j-c-m / ubnt-letsencrypt

Let's Encrypt setup instructions for Ubiquiti EdgeRouter
472 stars 68 forks

Error when initializing new certificate #1

Closed kenperkins closed 7 years ago

kenperkins commented 7 years ago
[Fri Mar 17 08:16:56 PDT 2017] The nc doesn't support '-4', '-6' or local-address, please install 'netcat-openbsd' and try again.
[Fri Mar 17 08:16:56 PDT 2017] See https://github.com/Neilpang/acme.sh/wiki/Install-preparations

My certificate initialization fails further down but I think that's because my firewall rules are blocking, but I don't know if this nc issue is related.

j-c-m commented 7 years ago

The nc included in the base image does not support those options. However, once everything else is configured it seems to not require use of those options.

I noticed I missed this from the instructions, but is subdomain.example.com resolving to the public IP address of your router?

kenperkins commented 7 years ago

Yes, I've got my WAN IP properly mapped to a dns name.

I was wondering about the config for the WebUI, from the readme:

Does not ever expose the admin GUI to the internet

set service gui listen-address 192.168.1.1

How can the LE process work when the webUI is not exposed publicly?

j-c-m commented 7 years ago

Acme.sh runs the most minimalist of web servers using netcat (nc) to respond to the challenge directly. The configuration of the gui listen-address is to get out of the way of this; it seems the most common default of an EdgeRouter configuration is to have the gui listen on all addresses, firewalled on all but LAN.

kenperkins commented 7 years ago

OK. So you're spinning up a transient server through acme as opposed to adding a route in the existing EdgeRouter lighttpd config. Got it. So then the question is how to enable that traffic through my firewall. Let me do some testing.

kenperkins commented 7 years ago

I've put these two rules on my WAN-LOCAL firewall rule set:

        rule 15 {
            action accept
            description "Allow LetsEncrypt Traffic TCP 443"
            destination {
                port 443
            }
            log disable
            protocol tcp
        }
        rule 16 {
            action accept
            description "Allow LetsEncrypt Traffic TCP 80"
            destination {
                port 80
            }
            log disable
            protocol tcp
        }

...

    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN-IN
            }
            local {
                name WAN-LOCAL
            }
        }
        speed auto
    }

Just getting router.mydomain.com: Verify error:Could not connect to router.mydomain.com

kenperkins commented 7 years ago

I'm guessing there's some interaction that is blocking the acme service from receiving requests but I don't know how to test/debug it.

kenperkins commented 7 years ago

Commenting out the return statement when checking for the -4 option in acme.sh did indeed unblock me.

j-c-m commented 7 years ago

Glad to hear you got it working. Others have had issues with netcat like this that I haven't been able to reproduce, I think I am going to alter the script to not rely on netcat. Plan to spin up a bespoke instance of lighttpd and use webroot.

kenperkins commented 7 years ago

I didn't realize you were manually allowing http through iptables directly in your wrapper, so that was a bit of a red herring.

j-c-m commented 7 years ago

Yep, a quick temporary rule. In any case I've updated renew.acme.sh (e6cd9d6ccc10029511d5331cf16f409365f351e5) to use webroot behind a temporary lighttpd webserver. This should be more robust than relying on netcat.
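The approach the thread converges on (a temporary iptables accept for TCP/80 on the WAN interface, a throwaway lighttpd serving a webroot, acme.sh in webroot mode instead of its netcat standalone mode) can be sketched as the following wrapper. This is an added example written for this page, not the renew.acme.sh script from the ubnt-letsencrypt repository; the hostname `router.example.com`, the acme.sh install path `/config/.acme.sh/acme.sh`, the `/tmp` paths and the lighttpd config contents are assumptions, and `eth0` is taken from the interface config posted above. The point it shows that the discussion only implies is the cleanup: the firewall hole and the web server go away on every exit path, including a failed challenge, so a renewal that errors out does not leave port 80 open on the router.

```shell
#!/bin/sh
# Added example, not code from ubnt-letsencrypt: run an HTTP-01 issuance in
# webroot mode behind a throwaway lighttpd, opening TCP/80 on the WAN
# interface only while the challenge runs and closing it on any exit.
# Assumed/placeholder values: DOMAIN, ACME_SH path, the /tmp paths.
# WAN_IF defaults to eth0 as in the interface config posted in the thread.

DOMAIN="${DOMAIN:-router.example.com}"            # placeholder hostname
ACME_SH="${ACME_SH:-/config/.acme.sh/acme.sh}"    # assumed install path
WAN_IF="${WAN_IF:-eth0}"                          # WAN interface from the thread
WEBROOT="${WEBROOT:-/tmp/le-webroot}"             # assumed scratch webroot
LIGHTTPD_CONF="${LIGHTTPD_CONF:-/tmp/le-lighttpd.conf}"
LIGHTTPD_PID=""

# One source of truth for the temporary firewall rule, so the -D at cleanup
# matches exactly what -I inserted (a mismatched -D fails silently and would
# leave port 80 open after the script exits).
http_rule_spec() {
    printf 'INPUT -i %s -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT' "$1"
}

# Word splitting of the spec into iptables arguments is intentional here.
open_http()  { iptables -I $(http_rule_spec "$WAN_IF"); }
close_http() { iptables -D $(http_rule_spec "$WAN_IF") 2>/dev/null || true; }

# Minimal lighttpd config (assumed, not the project's): bind port 80, serve
# only the ACME challenge path, deny everything else, no directory listing.
# Arguments: config path, document root. Prints the config path it wrote.
write_lighttpd_conf() {
    cat > "$1" <<EOF
server.document-root = "$2"
server.port = 80
server.pid-file = "/tmp/le-lighttpd.pid"
server.modules = ( "mod_access" )
dir-listing.activate = "disable"
\$HTTP["url"] !~ "^/.well-known/acme-challenge/" {
    url.access-deny = ( "" )
}
EOF
    printf '%s' "$1"
}

start_lighttpd() {
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    write_lighttpd_conf "$LIGHTTPD_CONF" "$WEBROOT" >/dev/null
    lighttpd -D -f "$LIGHTTPD_CONF" &      # -D: stay in foreground so we own the PID
    LIGHTTPD_PID=$!
}

stop_lighttpd() {
    if [ -n "$LIGHTTPD_PID" ]; then
        kill "$LIGHTTPD_PID" 2>/dev/null || true
    fi
    rm -rf "$WEBROOT" "$LIGHTTPD_CONF"
}

# Runs on normal exit, on acme.sh failure, and on Ctrl-C/TERM alike.
cleanup() {
    close_http
    stop_lighttpd
}

main() {
    trap cleanup EXIT INT TERM
    open_http
    start_lighttpd
    sleep 1                                # let lighttpd bind before the CA connects
    "$ACME_SH" --issue -d "$DOMAIN" -w "$WEBROOT"
}

# Only act when explicitly asked, so the functions can be sourced and inspected.
case "${1:-}" in
    run) main ;;
esac
```

Invoke it as `sh le-renew.sh run` (script name assumed) from the router; because `close_http` deletes the exact rule spec that `open_http` inserted, a successful `iptables -L INPUT -n` after the run should show no remaining port 80 accept on the WAN interface, which is the check worth making after the first renewal.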