Unable to issue cert


#1

Hi Folks,

This is my first time using LetsEncrypt and I’m hitting what I assume is a dumb issue but I can’t resolve it.

I’m using the ACME module in pfSense to request a cert for my new domain. The domain is registered with Google Domains and delegated to Dyn Managed DNS nameservers. The domain resolves fine and I’m able to access it. Whois records are fine as well. I’ve generated my account key and registered it to letsencrypt-production-2. I’m now trying to issue the certificate. I’ve tried using multiple methods but the current one is “DNS-Dyn.com”. I’ve supplied my Dyn customer ID as well as my API username and password. The API account is the account owner so there shouldn’t be any permissions issues. When I click “Issue” I get the following. (Note that I’ve scrubbed sensitive data and replaced it with ) I’m running pfSense 2.4.3.

Renewing certificate account: server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue -d '' --home '/tmp/acme//' --accountconf '/tmp/acme//accountconf.conf' --force --reloadCmd '/tmp/acme//reloadcmd.sh' --dns 'dns_dyn' --log-level 3 --log '/tmp/acme//acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[DYN_Customer] => <dyn_customer>
[DYN_Username] => <dyn_username>
[DYN_Password] => <dyn_password>
)
[Sun Aug 12 14:00:36 PDT 2018] Single domain=''
[Sun Aug 12 14:00:36 PDT 2018] Getting domain auth token for each domain
[Sun Aug 12 14:00:38 PDT 2018] Getting webroot for domain=''
[Sun Aug 12 14:00:38 PDT 2018] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_dyn.sh
[Sun Aug 12 14:00:38 PDT 2018] Start Dyn API Session
[Sun Aug 12 14:00:38 PDT 2018] get token failed
[Sun Aug 12 14:00:38 PDT 2018] Error add txt for domain:_acme-challenge.
[Sun Aug 12 14:00:38 PDT 2018] Please check log file for more details: /tmp/acme//acme_issuecert.log

Any ideas?

Thanks!
Brian


#2

Hi @briantheimpaler

What’s your domain name?

And what does the acme_issuecert.log say?


#3

Sorry, I just got home where I have CLI access again. The domain is briantheimpaler.com.

Output from /tmp/acme/briantheimpaler.com/acme_issuecert.log for an attempt:

https://pastebin.com/nH5dxVLW


#4

Hi,

From line 239 of your log file, there’s an error message coming from DYN stating that your account credentials are incorrect:

    [Sun Aug 12 16:27:48 PDT 2018] response='{"status": "failure", "data": {}, "job_id": 523200735, "msgs": [{"INFO": "login: Credentials you entered are incorrect and/or you are logging in from an unauthorized network.", "SOURCE": "BLL", "ERR_CD": "INVALID_DATA", "LVL": "ERROR"}, {"INFO": "login: Login failed", "SOURCE": "BLL", "ERR_CD": null, "LVL": "INFO"}]}'

Please try to fix this error before proceeding. (Check your `customer_name`, `user_name` and `password` to see if those have been set up correctly.)

Thank you



#6

Your challenge URL:

https://acme-v02.api.letsencrypt.org/acme/challenge/MCCgNuSP_euvE0G0KrbDF9HS2FrC42YpGBg_ovAWKBI/6421372321

But your DNS setting for briantheimpaler.com:

briantheimpaler.com text =

    "_acme-challenge.briantheimpaler.com. IN KEY 0 3 157 //FEO3t6uErg1UVVTK5WWzdRPc82y3wnsLGkecaEP1U/dUknR7cpiU4v ZuPLRIIsFb0VIKW6+0InPkivxHp/pw=="

This is the string used in special configuration files, not in a menu for customers.

You have to define the name as _acme-challenge. And the value is something like

FEO3t6uErg1UVVTK5WWzdRPc82y3wnsLGkecaEP1U/dUknR7cpiU4v ZuPLRIIsFb0VIKW6+0InPkivxHp/pw==

But this value is wrong: it contains “=”, which isn’t base64url.
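To make the point of this last post concrete, here is an added example (not from the thread or from acme.sh) that computes the DNS-01 TXT value the way RFC 8555 section 8.4 specifies and explains why the string published above cannot be one. The account key and token are constructed sample values, not the poster's.

```python
import base64
import hashlib
import json
import re

# RFC 8555 section 8.4: the TXT value at _acme-challenge.<domain> is the
# base64url encoding (no "=" padding) of SHA-256(keyAuthorization), where
# keyAuthorization = token + "." + JWK thumbprint of the account key.
BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")  # 32 bytes -> 43 chars, unpadded


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The exact string the ACME client must publish in the _acme-challenge TXT record."""
    key_authz = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


def check_txt_value(value: str) -> list:
    """Return the reasons a published TXT value cannot be a valid DNS-01 response."""
    problems = []
    if "=" in value:
        problems.append("contains '=' padding, which unpadded base64url never has")
    if "+" in value or "/" in value:
        problems.append("uses '+' or '/', the standard base64 alphabet, not base64url")
    if " " in value:
        problems.append("contains whitespace (a line-wrapped key blob, not a challenge value)")
    if not problems and not BASE64URL_RE.fullmatch(value):
        problems.append("not exactly 43 base64url characters (SHA-256 encodes to 43)")
    return problems


# Constructed sample account key (throwaway EC P-256 public JWK) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
# The value actually published in the thread: a KEY record blob, not a TXT challenge.
POSTED_VALUE = ("FEO3t6uErg1UVVTK5WWzdRPc82y3wnsLGkecaEP1U/dUknR7cpiU4v "
                "ZuPLRIIsFb0VIKW6+0InPkivxHp/pw==")

if __name__ == "__main__":
    print("expected TXT value:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("posted value problems:", check_txt_value(POSTED_VALUE))
```

In normal operation acme.sh publishes this value itself through the DNS API; the Dyn login failure shown in the log is why that never happened here.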