Bug #12623
acme.sh package | DNS-ISPConfig settings
Status: open
Description
We are running a pfSense 2.5.2 on a qemu based virtual machine.
The acme.sh package is used to generate LetsEncrypt certificates; in our case we want to create a wildcard certificate, so we need a DNS challenge.
Our DNS Provider is DNS-ISPConfig based.
While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.
The error we always get from pfSense UI based certificate renewal is:
[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org
From the package output it seems like the ISPConfig settings are provided as environment variables:
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [ISPC_User] => ispconfig_secret_user_name
    [ISPC_Password] => ispconfig_secret_password
    [ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
    [ISPC_Api_Insecure] =>
)
We also saw that there is an --accountconfig used, and checked its contents:
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
As a workaround we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.
The accountconf file looks like this after the manual change:
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'
We suspect that something with supplying the options via ENV is broken (then it might need a bug report in the acme.sh project possibly?) - or the configuration could be moved to the accountconf file, because this way it seems to work already.
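A pre-flight check for the settings that the error above complains about, added here as an example (it is not code from this report, from pfSense or from acme.sh). It assumes the DNS hook rejects a run when any of the four ISPC_* values is empty, which is consistent with the empty ISPC_Api_Insecure in the environment dump and with the ISPC_Api_Insecure='0' line the manual workaround adds:

```shell
#!/bin/sh
# Added example, not part of the bug report or of acme.sh/pfSense.
# Assumption: the ISPConfig DNS hook treats an empty ISPC_Api_Insecure
# the same as a missing login or URL, so "0" (verify the API's TLS cert)
# has to be set explicitly even when verification is wanted.

# Returns 0 when the four values would satisfy the hook, 1 otherwise,
# naming the missing or invalid settings on stderr.
ispc_settings_ok() {
  user=$1; pass=$2; api=$3; insecure=$4
  missing=""
  [ -n "$user" ] || missing="$missing ISPC_User"
  [ -n "$pass" ] || missing="$missing ISPC_Password"
  [ -n "$api" ]  || missing="$missing ISPC_Api"
  case "$insecure" in
    0|1) ;;
    *) missing="$missing ISPC_Api_Insecure(expected 0 or 1)" ;;
  esac
  if [ -n "$missing" ]; then
    echo "ISPConfig settings incomplete:$missing" >&2
    return 1
  fi
  # Flag the weaker setting: 1 disables TLS verification of the API endpoint,
  # which exposes the ISPConfig credentials to anyone who can spoof that host.
  if [ "$insecure" = "1" ]; then
    echo "warning: ISPC_Api_Insecure=1 disables TLS verification of $api" >&2
  fi
  return 0
}

# Reads KEY='value' lines from an accountconf-style file and checks them,
# so the file can be validated before a scheduled renewal runs.
check_accountconf() {
  file=$1
  u=$(sed -n "s/^ISPC_User='\(.*\)'\$/\1/p" "$file")
  p=$(sed -n "s/^ISPC_Password='\(.*\)'\$/\1/p" "$file")
  a=$(sed -n "s/^ISPC_Api='\(.*\)'\$/\1/p" "$file")
  i=$(sed -n "s/^ISPC_Api_Insecure='\(.*\)'\$/\1/p" "$file")
  ispc_settings_ok "$u" "$p" "$a" "$i"
}
```

Run `check_accountconf /path/to/accountconf` against the file after the manual change to confirm it contains everything the hook needs; with the environment values from the dump above (empty ISPC_Api_Insecure) the check fails, with the workaround file it passes.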