Unsuccessful DNS-01 Challenge in OPNsense Using ClouDNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bulkley.systems

I ran this command: executed through OPNsense web gui

It produced this output:

[Sun Sep 20 00:07:36 UTC 2020] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun Sep 20 00:07:36 UTC 2020] DOMAIN_PATH='/var/etc/acme-client/home/OPNsenseTLSCert'
[Sun Sep 20 00:07:36 UTC 2020] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 20 00:07:36 UTC 2020] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 20 00:07:36 UTC 2020] GET
[Sun Sep 20 00:07:36 UTC 2020] url='https://acme-v02.api.letsencrypt.org/directory'
[Sun Sep 20 00:07:36 UTC 2020] timeout=
[Sun Sep 20 00:07:36 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.IFtDAFzx -g '
[Sun Sep 20 00:07:36 UTC 2020] ret='0'
[Sun Sep 20 00:07:36 UTC 2020] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sun Sep 20 00:07:37 UTC 2020] ACME_NEW_AUTHZ
[Sun Sep 20 00:07:37 UTC 2020] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Sep 20 00:07:37 UTC 2020] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sun Sep 20 00:07:37 UTC 2020] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sun Sep 20 00:07:37 UTC 2020] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sun Sep 20 00:07:37 UTC 2020] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Sep 20 00:07:37 UTC 2020] ACME_VERSION='2'
[Sun Sep 20 00:07:37 UTC 2020] Le_NextRenewTime
[Sun Sep 20 00:07:37 UTC 2020] _on_before_issue
[Sun Sep 20 00:07:37 UTC 2020] _chk_main_domain='OPNsenseTLSCert'
[Sun Sep 20 00:07:37 UTC 2020] _chk_alt_domains='bulkley.systems,*.bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] Le_LocalAddress
[Sun Sep 20 00:07:37 UTC 2020] d='OPNsenseTLSCert'
[Sun Sep 20 00:07:37 UTC 2020] Check for domain='OPNsenseTLSCert'
[Sun Sep 20 00:07:37 UTC 2020] _currentRoot='dns_cloudns'
[Sun Sep 20 00:07:37 UTC 2020] d='bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] Check for domain='bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] _currentRoot='dns_cloudns'
[Sun Sep 20 00:07:37 UTC 2020] d='*.bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] Check for domain='*.bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] _currentRoot='dns_cloudns'
[Sun Sep 20 00:07:37 UTC 2020] d
[Sun Sep 20 00:07:37 UTC 2020] _saved_account_key_hash is not changed, skip register account.
[Sun Sep 20 00:07:37 UTC 2020] Read key length:2048
[Sun Sep 20 00:07:37 UTC 2020] _createcsr
[Sun Sep 20 00:07:37 UTC 2020] Multi domain='DNS:OPNsenseTLSCert,DNS:bulkley.systems,DNS:*.bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] Getting domain auth token for each domain
[Sun Sep 20 00:07:38 UTC 2020] d='bulkley.systems'
[Sun Sep 20 00:07:38 UTC 2020] d='*.bulkley.systems'
[Sun Sep 20 00:07:38 UTC 2020] d
[Sun Sep 20 00:07:38 UTC 2020] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Sep 20 00:07:38 UTC 2020] payload='{"identifiers": [{"type":"dns","value":"OPNsenseTLSCert"},{"type":"dns","value":"bulkley.systems"},{"type":"dns","value":"*.bulkley.systems"}]}'
[Sun Sep 20 00:07:38 UTC 2020] RSA key
[Sun Sep 20 00:07:40 UTC 2020] HEAD
[Sun Sep 20 00:07:40 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sun Sep 20 00:07:40 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.Ay2ceMVw -g -I '
[Sun Sep 20 00:07:40 UTC 2020] _ret='0'
[Sun Sep 20 00:07:40 UTC 2020] POST
[Sun Sep 20 00:07:40 UTC 2020] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sun Sep 20 00:07:40 UTC 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header --trace-ascii /tmp/tmp.Ay2ceMVw -g '
[Sun Sep 20 00:07:41 UTC 2020] _ret='0'
[Sun Sep 20 00:07:41 UTC 2020] code='400'
[Sun Sep 20 00:07:41 UTC 2020] Le_LinkOrder
[Sun Sep 20 00:07:41 UTC 2020] Le_OrderFinalize
[Sun Sep 20 00:07:41 UTC 2020] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for \"opnsensetlscert\": Domain name needs at least one dot",
"status": 400
}
[Sun Sep 20 00:07:41 UTC 2020] pid
[Sun Sep 20 00:07:41 UTC 2020] No need to restore nginx, skip.
[Sun Sep 20 00:07:41 UTC 2020] _clearupdns
[Sun Sep 20 00:07:41 UTC 2020] dns_entries
[Sun Sep 20 00:07:41 UTC 2020] skip dns.
[Sun Sep 20 00:07:41 UTC 2020] _on_issue_err
[Sun Sep 20 00:07:41 UTC 2020] Please check log file for more details: /var/log/acme.sh.log
[Sun Sep 20 00:07:41 UTC 2020] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1d-freebsd 10 Sep 2019
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.3.4 on Sep 1 2020 03:26:02
running on FreeBSD version FreeBSD 12.1-RELEASE-p8-HBSD #0 b3665671c4d(stable/20.7)-dirty: Thu Aug 27 05:58:53 CEST 2020 root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP, release 12.1-RELEASE-p8-HBSD, machine amd64
features:
#define WITH_STDIO 1
#define WITH_FDNUM 1
#define WITH_FILE 1
#define WITH_CREAT 1
#define WITH_GOPEN 1
#define WITH_TERMIOS 1
#define WITH_PIPE 1
#define WITH_UNIX 1
#undef WITH_ABSTRACT_UNIXSOCKET
#define WITH_IP4 1
#define WITH_IP6 1
#define WITH_RAWIP 1
#define WITH_GENERICSOCKET 1
#undef WITH_INTERFACE
#define WITH_TCP 1
#define WITH_UDP 1
#define WITH_SCTP 1
#define WITH_LISTEN 1
#define WITH_SOCKS4 1
#define WITH_SOCKS4A 1
#define WITH_PROXY 1
#define WITH_SYSTEM 1
#define WITH_EXEC 1
#undef WITH_READLINE
#undef WITH_TUN
#define WITH_PTY 1
#define WITH_OPENSSL 1
#undef WITH_FIPS
#define WITH_LIBWRAP 1
#define WITH_SYCLS 1
#define WITH_FILAN 1
#define WITH_RETRY 1
#define WITH_MSGLEVEL 0 /*debug*/

My web server is (include version): socat version 1.7.3.4

The operating system my web server runs on is (include version): FreeBSD version FreeBSD 12.1-RELEASE-p8-HBSD

My hosting provider, if applicable, is: ClouDNS Premium

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Acme v2


It looks like something is going wrong with the way OPNsense is calling acme.sh.

OPNsenseTLSCert should not be there. It should just be bulkley.systems and *.bulkley.systems.

Can you see anywhere in the Web UI where it says OPNsenseTLSCert for the domain? You need to get rid of that somehow.

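A pre-flight check for the identifier list, added here as an example and not code from the thread, OPNsense or acme.sh: it pulls the SAN list from the `Multi domain=` line acme.sh prints (sample constructed from the log above) and reports which names the CA would reject, in particular a certificate name like OPNsenseTLSCert that has no dot. The dot rule is the one Let's Encrypt returned above; the other label checks assume the CA enforces at least plain RFC 1035 host-name syntax.

```python
import re

# Constructed sample: the relevant lines of the acme.sh debug log quoted above.
SAMPLE_LOG = """\
[Sun Sep 20 00:07:37 UTC 2020] _createcsr
[Sun Sep 20 00:07:37 UTC 2020] Multi domain='DNS:OPNsenseTLSCert,DNS:bulkley.systems,DNS:*.bulkley.systems'
[Sun Sep 20 00:07:37 UTC 2020] Getting domain auth token for each domain
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_identifier(name):
    """Return None if `name` is a DNS identifier the CA should accept,
    otherwise a short reason. Assumption: the CA enforces the dot rule seen
    in the rejectedIdentifier error plus basic host-name syntax."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return "empty identifier"
    if "." not in n:
        return "needs at least one dot (rejectedIdentifier)"
    if len(n) > 253:
        return "longer than 253 characters"
    labels = n.split(".")
    if "*" in n:
        # A wildcard is only valid as the whole leftmost label.
        if labels[0] != "*" or "*" in "".join(labels[1:]):
            return "wildcard allowed only as the leftmost label"
        labels = labels[1:]
    for lab in labels:
        if not LABEL_RE.match(lab):
            return "label %r is not valid host-name syntax" % lab
    return None


def identifiers_from_log(log_text):
    """Extract the SAN list acme.sh logs as Multi domain='DNS:a,DNS:b,...'."""
    m = re.search(r"Multi domain='((?:DNS:[^,']+,?)+)'", log_text)
    if not m:
        return []
    return [x[len("DNS:"):] for x in m.group(1).split(",") if x.startswith("DNS:")]


def preflight(log_text):
    """Map each identifier to None (ok) or the reason the order would fail."""
    return {d: check_identifier(d) for d in identifiers_from_log(log_text)}


if __name__ == "__main__":
    for dom, problem in preflight(SAMPLE_LOG).items():
        print("%-24s %s" % (dom, problem or "ok"))
```

Running it against the sample flags only OPNsenseTLSCert, which is the value to remove from the OPNsense certificate's domain list before retrying the order.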
