
Author Topic: Acme/LE help  (Read 183 times)


Offline wgstarks

Acme/LE help
« on: December 02, 2017, 07:08:26 pm »
I'm trying to get an LE certificate following the instructions here. I'm trying to set up nsupdate for validation as recommended, but I don't know what to paste into the KEY field.

Every time I try to generate a certificate I get a null key error.
pfSense vs 2.4.2
Box: Minisys IBOX-501 N10E
CPU: Intel Atom E3845
NIC: Intel WG82583 1000M x 4
RAM: 8GB

Offline Gertjan

Re: Acme/LE help
« Reply #1 on: December 03, 2017, 07:32:11 am »
Hi,

You missed this part:
Quote
Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain ...
just above.

Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.
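The reply above says the KEY field holds the same TSIG secret that BIND uses on the DNS server. The following Python is an added example (not code from the thread, the pfSense docs, or the ACME package) that generates such a secret, checks that a pasted KEY value is non-empty and decodes as base64 (an empty field is the usual cause of a "null key" error), and emits the matching BIND `key` and least-privilege `update-policy` clauses plus the nsupdate batch an ACME client effectively sends. The key name, zone and nameserver are placeholders.

```python
"""Generate and sanity-check RFC 2136 (nsupdate) material for ACME dns-01.

Added example, not from the thread or the pfSense ACME package.
The same TSIG secret goes into BIND's named.conf on the DNS server and
into the ACME package's KEY field on pfSense.  Names below are placeholders.
"""
import base64
import binascii
import secrets

KEY_NAME = "pfsense-acme"          # placeholder TSIG key name
ZONE = "example.com."              # placeholder zone you control
NAMESERVER = "ns1.example.com"     # placeholder master nameserver


def generate_tsig_secret(nbytes: int = 32) -> str:
    """Return a fresh random TSIG secret, base64 encoded as BIND expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def validate_key_field(value: str) -> bool:
    """True if value is usable as the KEY field: non-empty, strictly valid
    base64, and decoding to at least 16 bytes of key material."""
    value = value.strip()
    if not value:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16


def named_key_clause(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """BIND 'key' statement; the same text also serves as the nsupdate -k key file."""
    return (f'key "{name}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret}";\n'
            "};\n")


def update_policy_clause(name: str, fqdn: str) -> str:
    """Least-privilege grant for the zone statement: the key may only touch
    the _acme-challenge TXT record of fqdn, nothing else in the zone."""
    return ("update-policy {\n"
            f"    grant {name} name _acme-challenge.{fqdn} TXT;\n"
            "};\n")


def nsupdate_batch(zone: str, fqdn: str, txt_value: str, server: str, ttl: int = 60) -> str:
    """Commands to pipe into 'nsupdate -k keyfile' to publish one challenge
    record; an ACME client does the equivalent of this on every validation."""
    return (f"server {server}\n"
            f"zone {zone}\n"
            f"update delete _acme-challenge.{fqdn} TXT\n"
            f'update add _acme-challenge.{fqdn} {ttl} TXT "{txt_value}"\n'
            "send\n")


if __name__ == "__main__":
    secret = generate_tsig_secret()
    print(named_key_clause(KEY_NAME, secret))
    print(update_policy_clause(KEY_NAME, ZONE))
    # constructed token value, stands in for what the ACME client would write
    print(nsupdate_batch(ZONE, ZONE, "constructed-challenge-value", NAMESERVER))
```

Paste the generated `key` clause into named.conf, the `update-policy` clause into the zone statement, and the raw base64 secret into the package's KEY field; feeding the printed batch to `nsupdate -k keyfile` by hand is a quick way to confirm the server accepts the key before involving the ACME client.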

Offline wgstarks

Re: Acme/LE help
« Reply #2 on: December 03, 2017, 07:43:45 am »
Quote
Hi,

You missed this part:
Quote
Before starting, an appropriate DNS key and settings must be in place in the DNS infrastructure for the domain ...
just above.

Have a look at this https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS for some useful instructions.
The key ("/0/4bxF9A08n/zke/vANyQ==", as mentioned on that page) is the key used by bind (on the DNS server side) and by pfSense, in the LE package.
Thanks, but that info is all completely over my head. 😁
I'm using Namecheap for DNS, so I'm guessing that doesn't qualify as "directly controlled"?

Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.

Offline Gertjan

Re: Acme/LE help
« Reply #3 on: December 03, 2017, 12:01:25 pm »
Quote
Thanks, but that info is all completely over my head. 😁
I'm using Namecheap for DNS, so I'm guessing that doesn't qualify as "directly controlled"?

Perhaps there is a simpler verification method? I was just attempting this one because it was recommended in the wiki.
The dns-nsupdate method is useful when you control your domain on your own DNS server, like bind (named) on your own server or VPS. You'll be needing root access.
Namecheap, however, needs a special API, I guess, as many other DNS hosts offer.
Namecheap has been discussed on the forum already, like here (a couple of lines below): Let's Encrypt w Acme package working, but not ideal.

edit: and the conclusion is: probably not possible.
« Last Edit: December 03, 2017, 12:05:43 pm by Gertjan »

Offline wgstarks

Re: Acme/LE help
« Reply #4 on: December 03, 2017, 04:40:33 pm »
I thought I finally got things working using the haproxy method but there is still a timeout error.
Code:
LE_Cert
Renewing certificate
account: LE_Cert
server: letsencrypt-production

/usr/local/pkg/acme/acme.sh --issue -d 'dahoney.me' --home '/tmp/acme/LE_Cert/' --accountconf '/tmp/acme/LE_Cert/accountconf.conf' --force --reloadCmd '/tmp/acme/LE_Cert/reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme/LE_Cert/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[folder] => /tmp/haproxy_chroot/.well-known/acme-challenge/
)
[Sun Dec 3 17:34:15 EST 2017] Single domain='dahoney.me'
[Sun Dec 3 17:34:15 EST 2017] Getting domain auth token for each domain
[Sun Dec 3 17:34:15 EST 2017] Getting webroot for domain='dahoney.me'
[Sun Dec 3 17:34:15 EST 2017] Getting new-authz for domain='dahoney.me'
[Sun Dec 3 17:34:21 EST 2017] The new-authz request is ok.
[Sun Dec 3 17:34:21 EST 2017] Verifying:dahoney.me
[Sun Dec 3 17:34:21 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh

challenge_response_put LE_Cert, dahoney.me
FOUND domainitemwebroot
put token at: /tmp/haproxy_chroot/.well-known/acme-challenge//<redacted>
[Sun Dec 3 17:34:25 EST 2017] Pending
[Sun Dec 3 17:34:28 EST 2017] Pending
[Sun Dec 3 17:34:31 EST 2017] Found domain http api file: /tmp/acme/LE_Cert//httpapi/pfSenseacme.sh
[Sun Dec 3 17:34:30 EST 2017] dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout
[Sun Dec 3 17:34:31 EST 2017] Please check log file for more details: /tmp/acme/LE_Cert/acme_issuecert.log

What did I miss?

Offline Gertjan

Re: Acme/LE help
« Reply #5 on: December 03, 2017, 06:44:59 pm »
This:
Quote
dahoney.me:Verify error:Fetching http://dahoney.me/.well-known/acme-challenge/<redacted>: Timeout
A "request" has been sent from the LE server, and "http://dahoney.me/.well-known/acme-challenge" did not bring back the right reply.
This means:
dahoney.me has to resolve to the IP your pfSense is using.
Port 80 has to be open.
etc. (see the acme/LE manual about the subject).
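The reply above lists what the CA's validator needs for an HTTP-01 challenge: the name must resolve to the address pfSense serves, and port 80 must answer with the file the client wrote under /.well-known/acme-challenge/. The following Python preflight is an added example (not code from the thread or the pfSense ACME package) that reproduces those checks before the ACME client is run: it resolves every published A and AAAA address (the CA may connect to any of them), flags any that are not yours, then fetches the challenge URL over plain HTTP and compares the body with what the client wrote. The resolver and fetcher are injectable so the logic can be exercised offline; the domain, addresses and token in the test are constructed placeholders.

```python
"""Preflight check for an ACME HTTP-01 challenge.

Added example, not from the thread or the pfSense ACME package.  It mimics
what the CA's validator does so that a timeout like the one in the log can be
diagnosed locally: DNS first, then the plain-HTTP fetch on port 80.
"""
import socket
import urllib.request
from typing import Callable, Iterable, List, Set

WELL_KNOWN = "/.well-known/acme-challenge/"


def resolve_all(name: str) -> Set[str]:
    """Return every A and AAAA address published for name."""
    addrs: Set[str] = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM):
                addrs.add(info[4][0])
        except socket.gaierror:
            pass
    return addrs


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch url over plain HTTP; return the body as text, '' on any failure
    (connection refused, filtered port, timeout, non-2xx status)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return ""


def preflight(domain: str, token: str, expected_body: str,
              expected_ips: Iterable[str],
              resolver: Callable[[str], Set[str]] = resolve_all,
              fetcher: Callable[[str], str] = http_fetch) -> List[str]:
    """Return a list of problems; an empty list means HTTP-01 should pass.

    token:         file name the client created under the webroot
    expected_body: the file's contents (the key authorization the client wrote)
    expected_ips:  public addresses on which pfSense/haproxy serve port 80
    """
    problems: List[str] = []
    addrs = resolver(domain)
    if not addrs:
        problems.append(f"{domain} does not resolve")
        return problems
    stray = addrs - set(expected_ips)
    if stray:
        # The CA may pick any published address; one that is not ours fails.
        problems.append(f"{domain} also resolves to {sorted(stray)}, which we do not serve")
    body = fetcher(f"http://{domain}{WELL_KNOWN}{token}")
    if body == "":
        problems.append("no HTTP response on port 80 (blocked, not listening, or timeout)")
    elif body.strip() != expected_body.strip():
        problems.append("port 80 answered, but not with the challenge file (wrong frontend/backend?)")
    return problems


if __name__ == "__main__":
    import sys
    # usage: preflight.py <domain> <token> <expected_body> <wan-ip> [<wan-ip6>]
    dom, tok, body, *ips = sys.argv[1:]
    for p in preflight(dom, tok, body, ips):
        print("PROBLEM:", p)
    print("ok" if not preflight(dom, tok, body, ips) else "fix the above first")
```

Run it from a host outside your own network: a check from inside the LAN can pass through NAT reflection, or fail for lack of it, while the CA's validator only ever sees the path from the public Internet.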

Offline wgstarks

Re: Acme/LE help
« Reply #6 on: December 03, 2017, 06:47:50 pm »
Doesn't haproxy open the port when it runs?

Offline Gertjan

Re: Acme/LE help
« Reply #7 on: December 04, 2017, 12:13:22 am »
I don't know ^^ I guess not.
When I 'surf' to "http://dahoney.me/" I'm smacked with a huge "Cloudflare error"; better make that work first.
Also: 2 A and AAAA records! Multi-WAN?

I'm using "LE + nsupdate"; I hope haproxy users will chime in.

edit: a start: https://forum.pfsense.org/index.php?topic=140857.0 (two forum lines away).
« Last Edit: December 04, 2017, 12:18:26 am by Gertjan »

Offline wgstarks

Re: Acme/LE help
« Reply #8 on: December 04, 2017, 10:18:38 am »
I'm in the middle of switching my DNS servers from Namecheap to Cloudflare, just waiting for the changes to take effect (up to 24 hrs). I plan to try authentication using a TXT record.

Not sure why you're seeing multiple A records? I have one A record and a couple of CNAMEs. Maybe something due to the changing DNS servers? I do see a bunch of MX records, which seems strange since I'm not running any email on this site. Currently just planning to use it for VPN. Maybe the MX records are just placeholders?