opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/acme-client: "Domain name contains an invalid character" on previously working (and unchanged) certificates configuration #4042

Open theoisadoor opened 2 weeks ago

theoisadoor commented 2 weeks ago

I acknowledge the following:

Describe the bug

Existing configuration for acme-client has been working absolutely fine, but I noticed that my Proxmox certificate had expired and not auto renewed. I checked the automation and that is working fine (credentials correct, pushing certificate to host), but when I checked the certificates it showed "validation failed" under 'Last ACME Status'. No credentials have been rolled in Cloudflare dashboard, API access is still valid. Upon checking logs the following is displayed:

2024-06-14T00:08:50 | acme.sh | [Fri Jun 14 00:08:50 BST 2024] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail":  "Invalid identifiers requested :: Cannot issue for  \"HL1-MGT-{REDACTED}.{REDACTED}.xyz\": Domain name contains an invalid character",
"status": 400
}

I notice in those logs that there is a \ after the domain within the quotations, this may be the cause. There has not been an issue before ordering and auto-replacing these certificates, and there is no mistyping in the configuration to have a \ in the domain name, so I believe this is being created somewhere and therefore preventing renewal. Any certificates attempted after 14/05/2024 have failed, and this aligns with opnsense v24.1.7 which was released 16/05/2024, which updated os-acme-client from 4.2 > 4.3, so this may have been introduced in os-acme-client 4.3.

OPNsense 24.1.8-amd64 FreeBSD 13.2-RELEASE-p11 OpenSSL 3.0.13 Intel(R) Core(TM) i7-6700T Chelsio T520-CR

theoisadoor commented 1 week ago

Looks like it may not be the os-acme-client plugin that is causing the issue, as renewals were still happening perfectly fine post upgrade on the 18/05/2024, which means there were 2 successful renewals after that point. However, something is definitely amiss between 24/05/2024 & 14/06/2024 that is causing the issue as above. To reiterate, there has been no configuration change related to acme. Unfortunately I do not have configuration backups (System>Configuration>Backups) which span that far back to see if there is anything else that has changed between those two points. This has now been updated to help with issue diagnosis in future.

theoisadoor commented 1 week ago

As can be seen above, the command being run does not include that \ character that it complains about being otherwise present. I have redacted sections of the hostname but these are just alphanumerical, .xyz has been kept to show that \ is not (should not be) being passed as part of my own configuration, which is shown below.

fraenki commented 2 days ago

Unfortunately, I cannot reproduce this. I've checked multiple OPNsense boxes and ACME is still working fine.

I notice in those logs that there is a \ after the domain within the quotations, this may be the cause.

I don't think this is something to worry about. This seems to be normal for ACME API replies. I've checked my logs and found that the ACME API seems to quote (and escape) values in replies:

  "type": "urn:ietf:params:acme:error:orderNotReady",
  "detail": "Order's status (\"pending\") is not acceptable for finalization",
  "status": 403

You may want to double-check the ACME config file... try to find it by using grep:

root@opnsense: # grep -R CERT_NAME /var/etc/acme-client/cert-home/

And then check if there are any special characters in this config file. Pretty unlikely, though... (Please do not modify this file, this will cause issues in the long run.)
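An added example (not from the thread or the os-acme-client plugin) that shows both points made above: the \" in the log is JSON escaping that disappears once the ACME problem document is decoded, and the identifier itself can then be checked for characters outside the letter/digit/hyphen/dot set that the CA allows. The log line and the host name in it are constructed placeholders.

```python
import json
import re

# Constructed sample: an acme.sh log line of the shape quoted in the issue, with the
# JSON problem document the CA returned appended. The host name is a placeholder.
SAMPLE_LOG_LINE = (
    '2024-06-14T00:08:50 | acme.sh | [Fri Jun 14 00:08:50 BST 2024] '
    'Create new order error. Le_OrderFinalize not found. '
    '{"type": "urn:ietf:params:acme:error:rejectedIdentifier", '
    '"detail": "Invalid identifiers requested :: Cannot issue for '
    '\\"HL1-MGT-example.example.xyz\\": Domain name contains an invalid character", '
    '"status": 400}'
)

# One DNS label: letters, digits and hyphen, no leading or trailing hyphen (RFC 1123 style).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_acme_error(log_line):
    """Decode the ACME problem document embedded in an acme.sh log line; None if absent."""
    start = log_line.find("{")
    if start == -1:
        return None
    return json.loads(log_line[start:])


def identifiers_in_detail(detail):
    """Quoted identifiers in the decoded 'detail' text (the \\" escapes are gone by now)."""
    return re.findall(r'"([^"]*)"', detail)


def invalid_characters(hostname):
    """Characters in the host name outside the ASCII letter/digit/hyphen/dot set."""
    return sorted({c for c in hostname if not (c.isascii() and (c.isalnum() or c in "-."))})


def hostname_is_valid(hostname):
    """True when every label of the host name matches LABEL_RE."""
    labels = hostname.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


if __name__ == "__main__":
    problem = parse_acme_error(SAMPLE_LOG_LINE)
    for ident in identifiers_in_detail(problem["detail"]):
        verdict = "valid" if hostname_is_valid(ident) else invalid_characters(ident)
        print(ident, verdict)
```

Running the same check over the names in the plugin's generated config (the file the grep above locates) tells you whether a stray character was actually submitted, without editing that file.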