
security/acme-client: deploy error results in certificate stuck in state validation error

Open Starkstromkonsument opened this issue 3 years ago • 0 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug

I had a disabled automation of type "Upload certificate to Synology DSM" in my config. It was obviously executed anyway and exited with an error. The certificate was stuck in state "validation failed". The certificate has been properly renewed. The import to the system trust was not executed.

Workaround:

  • Delete the failing Automation
  • Manually execute "(Re-) Import Certificate"
  • Manually execute "Run Automations"

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Services --> ACME Client'
  2. Configure Accounts, Challenge Types, Certificates and Automations
  3. Add an Automation of type "Upload certificate to Synology DSM", that will fail. Disable it.
  4. Wait for the cron job to run for the certificate that needs renewal
  5. See error

Expected behavior

  1. Complete the ACME run with error "automations failed" instead of "validation failed".
  2. Don't run disabled Automations.

Screenshots: [image]

Relevant log files

System Log

2022-08-31T04:12:00	Notice	opnsense	AcmeClient: issue/renewal not required for certificate: [***]	
2022-08-30T04:12:00	Notice	opnsense	AcmeClient: issue/renewal not required for certificate: [***]	
2022-08-29T04:14:29	Error	opnsense	AcmeClient: validation for certificate failed: [***]	
2022-08-29T04:14:29	Error	opnsense	AcmeClient: domain validation failed (dns01)	
2022-08-29T04:12:00	Notice	opnsense	AcmeClient: using challenge type: [***]
2022-08-29T04:12:00	Notice	opnsense	AcmeClient: account is registered: [***]	
2022-08-29T04:12:00	Notice	opnsense	AcmeClient: using CA: letsencrypt	
2022-08-29T04:12:00	Notice	opnsense	AcmeClient: renew certificate: [***]	
2022-08-29T04:12:00	Notice	opnsense	AcmeClient: certificate must be issued/renewed: [***]	
2022-08-28T20:51:53	Notice	php	(system local trust) skip intermediate certificate /C=US/O=Internet Security Research Group/CN=ISRG Root X1 from R3 (ACME Client)	
2022-08-28T20:51:53	Notice	php	(system local trust) skip intermediate certificate /C=US/O=Let's Encrypt/CN=R3 from R3 (ACME Client)	
2022-08-28T04:12:00	Notice	opnsense	AcmeClient: issue/renewal not required for certificate: [***]	
2022-08-27T04:12:00	Notice	opnsense	AcmeClient: issue/renewal not required for certificate: [***]

ACME Log

2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Deploy error.
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Error deploy for domain:[***]
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] SYNO_Username & SYNO_Password must be set
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Installing full chain to: /var/etc/acme-client/certs/[***].[***]/fullchain.pem
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Installing key to: /var/etc/acme-client/keys/[***].[***]/private.key
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Installing CA to: /var/etc/acme-client/certs/[***].[***]/chain.pem
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Installing cert to: /var/etc/acme-client/certs/[***].[***]/cert.pem
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] And the full chain certs is there: /var/etc/acme-client/home/[***]/fullchain.cer
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] The intermediate CA cert is in: /var/etc/acme-client/home/[***]/ca.cer
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Your cert key is in: /var/etc/acme-client/home/[***]/[***].key
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Your cert is in: /var/etc/acme-client/home/[***]/[***].cer
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:29 CEST 2022] Cert success.
2022-08-29T04:14:29	acme.sh	[Mon Aug 29 04:14:28 CEST 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/[***]'
2022-08-29T04:14:28	acme.sh	[Mon Aug 29 04:14:28 CEST 2022] Downloading cert.
2022-08-29T04:14:27	acme.sh	[Mon Aug 29 04:14:27 CEST 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/[***]/[***]'
2022-08-29T04:14:27	acme.sh	[Mon Aug 29 04:14:27 CEST 2022] Lets finalize the order.
2022-08-29T04:14:27	acme.sh	[Mon Aug 29 04:14:27 CEST 2022] Verify finished, start to sign.
2022-08-29T04:14:27	acme.sh	[Mon Aug 29 04:14:27 CEST 2022] Removed: Success
2022-08-29T04:14:25	acme.sh	[Mon Aug 29 04:14:25 CEST 2022] Deleting record
2022-08-29T04:14:24	acme.sh	[Mon Aug 29 04:14:24 CEST 2022] Removing txt: [***] for domain: _acme-challenge.[***]
2022-08-29T04:14:24	acme.sh	[Mon Aug 29 04:14:24 CEST 2022] Removed: Success
2022-08-29T04:14:22	acme.sh	[Mon Aug 29 04:14:22 CEST 2022] Deleting record
2022-08-29T04:14:20	acme.sh	[Mon Aug 29 04:14:20 CEST 2022] Removing txt: [***] for domain: _acme-challenge.[***]
2022-08-29T04:14:20	acme.sh	[Mon Aug 29 04:14:20 CEST 2022] Removing DNS records.
2022-08-29T04:14:20	acme.sh	[Mon Aug 29 04:14:20 CEST 2022] Success
2022-08-29T04:14:18	acme.sh	[Mon Aug 29 04:14:18 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
2022-08-29T04:14:17	acme.sh	[Mon Aug 29 04:14:17 CEST 2022] Verifying: [***]
2022-08-29T04:14:17	acme.sh	[Mon Aug 29 04:14:17 CEST 2022] Success
2022-08-29T04:14:15	acme.sh	[Mon Aug 29 04:14:15 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
2022-08-29T04:14:13	acme.sh	[Mon Aug 29 04:14:13 CEST 2022] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
2022-08-29T04:14:12	acme.sh	[Mon Aug 29 04:14:12 CEST 2022] Verifying: [***]
2022-08-29T04:12:12	acme.sh	[Mon Aug 29 04:12:12 CEST 2022] Sleep 120 seconds for the txt records to take effect
2022-08-29T04:12:12	acme.sh	[Mon Aug 29 04:12:12 CEST 2022] The txt record is added: Success.
2022-08-29T04:12:10	acme.sh	[Mon Aug 29 04:12:10 CEST 2022] Adding record
2022-08-29T04:12:10	acme.sh	[Mon Aug 29 04:12:10 CEST 2022] Adding txt value: [***] for domain: _acme-challenge.[***]
2022-08-29T04:12:10	acme.sh	[Mon Aug 29 04:12:10 CEST 2022] The txt record is added: Success.
2022-08-29T04:12:05	acme.sh	[Mon Aug 29 04:12:05 CEST 2022] Adding record
2022-08-29T04:12:04	acme.sh	[Mon Aug 29 04:12:04 CEST 2022] Adding txt value: [***] for domain: _acme-challenge.[***]
2022-08-29T04:12:04	acme.sh	[Mon Aug 29 04:12:04 CEST 2022] Getting webroot for domain='[***]'
2022-08-29T04:12:04	acme.sh	[Mon Aug 29 04:12:04 CEST 2022] Getting webroot for domain='[***]'
2022-08-29T04:12:02	acme.sh	[Mon Aug 29 04:12:01 CEST 2022] Getting domain auth token for each domain
2022-08-29T04:12:01	acme.sh	[Mon Aug 29 04:12:01 CEST 2022] Multi domain='DNS:[***],DNS:[***]'
2022-08-29T04:12:01	acme.sh	[Mon Aug 29 04:12:01 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
2022-08-29T04:12:00	acme.sh	[Mon Aug 29 04:12:00 CEST 2022] Renew: '[***]'

Additional context

None

Environment

Now: OPNsense 22.7.4-amd64; at the time of the error: OPNsense 22.7.2-amd64

Starkstromkonsument, Sep 10 '22 19:09
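The following is an added example illustrating the two expected behaviours from the report: disabled automations are never executed, and a failing deploy hook is reported as an automation failure rather than a validation failure, with the issued certificate still imported into the system trust. It is example code written for this page, not code from the opnsense/plugins acme-client plugin or from acme.sh. The `Automation` model, the status strings, and the `finish_certificate` and `synology_upload` helpers are assumptions made for illustration; the embedded log lines are copied from the ACME log in the report (identifiers masked as `[***]` by the reporter).

```python
"""Classify an acme.sh run from its log and run only enabled automations.

Example code for this page; not the plugin's own implementation.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Log lines copied from the report above, newest first, in the
# "<timestamp>\t<process>\t<message>" column layout of the ACME log view.
ACME_LOG = (
    "2022-08-29T04:14:29\tacme.sh\t[Mon Aug 29 04:14:29 CEST 2022] Deploy error.\n"
    "2022-08-29T04:14:29\tacme.sh\t[Mon Aug 29 04:14:29 CEST 2022] Error deploy for domain:[***]\n"
    "2022-08-29T04:14:29\tacme.sh\t[Mon Aug 29 04:14:29 CEST 2022] SYNO_Username & SYNO_Password must be set\n"
    "2022-08-29T04:14:29\tacme.sh\t[Mon Aug 29 04:14:29 CEST 2022] Cert success.\n"
    "2022-08-29T04:14:27\tacme.sh\t[Mon Aug 29 04:14:27 CEST 2022] Verify finished, start to sign.\n"
    "2022-08-29T04:12:00\tacme.sh\t[Mon Aug 29 04:12:00 CEST 2022] Renew: '[***]'\n"
)

# Two tab-separated columns, then acme.sh's own "[date]" prefix.
_PREFIX = re.compile(r"^\S+\t\S+\t\[[^\]]*\]\s*")


def messages(log_text: str) -> List[str]:
    """Return the bare acme.sh messages, oldest first."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return [_PREFIX.sub("", ln) for ln in reversed(lines)]


def cert_issued(log_text: str) -> bool:
    """The CA signed and acme.sh downloaded the certificate."""
    return any(m == "Cert success." for m in messages(log_text))


def classify_run(log_text: str) -> str:
    """Distinguish a failed deploy hook from a failed validation.

    Status strings are assumptions chosen to match the report's wording.
    """
    if not cert_issued(log_text):
        return "validation failed"
    if any(m.startswith("Deploy error") for m in messages(log_text)):
        return "automations failed"
    return "ok"


@dataclass
class Automation:
    name: str
    enabled: bool
    action: Callable[[], None]  # raises on failure


def synology_upload(env: dict) -> None:
    """Stand-in for the Synology DSM deploy hook (assumption); fails the
    way the report's log shows when the credentials are not configured."""
    if not (env.get("SYNO_Username") and env.get("SYNO_Password")):
        raise RuntimeError("SYNO_Username & SYNO_Password must be set")


def run_automations(automations: List[Automation]) -> List[str]:
    """Run enabled automations only; collect failures instead of aborting."""
    failures: List[str] = []
    for auto in automations:
        if not auto.enabled:
            continue  # expected behaviour 2: a disabled automation never runs
        try:
            auto.action()
        except Exception as exc:  # one failing hook must not stop the others
            failures.append(f"{auto.name}: {exc}")
    return failures


def finish_certificate(log_text: str, automations: List[Automation]) -> Tuple[str, List[str]]:
    """Order the post-issue steps so a failing hook cannot block the trust import."""
    steps: List[str] = []
    if not cert_issued(log_text):
        return "validation failed", steps
    steps.append("import certificate into system trust")  # happens before any hook
    failures = run_automations(automations)
    if failures:
        return "automations failed", steps + failures  # expected behaviour 1
    return "ok", steps


if __name__ == "__main__":
    disabled = [Automation("Upload certificate to Synology DSM", False,
                           lambda: synology_upload({}))]
    print(classify_run(ACME_LOG))                 # what the log itself says
    print(finish_certificate(ACME_LOG, disabled))  # how the run should end
```

With the disabled Synology automation the run ends in state "ok" and the trust import is recorded; re-enabling it without credentials yields "automations failed" together with the hook's error message, and in both cases the trust import step precedes the automations.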