Wildcard domain renewal fails
-
My problem is every day pfSense 2.7.1 / acme 0.7.5 sends me a message like this:-
Notifications in this message: 1
03:01:00 The following CA/Certificate entries are expiring:
Certificate: star.example.com (6571dca5067ae): Expiring soon, in 14 days
I am trying to renew example.com and *.example.com with letsencrypt. When I press Issue/Renew I get a new certificate for the next 90 days which works, tested/examined on www.example.com.
I am coming to the end of the first 90 day certificate, so this is my first real renewal. I have also received expiry notices from letsencrypt but not all that frequent.
I am configured with only one certificate with ‘Domain SAN list’ of example.com and *.example.com; the DNS update mechanism works as letsencrypt issues new working certificates.
No, I'm not really trying to renew example.com, I simply replaced the real domain. pfSense uses the word star, I use *.
HELP!!!
pfsense trace removed as submit refused as spam
-
@Boab said in Wildcard domain renewal fails:
I am coming to the end of first 90 day certificate, so this is my first real renewal. I have also received expiry notices from letsencrypt but not all that frequent.
That's why this default value exists :
If something fails, you have 30 days to find the solution.
Didn't know that LE sends mails to warn you of a soon-to-expire certificate - that's nice of them.
I also have a domain name that I use with acme, and I renew it as a wildcard :
This means I have two entries :
"domain.tld" and "*.domain.tld" :
If the renewal goes wrong, do what the 'error' message said, somewhere at the bottom : look at the acme log file, it will contain the message that tells why it fails.
It shows you where you can find it :
/tmp/acme/[your-domain-here.tld]/ and in that folder you'll find the very detailed log file acme_issuecert.log
-
@Gertjan Thanks for the reply.
I have renewal set for 60 days and have been getting the emails for the last two weeks.
My table looks like yours but I don't have the Zone entry - will try that.
I don't see any obvious error message; all appears to complete as expected. Here are the last few lines, which I hope will get through the spam filter:-
-----END CERTIFICATE-----
[Sat Feb 17 19:14:14 GMT 2024] Your cert is in: /tmp/acme/example.com/example.com/example.com.cer
[Sat Feb 17 19:14:14 GMT 2024] Your cert key is in: /tmp/acme/example.com/example.com/example.com.key
[Sat Feb 17 19:14:14 GMT 2024] The intermediate CA cert is in: /tmp/acme/example.com/example.com/ca.cer
[Sat Feb 17 19:14:14 GMT 2024] And the full chain certs is there: /tmp/acme/example.com/example.com/fullchain.cer
[Sat Feb 17 19:14:14 GMT 2024] Your pre-generated next key for future cert key change is in: /tmp/acme/example.com/example.com/example.com.key.next
[Sat Feb 17 19:14:14 GMT 2024] Run reload cmd: /tmp/acme/example.com/reloadcmd.sh
IMPORT CERT example.com, /tmp/acme/example.com/example.com/example.com.key, /tmp/acme/example.com/example.com/example.com.cer
update cert!
[Sat Feb 17 19:14:14 GMT 2024] Reload success
-
@Boab first attempt at pastebin...
https://pastebin.com/WgkpgNTR
-
@Boab said in Wildcard domain renewal fails:
-----END CERTIFICATE-----
[Sat Feb 17 19:14:14 GMT 2024] Your cert is in: /tmp/acme/example.com/example.com/example.com.cer
[Sat Feb 17 19:14:14 GMT 2024] Your cert key is in: /tmp/acme/example.com/example.com/example.com.key
[Sat Feb 17 19:14:14 GMT 2024] The intermediate CA cert is in: /tmp/acme/example.com/example.com/ca.cer
[Sat Feb 17 19:14:14 GMT 2024] And the full chain certs is there: /tmp/acme/example.com/example.com/fullchain.cer
[Sat Feb 17 19:14:14 GMT 2024] Your pre-generated next key for future cert key change is in: /tmp/acme/example.com/example.com/example.com.key.next
[Sat Feb 17 19:14:14 GMT 2024] Run reload cmd: /tmp/acme/example.com/reloadcmd.sh
IMPORT CERT example.com, /tmp/acme/example.com/example.com/example.com.key, /tmp/acme/example.com/example.com/example.com.cer
update cert!
[Sat Feb 17 19:14:14 GMT 2024] Reload success
Looks fine to me.
You have this :
so the web server instances on pfSense restart with the new certificate?
Did you check the certificate under System > Certificates > Certificates ?
It should have a 'Valid from' date of last February 17.
-
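The two checks suggested in this thread (read the acme output under /tmp/acme/<domain>/, then confirm the installed certificate under System > Certificates really is the new one) can be done from the pfSense shell with openssl. The script below is an added example, not code from the thread or from the acme package: it builds a constructed self-signed certificate with the same SAN shape as the poster's (example.com plus *.example.com) so it runs offline, then shows how to list the SANs, take the SHA-256 fingerprint to compare the acme file against the GUI entry or the served certificate, check whether it expires within the 14-day notice window, and test whether a given hostname is actually covered by the SAN list. The function names and the `served_cert_fingerprint` helper (which needs a live listener and is not run here) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense acme package): verify what
# a renewal actually produced. The cert below is a constructed self-signed
# stand-in for /tmp/acme/<domain>/<domain>/<domain>.cer so this runs offline.
set -eu

# Build a throwaway cert with the thread's SAN shape (example.com and
# *.example.com), valid 30 days. Constructed test data, not a real LE cert.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/example.com.key" -out "$1/example.com.cer" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
}

# Print the DNS SAN entries of a PEM cert on one line,
# e.g. "DNS:example.com DNS:*.example.com".
cert_san_list() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ *$//'
}

# SHA-256 fingerprint of a PEM cert: compare the acme output file with the
# entry shown under System > Certificates, or with what the listener serves.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the cert expires within $2 days. pfSense warned at 14 days;
# acme renews at day 60 of 90 by default, leaving 30 days to fix a failure.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# Does the SAN list cover a hostname? A wildcard matches exactly one label
# (RFC 6125): *.example.com covers www.example.com but not example.com
# itself (hence the second SAN) and not a.b.example.com.
san_covers() {
  sans=$1
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  for entry in $sans; do
    name=${entry#DNS:}
    case $name in
      \*.*)
        suffix=${name#\*.}
        prefix=${host%".$suffix"}
        # host must end in ".suffix" and the remaining prefix must be a single label
        if [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix%.*}" = "$prefix" ]; then
          return 0
        fi
        ;;
      *)
        [ "$host" = "$name" ] && return 0
        ;;
    esac
  done
  return 1
}

# Fingerprint of the cert a live listener serves (assumed usage, not run here):
#   served_cert_fingerprint www.example.com 443
served_cert_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert "$WORK"
CERT="$WORK/example.com.cer"
SANS=$(cert_san_list "$CERT")

echo "SANs:        $SANS"
echo "Fingerprint: $(cert_fingerprint "$CERT")"
for h in example.com www.example.com a.b.example.com; do
  if san_covers "$SANS" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
if cert_expires_within "$CERT" 14; then echo "expires within 14 days"; else echo "not expiring within 14 days"; fi
```

On a real pfSense box, point `CERT` at the file acme reported ("Your cert is in: ...") and compare its fingerprint with the one the GUI shows for the entry the web server is bound to; if they differ, a stale certificate entry is still being used even though the renewal itself succeeded.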
I think I may have spotted it.
The top entry, when you look at the info, covers my domain and * my domain.
The bottom entry looks a bit strange and probably should be deleted; it may have been hanging around since I was initially setting up acme!
Sins coming back to bite you...
Thank you Gertjan for guiding me to it - I spent many hours struggling with this before asking on the forum.
-
You have a wildcard, so you can probably delete the star dot domain.tld as it is going out of business anyway.