Bug #12623
Status: closed
acme.sh package | DNS-ISPConfig settings
Description
We are running a pfSense 2.5.2 on a qemu based virtual machine.
The acme.sh package is used to generate LetsEncrypt certificates, in our case we want to create a wildcard certificate, so we need a DNS challenge.
Our DNS Provider is DNS-ISPConfig based.
While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.
The error we always get from pfSense UI based certificate renewal is:
[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org
From the package output it seems like the ISPConfig settings are provided as environment variables:
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => ispconfig_secret_user_name
    [ISPC_Password] => ispconfig_secret_password
    [ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
    [ISPC_Api_Insecure] =>
)
We also saw that there is an --accountconfig used, and checked its contents:
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
As a workaround we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.
The accountconf file looks like this after the manual change:
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'
We suspect that something with supplying the options via ENV is broken (then it might need a bug report in the acme.sh project, possibly?) - or the configuration could be moved to the accountconf file, because that way it seems to work already.
Updated by Viktor Gurov over 3 years ago
- Affected Version deleted (2.5.2)
upstream fix:
https://github.com/acmesh-official/acme.sh/pull/3868
Updated by Viktor Gurov over 3 years ago
Fix is merged to the upstream acme.sh repository
Updated by Viktor Gurov about 3 years ago
- Is duplicate of Bug #12755: Acme package dns_ispconfig not working. added
Updated by Morten Trab about 3 years ago
Do we have an ETA on when the merge will be available in a release?
Updated by Morten Trab about 3 years ago
Still an issue after updating to Acme 0.6.10_1
Updated by Viktor Gurov about 3 years ago
- Related to Todo #12886: Update acme.sh from upstream added
Updated by Jim Pingle about 3 years ago
- Status changed from New to Feedback
- Assignee set to Viktor Gurov
The fix for this is now in the latest ACME package. Please update and test it again to see if it works.
Updated by Morten Trab about 3 years ago
I'm on 0.7_4 now and still see the exact same error - so no, still not fixed
Updated by Jim Pingle about 3 years ago
- Status changed from Feedback to New
The upstream code still has a problem. If you leave "Allow Insecure" blank now it should at least get past that part, but if you have 0 or 1 in there the test in that shell script will fail.
The script is trying to validate the contents of the variable but it can be empty, 0, or 1. And it's either testing for zero or nonzero in length which doesn't help it.
The test there probably needs to be rewritten with some better logic to validate the contents.
Updated by Jim Pingle about 3 years ago
I should add, I tested the script and it is placing the correct variables into the environment and the script does see them there, they get added to the accountconf.conf file after it makes it past that initial validity check that it's failing.
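To illustrate the validation problem described in the two comments above, here is a constructed POSIX sh example (not acme.sh's own dns_ispconfig code): a length-based check in the style the comment describes, next to a check that accepts the three legitimate values of ISPC_Api_Insecure (empty, 0 or 1) while still requiring the login data and API URL. The function names, the demo credentials and the API URL are made up for the example.

```shell
#!/bin/sh
# Constructed illustration of the ISPC_Api_Insecure validation bug discussed
# above. This is not acme.sh's code; it models the behaviour the comments
# describe: the flag may legitimately be "", "0" or "1", so a string-length
# test cannot tell a valid value from an invalid one.

# Length-based check in the described style: an empty flag passes, but "0"
# or "1" makes the whole settings check fail.
flawed_check() {
  # args: user password api_url insecure_flag
  if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -n "$4" ]; then
    return 1
  fi
  return 0
}

# Corrected check: user, password and API URL must be non-empty; the
# insecure flag must be exactly "", "0" or "1" (anything else is rejected).
ispc_check() {
  user=$1 pass=$2 api=$3 insecure=$4
  [ -n "$user" ] && [ -n "$pass" ] && [ -n "$api" ] || return 1
  case "$insecure" in
    ''|0|1) return 0 ;;
    *) return 1 ;;
  esac
}

# Map the flag to the curl behaviour: only an explicit "1" skips TLS
# verification; "" and "0" keep certificate checking on (the safe default).
curl_verify_opt() {
  case "$1" in
    1) echo "--insecure" ;;
    *) echo "" ;;
  esac
}

# Stand-alone demo: run each candidate flag value through both checks.
for v in '' 0 1 yes; do
  flawed_check demo_user demo_pass 'https://ispc.example.org:8080/remote/json.php' "$v" \
    && f=pass || f=fail
  if ispc_check demo_user demo_pass 'https://ispc.example.org:8080/remote/json.php' "$v"; then
    echo "ISPC_Api_Insecure='$v': flawed=$f corrected=pass curl='$(curl_verify_opt "$v")'"
  else
    echo "ISPC_Api_Insecure='$v': flawed=$f corrected=fail (rejected)"
  fi
done
```

Running the demo shows the asymmetry the comment describes: the length-based check passes only the empty value, while the corrected check passes "", "0" and "1" and rejects everything else.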
Updated by Morten Trab about 3 years ago
Leaving the Allow Insecure blank results in a different error:
domain.com
Renewing certificate
account: domain.com
server: letsencrypt-production-2
/usr/local/pkg/acme/acme.sh --issue --domain 'domain.com' --dns 'dns_ispconfig' --domain '*.domain.com' --dns 'dns_ispconfig' --domain 'sv1.sub.domain.com' --dns 'dns_ispconfig' --home '/tmp/acme/domain.com/' --accountconf '/tmp/acme/domain.com/accountconf.conf' --force --reloadCmd '/tmp/acme/domain.com/reloadcmd.sh' --dnssleep '300' --log-level 3 --log '/tmp/acme/domain.com/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => my_user
    [ISPC_Password] => my_password
    [ISPC_Api] => https://admin.domain.com:8080/remote/json.php
    [ISPC_Api_Insecure] =>
)
[Thu Mar 10 21:58:17 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Mar 10 21:58:17 CET 2022] Multi domain='DNS:domain.com,DNS:*.domain.com,DNS:sv1.sub.domain.com'
[Thu Mar 10 21:58:17 CET 2022] Getting domain auth token for each domain
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='domain.com'
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='*.domain.com'
[Thu Mar 10 21:58:20 CET 2022] Getting webroot for domain='sv1.sub.domain.com'
[Thu Mar 10 21:58:20 CET 2022] Adding txt value: -eFxL6-_Om6WeYn8EcM9nJbax04egqQRKChN5-s_aLs for domain: _acme-challenge.domain.com
[Thu Mar 10 21:58:20 CET 2022] Getting Session ID
[Thu Mar 10 21:58:20 CET 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Thu Mar 10 21:58:20 CET 2022] Couldn't retrieve the Session ID.
[Thu Mar 10 21:58:20 CET 2022] Error add txt for domain:_acme-challenge.domain.com
[Thu Mar 10 21:58:20 CET 2022] Please check log file for more details: /tmp/acme/domain.com/acme_issuecert.log
What I can see is that error code 60 in libcurl means that it's unable to verify the certificate (even though it's still valid for the next month).
Updated by Morten Trab about 3 years ago
This one fixes the issue: https://github.com/acmesh-official/acme.sh/commit/01ace11293f4cf27f8e761114f48148bbcbad063
Updated by Jim Pingle 12 months ago
- Status changed from New to Closed
- Assignee changed from Viktor Gurov to Jim Pingle
This has been fixed for a long time now.