Trouble issuing cert on pfSense with dynamic IP


#1

I’m running pfSense and connecting to it using a dynamic IP. I’m trying to issue a certificate using acme.sh. I’ve tried everything and I just can’t get it to work. I’ve tried allowing HTTP and opening up traffic on ports 80 and 443. I changed my firewall rules to be very unrestrictive and also tried anything I could find.

Because I’m using a dynamic IP, I am just using CNAME records pointing to my dynamic IP domain; I’m not sure if that is related to the problem.

Running as root I ran:

~/.acme.sh/acme.sh --issue --standalone -d 'mydomain.com' 

I keep getting the following errors:

[Mon Nov 28 14:17:06 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Mon Nov 28 14:17:06 PST 2016] ret='0'
[Mon Nov 28 14:17:06 PST 2016] ***redacted***:Verify error:Could not connect to ***redacted***
[Mon Nov 28 14:17:06 PST 2016] Debug: get token url.
[Mon Nov 28 14:17:06 PST 2016] GET
[Mon Nov 28 14:17:06 PST 2016] url='http://***redacted***/.well-known/acme-challenge/hN98lNlXcXAg_woWDSZFbu1TF9hXaEi33QoL30Ib-us'
[Mon Nov 28 14:17:06 PST 2016] timeout='1'
[Mon Nov 28 14:17:06 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --connect-timeout 1'
[Mon Nov 28 14:17:08 PST 2016] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Mon Nov 28 14:17:08 PST 2016] ret='28'
[Mon Nov 28 14:17:08 PST 2016] Skip for removelevel:
[Mon Nov 28 14:17:08 PST 2016] pid='84398'
[Mon Nov 28 14:17:08 PST 2016] _clearupdns
[Mon Nov 28 14:17:08 PST 2016] Dns not added, skip.
[Mon Nov 28 14:17:08 PST 2016] _on_issue_err
[Mon Nov 28 14:17:08 PST 2016] Please add '--debug' or '--log' to check more details.
[Mon Nov 28 14:17:08 PST 2016] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Nov 28 14:16:58 PST 2016] _NC='nc -N -l '
[Mon Nov 28 14:16:58 PST 2016] nc listen error.
[Mon Nov 28 14:16:58 PST 2016] usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-s source] [-T ToS]
	  [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
nc: Address already in use

#2

Hi @zvol, do you have some other program listening on those ports on that machine? Maybe checking with netstat -tap?


#3

I’m not sure. netstat is just giving me an error:

$ netstat -tap
netstat: illegal option -- t
usage: netstat [-46AaLnRSTWx] [-f protocol_family | -p protocol]
               [-M core] [-N system]
       netstat -i | -I interface [-46abdhnW] [-f address_family]
               [-M core] [-N system]
       netstat -w wait [-I interface] [-46d] [-M core] [-N system] [-q howmany]
       netstat -s [-s] [-46z] [-f protocol_family | -p protocol]
               [-M core] [-N system]
       netstat -i | -I interface [-46s] [-f protocol_family | -p protocol]
               [-M core] [-N system]
       netstat -m [-M core] [-N system]
       netstat -B [-I interface]
       netstat -r [-46AanW] [-f address_family] [-M core] [-N system]
       netstat -rs [-s] [-M core] [-N system]
       netstat -g [-46W] [-f address_family] [-M core] [-N system]
       netstat -gs [-46s] [-f address_family] [-M core] [-N system]
       netstat -Q

#4

@zvol, you and I are on different operating systems there. :) Do you know a command to find out what programs are listening on what ports on your OS? Maybe lsof -i?


#5

I’ll find out what is listening.


#6

This help?

$  netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.0.1.1922       192.168.0.2.34942      ESTABLISHED
tcp6       0      0 *.1991                 *.*                    LISTEN
tcp4       0      0 *.1991                 *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.1922                 *.*                    LISTEN
tcp6       0      0 *.1922                 *.*                    LISTEN

#7

Huh, what happens if you run

nc -N -l 80

as root? Is it an error?


#8

No response.

The *.1991 is for the web ui though, and *.1922 for ssh.
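Posts #2 through #8 circle one question: is something already bound to the port acme.sh wants, which is what nc's "Address already in use" means. The following is an added example, not code from acme.sh or pfSense, that parses BSD-style `netstat -an` output of the layout pasted above and answers that question for any TCP port. The sample text embedded in it is constructed in the same layout (with a wildcard listener on port 80 added so the positive case is visible), not the poster's real output.

```python
"""Added example (not acme.sh or pfSense code): parse BSD-style `netstat -an`
output and report which sockets are listening on a given TCP port, the check
that decides whether `nc -l 80` will fail with "Address already in use"."""
from typing import List, NamedTuple, Tuple


class Listener(NamedTuple):
    proto: str   # "tcp4" or "tcp6"
    addr: str    # local address; "*" is the wildcard
    port: int


# Constructed sample in the same layout as the output pasted in the thread
# (not the poster's real data); a wildcard listener on port 80 is added so
# the positive case is visible.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.0.1.1922       192.168.0.2.34942      ESTABLISHED
tcp6       0      0 *.1991                 *.*                    LISTEN
tcp4       0      0 *.1991                 *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.1922                 *.*                    LISTEN
tcp6       0      0 *.1922                 *.*                    LISTEN
"""


def split_bsd_endpoint(endpoint: str) -> Tuple[str, int]:
    """BSD netstat joins address and port with a dot ("127.0.0.1.953"),
    so the port is whatever follows the last dot."""
    addr, _, port = endpoint.rpartition(".")
    return addr, int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return every TCP socket in LISTEN state found in `netstat -an` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns; the header and UDP/unix rows are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[-1] != "LISTEN":
            continue
        addr, port = split_bsd_endpoint(fields[3])
        listeners.append(Listener(fields[0], addr, port))
    return listeners


def listeners_on(text: str, port: int) -> List[Listener]:
    return [entry for entry in parse_listeners(text) if entry.port == port]


def port_in_use(text: str, port: int) -> bool:
    """True if anything already listens on the port (a new listener would be refused)."""
    return bool(listeners_on(text, port))


def report(text: str, port: int) -> str:
    """One-line summary suitable for pasting into a support thread."""
    hits = listeners_on(text, port)
    if not hits:
        return f"port {port}: free"
    return f"port {port}: " + ", ".join(f"{h.proto} {h.addr}" for h in hits)


if __name__ == "__main__":
    for p in (80, 443, 1991):
        print(report(SAMPLE_NETSTAT, p))
```

To feed it real data, pipe the live output in (`netstat -an | python3 check.py` with `sys.stdin.read()` in place of the sample). `netstat -an` does not show which process owns a socket; on the FreeBSD base that pfSense runs on, `sockstat -4l` lists listening sockets together with the owning process name and PID, which is the quickest way to name the culprit once this check says the port is taken.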


#9

Interesting! Thanks for trying that.

@Neilpang is the author of acme.sh; Neil, could you speculate on what might be going wrong here or suggest what @zvol should run to get more debugging information?


#10

@schoen Thank you for @-ing me.

@zvol Please open 80 port in the firewall settings.

I have CI testing servers running pfSense; I know port 80 is not open by default. You must add a firewall rule to allow port 80.

If you have any problems, please report the issue here:


#11

Here is a guide for you.

https://thedevops.party/lets-encrypt-ssl-certificate-on-pfsense-2-3/


#12

I went through that post already.

Port 80 was open, I added a rule. I’ll try again.


#13

Same issue. I have port 80 open.

Here are my rules:

and my process:

$ ~/.acme.sh/acme.sh --issue --standalone --debug --staging -d <**redacted**>
[Tue Nov 29 22:50:46 PST 2016] Lets find script dir.
[Tue Nov 29 22:50:46 PST 2016] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Nov 29 22:50:46 PST 2016] _script='/root/.acme.sh/acme.sh'
[Tue Nov 29 22:50:46 PST 2016] _script_home='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.5
[Tue Nov 29 22:50:46 PST 2016] Using api: 
[Tue Nov 29 22:50:46 PST 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Tue Nov 29 22:50:46 PST 2016] DOMAIN_PATH='/root/.acme.sh/<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Le_NextRenewTime
[Tue Nov 29 22:50:46 PST 2016] _on_before_issue
[Tue Nov 29 22:50:46 PST 2016] Le_LocalAddress
[Tue Nov 29 22:50:46 PST 2016] Check for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:46 PST 2016] Standalone mode.
[Tue Nov 29 22:50:46 PST 2016] _checkport='80'
[Tue Nov 29 22:50:46 PST 2016] _checkaddr
[Tue Nov 29 22:50:46 PST 2016] Using: netstat
[Tue Nov 29 22:50:46 PST 2016] _saved_account_key_hash is not changed, skip register account.
[Tue Nov 29 22:50:46 PST 2016] Read key length:
[Tue Nov 29 22:50:46 PST 2016] _createcsr
[Tue Nov 29 22:50:46 PST 2016] Single domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Getting domain auth token for each domain
[Tue Nov 29 22:50:46 PST 2016] Getting webroot for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] _w='no'
[Tue Nov 29 22:50:46 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:46 PST 2016] Getting new-authz for domain='<**redacted**>'
[Tue Nov 29 22:50:46 PST 2016] Try new-authz for the 0 time.
[Tue Nov 29 22:50:46 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Nov 29 22:50:46 PST 2016] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "<**redacted**>"}}'
[Tue Nov 29 22:50:46 PST 2016] RSA key
[Tue Nov 29 22:50:48 PST 2016] GET
[Tue Nov 29 22:50:48 PST 2016] url='https://acme-staging.api.letsencrypt.org/directory'
[Tue Nov 29 22:50:48 PST 2016] timeout
[Tue Nov 29 22:50:48 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:48 PST 2016] ret='0'
[Tue Nov 29 22:50:48 PST 2016] POST
[Tue Nov 29 22:50:48 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Tue Nov 29 22:50:48 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:49 PST 2016] _ret='0'
[Tue Nov 29 22:50:49 PST 2016] code='201'
[Tue Nov 29 22:50:49 PST 2016] The new-authz request is ok.
[Tue Nov 29 22:50:49 PST 2016] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921","token":"4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w"'
[Tue Nov 29 22:50:49 PST 2016] token='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w'
[Tue Nov 29 22:50:49 PST 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:49 PST 2016] keyauthorization='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0'
[Tue Nov 29 22:50:49 PST 2016] dvlist='<**redacted**>#4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0#https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921#http-01#no'
[Tue Nov 29 22:50:49 PST 2016] ok, let's start to verify
[Tue Nov 29 22:50:49 PST 2016] Verifying:<**redacted**>
[Tue Nov 29 22:50:49 PST 2016] d='<**redacted**>'
[Tue Nov 29 22:50:49 PST 2016] keyauthorization='4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0'
[Tue Nov 29 22:50:49 PST 2016] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:49 PST 2016] _currentRoot='no'
[Tue Nov 29 22:50:49 PST 2016] Standalone mode server
[Tue Nov 29 22:50:49 PST 2016] ncaddr
[Tue Nov 29 22:50:49 PST 2016] startserver: 19740
[Tue Nov 29 22:50:49 PST 2016] Le_HTTPPort='80'
[Tue Nov 29 22:50:49 PST 2016] Le_Listen_V4
[Tue Nov 29 22:50:49 PST 2016] Le_Listen_V6
[Tue Nov 29 22:50:49 PST 2016] _NC='nc -N -l '
[Tue Nov 29 22:50:50 PST 2016] serverproc='16387'
[Tue Nov 29 22:50:50 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:50 PST 2016] payload='{"resource": "challenge", "keyAuthorization": "4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0"}'
[Tue Nov 29 22:50:50 PST 2016] POST
[Tue Nov 29 22:50:50 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:50 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:51 PST 2016] _ret='0'
[Tue Nov 29 22:50:51 PST 2016] code='202'
[Tue Nov 29 22:50:51 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:53 PST 2016] checking
[Tue Nov 29 22:50:53 PST 2016] GET
[Tue Nov 29 22:50:53 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:53 PST 2016] timeout
[Tue Nov 29 22:50:53 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:53 PST 2016] ret='0'
[Tue Nov 29 22:50:53 PST 2016] Pending
[Tue Nov 29 22:50:53 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:55 PST 2016] checking
[Tue Nov 29 22:50:55 PST 2016] GET
[Tue Nov 29 22:50:55 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:55 PST 2016] timeout
[Tue Nov 29 22:50:55 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:55 PST 2016] ret='0'
[Tue Nov 29 22:50:55 PST 2016] Pending
[Tue Nov 29 22:50:55 PST 2016] sleep 2 secs to verify
[Tue Nov 29 22:50:57 PST 2016] checking
[Tue Nov 29 22:50:57 PST 2016] GET
[Tue Nov 29 22:50:57 PST 2016] url='https://acme-staging.api.letsencrypt.org/acme/challenge/dWicBuxPJIufZX3Gqlha1nL5Vs75n_xbfwmYRHBHUjI/17416921'
[Tue Nov 29 22:50:57 PST 2016] timeout
[Tue Nov 29 22:50:57 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
[Tue Nov 29 22:50:58 PST 2016] ret='0'
[Tue Nov 29 22:50:58 PST 2016] <**redacted**>:Verify error:Could not connect to <**redacted**>
[Tue Nov 29 22:50:58 PST 2016] Debug: get token url.
[Tue Nov 29 22:50:58 PST 2016] GET
[Tue Nov 29 22:50:58 PST 2016] url='http://<**redacted**>/.well-known/acme-challenge/4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w'
[Tue Nov 29 22:50:58 PST 2016] timeout='1'
[Tue Nov 29 22:50:58 PST 2016] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --connect-timeout 1'
GET /.well-known/acme-challenge/4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w HTTP/1.1
Host: <**redacted**>
User-Agent: acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)
Accept: */*

4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w.5YD0oAUthrGwjQi1WWjpkzBmsTnyEbHyOsyD4GcMLh0[Tue Nov 29 22:50:58 PST 2016] ret='0'
[Tue Nov 29 22:50:58 PST 2016] usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-s source] [-T ToS]
	  [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
[Tue Nov 29 22:50:58 PST 2016] Skip for removelevel:
[Tue Nov 29 22:50:58 PST 2016] pid='16387'
[Tue Nov 29 22:50:59 PST 2016] _clearupdns
[Tue Nov 29 22:50:59 PST 2016] Dns not added, skip.
[Tue Nov 29 22:50:59 PST 2016] _on_issue_err
[Tue Nov 29 22:50:59 PST 2016] Please add '--debug' or '--log' to check more details.
[Tue Nov 29 22:50:59 PST 2016] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Nov 29 22:50:59 PST 2016] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.1s-freebsd  1 Mar 2016
apache:
apache doesn't exists.
nc:
usage: nc [-46DdEFhklNnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-s source] [-T ToS]
	  [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-D		Enable the debug socket option
		-d		Detach from stdin
		-E		Use IPsec ESP
		-e policy	Use specified IPsec policy
		-F		Pass socket fd
		-h		This help text
		-I length	TCP receive buffer length
		-i secs		Delay interval for lines sent, ports scanned
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-N		Shutdown the network socket after EOF on stdin
		-n		Suppress name/port resolutions
		--no-tcpopt	Disable TCP options
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s addr		Local source address
		-T toskeyword	Set IP Type of Service
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-w secs		Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]
See ipsec_set_policy(3) for -e argument format

#14

@zvol

On your pfsense server run:

echo hello  | nc -N -l 80

On another server run:

curl  http://your-pfsense-domain.com
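The debug log in #13 shows the whole http-01 exchange: the CA returns a token, acme.sh builds the key authorization (the token, a dot, and the RFC 7638 thumbprint of the account key), serves it at /.well-known/acme-challenge/<token> with nc, and the CA fetches it from the outside. The "Could not connect" line means that outside fetch never reached port 80, even though acme.sh's own local GET (the request echoed right after "Debug: get token url") came back with the correct body. The example below is added here and is not acme.sh's code: it implements that responder and the probe in Python so both outcomes can be seen side by side. The account JWK in it is a constructed placeholder (only a public key's thumbprint is needed for this step, and the modulus value is not a real key); the token is the staging token from the log above. It binds an ephemeral loopback port rather than port 80, so, like acme.sh's own local GET, it proves only that the responder works; the two-machine check in #14 is what shows whether the firewall passes the CA's inbound connection.

```python
"""Added example (not acme.sh code): what acme.sh's standalone mode does for an
HTTP-01 challenge, and the reachability probe that the "Could not connect"
error is really about. The account key here is a constructed placeholder."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed public JWK; the modulus is a placeholder string, not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    responses: Dict[str, str] = {}   # request path -> key authorization

    def do_GET(self):
        body = self.responses.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_responder(token: str, jwk: dict, host="127.0.0.1", port=0) -> HTTPServer:
    """Serve exactly one challenge path; port 0 picks a free port for the demo
    (acme.sh binds port 80, which is why that port must be free and open)."""
    table = {CHALLENGE_PREFIX + token: key_authorization(token, jwk)}
    handler = type("BoundHandler", (ChallengeHandler,), {"responses": table})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url: str, timeout: float = 1.0) -> Optional[Tuple[int, str]]:
    """Fetch the way the validator does; None stands for "Could not connect"."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def self_check(token: str, jwk: dict) -> Dict[str, bool]:
    """Bring the responder up, probe it, tear it down, probe again."""
    server = start_responder(token, jwk)
    host, port = server.server_address[:2]
    base = f"http://{host}:{port}"
    try:
        good = probe(f"{base}{CHALLENGE_PREFIX}{token}")
        wrong = probe(f"{base}{CHALLENGE_PREFIX}not-the-token")
    finally:
        server.shutdown()
        server.server_close()
    return {
        "served_key_authorization": good == (200, key_authorization(token, jwk)),
        "unknown_token_is_404": wrong == (404, ""),
        "closed_port_is_unreachable": probe(f"{base}/") is None,
    }


if __name__ == "__main__":
    print(self_check("4Ww426fYo0oUg2pBcNVHeJTtBF6sIj1kr8IvZj17e4w", SAMPLE_JWK))
```

Run as a script, all three checks come back True. On a real pfSense host the probe that matters is the same `probe()` pointed at http://<your-domain>/.well-known/acme-challenge/<token> from a machine outside the LAN while the responder is up: a None there with the responder confirmed working locally is a firewall or NAT problem, not an acme.sh problem, which is exactly what #15 found (the pass rule matched the source port instead of the destination port).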

#15

Doh! Mixed up the ports, I had the source port open. I fixed it by opening the destination.

Thanks for your help and work on the project.


#16

Thanks for figuring this out, @Neilpang!

