Bug #12623

open

acme.sh package | DNS-ISPConfig settings

Added by Karsten Deubert 5 months ago. Updated 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: ACME
Target version: -
Start date: -
Due date: -
% Done: 0%
Estimated time: -
Plus Target Version: -
Affected Version: -
Affected Plus Version: -
Affected Architecture: -

Description

We are running a pfSense 2.5.2 on a qemu based virtual machine.

The acme.sh package is used to generate LetsEncrypt certificates; in our case we want to create a wildcard certificate, so we need a DNS challenge.
Our DNS provider is DNS-ISPConfig based.

While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.

The error we always get from pfSense UI based certificate renewal is:

[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org

From the package output it seems like the ISPConfig settings are provided as environment variables:

Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => ispconfig_secret_user_name
    [ISPC_Password] => ispconfig_secret_password
    [ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
    [ISPC_Api_Insecure] => 
)

We also saw that there is an --accountconfig used, and checked its contents:

ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'

As a workaround we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.

The accountconf file looks like this after the manual change:

ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'

We suspect that something with supplying the options via ENV is broken (then it might need a bug report in the acme.sh project possibly?) - or the configuration could be moved to the accountconf file, because this way it seems to work already.


Related issues

Related to Todo #12886: Update acme.sh from upstream (Closed, Jim Pingle)

Is duplicate of Bug #12755: Acme package dns_ispconfig not working. (Duplicate)
Actions #1

Updated by Viktor Gurov 5 months ago

  • Affected Version deleted (2.5.2)

Actions #2

Updated by Viktor Gurov 4 months ago

Fix is merged to the upstream acme.sh repository

Actions #3

Updated by Viktor Gurov 4 months ago

  • Is duplicate of Bug #12755: Acme package dns_ispconfig not working. added

Actions #4

Updated by Morten Trab 4 months ago

Do we have an ETA on when the merge will be available in a release?

Actions #5

Updated by Morten Trab 3 months ago

Still an issue after updating to Acme 0.6.10_1

Actions #6

Updated by Viktor Gurov 3 months ago

  • Related to Todo #12886: Update acme.sh from upstream added

Actions #7

Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

The fix for this is now in the latest ACME package. Please update and test it again to see if it works.

Actions #8

Updated by Morten Trab 2 months ago

I'm on 0.7_4 now and still see the exact same error - so no, still not fixed

Actions #9

Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to New

The upstream code still has a problem. If you leave "Allow Insecure" blank now it should at least get past that part, but if you have 0 or 1 in there the test in that shell script will fail.

The script is trying to validate the contents of the variable but it can be empty, 0, or 1. And it's either testing for zero or nonzero in length which doesn't help it.

The test there probably needs to be rewritten with some better logic to validate the contents.

Actions #10

Updated by Jim Pingle 2 months ago

I should add, I tested the script and it is placing the correct variables into the environment and the script does see them there, they get added to the accountconf.conf file after it makes it past that initial validity check that it's failing.

Actions #11

Updated by Morten Trab 2 months ago

Leaving the Allow Insecure blank results in a different error:

domain.com
Renewing certificate 
account: domain.com 
server: letsencrypt-production-2 

/usr/local/pkg/acme/acme.sh  --issue  --domain 'domain.com' --dns 'dns_ispconfig'  --domain '*.domain.com' --dns 'dns_ispconfig'  --domain 'sv1.sub.domain.com' --dns 'dns_ispconfig'  --home '/tmp/acme/domain.com/' --accountconf '/tmp/acme/domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/domain.com/reloadcmd.sh' --dnssleep '300' --log-level 3 --log '/tmp/acme/domain.com/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => my_user
    [ISPC_Password] => my_password
    [ISPC_Api] => https://admin.domain.com:8080/remote/json.php
    [ISPC_Api_Insecure] => 
)
[Thu Mar 10 21:58:17 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Mar 10 21:58:17 CET 2022] Multi domain='DNS:domain.com,DNS:*.domain.com,DNS:sv1.sub.domain.com'
[Thu Mar 10 21:58:17 CET 2022] Getting domain auth token for each domain
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='domain.com'
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='*.domain.com'
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='sv1.sub.domain.com'
[Thu Mar 10 21:58:20 CET 2022] Adding txt value: -eFxL6-_Om6WeYn8EcM9nJbax04egqQRKChN5-s_aLs for domain:  _acme-challenge.domain.com
[Thu Mar 10 21:58:20 CET 2022] Getting Session ID
[Thu Mar 10 21:58:20 CET 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Mar 10 21:58:20 CET 2022] Couldn't retrieve the Session ID.
[Thu Mar 10 21:58:20 CET 2022] Error add txt for domain:_acme-challenge.domain.com
[Thu Mar 10 21:58:20 CET 2022] Please check log file for more details: /tmp/acme/domain.com/acme_issuecert.log

What I can see is that error code 60 in libcurl is that it's unable to verify the certificate (even though it's still valid for the next month)
