acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

FYI, pfsense doesn't work #41

Closed mrPsycho closed 8 years ago

mrPsycho commented 8 years ago
[2.2.6-RELEASE][root@gw.example.com]/root/le: bash ./le.sh issue /root/certs/ example.com o.example,e.example.com,s.example.com,j.example.com
Use default length 2048
Generating RSA private key, 2048 bit long modulus
................................+++
....+++
e is 65537 (0x10001)
Use default length 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
.........................................................................................+++
e is 65537 (0x10001)
Multi domain=DNS:o.example.com,DNS:e.example.com,DNS:s.example.com,DNS:j.example.com
error on line -1 of /dev/fd/63
675592508:error:02001002:system library:fopen:No such file or directory:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:169:fopen('/dev/fd/63','rb')
675592508:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:172:
675592508:error:0E078072:configuration file routines:DEF_LOAD:no such file:/usr/pfSensesrc/src.RELENG_2_2/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_def.c:197:
Create CSR error.
Neilpang commented 8 years ago

Sorry, what is pfsense? Can you please show your openssl version?

lucasRolff commented 8 years ago

pfSense is a firewall based on FreeBSD

Neilpang commented 8 years ago

Yes, I just googled it. Did you find a chance that we can test?

Neilpang commented 8 years ago

Hi @mrPsycho ,

I just got a chance to run our test project https://github.com/Neilpang/letest in a pfSense docker container.

It seems that everything is ok.

Please check your openssl versions and configurations.

mrPsycho commented 8 years ago

@Neilpang docker is not good for testing such things... try VirtualBox with a full installation of 2.2.6 x64, for example.

I have:

[2.2.6-RELEASE][root@gw.example.com]/root: openssl version -v
OpenSSL 1.0.1l-freebsd 15 Jan 2015
Neilpang commented 8 years ago

I tried to install the pfSense ISO in my virtual machine, but it failed.

From the error message you pasted, it seems that your openssl is not installed correctly.

The error shows that we were trying to create the CSR with openssl, but openssl refuses to work.

Please check your openssl installation.

And if you can share your pfSense VM with me somewhere, I'd like to have a try.

Thanks.

Neilpang commented 8 years ago

@mrPsycho

Please retry with our latest code. I guess it should work for you now.

Thanks.

richard-vd commented 8 years ago

After running pkg install bash git curl the script runs on pfSense. Updating the DNS record with CloudFlare works well, however signing always fails with HTTP error 500.

[2.2.6-RELEASE][root@pfsense]/root: git clone https://github.com/Neilpang/le.git
Cloning into 'le'...
remote: Counting objects: 622, done.
remote: Compressing objects: 100% (60/60), done.
remote: Total 622 (delta 29), reused 0 (delta 0), pack-reused 562
Receiving objects: 100% (622/622), 142.07 KiB | 0 bytes/s, done.
Resolving deltas: 100% (225/225), done.
Checking connectivity... done.
[2.2.6-RELEASE][root@pfsense]/root: cd le
[2.2.6-RELEASE][root@pfsense]/root/le: ./le.sh install
Installing to /root/.le
Installed to /root/.le/le.sh
OK, Close and reopen your terminal to start using le
Installing cron job
0 0 * * * LE_WORKING_DIR="/root/.le" "/root/.le"/le.sh cron > /dev/null
OK
[2.2.6-RELEASE][root@pfsense]/root/le: cd ..
[2.2.6-RELEASE][root@pfsense]/root: rm -rf le
[2.2.6-RELEASE][root@pfsense]/root: cd .le
[2.2.6-RELEASE][root@pfsense]/root/.le: setenv CF_Key adfar2343qadfsdffadsf34343
[2.2.6-RELEASE][root@pfsense]/root/.le: setenv CF_Email me@mydomain.com
[2.2.6-RELEASE][root@pfsense]/root/.le: ./le.sh issue dns-cf xyz.mydomain.com
Using stage api:https://acme-staging.api.letsencrypt.org
Creating account key
Use default length 2048
Generating RSA private key, 2048 bit long modulus
......................................................+++
...................................................................................................................................................+++
e is 65537 (0x10001)
Creating domain key
Use length 2048
Creating csr
Single domain=xyz.mydomain.com
Registering account
Registered
Verify each domain
Getting token for domain=xyz.mydomain.com
Found domain api file: /root/.le/dnsapi/dns-cf.sh
dns-cf-add
...
Updating record
Updated, sleeping 10 seconds
Sleep 60 seconds for the txt records to take effect
Verifying:xyz.mydomain.com
Success
Skip for removelevel:
Verify finished, start to sign.
Sign failed: "detail":"Error creating new cert"
Neilpang commented 8 years ago

It seems that the error was returned from the letsencrypt server.

Please do not use STAGE, and try again. Sometimes, the staging server is not stable.

Thanks.

richard-vd commented 8 years ago

Hi Neil, I tried three times with the live server, and then switched to the staging server. I also tried Linux, and that was working correctly both in staging and live.

I have set up a freshly installed temporary pfSense VM for you to test it. You can access it by SSH (ssh root@pfsense.dijk.net), I added your GitHub public keys so no password required. Please take a look if you can.

This is what I have done after installing the pfSense ISO:

  1. set hostname to pfsense.dijk.net
  2. set password
  3. open all ports in firewall
  4. set webserver to HTTP
  5. enable SSH server
  6. added your public keys
  7. disable password login

Then in SSH I did:

pkg install bash git curl
git clone https://github.com/Neilpang/le.git
cd le
./le.sh install
cd ..
rm -rf le
cd .le
vi account.conf (uncomment #STAGE=1)
./le.sh issue /usr/local/www pfsense.dijk.net

This is the output (using the webroot method):

[2.2.6-RELEASE][root@pfsense.dijk.net]/root/.le: ./le.sh issue /usr/local/www pfsense.dijk.net
Using stage api:https://acme-staging.api.letsencrypt.org
Creating account key
Use default length 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.................+++
e is 65537 (0x10001)
Creating domain key
Use length 2048
Creating csr
Single domain=pfsense.dijk.net
Registering account
Registered
Verify each domain
Getting token for domain=pfsense.dijk.net
Verifying:pfsense.dijk.net
stat: illegal option -- c
usage: stat [-FLnq] [-f format | -l | -r | -s | -x] [-t timefmt] [file ...]
usage: chown [-fhvx] [-R [-H | -L | -P]] owner[:group] file ...
       chown [-fhvx] [-R [-H | -L | -P]] :group file ...
Success
Verify finished, start to sign.
Sign failed: "detail":"Error creating new cert"
Neilpang commented 8 years ago

which public key did you add?

richard-vd commented 8 years ago

The two public keys that you have registered with GitHub: https://api.github.com/users/neilpang/keys

Neilpang commented 8 years ago

Ok, I'm in.

Please wait.

mrPsycho commented 8 years ago

Hello!

I like that you added the DNS method. It seems much more applicable...

but:

[2.2.6-RELEASE]/root/le: /root/.le/le.sh issue dns sonar.e-legion.com
Creating account key
Use default length 2048
Account key exists, skip
Creating domain key
Use length 2048
Creating csr
Single domain=sonar.e-legion.com
Registering account
Already registered
Verify each domain
Getting token for domain=sonar.e-legion.com
Add the following TXT record:
Domain: _acme-challenge.sonar.e-legion.com
TXT value: PoCtewlX-GUPCZbNtSOlyVF25ahq1h5XanMnL6sT_64
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.sonar.e-legion.com
Please add the TXT records to the domains, and retry again.
[2.2.6-RELEASE]/root/le: /root/.le/le.sh issue dns sonar.e-legion.com
Creating account key
Use default length 2048
Account key exists, skip
Creating domain key
Use length 2048
Domain key exists, do you want to overwrite the key?
Set FORCE=1, and try again.
Create domain key error.
[2.2.6-RELEASE]/root/le: /root/.le/le.sh renew sonar.e-legion.com
Creating account key
Use default length 2048
Account key exists, skip
Creating domain key
Use length 2048
Domain key exists, skip
Creating csr
CSR exists, skip
Registering account
Already registered
Verify each domain
Verifying:sonar.e-legion.com
Success
Skip for removelevel:
Verify finished, start to sign.
Sign failed: "detail":"Error creating new cert"
[2.2.6-RELEASE]/root/le: /root/.le/le.sh renew sonar.e-legion.com
Creating account key
Use default length 2048
Account key exists, skip
Creating domain key
Use length 2048
Domain key exists, skip
Creating csr
CSR exists, skip
Registering account
Already registered
Verify each domain
Verifying:sonar.e-legion.com
sonar.e-legion.com:Challenge error: 
Skip for removelevel:

Where can I find the certificates?

Neilpang commented 8 years ago

It seems that the generated CSR is not valid. I'm checking.

Neilpang commented 8 years ago

@richard-vd I know what is wrong there, and am fixing it. Wait a few minutes.

Neilpang commented 8 years ago

Hi, @richard-vd and @mrPsycho

Please try again. I think it's working for you now.

Thanks.

richard-vd commented 8 years ago

Yes I get a valid cert now in pfSense, thank you very much!

mrPsycho commented 8 years ago

@Neilpang THANK YOU SOOOO MUCH!!!!

Neilpang commented 8 years ago

Hi @mrPsycho ,

You can thank @richard-vd. His VM helped me a lot.

nl0pvm commented 8 years ago

Thank you @richard-vd & @Neilpang

Neilpang commented 8 years ago

@nl0pvm I just made it compatible with sh, so you don't need to install bash anymore.

Please try with the latest code, and tell me the result.

Thanks.

nl0pvm commented 8 years ago

Just tried and it did not go very well:

# curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh | INSTALLONLINE=1  sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0[[: not found
100 58665  100 58665    0     0   828k      0 --:--:-- --:--:-- --:--:--  842k
[[: not found
[[: not found
Neilpang commented 8 years ago

Please try

curl  -LO  https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh 
INSTALLONLINE=1  sh  ./acme.sh

And please open the acme.sh, find the line "1963" for function "_installOnline() "

You can add some echo there to detect which line causes the error, then tell me.

Neilpang commented 8 years ago

@nl0pvm AT

richard-vd commented 8 years ago

Hi Neil, Since it worked out so well last time, I just set up a new temporary pfSense VM for you to test your script. I installed the latest version (pfSense 2.3) which already has curl preinstalled. Since you mentioned you no longer require bash, this means that no additional packages need to be installed.

Just like last time, you can access it by SSH (ssh root@pfsense.dijk.net) without password (I added your GitHub public keys).

This is the output of curl https://get.acme.sh | sh on a clean pfSense 2.3 installation:

[2.3-RELEASE][root@pfSense.dijk.net]/root: curl https://get.acme.sh | sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   632  100   632    0     0    553      0  0:00:01  0:00:01 --:--:--   554
[[: not found
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0[[: not found
100 58665  100 58665    0     0  75270      0 --:--:-- --:--:-- --:--:-- 75308
[[: not found
[[: not found
nl0pvm commented 8 years ago

Hi @Neilpang I added an echo "i got here" at line 1964 however this is the output:

# INSTALLONLINE=1  sh  ./acme.sh
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found

Which means it never got there :)

Then I added echo "got here first" at line 30, with the following result:

# INSTALLONLINE=1  sh  ./acme.sh
./acme.sh: [[: not found
got here first
./acme.sh: [[: not found
./acme.sh: [[: not found

That tells me that the [[ brackets are the issue.

Changing if [[ -z "$AGREEMENT" ]] ; then to if [ -z "$AGREEMENT" ] ; then resolved the first error.

# INSTALLONLINE=1  sh  ./acme.sh                    
got here first
./acme.sh: [[: not found
./acme.sh: [[: not found
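The three portability failures this thread hits on pfSense's /bin/sh are the bash-only [[ ]] test ("[[: not found"), a process substitution handed to openssl as /dev/fd/63 (the "Create CSR error" in the first post), and GNU "stat -c" (the "illegal option -- c" in the webroot run). The POSIX sh functions below are an added example, not acme.sh's own code; every function and file name in it is an assumption of this example.

```shell
#!/bin/sh
# Added example, not acme.sh code: POSIX-sh replacements for the three
# non-portable constructs that broke on pfSense's /bin/sh in this thread.
# All function and file names here are this example's own assumptions.

# Count lines in a script that still use bash-only [[ ... ]].
# Prints the count; the exit status is grep -c's (non-zero when clean).
count_bashisms() {
  grep -c '\[\[' "$1"
}

# Write the openssl request config for a multi-domain CSR to a real file.
# $1 = output path, $2 = main domain, remaining args = extra SAN names.
# A plain file is readable by any openssl build; bash's <(...) shows up as
# /dev/fd/N, which the FreeBSD openssl in the first post could not open.
write_csr_conf() {
  out="$1"; main="$2"; shift 2
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "req_extensions = v3_req"
    echo "[dn]"
    echo "CN = $main"
    echo "[v3_req]"
    printf 'subjectAltName = DNS:%s' "$main"
    for d in "$@"; do printf ',DNS:%s' "$d"; done
    echo
  } > "$out"
}

# Octal permission bits of a file: GNU stat first, BSD stat as the fallback
# (FreeBSD's stat has no -c and uses -f with a format string instead).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Usage (example paths): write_csr_conf /tmp/csr.conf example.com www.example.com
# then: openssl req -new -key domain.key -config /tmp/csr.conf -out domain.csr
```

Running count_bashisms over a script before shipping it to a non-bash platform is a cheap way to catch the "[[: not found" class of failure before a user does.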
nl0pvm commented 8 years ago

I tried to quickfix it by replacing both the [[ and the ]] for [ and ].

The local script worked but died immediately because of the same problems in the just downloaded script:

# INSTALLONLINE=1  sh  ./acme.sh
got here first
blaat
[Sat Apr 16 20:20:16 CEST 2016] Installing from online archive.
[Sat Apr 16 20:20:16 CEST 2016] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Apr 16 20:20:17 CEST 2016] Extracting master.tar.gz
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
./acme.sh: [[: not found
[Sat Apr 16 20:20:17 CEST 2016] Installing to =''
mkdir: : No such file or directory
./acme.sh: [[: not found
[Sat Apr 16 20:20:17 CEST 2016] Can not craete working dir: =''
Neilpang commented 8 years ago

Sorry guys. It's reverted to bash now. 8663fb7e64e5e3a712c39f2d2cb7cf6bca7b5ef0

@richard-vd Thanks for your VM again. I logged in, and I found some other compatibility issues that are not fixed yet, so I just reverted to using bash now. It should work with bash now. Can you please try again with bash?

And, can you please tell me how to set up a pfSense VM? I have Proxmox servers, and I tried to install a pfSense VM last time but failed. I'd like to set up a pfSense VM for our daily build tests.

Neilpang commented 8 years ago

Hi guys.

I just made a new branch, sh, which was tested in busybox and in @richard-vd's pfSense VM.

It works without bash.

If you have a chance, please have a try.

I may merge it to master soon.

Thanks again @richard-vd for your VM. You can destroy it now.

richard-vd commented 8 years ago

Thanks, I will destroy the temporary VM now. This was a VPS I rented from TransIP.

But pfSense can run in Proxmox as well. To prove it, I created a Proxmox VE 4.1 VM inside Parallels Desktop on OSX. Inside the Proxmox VM, I uploaded the pfSense 2.3 ISO and created a pfSense VM. I had to disable KVM hardware virtualization because I'm already running Proxmox inside a VM, but if you're running Proxmox on a physical server then you should be able to get it up and running with just the default settings.

Here is the Screencast of me creating the pfSense VM inside Proxmox: http://www.screencast.com/t/NMyJmtKoY1ge

Can you tell me where it fails for you?

nl0pvm commented 8 years ago

Hi @Neilpang, I tried and the installation succeeds.

Neilpang commented 8 years ago

Thanks @richard-vd , I have to sleep now. I will try it again soon, and let you know the result.

richard-vd commented 8 years ago

Hi @Neilpang, I too can confirm that the sh branch works on pfSense 2.3. I installed and renewed using the CloudFlare DNS method.

Neilpang commented 8 years ago

Hi @richard-vd ,

Thanks for your guide, I installed pfSense in my Proxmox VM now. Can you tell me how to enable sshd on pfSense? It seems not to be enabled by default.

tgoetten commented 8 years ago

Hi @Neilpang,

Enabling SSHd is simple:
  1. Navigate to System > Advanced in the WebGUI.
  2. Look for "Secure Shell" and activate "Enable Secure Shell".

https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

But I have a far simpler question: Is there a tutorial on what the steps are for pfSense? I don't know if I have to issue a cert in webroot, standalone or dns mode.

Thanks Thomas

Neilpang commented 8 years ago

@tgoetten

You have 2 options for now.

  1. If you don't mind, you can install bash first. Then you can use acme.sh as normal in bash.
  2. We have another branch, sh, which is sh portable: https://github.com/Neilpang/acme.sh/tree/sh. You can download the sh code and install from the source code.
tgoetten commented 8 years ago

Thanks @Neilpang.

My question is, after I installed acme.sh - bash or sh - how do I proceed to issue a cert?

Neilpang commented 8 years ago

```bash
cd ~/
cd .acme.sh
./acme.sh  --help
```