Bug #11501 (closed)
Daily acme "expiring soon" warnings about a test Let's Encrypt certificate that expired > 300 days ago
Description
When I set up acme on my pfSense box I used the same procedure as I would with a FreeBSD host; I created a test cert with the staging servers and once that was working I created a production cert and turned "off" the test cert.
When I upgraded from 2.4.5_1 to 21.02 I booted my spare box, upgraded it, and restored a config from the old 2.4.5_1 system. Since then I have received "expiring soon" messages from acme:
3:01:00 The following CA/Certificate entries are expiring:
Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (aaaaaa7dbaf4c): Expiring soon, in 23 days
Certificate: tester.example.com-test (aaaaaaf463c2f): Expired 393 days ago
I'm not sure if this is an acme package or 21.02 system issue.
Updated by Jim Pingle about 4 years ago
- Status changed from New to Not a Bug
Delete it, it's not needed. It's a leftover from previous ACME certificates.
Entries are never removed automatically.
Current ACME certs are signed by R3 or similar, the old X3 CA is retired.
Updated by Craig Leres about 4 years ago
Jim Pingle wrote:
Delete it, it's not needed. It's a leftover from previous ACME certificates.
Entries are never removed automatically.
Current ACME certs are signed by R3 or similar, the old X3 CA is retired.
How was I able to go 390+ days before upgrading to 21.02 without getting daily expiring messages? And it doesn't bother you that the message says both that the certificate is going to expire in 23 days and also that it expired 393 days ago?
Updated by Craig Leres about 4 years ago
And I should ask is there a way to delete the certificate but keep the test config in case I need to test in the future?
Updated by Jim Pingle about 4 years ago
Craig Leres wrote:
How was I able to go 390+ days before upgrading to 21.02 without getting daily expiring messages?
Expiration notices are new in 21.02/2.5.0
And it doesn't bother you that the message says both that the certificate is going to expire in 23 days and also that it expired 393 days ago?
You have two entries there.
Entry 1:
- Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (aaaaaa7dbaf4c): Expiring soon, in 23 days
Entry 2:
- Certificate: tester.example.com-test (aaaaaaf463c2f): Expired 393 days ago
That "tester.example.com" cert is the one that expired 393 days ago.
And I should ask is there a way to delete the certificate but keep the test config in case I need to test in the future?
Not sure what you mean here. You can renew the test cert if it's from an internal CA and you want to keep it around, or make a new test cert if it's from an external source. There is no reason to keep around the old ACME X3 cert, but you could take a config backup if you wanted to keep a copy.
Updated by Craig Leres about 4 years ago
Jim Pingle wrote:
Craig Leres wrote:
How was I able to go 390+ days before upgrading to 21.02 without getting daily expiring messages?
Expiration notices are new in 21.02/2.5.0
And it doesn't bother you that the message says both that the certificate is going to expire in 23 days and also that it expired 393 days ago?
You have two entries there.
Entry 1:
- Certificate Authority: Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US (aaaaaa7dbaf4c): Expiring soon, in 23 days
Entry 2:
- Certificate: tester.example.com-test (aaaaaaf463c2f): Expired 393 days ago
That "tester.example.com" cert is the one that expired 393 days ago.
I missed that; got it now, thanks.
And I should ask is there a way to delete the certificate but keep the test config in case I need to test in the future?
Not sure what you mean here. You can renew the test cert if it's from an internal CA and you want to keep it around, or make a new test cert if it's from an external source. There is no reason to keep around the old ACME X3 cert, but you could take a config backup if you wanted to keep a copy.
Given there is a button to enable/disable certificate renewal I wouldn't expect to be informed about certificates that are not "on". Maybe I want to pause renewal for months and then turn it back on? Anyway...
Updated by Craig Leres about 4 years ago
When you said, "Delete it" I thought deleting the acme config in the gui would fix it. But no, I did that and still get the expired warnings...
So if a user ever generates a Let's Encrypt certificate (either for testing or production) and later stops using it and turns it off in the GUI, perhaps even removes it from the config, it will eventually expire and then will generate expiry notifications until the user figures out how to log in to pfSense and manually remove it from the filesystem? (And hopefully not remove the wrong certificate?) That is in no way end-user-friendly.
Warnings about expired certificates are a good feature but the current implementation appears to have some rough edges.
Updated by Jim Pingle about 4 years ago
You delete the entry from the certificate manager, which is where the warning was generated. Not ACME.
Any further discussion must happen on the forum, Redmine is not the correct place for this.
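The behaviour discussed above, as an added example that is not part of the bug report or of the pfSense code: a small checker that reads OpenSSL `notAfter` lines for every entry in a certificate inventory and produces the two notification lines quoted in the report, showing why a long-expired test cert is reported every day alongside a CA that is merely expiring soon. The inventory, the refids, the dates, the "now" timestamp, the 30-day warning window and the optional `mute_expired_after` cutoff are all assumptions constructed for the example.

```python
from datetime import datetime, timezone
# Constructed inventory modelled on the two entries quoted in the report: entry type,
# display name, refid (placeholder values, as in the report) and the notAfter line that
# "openssl x509 -noout -enddate" prints for that certificate.
INVENTORY = [
    ("Certificate Authority",
     "Acmecert: O=Let's Encrypt, CN=Let's Encrypt Authority X3, C=US",
     "aaaaaa7dbaf4c", "notAfter=Mar 17 16:40:46 2021 GMT"),
    ("Certificate", "tester.example.com-test",
     "aaaaaaf463c2f", "notAfter=Jan 26 02:00:00 2020 GMT"),
]
# Constructed "now": the daily check firing at 03:01:00 UTC on 22 Feb 2021.
NOW = datetime(2021, 2, 22, 3, 1, 0, tzinfo=timezone.utc)

def parse_enddate(line):
    """Parse an OpenSSL 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def classify(not_after, now=NOW, warn_days=30):
    """Return ('expired', days_ago), ('expiring', days_left) or ('ok', days_left), in whole days."""
    if not_after <= now:
        return "expired", (now - not_after).days
    days_left = (not_after - now).days
    return ("expiring" if days_left <= warn_days else "ok"), days_left

def format_entry(kind, name, refid, state, days):
    """Render one line in the wording of the notification quoted in the report."""
    if state == "expired":
        return f"{kind}: {name} ({refid}): Expired {days} days ago"
    return f"{kind}: {name} ({refid}): Expiring soon, in {days} days"

def build_report(inventory=INVENTORY, now=NOW, warn_days=30, mute_expired_after=None):
    """Every inventory entry is examined whether or not it is still in use, so a long-expired
    test cert keeps being reported. mute_expired_after (days) is an assumed option, not a
    pfSense setting: entries expired longer than that are dropped from the report."""
    lines = []
    for kind, name, refid, enddate in inventory:
        state, days = classify(parse_enddate(enddate), now, warn_days)
        if state == "ok":
            continue
        if state == "expired" and mute_expired_after is not None and days > mute_expired_after:
            continue
        lines.append(format_entry(kind, name, refid, state, days))
    return lines

if __name__ == "__main__":
    print("The following CA/Certificate entries are expiring:")
    print("\n".join(build_report()))
```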