ACME (Let's Encrypt) Can't Validate Certs via HTTP (Create domain key error) #1192
I seem to be having an issue validating certificates via HTTP validation on OPNsense 19.1
Log on First Cert creation, and issue attempt: https://pastebin.com/7rWWHRXW
Select Cert and Click Issue Certificate again: https://pastebin.com/xx9pRMpB
My IP address is correct, DNS to my OPNsense Public IP is correct.
Thanks, I'd like to help more directly myself, maybe I can take a look at the source script, but I'm unsure which one OPNsense is currently using in its active branch.
Also the logs don't seem to:
You'd expect all these events to show in the log, service enabled/disabled, CSR created but not sent, etc.
Just food for thought on my first couple attempts using this plugin...
Thanks Neilpang! I'm assuming I simply run check for updates on my OPNsense server?
I'll give a try right now. :D
Alright, this does appear to be resolved, as I now get more detailed information in the logs... however I'm still not sure why it's failing now: here are the lines I get now when it is failing:
[Mon Feb 18 22:48:09 UTC 2019] opn.zewwy.ca:Verify error:Fetching (edited to remove hyperlink)h[t]tp://opn.zewwy.ca/.well-known/acme-challenge/Ls0lVWwDMThzC3kHqES05gI2Yo7yW2sODLXJ4XuvQRU: Timeout during connect (likely firewall problem)
alrighty, attempt to access the OPNsense webserver for validation...
ugh.... DNS rebind attack .... what?
OMG... I forgot to change the MGMT UI port!!! changing via System -> Administration...
YEAH!!!! FINALLY!!! WOOOOOOOOOOOOO!
Thank you NEILPANG!
No, FreeBSD ports is lagging behind. I can try to update their port next week.…
On 18. Feb 2019, at 22:48, Zewwy wrote: Thanks Neilpang! I'm assuming I simply run check for updates on my OPNsense server? I'll give a try right now. :D
Sorry didn't quite follow that. :)
From my testing of a regular OPNsense server with a direct public IP address, the Create Domain Key error was passed. I wasn't sure if this was due to an actual change in the script, or me trying a different account email address under the accounts area.
I'll be doing a bit more testing with my other OPNsense VM that is behind a NAT. I will report my results.
Ugh... so I figured it might have been my firewall that is doing the NATing, and I decided to quickly create an HAproxy backend server pointing to a very basic IIS server. I was able to access it via the WAN IP of the OPNsense server (before the firewall's NAT), but I was unable to access it from the internet.
So I adjusted my firewall access rule (security rule, as the NAT rule was fine), and I was able to access the IIS server behind the OPNsense server via the firewall NAT. Which meant the internet access from the outside world to my OPNsense was again perfectly fine at this point.
So I figured I had it covered. Re-configured the OPNsense server (just like I did the one that has a public IP and is working), but it still fails with the exact same vague error:
Can not create domain Key.... I've tried this now 100 times!
Well, I don't have them or I deleted them (cause it kept saying validation failed) and am trying again. How do I get past this?
Just an FYI: I ran CertBot for my WordPress against my main domain (zewwy.ca) which has a different IP address than the other certs I did above.
Then I attempted my NATed OPNsense which failed, then I attempted a non-NATed, directly public IP based OPNsense, which was the first one I reported that failed at the beginning of this post (opn.zewwy.ca). Which always does the same thing: first click the log goes up to "ACCOUNT_THUMBPRINT=", then second click went up to domain key failed. So even my first attempts for this still failed the exact same way, it wasn't till you told me to try again that it amazingly worked, and I have no idea what changed.... (clicking the valid cert, and clicking re-issue works)
Then I tried again with my NATed OPNsense behind my firewall with yet a different public IP, again NATed (on port 80) to the OPNsense server (sync.zewwy.ca). Which was my most recent log posts you told me the certificate already exists. What do I have to do? Create a whole new DNS record for this now? Test2.zewwy.ca? When are there certificate collisions? Any records under the same domain? E.g. test1.zewwy.ca, test2.zewwy.ca can't be made if a cert already exists for zewwy.ca?
I'm going to create a couple new records on my DNS provider portal right now (all pointing to the Public IP address on my Firewall that has a port 80 NAT rule to send those HTTP requests to the OPNsense's WAN IP), I hope the 3 hours will be enough. This way they should be "all new requests" and there shouldn't be an existing domain certificate?
Ok... so it turns out it was my firewall!! The one doing the NAT, and the security rules.
So basically it turns out:
If in the acme script log (running "tail -f /var/log/acme.sh.log") you'll notice:
The script hangs at [DATESTAMP] ACCOUNT_THUMBPRINT=
If this happens there's a firewall issue preventing the Let's Encrypt servers from accessing the required web services created by the service.
What I did to resolve this (even though I had opened up the firewall rule I had initially and had it working with an IIS web site and the HAproxy plugin and figured this was good enough for the validations to succeed): at this point my firewall was literally the only thing I could think of as the culprit... and it was, by opening up the security rule (completely open wayyyyyyyy more than I would have ever wanted) and attempting to create and validate another cert finally worked!
One last thing I noticed about this.... I had my rule created like I usually did (that would cause domain key error and cert validation failure).
Then when I opened the rule to allow the traffic it succeeded in the certificate validation when I was monitoring the logs. Which is awesome.
However the cert in the OPNsense UI still says validation failed? I know the cert actually succeeded per the acme.sh.log file.
Any idea why the UI doesn't correct itself?
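The diagnosis the thread arrives at (the acme.sh log stopping at the ACCOUNT_THUMBPRINT= line means Let's Encrypt never reached the HTTP-01 challenge on port 80, a firewall or NAT problem rather than a key problem) can be checked from a shell before touching any rules. The script below is an added example, not code from the os-acme-client plugin or from anyone in this thread; it assumes the log path from the thread (/var/log/acme.sh.log), that curl is installed on the box running the probe, and uses a constructed token name in the challenge URL.

```shell
#!/bin/sh
# Added example: two checks for the "hangs at ACCOUNT_THUMBPRINT=" symptom.
# Not part of the os-acme-client plugin; assumptions noted inline.

# acme_log_hung LOGFILE
# True (exit 0) when the last non-empty line of the acme.sh log is the
# ACCOUNT_THUMBPRINT= line: the account was registered but no challenge
# result was ever logged. Per the thread this points at inbound port 80
# being blocked (firewall/NAT), not at domain-key generation.
acme_log_hung() {
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case "$last" in
        *ACCOUNT_THUMBPRINT=*) return 0 ;;
        *) return 1 ;;
    esac
}

# challenge_reachable HOST [PORT]
# Probe the HTTP-01 challenge path from outside the NAT, the way the
# Let's Encrypt validators would. The token name is a constructed value;
# a 404 still proves the path is reachable, while curl's "000" means the
# connection itself failed, i.e. the "Timeout during connect (likely
# firewall problem)" error seen in the thread. Assumes curl is installed.
challenge_reachable() {
    host=$1
    port=${2:-80}
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
        "http://$host:$port/.well-known/acme-challenge/connectivity-probe-example")
    [ "$code" != "000" ]
}

# Usage (run from a host outside your own network for the probe):
#   acme_log_hung /var/log/acme.sh.log && echo "log stuck at ACCOUNT_THUMBPRINT="
#   challenge_reachable opn.example.org || echo "port 80 not reachable from here"
```

Run the log check on the OPNsense box and the reachability probe from a machine on the public internet; if the first is true and the second fails, the fix is the inbound port 80 rule (or the NAT forward in front of it), exactly as the thread concludes, and the security rule can be scoped to TCP/80 only rather than opened wide.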