pfSense bugtracker: Issues (https://redmine.pfsense.org/, 2024-02-26T09:51:00Z)
pfSense Packages - Bug #15292 (New): Certificate renewal with 'dns_inwx.sh' not working: Error ad... (https://redmine.pfsense.org/issues/15292, 2024-02-26T09:51:00Z, Lorenzo Marroccoli)
<p>Hello,</p>
<p>We use the Acme package to obtain a wildcard certificate for our domain. It has always worked well. <br />Lately, the renewal process has failed, as dns_inwx.sh is no longer able to add the necessary TXT record via the API of the DNS provider INWX.<br />It started failing about five days ago and since then it has failed once a day within the cron-scheduled job. I tried manual renewal via the GUI as well, same result.</p>
<p>The relevant log file is attached. (The domain has been redacted in the logs to somedomain.com.)</p>
pfSense Packages - Bug #15229 (New): ACME DNS-Selfhost verification issues (https://redmine.pfsense.org/issues/15229, 2024-02-03T07:50:08Z, STefan Graf)
<p>When using Selfhost.de DNS verification and entering the requested information, the renewal is not working.<br />To make it work the following amendments are required:</p>
<p>1. Update /usr/local/pkg/acme/acme.inc - line 1317</p>
<pre><code class="php syntaxhl">$acme_domain_validation_method['dns_selfhost'] = array('name' => "DNS-Selfhost",
	'fields' => array(
		'SELFHOSTDNS_USERNAME' => array('name' => "selfhostdns_username", 'columnheader' => "Username (customer number - not email address or DynDNS account)", 'type' => "textbox",
			'description' => "Username"
		),
		'SELFHOSTDNS_PASSWORD' => array('name' => "selfhostdns_password", 'columnheader' => "Password", 'type' => "password",
			'description' => "Password"
		),
		'SELFHOSTDNS_MAP' => array('name' => "selfhostdns_map", 'columnheader' => "RecordID (found in brackets when editing the record)", 'type' => "textbox",
			'description' => "SELFHOSTDNS_MAP"
		)
	));
</code></pre>
<p>2. Additionally, the password requires conversion so that it does not break the URL syntax.<br /> For example, the '#' character needs to be converted to '%23'.</p>
pfSense Packages - Bug #15061 (New): acme.sh nsupdate with challengealias is failing (https://redmine.pfsense.org/issues/15061, 2023-12-04T17:57:02Z, Seyfidin Hamraoui)
<p>When using nsupdate with challengealias, the wrong filename is used, and therefore the script fails.</p>
<pre><code class="shell syntaxhl">[Mon Dec 4 03:48:50 CET 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Mon Dec 4 03:48:50 CET 2023] Using pre generated key: /tmp/acme/domain/domain.de/domain.de.key.next
[Mon Dec 4 03:48:50 CET 2023] Generate next pre-generate key.
[Mon Dec 4 03:48:51 CET 2023] Single domain='domain.de'
[Mon Dec 4 03:48:51 CET 2023] Getting domain auth token for each domain
[Mon Dec 4 03:48:54 CET 2023] Getting webroot for domain='domain.de'
[Mon Dec 4 03:48:54 CET 2023] Adding txt value: gVr0HUKsGuBvrO7Iz-Ks-hfVuo0YAU0qBilM1cj6fW8 for domain: dns.domain.de
[Mon Dec 4 03:48:54 CET 2023] key /tmp/acme/DOMAIN/domain.densupdatedns.domain.de.key is unreadable
[Mon Dec 4 03:48:54 CET 2023] Error add txt for domain:dns.domain.de
[Mon Dec 4 03:48:54 CET 2023] Please check log file for more details: /tmp/acme/DOMAIN/acme_issuecert.log
</code></pre>
<p>Expected correct filename => /tmp/acme/DOMAIN/domain.densupdatedns.domain.de.key<br />Actual wrong filename => /tmp/acme/DOMAIN/domain.densupdate_acme-challenge.dns.domain.de.key</p>
<p><a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1330">https://github.com/pfsense/FreeBSD-ports/pull/1330</a></p>
pfSense Packages - Bug #14815 (New): ACME.sh ignores Certificates in Trust Store (https://redmine.pfsense.org/issues/14815, 2023-09-27T16:02:59Z, Hannes Gebhart)
<p>ACME.sh does not trust the certificates in /etc/ssl/certs. This is a problem when you add a custom ACME provider. <br />Curl refuses to connect to the web address because it finds it insecure.<br />I think it relates to this problem: <a class="external" href="https://redmine.pfsense.org/issues/12737">https://redmine.pfsense.org/issues/12737</a><br />I also opened a github pull request with a working fix: <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1299">https://github.com/pfsense/FreeBSD-ports/pull/1299</a></p>
pfSense Packages - Bug #14796 (New): ACME for domain registrar INWX in Germany (https://redmine.pfsense.org/issues/14796, 2023-09-19T22:15:55Z, K. K.)
<p>I am using ACME with INWX in Germany and automatic renewal has worked up to (at least) 11 July 2023. The latest renewal, however, no longer worked despite no changes to the pfSense system. I got in contact with the INWX support and they said that their API now also supports HTTP/2 while previously they only offered HTTP/1 and 1.1. Their explanation for the issue was as follows:</p>
<p>HTTP/1 and 1.1 both support uppercase parameters, whilst HTTP/2 automatically converts those to lowercase, which results in ACME being unable to store the cookie, thus losing access to the system.</p>
<p>Their initial suggestion was to update to the latest version of ACME - which I did (in one go for both pfSense to 2.7 CE and ACME to 0.7.5). Unfortunately, the problem persisted after the update, but they then provided me with a quick solution as follows:</p>
<p>In the dns_inwx.sh script there is one line, line 197, which needs to be changed slightly, as follows:</p>
<pre>
OLD LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
NEW LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
</pre>
<p>In other words: the grep in the sequence '| grep "^Set-Cookie:" |' needs to be made case-insensitive and thus read '| grep -i "^Set-Cookie:" |'.</p>
<p>After this small change, the renewal of certificates again works as before and the problem appears to be solved.</p>
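The two grep variants from this report, run against constructed HTTP/1.1 and HTTP/2 response-header dumps, as an added example that is neither acme.sh's nor the reporter's code; plain tail and grep -E stand in for the acme.sh helpers _tail_n and _egrep_o, and the cookie values are made up:

```shell
#!/bin/sh
# Added example, not acme.sh's own code: extract the INWX "domrobot" session
# cookie from a saved response-header file the way dns_inwx.sh does, and show
# why the match must be case-insensitive. Over HTTP/1.1 the server sends
# "Set-Cookie:"; over HTTP/2 header names arrive lowercased ("set-cookie:"),
# so the case-sensitive grep captures nothing and the login cookie is lost.
# tail -n / grep -Eo stand in for the acme.sh helpers _tail_n / _egrep_o.

# Constructed sample header dumps (cookie values are made up).
HDR_H1=$(mktemp)
HDR_H2=$(mktemp)
trap 'rm -f "$HDR_H1" "$HDR_H2"' EXIT
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nSet-Cookie: domrobot=abc123; Path=/; HttpOnly\r\n\r\n' > "$HDR_H1"
printf 'HTTP/2 200 \r\ncontent-type: application/json\r\nset-cookie: domrobot=xyz789; path=/; httponly\r\n\r\n' > "$HDR_H2"

# OLD line from the report: case-sensitive header-name match.
inwx_cookie_old() {
  printf "Cookie: %s" "$(grep "domrobot=" "$1" | grep "^Set-Cookie:" | tail -n 1 | grep -Eo 'domrobot=[^;]*;' | tr -d ';')"
}

# NEW line from the report: grep -i also matches "set-cookie:".
inwx_cookie_new() {
  printf "Cookie: %s" "$(grep "domrobot=" "$1" | grep -i "^Set-Cookie:" | tail -n 1 | grep -Eo 'domrobot=[^;]*;' | tr -d ';')"
}

# Guard for a renewal script: fail loudly if no cookie was captured instead of
# sending an empty "Cookie: " header and failing later with a confusing error.
check_cookie() {
  case "$1" in
    "Cookie: domrobot="?*) return 0 ;;
    *) echo "no domrobot cookie captured" >&2; return 1 ;;
  esac
}

echo "HTTP/1.1, old: $(inwx_cookie_old "$HDR_H1")"
echo "HTTP/2,   old: $(inwx_cookie_old "$HDR_H2")"
echo "HTTP/2,   new: $(inwx_cookie_new "$HDR_H2")"
```

The old variant returns an empty cookie header for the HTTP/2 dump, which is the symptom the reporter saw; the guard turns that into an immediate, visible failure.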
<p>BTW, the (original) source code on github under <a class="external" href="https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_inwx.sh">https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_inwx.sh</a> also contains the "grep -i" command on line 197, though I have not checked whether there are other changes in that file.</p>
pfSense Packages - Feature #13292 (New): Separator (https://redmine.pfsense.org/issues/13292, 2022-06-21T12:06:28Z, Marc Mapplebeck)
<p>It'd be really nice if there was a way to add a separator to the certificates list in the ACME package. Nothing fancy, similar to the separator option on the NAT and Rules pages.</p>
pfSense Packages - Bug #12670 (New): ACME package writes credentials to system log (https://redmine.pfsense.org/issues/12670, 2022-01-09T06:26:28Z, Florian Apolloner (florian@apolloner.eu))
<p>The acme renewal cron currently dumps the config into the system log:</p>
<pre>
<13>1 2022-01-09T03:57:32.299169+01:00 fw01.xxx.lan ACME 93105 - - ## Its time to renew ##
<13>1 2022-01-09T03:57:32.299183+01:00 fw01.xxx.lan ACME 93105 - - Renewing certificate
<13>1 2022-01-09T03:57:32.299198+01:00 fw01.xxx.lan ACME 93105 - - account: xxx
<13>1 2022-01-09T03:57:32.299212+01:00 fw01.xxx.lan ACME 93105 - - server: letsencrypt-production-2
<13>1 2022-01-09T03:57:32.300864+01:00 fw01.xxx.lan ACME 93105 - -
<13>1 2022-01-09T03:57:32.300896+01:00 fw01.xxx.lan ACME 93105 - - /usr/local/pkg/acme/acme.sh --issue --domain '*.infra.xxx.co.at' --dns 'dns_inwx' --home '/tmp/acme/infra.xxx.co.at/' --accountconf '/tmp/acme/infra.xxx.co.at/accountconf.conf' --force --reloadCmd '/tmp/acme/infra.xxx.co.at/reloadcmd.sh' --log-level 3 --log '/tmp/acme/infra.xxx.co.at/acme_issuecert.log'
<13>1 2022-01-09T03:57:32.300916+01:00 fw01.xxx.lan ACME 93105 - - Array
<13>1 2022-01-09T03:57:32.300931+01:00 fw01.xxx.lan ACME 93105 - - (
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - - [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300958+01:00 fw01.xxx.lan ACME 93105 - - [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - - [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Password] => YYY
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Shared_Secret] =>
<13>1 2022-01-09T03:57:32.301013+01:00 fw01.xxx.lan ACME 93105 - - )
<13>1 2022-01-09T03:57:38.616297+01:00 fw01.xxx.lan ACME 93105 - - [Sun Jan 9 03:57:33 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
</pre>
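A redaction filter for a dump of this shape, as an added example that is not part of the ACME package or of this report; the secret-like key-name patterns and the sample values are constructed assumptions:

```shell
#!/bin/sh
# Added example, not the ACME package's own code: mask credential values in
# the print_r()-style environment dump that the renewal cron writes to syslog,
# so key names stay visible for troubleshooting but secret values do not.
# The secret-like key-name patterns are an assumption; extend them for the
# DNS API provider you use.

# Constructed sample lines modelled on the report (values are made up).
SAMPLE='<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - - [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Password] => hunter2
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Shared_Secret] => totp-seed
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - - [PATH] => /etc:/bin:/sbin'

# Replace everything after "=>" when the bracketed key name contains a
# secret-like word; other keys (PATH, user names) pass through unchanged.
redact_secrets() {
  sed -E 's/(\[[^]]*([Pp]ass|[Ss]ecret|[Tt]oken|[Kk]ey)[^]]*\] => ).*/\1[REDACTED]/'
}

# Count lines that still carry a non-empty, unredacted value for a secret-like
# key: a check on filtered output, or a detection run over existing syslog
# files to find past renewals that already leaked credentials.
count_exposed() {
  awk 'tolower($0) ~ /\[[^]]*(pass|secret|token|key)[^]]*\] => / &&
       $0 !~ /=> (\[REDACTED\])? *$/ { n++ }
       END { print n + 0 }' "$@"
}

printf 'before: %s exposed value(s)\n' "$(printf '%s\n' "$SAMPLE" | count_exposed)"
printf '%s\n' "$SAMPLE" | redact_secrets
```

Run over a real syslog file, count_exposed gives a quick answer to whether the leak already happened on a given box, which matters for deciding whether the DNS API credentials should be rotated.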
<p>IMO this array shouldn't be spit out as it leaks information.</p>
pfSense Packages - Bug #12623 (New): acme.sh package | DNS-ISPConfig settings (https://redmine.pfsense.org/issues/12623, 2021-12-21T04:43:49Z, Karsten Deubert)
<p>We are running pfSense 2.5.2 on a qemu-based virtual machine.</p>
<p>The acme.sh package is used to generate LetsEncrypt certificates; in our case we want to create a wildcard certificate, so we need a DNS challenge.<br />Our DNS provider is DNS-ISPConfig based.</p>
<p>While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.</p>
<p>The error we always get from pfSense UI based certificate renewal is:</p>
<pre>
[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org
</pre>
<p>From the package output it seems like the ISPConfig settings are provided as environment variables:</p>
<pre>
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[ISPC_User] => ispconfig_secret_user_name
[ISPC_Password] => ispconfig_secret_password
[ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
[ISPC_Api_Insecure] =>
)
</pre>
<p>We also saw that there is an --accountconfig used, and checked its contents:</p>
<pre>
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
</pre>
<p>As a <strong>workaround</strong> we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.</p>
<p>The accountconf file looks like this after the manual change:</p>
<pre>
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'
</pre>
<p>We suspect that something with supplying the options via ENV is broken (then it might possibly need a bug report in the acme.sh project?), or the configuration could be moved to the accountconf file, because that way it already seems to work.</p>
pfSense Packages - Feature #11827 (New): Please include acme deploy folder/scripts (https://redmine.pfsense.org/issues/11827, 2021-04-20T16:07:32Z, Pete Holzmann)
<p>The acme project includes a <code>deploy</code> folder with several dozen scripts available to the --deploy-hook switch.</p>
<p>pfSense has no GUI for this. I understand. But <strong>it would be very helpful to NOT remove that folder from the installed package.</strong></p>
<p>It would greatly help to be able to use the already-installed version of acme.sh in pfSense to create post-renewal deployment scripts for devices on the LAN. (Especially considering that pfSense's acme package already can easily manage cert setup and renewal.)</p>
pfSense Packages - Feature #11826 (New): Preserve acme SAN Method parameters for new cert creations (https://redmine.pfsense.org/issues/11826, 2021-04-20T14:02:39Z, Pete Holzmann)
<p>In a given environment, it is very likely that SAN Method parameters (e.g. API Token) will be identical for every SAN created.<br />Right now the user must manually retrieve the token from a previous cert, or from the API host.</p>
<p>It would be a nice UX bump to have the most recent such parameter already in place by default.</p>
pfSense Packages - Feature #9833 (New): ACME: add ability to use custom ACME server (https://redmine.pfsense.org/issues/9833, 2019-10-18T04:52:18Z, Filippo Tessarotto)
<p>Hi, in September 2019 the Smallstep company released a feature in their <ins>step-ca</ins> tool that allows it to serve a private CA responding to the ACMEv2 protocol:</p>
<p><a class="external" href="https://smallstep.com/blog/private-acme-server/">https://smallstep.com/blog/private-acme-server/</a></p>
<p>I would like to be able to specify in the <ins>ACME Server</ins> list my own custom server URL, i.e. <code>https://my-ca.local:8443/acme/acme/directory</code>.</p>
<p>Is this feasible?</p>
<p>Best regards, Filippo</p>
pfSense Packages - Bug #9348 (New): Results of Acme certificate issuance/renewal are not properly... (https://redmine.pfsense.org/issues/9348, 2019-02-22T12:08:48Z, Isaac McDonald)
<p>The results of an Acme certificate issuance/renewal aren't properly formatted. Even when there are no errors, the results look like a core dump, which diminishes confidence in the quality of this plugin.</p>
<p><strong>Steps to reproduce:</strong><br /><strong>1.</strong> Navigate to services ---> Acme Certificates<br /><strong>2.</strong> Click Add<br /><strong>3.</strong> Enter a name for the certificate and use foo.example.com as the domain name in the SAN list.<br /><strong>4.</strong> Use a DNS update method such as "DNS-NSUpdate / RFC 2136" or "DNS-ClouDNS" and enter bogus information<br /><strong>5.</strong> Click Save<br /><strong>6.</strong> Click "Issue renew" next to the certificate you just created.<br /><strong>7.</strong> Note the results of the cert issuance/renewal aren't properly formatted</p>
<p>See attached screenshot.</p>
pfSense Packages - Feature #9299 (New): ACME package : Automate add/remove firewall rule for port... (https://redmine.pfsense.org/issues/9299, 2019-01-30T22:09:58Z, Yuri Weinstein)
<p>Currently, if a user wants to forward port 80 (for the standalone method, for example) to a different port and also not keep this port open, he would have to add a NAT/rule + schedule for it.</p>
<p>It'd be very useful if the Acme UI and logic would, before checking for renewed certificates, add the NAT/rule, then run the certificate update and then automatically remove/disable the NAT/rule.</p>
pfSense Packages - Bug #8560 (New): ACME: can't update DNS records in DNSMadeEasy registrar for se... (https://redmine.pfsense.org/issues/8560, 2018-06-08T13:15:35Z, Alex Kolesnik (pfsenseorg3@temp.spb.ru))
<p>The API key/id of the 3rd domain is used for updating records of the 1st domain. Please see the attached screenshots.</p>
pfSense Packages - Bug #7453 (New): DNS-ovh needs to save or display consumer key (https://redmine.pfsense.org/issues/7453, 2017-04-06T10:54:06Z, Cédric Caron)
<p>The consumer key is generated at the first connection to OVH ([Thu Apr 6 17:46:00 CEST 2017] OVH consumer key is empty, Let's get one:) and needs to be saved for the next connections.</p>
<p>This can be done automatically if the field is empty in the settings, or by displaying the key to allow the user to fill in the parameter.</p>