Topic: SOLVED! Got an LE certificate -- really?

-flo-
SOLVED! Got an LE certificate -- really?
« on: February 05, 2018, 10:15:04 am »
So acme worked and told me "[Mon Feb 5 17:06:02 CET 2018] Cert success.". It tells me some places where some files are deployed.

Now what?

How do I get pfsense to serve the generated certificate? Shouldn't the script install a certificate to System / Certificate Manager / Certificates? I have something there with "Issuer" = "private key only" and no value in "Distinguished Name". That's not a certificate, is it?

« Last Edit: February 11, 2018, 08:09:16 am by -flo- »

Gertjan
Re: Got an LE certificate -- really?
« Reply #1 on: February 05, 2018, 10:31:02 am »
Hi,

> So acme worked and told me "[Mon Feb 5 17:06:02 CET 2018] Cert success.".
There should be something more:
Code:
-----BEGIN CERTIFICATE-----
MIIGijCCBXKgAwIBAgISA6zWrMGwCMNGItmDjXaMup/LMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAyMDUxNTMxMzZaFw0x
ODA1MDYxNTMxMzZaMB8xHTAbBgNVBAMTFGJyaXQtaG90ZWwtZnVtZWwubmV0MIIC

[ big snip here ]

mOkYsbIJRV5bfvkD5/v12adKteFNElTV4OtPRWHO3IIwZJLmytuXyEACEOsa+eVw
kl/37y/Dafs5y08ISksWSE0zEfcR70w5ryG7XRCzUP4fAovjeE73siTiXOHFQzkV
SERzpdyFseiqFNmQq4tmB+A6q+hlzTeT2ultxc1SAw4Q5GXwTUwz37eJWz5y9UIL
+/f9hqglOMJDz2vQgw5z1YO9eas88VSWlhD+bpZ0wzVZ3+tZenUAuGN5kUnOmsBw
1mhXHbjcEoVOhaAV5CjhlWtJYymrz5mZ9l39RW4RYiCWrHGKDtQsxUT1ZC7PDg==
-----END CERTIFICATE-----
[Mon Feb 5 17:31:36 CET 2018] Your cert is in /tmp/acme/brit-hotel-fumel.net//brit-hotel-fumel.net/brit-hotel-fumel.net.cer (but we don't care !!)
[Mon Feb 5 17:31:36 CET 2018] Your cert key is in /tmp/acme/brit-hotel-fumel.net//brit-hotel-fumel.net/brit-hotel-fumel.net.key (but we don't care !!)
[Mon Feb 5 17:31:37 CET 2018] The intermediate CA cert is in /tmp/acme/brit-hotel-fumel.net//brit-hotel-fumel.net/ca.cer (but we don't care !!)
[Mon Feb 5 17:31:37 CET 2018] And the full chain certs is there: /tmp/acme/brit-hotel-fumel.net//brit-hotel-fumel.net/fullchain.cer (but we don't care !!)
[Mon Feb 5 17:31:37 CET 2018] Run reload cmd: /tmp/acme/brit-hotel-fumel.net/reloadcmd.sh (we care !!)

IMPORT CERT brit-hotel-fumel.net, /tmp/acme/brit-hotel-fumel.net/brit-hotel-fumel.net/brit-hotel-fumel.net.key, /tmp/acme/brit-hotel-fumel.net/brit-hotel-fumel.net/brit-hotel-fumel.net.cer
update cert![Mon Feb 5 17:31:38 CET 2018] Reload success
Normally, the horror part starts now: integrating the cert into the web servers (mail servers, any servers).
But pfSense makes this all so easy.
> It tells me some places where some files are deployed.
Go to System => Certificate Manager => Certificates and check out the tab called "Certificates".
You should find this: see image.

You could use it like this:
Go to System => Advanced => Admin Access and switch from http to https, and select your new certificate from Let's Encrypt in the list.
Validate.

« Last Edit: February 05, 2018, 10:36:49 am by Gertjan »

-flo-
Re: Got an LE certificate -- really?
« Reply #2 on: February 05, 2018, 10:57:37 am »
Okay, this is exactly how I tried this. The response from acme looked very much like yours, including the -----BEGIN CERTIFICATE----- etc. part. But the last line is this:

[Mon Feb 5 17:06:04 CET 2018] Call hook error.

Something went wrong here, but what is it?

In the certificates there is no certificate, see attachment. When I selected this, pfSense replaced it with a self-signed certificate every time.

-flo-
Re: Got an LE certificate -- really?
« Reply #3 on: February 05, 2018, 11:05:07 am »
Guess what: I manually imported the certificate from the files and this works now!

So it boils down to the question: Why did the acme package not finish the job?
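
The files Gertjan's output lists (`<domain>.key`, `<domain>.cer`, `ca.cer`, `fullchain.cer`) are what -flo- imported by hand in reply #3. Before doing such a manual import it is worth checking that the files actually belong together: that the key matches the certificate, that the certificate chains to the intermediate in `ca.cer` and covers the domain, that it has not expired, and that `fullchain.cer` starts with the same leaf. The script below is an added example written for this page, not code from the thread or from the pfSense acme package. It assumes those four file names sit in one directory, that the `openssl` command line tool is available, and a script name of `check-acme.sh`; the directory and domain in the usage line are taken from Gertjan's output above.

```sh
#!/bin/sh
# Added example (not from the thread or the pfSense acme package): check that
# the files acme.sh reports under /tmp/acme/<domain>/<domain>/ belong together
# before importing them by hand into System > Certificate Manager.
# Assumes the file names acme.sh printed (<domain>.key, <domain>.cer, ca.cer,
# fullchain.cer) in one directory, and the openssl command line tool.

# check_acme_cert DIR DOMAIN
# Exit status 0 only if every check passes; each failed check prints one line.
check_acme_cert() {
  dir=$1
  domain=$2
  rc=0
  key="$dir/$domain.key"
  cer="$dir/$domain.cer"
  ca="$dir/ca.cer"
  chain="$dir/fullchain.cer"

  for f in "$key" "$cer" "$ca" "$chain"; do
    [ -s "$f" ] || { echo "FAIL: missing or empty: $f"; return 2; }
  done

  # 1. Key/certificate pairing: derive the public key from the private key and
  #    compare it with the public key embedded in the certificate (RSA or EC).
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  cpub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null || true)
  if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
    echo "FAIL: $key does not match $cer"; rc=1
  fi

  # 2. Chain and name: the leaf must be signed by ca.cer (an intermediate, so
  #    -partial_chain lets it act as the trust anchor) and must cover DOMAIN
  #    through its subjectAltName.
  if ! openssl verify -partial_chain -CAfile "$ca" -verify_hostname "$domain" \
        "$cer" >/dev/null 2>&1; then
    echo "FAIL: $cer does not verify for $domain against $ca"; rc=1
  fi

  # 3. Validity: -checkend 0 fails once the certificate has already expired.
  if ! openssl x509 -in "$cer" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $cer has expired"; rc=1
  fi

  # 4. fullchain.cer must begin with this leaf (openssl reads only the first
  #    PEM block of the file), otherwise a chain file built for another
  #    certificate was picked up.
  lfp=$(openssl x509 -in "$cer" -noout -fingerprint -sha256 2>/dev/null || true)
  cfp=$(openssl x509 -in "$chain" -noout -fingerprint -sha256 2>/dev/null || true)
  if [ -z "$lfp" ] || [ "$lfp" != "$cfp" ]; then
    echo "FAIL: first certificate in $chain is not $cer"; rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: $(openssl x509 -in "$cer" -noout -subject -issuer -enddate | tr '\n' ' ')"
  fi
  return "$rc"
}

# Stand-alone use, with the paths from the acme.sh output quoted earlier:
#   sh check-acme.sh /tmp/acme/brit-hotel-fumel.net/brit-hotel-fumel.net brit-hotel-fumel.net
if [ $# -eq 2 ]; then
  check_acme_cert "$1" "$2"
fi
```

A clean run prints one `OK:` line with subject, issuer and expiry; anything else names the file that is wrong. Import `<domain>.cer` with `<domain>.key` as the certificate and `ca.cer` separately as a CA if pfSense needs the intermediate, not `fullchain.cer` as the certificate, which is exactly what check 4 guards against.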

Gertjan
Re: Got an LE certificate -- really?
« Reply #4 on: February 05, 2018, 03:43:07 pm »
Have a look here: /tmp/acme/...... You will find several files, directories and more files.
There is a log file that traces the entire procedure.
Hopefully with some more info.
Btw: log files are always useful as soon as the word "error" pops up.

I guess, from what I can make of what you gave ("hook error"), that all the cert files are there, somewhere in /tmp/acme/, and that they just needed to be integrated into pfSense.
Strange if that fails; works for me every time.

Btw: latest pfSense and latest acme version, right?


-flo-
Re: Got an LE certificate -- really?
« Reply #5 on: February 06, 2018, 12:23:52 am »
> [...] /tmp/acme/...... [...] There is a log file that traces the entire procedure.
> Hopefully with some more info.

No, nothing additional to the output in the GUI after the line "Call hook error."

> Btw: latest pfSense and latest acme version, right?

Well, no. I have pfSense 2.4, while the acme package is installed with the latest version. This may be the reason, but the package claimed to be compatible. I will try this after an update to the latest 2.4, but I tend to stay behind the latest pfSense version.

I'll make a reminder to update this thread once I have checked after an update.

jimp (Administrator)
Re: Got an LE certificate -- really?
« Reply #6 on: February 06, 2018, 08:10:13 am »
The package is only kept up-to-date on the most recent x.y.z release branch and sometimes one behind for significant security issues.

So unless you're on 2.4.2 or 2.4.2-p1 you are using an outdated package and most likely your problem is from that.

If you can reproduce the problem on 2.4.2-p1 or a 2.4.3 snapshot then we can investigate more.

There is another large update coming for the ACME package as Let's Encrypt is rolling out ACME v2 this month with support for wildcard certificates. I have a working test version here that I may be pushing to 2.4.3 development snapshots this week.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Gertjan
Re: Got an LE certificate -- really?
« Reply #7 on: February 06, 2018, 10:31:55 am »
> [Mon Feb 5 17:06:04 CET 2018] Call hook error.
This is the place where the error is flagged:
https://github.com/pfsense/FreeBSD-ports/blob/730d06a104acfa87dd8e919e894aec275cfc3826/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme.sh#L3963

That moment is pretty special, as 99 % of the work is done, and the only thing that remains to do is copying the cert info into the "pfSense GUI" (lines 3969 etc.); after that, all is ok.
As you said, you found the certs in /tmp/acme/....
You did by hand what lines 3969 etc. do.

The why part, I don't know. Maybe related to the method you chose. In my case $_post_hook and $_pre_hook are empty, so
Code:
_on_issue_success "$_post_hook" "$_renew_hook"
does not return "0" or false, which triggers the error for you.


-flo-
Re: Got an LE certificate -- really?
« Reply #8 on: February 06, 2018, 12:43:29 pm »
Those hooks are empty in my case also. But anyway, the code continues after the warning. "Something" gets added to the certificate after all, but it's only garbage ...

I'll see after an update; I checked the Release Notes of 2.4.1 and 2.4.2 today.

Gertjan
Re: Got an LE certificate -- really?
« Reply #9 on: February 06, 2018, 03:49:58 pm »
About 2.4.2 : it rocks (for me).

-flo-
Re: SOLVED! Got an LE certificate -- really?
« Reply #10 on: February 11, 2018, 08:11:16 am »
2.4.2_1 rocks here now also.

And the acme script actually works. So the problem I had is confirmed to be an incompatibility between versions.

Is there, btw., any way to remove unused certificates from pfSense?

thekorn
Re: Got an LE certificate -- really?
« Reply #11 on: February 19, 2018, 04:04:50 pm »
> The package is only kept up-to-date on the most recent x.y.z release branch and sometimes one behind for significant security issues.
>
> So unless you're on 2.4.2 or 2.4.2-p1 you are using an outdated package and most likely your problem is from that.
>
> If you can reproduce the problem on 2.4.2-p1 or a 2.4.3 snapshot then we can investigate more.

I'm on 2.4.2-p1 and I'm having this exact issue. (Lucky googlin' brought me here!) I, too, am getting the call hook error, and only the private key showing up in the certificate manager, with no way to delete it.

Happy to give you any logs you want, just don't know what would be useful.  (I have very little experience with certificates and CAs, so bear with!)

optic
Re: SOLVED! Got an LE certificate -- really?
« Reply #12 on: Yesterday at 05:54:25 am »
Um, Google led me here for this too...

On a fresh 2.4.2-RELEASE-p1, acme package 0.1.34, DNS-Manual validation.

Same symptoms as above: renew goes ok, gives locations of certs, but then "Call Hook Error" with nothing more in the logs and only the private key in the cert manager.

Manually importing into cert manager works.

Anything I can try, to pin this down?

jimp (Administrator)
Re: SOLVED! Got an LE certificate -- really?
« Reply #13 on: Yesterday at 07:25:55 am »
Since the OP in this thread is solved and working now, I'm locking this one. There is another open thread to use for similar symptoms here:

https://forum.pfsense.org/index.php?topic=144321.0