security/acme-client: Issue with /var RAM disk option #884

Closed
daemongloom opened this issue Oct 1, 2018 · 7 comments
Labels: feature (Adding new functionality)

Comments

@daemongloom

The current acme-client domain configuration folder (/var/etc/acme-client/home/) is recreated after each reboot if the /var RAM disk option is enabled at "System: Settings: Miscellaneous", thus making renewal of the Let's Encrypt certificate impossible.
Either the location of the acme-client folder should be changed, or a warning should be added to the Let's Encrypt plugin settings.

@fichtner
Member

fichtner commented Oct 1, 2018

There's a third option: setting xxx_var_mfs="/var/etc/acme-client" in the rc.conf.d template

@fichtner fichtner added the feature Adding new functionality label Oct 1, 2018
@labor4

labor4 commented Oct 10, 2018

Thanks for finding this. I was lost.

@fichtner fichtner assigned fichtner and unassigned fraenki Oct 10, 2018
fichtner added a commit that referenced this issue Oct 10, 2018
@labor4

labor4 commented Oct 14, 2018

How is this working:
This seems to be under the 19.1d tag.
Will this be available via patch earlier? Or will you include it in the maint updates?
thanks!

@fabianfrz
Member

The opnsense-patch utility can download any patch from GitHub, so yes, it can.

opnsense-patch -c plugins cd14eff 

@fichtner
Member

It'll be in 18.7.5 tomorrow.

@EugenMayer

Actually, I'm having the same issue in 18.7.7.

[Mon Nov 19 12:29:41 CET 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Mon Nov 19 12:29:41 CET 2018] Use length 4096
[Mon Nov 19 12:29:41 CET 2018] Using RSA: 4096
[Mon Nov 19 12:29:54 CET 2018] The domain key is here: /var/etc/acme-client/home/XXXXXXX.key
[Mon Nov 19 12:29:54 CET 2018] Create domain key error.
[Mon Nov 19 12:29:54 CET 2018] pid
[Mon Nov 19 12:29:54 CET 2018] No need to restore nginx, skip.
[Mon Nov 19 12:29:54 CET 2018] _clearupdns
[Mon Nov 19 12:29:54 CET 2018] skip dns.
[Mon Nov 19 12:29:55 CET 2018] _on_issue_err
[Mon Nov 19 12:29:55 CET 2018] Please check log file for more details: /var/log/acme.sh.log
root@gateway:~ # tail -f /var/log/acme.sh.log
[Mon Nov 19 12:31:53 CET 2018] Use length 2048
[Mon Nov 19 12:31:53 CET 2018] Using RSA: 2048
[Mon Nov 19 12:31:54 CET 2018] The domain key is here: /var/etc/acme-client/home/XXXXXXX.key
[Mon Nov 19 12:31:54 CET 2018] Create domain key error.
[Mon Nov 19 12:31:54 CET 2018] pid
[Mon Nov 19 12:31:54 CET 2018] No need to restore nginx, skip.
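The two log excerpts above both end in "Create domain key error." right after acme.sh names the key path. The script below is an added example, not code from this thread, from acme.sh or from OPNsense: it pulls each failing key path out of acme.sh log text and reports whether the directory that should hold it is missing, which is what a freshly recreated /var looks like. The sample log lines are constructed after the ones pasted above; the timestamps and key file names are made up.

```shell
#!/bin/sh
# Added example, not code from acme.sh, OPNsense or this thread. Triage
# "Create domain key error" lines in an acme.sh log: find the key path
# acme.sh announced just before the error and check whether its directory
# exists. Sample log lines and key names below are constructed.

set -eu

# Read acme.sh log text on stdin; for each "Create domain key error" line,
# print the path from the preceding "The domain key is here:" line.
failed_domain_keys() {
    awk '
        /The domain key is here:/ { key = $NF }
        /Create domain key error/ && key != "" { print key; key = "" }
    '
}

# For each key path on stdin, print "<path> missing-dir" when its parent
# directory does not exist, otherwise "<path> dir-present".
classify_key_dirs() {
    while IFS= read -r key; do
        dir=${key%/*}
        if [ -d "$dir" ]; then
            printf '%s dir-present\n' "$key"
        else
            printf '%s missing-dir\n' "$key"
        fi
    done
}

# Constructed sample modelled on the log pasted in the thread; the second
# key lives under a throwaway directory so both outcomes can be shown.
SAMPLE_LOG='[Mon Nov 19 12:29:41 CET 2018] Use length 4096
[Mon Nov 19 12:29:41 CET 2018] Using RSA: 4096
[Mon Nov 19 12:29:54 CET 2018] The domain key is here: /var/etc/acme-client/home/example.com.key
[Mon Nov 19 12:29:54 CET 2018] Create domain key error.
[Mon Nov 19 12:29:54 CET 2018] No need to restore nginx, skip.
[Mon Nov 19 12:31:54 CET 2018] The domain key is here: /tmp/acme-demo/www.example.com.key
[Mon Nov 19 12:31:54 CET 2018] Create domain key error.'

# Run the sample through both stages and print one verdict per failed key.
triage() {
    printf '%s\n' "$SAMPLE_LOG" | failed_domain_keys | classify_key_dirs
}

triage
```

On a real box, replace the sample with `cat /var/log/acme.sh.log | failed_domain_keys | classify_key_dirs`; a "missing-dir" verdict for a path under /var/etc/acme-client points at the RAM disk problem from this issue, while "dir-present" means the key could not be written for some other reason and the SAN or DNS-01 configuration deserves a look instead.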

@EugenMayer

EugenMayer commented Nov 19, 2018

It might be somehow related to something we do in OPNsense, maybe a different issue.
I had foo.mydomain.tld as CN and www.foo.mydomain.tld as a SAN, and creating the key failed as seen above.

Removing the SAN 'fixed it'. Since this is for sure not an LE / acme.sh limitation (this works on my other platforms without any issues), it might be some wrapper in OPNsense.

If of interest: it's Cloudflare + DNS-01, 18.7.7, acme.sh 2.7.9.


6 participants