LetsEncrypt certificates new and renewed

Hi, I had LetsEncrypt certificates loaded using the Luci ACME Certificates UI. The certs expired and I can't see a way of registering for new or renewed certs. I have deleted the cert example and don't know what to put in the Cert Config 'add' box. When I input the domain I get 'invalid' returned. Any help appreciated. Thanks, Eamon

If the certificates expired and you cannot create new ones, it means that something is wrong with the communication to the letsencrypt servers or with your cron.
For a start please post the letsencrypt configuration as well as firewall and httpd.

/etc/config/acme
/etc/config/firewall
/etc/config/uhttpd
1 Like

LetsEncrypt deprecated the TLS-01 authentication method and just disabled it. This may be the root cause of issues.

HTTP-01 is on port 80, a change from TLS-01, if that is a change you need to make.

(I get my certs on a different OS using certbot so I don’t know the resolution for OpenWrt)


Edit:

Checking my email, the date for EOL has not yet occurred, so this is a potential future concern, but perhaps not the cause of the symptoms observed. From the email I received from Let's Encrypt:

TLS-SNI-01 validation is reaching end-of-life. It will stop working
temporarily on February 13th, 2019, and permanently on March 13th, 2019.
Any certificates issued before then will continue to work for 90 days
after their issuance date.

You need to update your ACME client to use an alternative validation
method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your
certificate renewals will break and existing certificates will start to
expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like
to test whether your system will work after February 13, you can run
against staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Our forum has many threads on this topic. Please search to see if your
question has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life please see our API
announcement:
https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Thank you,
Let's Encrypt Staff

1 Like

Hi, thanks for the prompt response. I didn't get anything to indicate that there was a problem with comms. I can't recall any issues when I got certs 3 months ago. Here are the configs that you requested. Note that I have deleted the config that I had for the certs. I had to force the deletion as openwrt threw up an error when saving the deletion.

  1. /etc/config/acme
config acme
	option state_dir '/etc/acme'
	option debug '1'
	option account_email '<my.email>'

  2. /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wan2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'dmz'
	option network 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option dest 'wan'
	option src 'dmz'

config forwarding
	option dest 'dmz'
	option src 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option dest_port '22'
	option name 'HTTP_SSH_Pi'
	option src_dport '80'
	option enabled '0'
	option dest_ip '192.168.3.0/24'

config zone
	option name 'newzone'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network ' '
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option name 'DMZ-LAN-SSH'
	option family 'ipv4'
	option proto 'tcp'
	option src 'dmz'
	option src_ip '192.168.3.160'
	option dest 'lan'
	option dest_ip '192.168.1.249'
	option dest_port '22'

config rule
	option target 'ACCEPT'
	option name 'DMZ-LAN-RDP'
	option family 'ipv4'
	option proto 'tcp'
	option src 'dmz'
	option src_ip '192.168.3.160'
	option dest_ip '192.168.1.249'
	option dest_port '3389'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option name 'DMZ-LAN-VNC'
	option family 'ipv4'
	option proto 'tcp'
	option src 'dmz'
	option src_ip '192.168.3.160'
	option dest 'lan'
	option dest_ip '192.168.1.249'
	option dest_port '5900'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '4322'
	option dest_port '22'
	option name 'SSH_Laptop'
	option dest_ip '192.168.1.10'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'dmz'
	option proto 'tcp'
	option src_dport '4422'
	option dest_port '22'
	option name 'SSH_Pi_3'
	option dest_ip '192.168.3.10'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.1.1'
	option name 'SSH_openwrt'
	option src_dport '2022'
	option dest_port '2022'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option name 'SSH_openwrt'
	option family 'ipv4'
	option proto 'tcp'
	option src_port '2022'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '2022'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '2022'
	option name 'Allow_SSH_WAN'

  3. /etc/config/uhttpd
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option redirect_https '0'
	option cert '/etc/acme/<mydomain>/fullchain.cer'
	option key '/etc/acme/<mydomain>/<mydomain>.key'
	list listen_https '0.0.0.0:443'

config cert 'defaults'
	option days '730'
	option bits '2048'
	option country 'UK'
	option location 'London'
	option commonname 'LEDE'
	option state 'Unknown'

I only "found" 443 once in your post (list listen_https '0.0.0.0:443')

Since it looks like you're sharing acme validation with LuCI, did you temporarily open TCP 443 for WAN input during the transaction, then close it thereafter?

To begin with, there is no config cert section in the acme config.

config cert 'main'
	option use_staging '0'
	option enabled '1'
	option keylength '2048'
	option update_uhttpd '1'
	list domains 'your.domain.com'

That is an example from mine, customize it to your needs.

If I remember correctly, the script creates the ALLOW firewall rules and it is not conflicting with uhttpd.

Also I noticed 2 WAN interfaces. In case they are both operational, make sure that the communication is sourcing from the correct one.

Lastly, not so important but keep it in mind, you have a disabled DNAT rule for port 80 to some device in DMZ. Enabling that could create problems.

1 Like

Hi, thanks for your reply. Understand the command line section- thanks. However, does the config need to have:

  1. some info for domain verification (DNS API)
  2. Webroot directory
    The Luci UI asks for this info?
    Also, do you know how this can be done from the Luci UI? As mentioned, to renew the cert I deleted the cert config example that I had and then was presented with a box below the ACME global config. When I tried to add the domain it returned 'invalid'. What info needs to go into this box?

Do you have an example of a cron/scheduled task to auto renew?
Thanks, E

Mine doesn't have these and I didn't create it in Luci. So I am not sure if they are needed or if something has changed.
For more information on the cron you can read the author's page.

1 Like
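As an added example (not code from this thread or from the OpenWrt acme package), a POSIX shell pre-renewal check covering the points the replies make: an enabled `config cert` section with a syntactically valid domain, a uhttpd listener on port 80 (HTTP-01 validates over port 80), and whether the current fullchain still has enough validity left. The two config texts are constructed samples, and the certificate path is an assumption.

```shell
#!/bin/sh
# Constructed sample configs; on a router use the contents of
# /etc/config/acme and /etc/config/uhttpd instead.
ACME_CFG="config acme
    option state_dir '/etc/acme'
    option account_email 'admin@example.com'

config cert 'main'
    option enabled '1'
    option keylength '2048'
    option update_uhttpd '1'
    list domains 'router.example.com'
"
UHTTPD_CFG="config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:443'
    option cert '/etc/acme/router.example.com/fullchain.cer'
"

# 0 if an enabled 'config cert' section with at least one domain exists;
# 1/2/3 tell you which of the three pieces is missing.
acme_cert_ready() {
    printf '%s\n' "$1" | grep -q '^config cert' || return 1
    printf '%s\n' "$1" | grep -q "option enabled '1'" || return 2
    printf '%s\n' "$1" | grep -q "list domains '" || return 3
}

# 0 if the value is a plausible DNS hostname (labels of 1-63 chars, letters,
# digits and inner hyphens, a alphabetic TLD). Spaces, bare IPs and
# "http://" prefixes are rejected, which is the usual cause of LuCI's 'invalid'.
domain_valid() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# 0 if uhttpd listens on port 80 on a wildcard address (needed for HTTP-01).
uhttpd_listens_80() {
    printf '%s\n' "$1" | grep -Eq "listen_http '(0\.0\.0\.0|\[::\]):80'"
}

# 0 if the PEM cert in $1 is still valid $2 days from now (needs openssl).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

acme_cert_ready "$ACME_CFG" && echo "acme: cert section ok" || echo "acme: not ready"
uhttpd_listens_80 "$UHTTPD_CFG" && echo "uhttpd: port 80 ok" || echo "uhttpd: no port 80"
cert_valid_for_days /etc/acme/router.example.com/fullchain.cer 30 \
    && echo "cert: >30 days left" || echo "cert: missing or <30 days left, renew now"
```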