
Topic: Acme cert help - 400 timeout


packetman_
Acme cert help - 400 timeout
« on: January 12, 2018, 04:37:39 pm »
Greetings. I've been working the past few days to get a cert on my FW to no avail.
I am using port 80 standalone server mode.

I've narrowed the issue down to this section:

    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://secure.pardigital.net/.well-known/acme-challenge/3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ: Timeout",
        "status": 400
      }
    }

Gertjan
Re: Acme cert help - 400 timeout
« Reply #1 on: January 13, 2018, 07:43:46 pm »
Hi,

Seems to me that http://secure.pardigital.net is redirected (NATted?) to some web server ("Welcome to nginx on Fedora!") behind (?) pfSense.

Did you see https://doc.pfsense.org/index.php/ACME_package? What method are you using? "webroot" or http-01 isn't a good plan; choose another one like "FTP Webroot".
The directory and file ".well-known/acme-challenge/3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ" would be created on that server, and the ACME test will proceed.

packetman_
Re: Acme cert help - 400 timeout
« Reply #2 on: Yesterday at 01:34:56 pm »
The Nginx welcome page popped up due to me removing the NAT needed for this to work.
I'm using the FTP method and I am still getting HTTP timeouts.

From the logs it seems that it successfully uploads the file to my local FTP server, but then Let's Encrypt attempts to pull the file via HTTP, same as the standalone web server method. This times out consistently, and I have no log info of what goes on after the file is uploaded via FTP. It does not make sense (to me) that the webroot FTP method also requires port 80 open to the firewall...

Gertjan
Re: Acme cert help - 400 timeout
« Reply #3 on: Yesterday at 02:43:31 pm »
Hi,

Upfront, I'm not an acme (or Let's Encrypt) expert, but this is how I think it works:
The FTP method gives the acme script a way to put in place the needed files to check. These files were made by Let's Encrypt, handed over by an HTTP (or HTTPS) request, and then put in place somewhere. The methods are: manual DNS record adding, or automatically when you choose the 'nsupdate' method, or the FTP method for a remote (not local) web server, which is your case I guess, or some more methods.
Once the files are in place, the acme script signals Let's Encrypt it's ready. From their side, an HTTP request is made to test if the file with the special info is present in the designated place.

I guess you could very well leave the NATting in place to your web server. The FTP method is perfect to put the directories and files in place on that server, your nginx web server. You'll be needing an FTP service running on this server, of course.

By no means will Let's Encrypt use FTP to access and check these files. Remember, FTP as such is an old protocol and considered dead. Far better is SFTP access, btw (much simpler).

jimp (Administrator)
Re: Acme cert help - 400 timeout
« Reply #4 on: Today at 07:14:29 am »
Should that URL be open to the world? I can't reach it on port 80 over IPv4 or IPv6 right now. Perhaps the validation servers at Let's Encrypt also can't reach it?

Since it's a timeout, I would focus on firewall rules or other access rules, maybe even routing upstream, anything that could prevent LE from reaching your web server on port 80. Maybe you have something like pfBlocker filtering access or geoblocking?
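The exchange Gertjan describes above (the client puts the file in place, then Let's Encrypt fetches it over HTTP) and jimp's point that a timeout means the validation servers never got an answer on port 80, as one added example. This is not code from the thread or from the pfSense ACME package. It assumes a constructed RSA account JWK (not a real key), reuses the token from the posted error, stands an ephemeral localhost port in for port 80 on the nginx host, and uses a socket that completes the TCP handshake but never answers to stand in for a forward that is being blackholed:

```python
"""Added example (not from the thread or the pfSense ACME package): the http-01 exchange
from both sides, run entirely on localhost.  Client side writes the key authorization into
<webroot>/.well-known/acme-challenge/<token>; CA side fetches it over plain HTTP and compares."""
import base64
import functools
import hashlib
import json
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the web server must return for /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def place_challenge(webroot: Path, token: str, keyauth: str) -> Path:
    """Client side: drop the key authorization into the webroot (the 'webroot' or FTP upload step)."""
    path = webroot / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(keyauth)
    return path

def validate_http01(host: str, port: int, token: str, expected: str, timeout: float = 2.0) -> dict:
    """CA side: one plain-HTTP GET, then compare.  The real CA only ever uses port 80; the port
    argument is here so the example can hit an ephemeral localhost listener instead."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    invalid = {"type": "http-01", "status": "invalid"}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore any proxy env vars
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()  # tolerate a trailing newline
    except urllib.error.HTTPError as exc:  # the server answered, but not with the file (e.g. 404)
        return {**invalid, "error": {"type": "urn:acme:error:unauthorized",
                                     "detail": f"Fetching {url}: HTTP {exc.code}", "status": 403}}
    except OSError as exc:  # URLError (connect phase) and socket.timeout (read phase) are both OSErrors
        reason = getattr(exc, "reason", exc)
        detail = "Timeout" if isinstance(reason, (socket.timeout, TimeoutError)) else str(reason)
        return {**invalid, "error": {"type": "urn:acme:error:connection",
                                     "detail": f"Fetching {url}: {detail}", "status": 400}}
    if body != expected:
        return {**invalid, "error": {"type": "urn:acme:error:unauthorized",
                                     "detail": f"Fetching {url}: key authorization did not match", "status": 403}}
    return {"type": "http-01", "status": "valid"}

class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep stderr clean
        pass

def serve_webroot(webroot: Path) -> HTTPServer:
    """Stand-in for the nginx box behind pfSense: serve the webroot on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), functools.partial(_QuietHandler, directory=str(webroot)))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo(timeout: float = 1.0) -> tuple:
    """Run the exchange twice: against a reachable webroot, then against a port that completes the
    TCP handshake but never answers (a SYN dropped upstream times out in the connect phase instead;
    the CA reports 'Timeout' either way, as in the first post)."""
    account_jwk = {"kty": "RSA", "e": "AQAB",  # constructed JWK, not a real key
                   "n": b64url(b"constructed modulus for the example, not a real RSA key")}
    token = "3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ"  # the token from the posted error
    keyauth = key_authorization(token, account_jwk)

    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        place_challenge(webroot, token, keyauth)
        srv = serve_webroot(webroot)
        try:
            reachable = validate_http01("127.0.0.1", srv.server_address[1], token, keyauth, timeout)
        finally:
            srv.shutdown()
            srv.server_close()

    blackhole = socket.socket()
    blackhole.bind(("127.0.0.1", 0))
    blackhole.listen(1)  # handshake lands in the backlog; nothing ever reads or replies
    try:
        unreachable = validate_http01("127.0.0.1", blackhole.getsockname()[1], token, keyauth, timeout)
    finally:
        blackhole.close()
    return reachable, unreachable

if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

Running it prints the two challenge objects: the first comes back "valid", the second reproduces the urn:acme:error:connection / Timeout object from the first post. The same pre-flight works on a real deployment: put any file under the webroot and fetch http://<hostname>/.well-known/acme-challenge/<name> from a host outside your own network, over plain port 80, before asking the CA to validate. As Gertjan says, the CA does that fetch itself and never touches the FTP side, so the FTP upload succeeding tells you nothing about whether port 80 is reachable from the Internet.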