
LetsEncrypt Prod Cer with DNS validation api key - Fails #6102

Open
blacks0cks1 opened this issue Nov 18, 2024 · 2 comments

Comments

@blacks0cks1

Steps to reproduce

The Issue is faced on OPNSENSE -

  1. New Certificate issue with DNS challenge works with "Let's Encrypt Test CA" (development) but the Browser throws Error code: SEC_ERROR_UNKNOWN_ISSUER. / net::ERR_CERT_AUTHORITY_INVALID ( ACME works fine but LetsEncrypt CA cert issue )

  2. New Certificate does not work with "Let's Encrypt Default" (Production), fails with error "AcmeClient: domain validation failed (dns01) "
    ( ACME script does not work )
    Debug log for Prod iteration -


System Log -
2024-11-18T18:33:06 | opnsense | AcmeClient: domain validation failed (dns01)

Acme Log -

2024-11-18T18:33:06 acme.sh [Mon Nov 18 18:33:06 +07 2024] response='{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ","status":"pending","token":"K65bgsYC9h6TuCElMBWrxdv4G7wNZsF1YQBynJ4J8AA"}'
    }'
    "token": "K65bgsYC9h6TuCElMBWrxdv4G7wNZsF1YQBynJ4J8AA"
    "status": "pending",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ",
    "type": "dns-01",
2024-11-18T18:33:06 acme.sh [Mon Nov 18 18:33:06 +07 2024] _j_str='{
2024-11-18T18:33:06 acme.sh [Mon Nov 18 18:33:06 +07 2024] _json_decode
    }'
    "token": "K65bgsYC9h6TuCElMBWrxdv4G7wNZsF1YQBynJ4J8AA"
    "status": "pending",
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ",
    "type": "dns-01",
2024-11-18T18:33:06 acme.sh [Mon Nov 18 18:33:06 +07 2024] original='{
2024-11-18T18:33:06 acme.sh [Mon Nov 18 18:33:06 +07 2024] code='200'
    '
    strict-transport-security: max-age=604800
    x-frame-options: DENY
    replay-nonce: q3AS6Q6n7chZOGbGQei4MHgKcF7rNI667Ln-eOI6MhAYzyfndB4
    location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ
    link: https://acme-v02.api.letsencrypt.org/acme/authz-v3/431802796127;rel="up"
    link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
    cache-control: public, max-age=0, no-cache
    boulder-requester: 1901126036
    content-length: 186
    content-type: application/json
    date: Mon, 18 Nov 2024 11:33:06 GMT
    server: nginx
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] POST
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] body='{"protected": "eyJub25jZSI6ICJ1c2Ytak1nWFJCbG1NdHJZTW1sYU92U3ptNWxzWk51N1lsbXVLMUFNaUkwQkFqNlZJMTgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzQzMTgwMjc5NjEyNy82T20tUFEiLCAiYWxnIjogIkVTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE5MDExMjYwMzYifQ", "payload": "e30", "signature": "k4Mipxj5COyXHCARaRI39NsRyPitEsTH2mLHXnUD2p5-K4dSK8chemLHXe0cCMHCLUGpZPLKBkF-kNxjL-RN5w"}'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] sig='k4Mipxj5COyXHCARaRI39NsRyPitEsTH2mLHXnUD2p5-K4dSK8chemLHXe0cCMHCLUGpZPLKBkF-kNxjL-RN5w'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _sig_t='k4Mipxj5COyXHCARaRI39NsRyPitEsTH2mLHXnUD2p5+K4dSK8chemLHXe0cCMHCLUGpZPLKBkF+kNxjL+RN5w=='
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _URGLY_PRINTF='1'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] xxd exists=127
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] base64 single line.
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _ec_s='7E2B87522BC7217A62C75DED1C08C1C22D41A964F2CA06417E90DC632FE44DE7'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _ec_r='938322A718F908EC971C2011691237F4DB11C8F8AD12C4C7DA62C75E7503DA9E'
    37:d=1 hl=2 l= 32 prim: INTEGER :7E2B87522BC7217A62C75DED1C08C1C22D41A964F2CA06417E90DC632FE44DE7'
    2:d=1 hl=2 l= 33 prim: INTEGER :938322A718F908EC971C2011691237F4DB11C8F8AD12C4C7DA62C75E7503DA9E
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _signedECText=' 0:d=0 hl=2 l= 69 cons: SEQUENCE
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] protected64='eyJub25jZSI6ICJ1c2Ytak1nWFJCbG1NdHJZTW1sYU92U3ptNWxzWk51N1lsbXVLMUFNaUkwQkFqNlZJMTgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzQzMTgwMjc5NjEyNy82T20tUFEiLCAiYWxnIjogIkVTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzE5MDExMjYwMzYifQ'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] base64 single line.
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] protected='{"nonce": "usf-jMgXRBlmMtrYMmlaOvSzm5lsZNu7YlmuK1AMiI0BAj6VI18", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ", "alg": "ES256", "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/1901126036"}'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] nonce='usf-jMgXRBlmMtrYMmlaOvSzm5lsZNu7YlmuK1AMiI0BAj6VI18'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Use _CACHED_NONCE='usf-jMgXRBlmMtrYMmlaOvSzm5lsZNu7YlmuK1AMiI0BAj6VI18'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _request_retry_times='1'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] payload64='e30'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Trigger domain validation.
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] start to deactivate authz
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _chk_vlist='*.DOMAIN.net#K65bgsYC9h6TuCElMBWrxdv4G7wNZsF1YQBynJ4J8AA.gTQ2g2O6hudGe0PfEVx9e8GA9TNk5sKqJ2vVPhvSTm0#https://acme-v02.api.letsencrypt.org/acme/chall-v3/431802796127/6Om-PQ#dns-01#dns_linode_v4#https://acme-v02.api.letsencrypt.org/acme/authz-v3/431802796127,'
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Please add '--debug' or '--log' to see more information.
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] _on_issue_err
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Error adding TXT record to domain: _acme-challenge.DOMAIN.net
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024]
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] APP
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Adding TXT value: eBFk-rjlrVSjm-xPVTggqrducvcrvF9Sg53LX3TqqIk for domain: _acme-challenge.DOMAIN.net
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] dns_linode_v4_add exists=0
2024-11-18T18:33:05 acme.sh [Mon Nov 18 18:33:05 +07 2024] Found domain API file: /usr/local/share/examples/acme.sh/dnsapi/dns_linode_v4.sh
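The log above shows the point at which the order fails: acme.sh has built the key authorization for the dns-01 challenge (the `token.thumbprint` pair in `_chk_vlist`) and derived the TXT value it wants to publish, but the DNS API call for `_acme-challenge.DOMAIN.net` returns an error, so the authorization is deactivated before the CA is ever asked to validate. A useful pre-flight check in such cases is to derive the expected TXT value yourself (RFC 8555 section 8.4: base64url of SHA-256 over `token "." thumbprint`, where the thumbprint is the RFC 7638 hash of the account public key) and confirm that a resolver actually returns it before triggering validation. The script below is an added example and is not acme.sh or OPNsense code; the token and thumbprint are taken from the `_chk_vlist` line in the log, the `SAMPLE_JWK` key coordinates are constructed placeholders (the page does not contain the account key), and `resolve` is a caller-supplied function so the check runs offline here and can be wired to a real DNS lookup in practice.

```python
"""DNS-01 pre-flight check: derive the expected _acme-challenge TXT value and
confirm a resolver returns it before asking the CA to validate.
Added example; not acme.sh or OPNsense code."""
import base64
import hashlib
import json
from typing import Callable, Iterable, List, Tuple

# Values as logged by acme.sh in the _chk_vlist line above (token.thumbprint).
PAGE_TOKEN = "K65bgsYC9h6TuCElMBWrxdv4G7wNZsF1YQBynJ4J8AA"
PAGE_THUMBPRINT = "gTQ2g2O6hudGe0PfEVx9e8GA9TNk5sKqJ2vVPhvSTm0"

# Constructed placeholder account key (ES256 / P-256 as in the log's "alg"):
# the coordinates are NOT a real key, they only exercise the thumbprint code.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url-not-a-real-key",
    "y": "placeholder-y-coordinate-base64url-not-a-real-key",
    "use": "sig",  # optional member: must be excluded from the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, exactly what _chk_vlist stores."""
    return f"{token}.{thumbprint}"


def expected_txt_value(token: str, thumbprint: str) -> str:
    """TXT record contents for dns-01: base64url(SHA-256(key authorization))."""
    ka = key_authorization(token, thumbprint).encode("ascii")
    return b64url(hashlib.sha256(ka).digest())


def challenge_name(domain: str) -> str:
    """'*.DOMAIN.net' and 'DOMAIN.net' both validate at _acme-challenge.DOMAIN.net."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def txt_record_status(observed: Iterable[str], expected: str) -> str:
    """Classify what the resolver returned relative to the value the CA will look for."""
    values = list(observed)
    if not values:
        return "missing"  # DNS API call failed, or the record has not propagated yet
    if expected in values:
        return "ok"       # other stale values alongside it are harmless
    return "stale"        # only old challenge values present: the CA will reject


def precheck(domain: str, token: str, thumbprint: str,
             resolve: Callable[[str], List[str]],
             attempts: int = 3, delay_s: float = 10.0,
             sleep: Callable[[float], None] = lambda s: None) -> Tuple[str, str, str, int]:
    """Poll the resolver until the expected TXT value appears or attempts run out.
    Returns (record name, expected value, final status, polls made)."""
    name = challenge_name(domain)
    expected = expected_txt_value(token, thumbprint)
    status, polls = "missing", 0
    for _ in range(attempts):
        polls += 1
        status = txt_record_status(resolve(name), expected)
        if status == "ok":
            break
        sleep(delay_s)  # give the zone time to propagate before re-checking
    return name, expected, status, polls


if __name__ == "__main__":
    # Constructed resolver standing in for a real lookup (e.g. dnspython):
    # it returns nothing, mirroring the failed TXT add in the log.
    name, value, status, polls = precheck("*.DOMAIN.net", PAGE_TOKEN, PAGE_THUMBPRINT,
                                          resolve=lambda _n: [], attempts=2)
    print(f"{name} should hold TXT {value!r}; resolver status after {polls} polls: {status}")
```

In a live run, replace the lambda with a function that queries a public resolver for TXT records of the returned name; for a real order the derived value must equal the one acme.sh prints in its "Adding TXT value" line, so a mismatch points at the wrong account key or a stale token rather than at DNS. A "missing" result after the DNS API step, as in this issue, means the record was never written and the API credentials or the dnsapi hook should be checked before retrying the order.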


Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@blacks0cks1
Author

Thanks that fixed the issue, interesting given that OpnSense was up to date.

Appreciated.
