLnRSTWx] [-f protocol_family | -p protocol]
[-M core] [-N system]
netstat -i | -I interface [-46abdhnW] [-f address_family]
[-M core] [-N system]
netstat -w wait [-I interface] [-46d] [-M core] [-N system] [-q howmany]
netstat -s [-s] [-46z] [-f protocol_family | -p protocol]
[-M core] [-N system]
netstat -i | -I interface [-46s] [-f protocol_family | -p protocol]
[-M core] [-N system]
netstat -m [-M core] [-N system]
netstat -B [-I interface]
netstat -r [-46AanW] [-f address_family] [-M core] [-N system]
netstat -rs [-s] [-M core] [-N system]
netstat -g [-46W] [-f address_family] [-M core] [-N system]
netstat -gs [-46s] [-f address_family] [-M core] [-N system]
netstat -Q
schoen
November 29, 2016, 12:57am
4
@zvol, you and I are on different operating systems there. Do you know a command to find out what programs are listening on what ports on your OS? Maybe lsof -i?
zvol
November 29, 2016, 1:37am
5
I’ll find out what is listening.
zvol
November 29, 2016, 1:54am
6
Does this help?
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.0.1.1922 192.168.0.2.34942 ESTABLISHED
tcp6 0 0 *.1991 *.* LISTEN
tcp4 0 0 *.1991 *.* LISTEN
tcp4 0 0 127.0.0.1.953 *.* LISTEN
tcp4 0 0 *.53 *.* LISTEN
tcp6 0 0 *.53 *.* LISTEN
tcp4 0 0 *.1922 *.* LISTEN
tcp6 0 0 *.1922 *.* LISTEN
schoen
November 29, 2016, 1:56am
7
Huh, what happens if you run
nc -N -l 80
as root? Is it an error?
zvol
November 29, 2016, 2:06am
8
No response.
The *.1991 is for the web ui though, and *.1922 for ssh.
schoen
November 29, 2016, 4:13pm
9
Interesting! Thanks for trying that.
@Neilpang is the author of acme.sh ; Neil, could you speculate on what might be going wrong here or suggest what @zvol should run to get more debugging information?
@schoen Thank you for @-mentioning me.
@zvol Please open port 80 in the firewall settings.
I have CI testing servers running pfSense, and I know port 80 is not open by default. You must add a firewall rule to allow port 80.
If you have any problems, please report an issue here:
zvol
November 30, 2016, 6:27am
12
I went through that post already.
Port 80 was open, I added a rule. I’ll try again.
zvol
November 30, 2016, 6:58am
13
Same issue. I have port 80 open.
Here are my rules:
and my process:
$ ~/.acme.sh/acme.sh --issue --standalone --debug --staging -d <**redacted**>
[Tue Nov 29 22:50:46 PST 2016] Lets find script dir.
[Tue Nov 29 22:50:46 PST 2016] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Nov 29 22:50:46 PST 2016] _script='/root/.acme.sh/acme.sh'
[Tue Nov 29 22:50:46 PST 2016] _script_home='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.5
[Tue Nov 29 22:50:46 PST 2016] Using api:
[Tue Nov 29 22:50:46 PST 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Tue Nov 29 22:50:46 PST 2016] DOMAIN_PATH='/root/.acme.sh/<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Le_NextRenewTime
[Tue Nov 29 22:50:46 PST 2016] _on_before_issue
[Tue Nov 29 22:50:46 PST 2016] Le_LocalAddress
[Tue Nov 29 22:50:46 PST 2016] Check for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:46 PST 2016] Standalone mode.
[Tue Nov 29 22:50:46 PST 2016] _checkport='80'
[Tue Nov 29 22:50:46 PST 2016] _checkaddr
[Tue Nov 29 22:50:46 PST 2016] Using: netstat
[Tue Nov 29 22:50:46 PST 2016] _saved_account_key_hash is not changed, skip register account.
[Tue Nov 29 22:50:46 PST 2016] Read key length:
[Tue Nov 29 22:50:46 PST 2016] _createcsr
[Tue Nov 29 22:50:46 PST 2016] Single domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Getting domain auth token for each domain
[Tue Nov 29 22:50:46 PST 2016] Getting webroot for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] _w='no'
[Tue Nov 29 22:50:46 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:46 PST 2016] Getting new-authz for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Try new-authz for the 0 time.
[Tue Nov 29 22:50:46 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Nov 29 22:50:46 PST 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "<**redacted**>"}}'
[Tue Nov 29 22:50:46 PST 2016] RSA key
[Tue Nov 29 22:50:48 PST 2016] GET
[Tue Nov 29 22:50:48 PST 2016] url='https://acme-staging.api.letsencrypt.org/directory'
[Tue Nov 29 22:50:48 PST 2016] timeout
[Tue Nov 29 22:50:48 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:48 PST 2016] ret='0'
[Tue Nov 29 22:50:48 PST 2016] POST
[Tue Nov 29 22:50:48 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Nov 29 22:50:48 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:49 PST 2016] _ret='0'
[Tue Nov 29 22:50:49 PST 2016] code='201'
[Tue Nov 29 22:50:49 PST 2016] The new-authz request is ok.
[Tue Nov 29 22:50:49 PST 2016] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921","token":"4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w"'
[Tue Nov 29 22:50:49 PST 2016] token='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w'
[Tue Nov 29 22:50:49 PST 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:49 PST 2016] keyauthorization='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0'
[Tue Nov 29 22:50:49 PST 2016] dvlist='<**redacted**>#4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0#https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921#http-01#no'
[Tue Nov 29 22:50:49 PST 2016] ok, let's start to verify
[Tue Nov 29 22:50:49 PST 2016] Verifying:<**redacted**>
[Tue Nov 29 22:50:49 PST 2016] d='<**redacted**>'
[Tue Nov 29 22:50:49 PST 2016] keyauthorization='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0'
[Tue Nov 29 22:50:49 PST 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:49 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:49 PST 2016] Standalone mode server
[Tue Nov 29 22:50:49 PST 2016] ncaddr
[Tue Nov 29 22:50:49 PST 2016] startserver: 19740
[Tue Nov 29 22:50:49 PST 2016] Le_HTTPPort='80'
[Tue Nov 29 22:50:49 PST 2016] Le_Listen_V4
[Tue Nov 29 22:50:49 PST 2016] Le_Listen_V6
[Tue Nov 29 22:50:49 PST 2016] _NC='nc -N -l '
[Tue Nov 29 22:50:50 PST 2016] serverproc='16387'
[Tue Nov 29 22:50:50 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:50 PST 2016] payload='{"resource": "challenge", "keyAuthorization": "4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0"}'
[Tue Nov 29 22:50:50 PST 2016] POST
[Tue Nov 29 22:50:50 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:50 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:51 PST 2016] _ret='0'
[Tue Nov 29 22:50:51 PST 2016] code='202'
[Tue Nov 29 22:50:51 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:53 PST 2016] checking
[Tue Nov 29 22:50:53 PST 2016] GET
[Tue Nov 29 22:50:53 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:53 PST 2016] timeout
[Tue Nov 29 22:50:53 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:53 PST 2016] ret='0'
[Tue Nov 29 22:50:53 PST 2016] Pending
[Tue Nov 29 22:50:53 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:55 PST 2016] checking
[Tue Nov 29 22:50:55 PST 2016] GET
[Tue Nov 29 22:50:55 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:55 PST 2016] timeout
[Tue Nov 29 22:50:55 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:55 PST 2016] ret='0'
[Tue Nov 29 22:50:55 PST 2016] Pending
[Tue Nov 29 22:50:55 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:57 PST 2016] checking
[Tue Nov 29 22:50:57 PST 2016] GET
[Tue Nov 29 22:50:57 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:57 PST 2016] timeout
[Tue Nov 29 22:50:57 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:58 PST 2016] ret='0'
[Tue Nov 29 22:50:58 PST 2016] <**redacted**>:Verify error:Could not connect to <**redacted**>
[Tue Nov 29 22:50:58 PST 2016] Debug: get token url.
[Tue Nov 29 22:50:58 PST 2016] GET
[Tue Nov 29 22:50:58 PST 2016] url='http://<**redacted**>/.well-known/acme-challenge/4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w'
[Tue Nov 29 22:50:58 PST 2016] timeout='1'
[Tue Nov 29 22:50:58 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header --connect-timeout 1'
GET /.well-known/acme-challenge/4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w HTTP/1.1
Host: <**redacted**>
User-Agent: acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)
Accept: */*
4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0
[Tue Nov 29 22:50:58 PST 2016] ret='0'
[Tue Nov 29 22:50:58 PST 2016] usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-s source] [-T ToS]
[-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
[Tue Nov 29 22:50:58 PST 2016] Skip for removelevel:
[Tue Nov 29 22:50:58 PST 2016] pid='16387'
[Tue Nov 29 22:50:59 PST 2016] _clearupdns
[Tue Nov 29 22:50:59 PST 2016] Dns not added, skip.
[Tue Nov 29 22:50:59 PST 2016] _on_issue_err
[Tue Nov 29 22:50:59 PST 2016] Please add '--debug' or '--log' to check more details.
[Tue Nov 29 22:50:59 PST 2016] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Nov 29 22:50:59 PST 2016] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1s-freebsd 1 Mar 2016
apache:
apache doesn't exists.
nc:
usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-s source] [-T ToS]
[-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
Command Summary:
-4 Use IPv4
-6 Use IPv6
-D Enable the debug socket option
-d Detach from stdin
-E Use IPsec ESP
-e policy Use specified IPsec policy
-F Pass socket fd
-h This help text
-I length TCP receive buffer length
-i secs Delay interval for lines sent, ports scanned
-k Keep inbound sockets open for multiple connects
-l Listen mode, for inbound connects
-N Shutdown the network socket after EOF on stdin
-n Suppress name/port resolutions
--no-tcpopt Disable TCP options
-O length TCP send buffer length
-P proxyuser Username for proxy authentication
-p port Specify local port for remote connects
-r Randomize remote ports
-S Enable the TCP MD5 signature option
-s addr Local source address
-T toskeyword Set IP Type of Service
-t Answer TELNET negotiation
-U Use UNIX domain socket
-u UDP mode
-V rtable Specify alternate routing table
-v Verbose
-w secs Timeout for connects and final net reads
-X proto Proxy protocol: "4", "5" (SOCKS) or "connect"
-x addr[:port] Specify proxy address and port
-z Zero-I/O mode [used for scanning]
Port numbers can be individual or ranges: lo-hi [inclusive]
See ipsec_set_policy(3) for -e argument format
@zvol
On your pfsense server run:
echo hello | nc -N -l 80
On another server run:
curl http://your-pfsense-domain.com
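As an added example (not acme.sh code and not something anyone in this thread posted), here is a small Python reproduction of the http-01 exchange that acme.sh's standalone mode performs: a responder that answers GET /.well-known/acme-challenge/<token> with "<token>.<account key thumbprint>", plus a self-check that fetches it the way the CA would, so you can tell "nothing listening" from "firewall not passing port 80" from "wrong key authorization". The JWK and token are constructed sample values; the server binds port 0 for a local test, whereas a real check would bind port 80 and be fetched from another host, as in the nc/curl test above.

```python
import base64, hashlib, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample account key (not a real key); only its thumbprint matters here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c2FtcGxlLXg", "y": "c2FtcGxlLXk"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members, sorted, with no whitespace.
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # The body the responder must serve: "<token>.<account key thumbprint>".
    return f"{token}.{jwk_thumbprint(jwk)}"

class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != CHALLENGE_PREFIX + self.server.token:
            return self.send_error(404)
        body = self.server.keyauth.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the responder quiet

def serve_challenge(token: str, jwk: dict, host="127.0.0.1", port=0) -> HTTPServer:
    # port=0 picks a free port for a local test; the real responder must own port 80.
    srv = HTTPServer((host, port), ChallengeHandler)
    srv.token, srv.keyauth = token, key_authorization(token, jwk)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def self_check(host: str, port: int, token: str, expected: str, timeout=1.0) -> str:
    # Fetch the token URL as the CA would, with the 1 s timeout acme.sh's debug check uses.
    try:
        with urlopen(f"http://{host}:{port}{CHALLENGE_PREFIX}{token}", timeout=timeout) as r:
            return "ok" if r.read().decode() == expected else "mismatch"
    except HTTPError as e:
        return f"http {e.code}"
    except (URLError, OSError):
        return "unreachable"
```

Run the self-check from a second host against the public name on port 80; "unreachable" with the responder running is the firewall or NAT, not the responder.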
zvol
November 30, 2016, 6:59pm
15
Doh! I mixed up the ports: I had the source port open. I fixed it by opening the destination port.
Thanks for your help and work on the project.
schoen
December 1, 2016, 6:43pm
16
Thanks for figuring this out, @Neilpang !