Bug #12623

open

acme.sh package | DNS-ISPConfig settings

Added by Karsten Deubert over 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: Viktor Gurov
Category: ACME
Target version: -
% Done: 0%

Description

We are running a pfSense 2.5.2 on a qemu based virtual machine.

The acme.sh package is used to generate LetsEncrypt certificates. In our case we want to create a wildcard certificate, so we need a DNS challenge.
Our DNS Provider is DNS-ISPConfig based.

While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.

The error we always get from pfSense UI based certificate renewal is:

[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org

From the package output it seems like the ISPConfig settings are provided as environment variables:

Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => ispconfig_secret_user_name
    [ISPC_Password] => ispconfig_secret_password
    [ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
    [ISPC_Api_Insecure] => 
)

We also saw that there is an --accountconfig used, and checked its contents:

ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'

As a workaround we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.

The accountconf file looks like this after the manual change:

ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'

We suspect that something with supplying the options via ENV is broken (then it might need a bug report in the acme.sh project possibly?) - or the configuration could be moved to the accountconf file, because this way it seems to work already.
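
The two states shown in the report (the environment dump with an empty `ISPC_Api_Insecure`, and the edited account configuration file) can be told apart before a renewal runs. The following is an added example, not part of the original report and not acme.sh or pfSense code; the function names, the constructed sample values and the rule that all four settings must be non-empty (inferred from the error text) are assumptions.

```shell
#!/bin/sh
# Added example; not acme.sh or pfSense code.
# Assumption: all four settings must be non-empty, as the error text implies.
REQUIRED_ISPC_VARS="ISPC_User ISPC_Password ISPC_Api ISPC_Api_Insecure"

# conf_get FILE KEY: read KEY='value' without sourcing the file, so nothing
# else stored in it is executed. The last assignment in the file wins.
conf_get() {
  [ -r "$1" ] || return 0
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# ispc_missing FILE: print the names (never the values, one is a password)
# of settings that are empty in both the environment and FILE.
# Returns 0 only when nothing is missing.
ispc_missing() {
  missing=""
  for name in $REQUIRED_ISPC_VARS; do
    eval "value=\${$name:-}"                           # environment first
    [ -n "$value" ] || value=$(conf_get "$1" "$name")  # then the file
    [ -n "$value" ] || missing="${missing:+$missing }$name"
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  # Constructed stand-ins for the two accountconf states in the report.
  printf "%s\n" "ACCOUNT_EMAIL='foo@example.org'" "LOG_LEVEL='3'" >"$dir/before"
  { cat "$dir/before"
    printf "%s\n" "ISPC_User='constructed_user'" \
      "ISPC_Password='constructed_password'" \
      "ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'" \
      "ISPC_Api_Insecure='0'"; } >"$dir/after"
  # Environment shaped like the package output: three set, one empty.
  ISPC_User=constructed_user
  ISPC_Password=constructed_password
  ISPC_Api=https://ispconfig.example.org:8080/remote/json.php
  ISPC_Api_Insecure=
  echo "env + original file: missing [$(ispc_missing "$dir/before")]"
  echo "env + edited file:   missing [$(ispc_missing "$dir/after")]"
  rm -rf "$dir"
}
( demo )  # subshell keeps the constructed values out of the caller's shell
```

Because the edited file holds the ISPConfig password in clear text, its permissions are worth checking alongside its contents.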


Related issues

Related to Todo #12886: Update acme.sh from upstream (Closed, Jim Pingle)

Is duplicate of Bug #12755: Acme package dns_ispconfig not working. (Duplicate)
