Letsencrypt 1.0.22 renew issue on FreeBSD

wattie (Verified User; joined May 31, 2008; 1,234 messages; location: Bulgaria)
First attempt: I am getting the following error:

Code:
# /usr/local/directadmin/scripts # ./letsencrypt.sh renew <DOMAIN> 4096
Getting challenge for <DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for offcrm.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is . Details: . Exiting...

Second attempt:

Code:
root@srv2:/usr/local/directadmin/scripts # ./letsencrypt.sh renew <DOMAIN> 4096
Getting challenge for <DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.<DOMAIN> from acme-server...
Nonce is empty. Exiting. dig output of acme-v01.api.letsencrypt.org:
api.letsencrypt.org-ng.edgekey.net.
e14990.dscx.akamaiedge.net.
2.23.113.191
Full nonce request output:

Third attempt:

Code:
root@srv2:/usr/local/directadmin/scripts # ./letsencrypt.sh renew <DOMAIN> 4096
Getting challenge for <DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for offcrm.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for srv2.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for <DOMAIN>...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/<USER>/domains/<DOMAIN>.key.new"
Generating RSA private key, 4096 bit long modulus
.................................................................++
............................++
e is 65537 (0x10001)
Nonce is empty. Exiting. dig output of acme-v01.api.letsencrypt.org:
api.letsencrypt.org-ng.edgekey.net.
e14990.dscx.akamaiedge.net.
2.23.113.191
Full nonce request output:

OS is FreeBSD 11.1. Installed version of Let's Encrypt client: 1.0.22
I don't know why that happened, but it looks to be a firewall (ipfw) related issue:

Code:
# /usr/local/directadmin/scripts # ./letsencrypt.sh renew <DOMAIN> 4096
Getting challenge for <DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is . Details: . Exiting...

# /usr/local/directadmin/scripts # /etc/rc.d/ipfw stop
# /usr/local/directadmin/scripts # ./letsencrypt.sh renew <DOMAIN> 4096
Getting challenge for <DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for fmiproject.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for la.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for milena.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for omi.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for sofizmi.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.<DOMAIN> from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for <DOMAIN>...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/<USER>/domains/<DOMAIN>.key.new"
Generating RSA private key, 4096 bit long modulus
.++
.................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for <DOMAIN> has been created successfully!

Here is my ipfw config:

Code:
# /etc # cat ipfw.rules
#!/bin/sh
#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush
pif="em0"

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
#$cmd allow udp from any to any frag
$cmd deny tcp from any to any frag
$cmd reass udp from any to any in

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd allow icmp from any to any keep-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state

#################################################
# Table 10 for IP blocks
#################################################
ipfw -q table 10 add 127.0.0.2
ipfw -q add 900 deny ip from 'table(10)' to any

#################################################
# Incoming/Outgoing Services
#################################################
$cmd 60001 allow tcp from any to any 21 setup limit src-addr 10
$cmd 60002 allow tcp from any to any 22 setup limit src-addr 8
$cmd 60003 allow tcp from any to any 25 setup limit src-addr 10
$cmd 60004 allow tcp from any to any 587 setup limit src-addr 20
$cmd 60005 allow tcp from any to any 53 setup limit src-addr 10
$cmd 60006 allow udp from any to any 53 limit src-addr 50
$cmd 60007 allow tcp from any to any 80 setup limit src-addr 30
$cmd 60008 allow tcp from any to any 110 setup limit src-addr 30
$cmd 60009 allow tcp from any to any 143 setup limit src-addr 20
$cmd 60010 allow tcp from any to any 443 setup limit src-addr 10
$cmd 60011 allow tcp from any to any 2222 setup limit src-addr 12
$cmd 60012 allow tcp from any to any 35000-35999 in setup limit src-addr 50
$cmd 60013 allow tcp from any to any 993 setup limit src-addr 20
$cmd 60014 allow tcp from any to any 995 setup limit src-addr 10
$cmd 60015 allow tcp from any to any 465 setup limit src-addr 10
$cmd 60016 allow tcp from any to any 585 setup limit src-addr 10
$cmd 60017 allow tcp from 127.0.0.1 to any 3310 setup limit src-addr 10

#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst


#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any
Curl is not in ports - only the DA one. Here's the output of the test:

Code:
# /usr/local/bin/curl -I -L -k -X GET http://<DOMAIN>/.well-known/acme-challenge/test.txt
HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 21:19:55 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Wed, 11 Apr 2018 21:19:35 GMT
ETag: "5-5699932241249"
Accept-Ranges: bytes
Content-Length: 5
Vary: User-Agent
Content-Type: text/plain

I rebuilt curl from custombuild - no luck.

When ipfw is off, it works always. When ipfw is on, it works occasionally - most of the time it does not work.
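The rules posted above end in `deny log all from any to any`, so the next diagnostic step is to read the ipfw log and see which rule dropped the packets a renewal depends on: the outbound HTTPS request to the ACME API (the one that yields "Nonce is empty" when it fails), its reply, and the validator's inbound HTTP request to `/.well-known/acme-challenge/`. The script below is an added example, not part of this thread or of DirectAdmin's `letsencrypt.sh`. It parses the line format FreeBSD's ipfw writes to `/var/log/security`; the sample log lines, the host address 203.0.113.10, the interface and the rule numbers are constructed, and the ACME address 2.23.113.191 is taken from the dig output earlier in the thread (it is a CDN address and may change).

```python
"""Triage ipfw 'deny log' entries that matter to a Let's Encrypt renewal.

Added example; not part of the forum thread or DirectAdmin's letsencrypt.sh.
ipfw writes one line per logged packet to /var/log/security in the form
  ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
Only TCP/UDP entries carry ports; ICMP lines are skipped by the parser.
"""
import re
import sys
from collections import Counter

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Address from the thread's dig output for acme-v01.api.letsencrypt.org.
# Assumption: it is a CDN address and may change; refresh it with dig.
ACME_SERVER_IPS = {"2.23.113.191"}
HTTPS_PORT = 443   # client -> ACME API (nonce, new-cert, challenge status)
HTTP_PORT = 80     # ACME validator -> /.well-known/acme-challenge/ on this host


def parse_line(line):
    """Return the fields of one ipfw TCP/UDP log entry, or None."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def classify(entry):
    """Label a denied packet by the renewal step it would break, else None."""
    if entry["action"] != "Deny":
        return None
    out_to_api = (entry["dir"] == "out" and entry["dst"] in ACME_SERVER_IPS
                  and entry["dport"] == HTTPS_PORT)
    reply_from_api = (entry["dir"] == "in" and entry["src"] in ACME_SERVER_IPS
                      and entry["sport"] == HTTPS_PORT)
    inbound_http = entry["dir"] == "in" and entry["dport"] == HTTP_PORT
    if out_to_api:
        return "acme-api-outbound"
    if reply_from_api:
        return "acme-api-reply"
    if inbound_http:
        return "http01-validation-inbound"
    return None


def triage(lines):
    """Count renewal-relevant drops keyed by (label, rule number)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            counts[(label, entry["rule"])] += 1
    return counts


def report(counts):
    """Render the triage result as one line per (label, rule)."""
    if not counts:
        return ["no logged drops touched ACME traffic (rules without 'log' leave no trace)"]
    return [f"{label:28s} rule {rule:5d}  {n} packet(s)"
            for (label, rule), n in sorted(counts.items())]


# Constructed sample: host 203.0.113.10 on em0, rule numbers invented.
SAMPLE_LOG = """\
Apr 11 21:19:40 srv2 kernel: ipfw: 60100 Deny TCP 2.23.113.191:443 203.0.113.10:51234 in via em0
Apr 11 21:19:41 srv2 kernel: ipfw: 60100 Deny TCP 2.23.113.191:443 203.0.113.10:51235 in via em0
Apr 11 21:19:42 srv2 kernel: ipfw: 60100 Deny TCP 203.0.113.10:51236 2.23.113.191:443 out via em0
Apr 11 21:19:43 srv2 kernel: ipfw: 60100 Deny TCP 198.51.100.7:36511 203.0.113.10:80 in via em0
Apr 11 21:19:44 srv2 kernel: ipfw: 600 Deny TCP 198.51.100.9:4444 203.0.113.10:22 in via em0
Apr 11 21:19:45 srv2 kernel: ipfw: 60007 Accept TCP 198.51.100.8:40000 203.0.113.10:80 in via em0
Apr 11 21:19:46 srv2 kernel: ipfw: 100 Deny ICMP:8.0 198.51.100.9 203.0.113.10 in via em0
""".splitlines()

if __name__ == "__main__":
    # Pass a log file (e.g. /var/log/security) as the first argument to triage real data.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(triage(lines))))
```

Two caveats when reading the result: ipfw only logs packets matched by rules carrying the `log` keyword (and only while `net.inet.ip.fw.verbose` is 1), so a drop by `deny tcp from any to any established` in the config above would leave no trace at all and an empty report does not clear the firewall; and the dynamic state created by `keep-state` can be inspected with `ipfw -d show`, which is the place to look when an outbound connection starts fine but its replies are the packets being dropped.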