Cannot delete unused ACME Client issued cert after switching from Let's Encrypt Staging to Production #4401
Comments
I cannot reproduce this step. In my test the Staging certificate was just replaced with the Production certificate (as expected, because Acme Client keeps track of the Trust Storage IDs).
Unfortunately also not reproducible. Please try again and verify that all required steps are documented. It seems like there is something missing from the documented steps.
I think this is a permissions issue for new certificates requested via the acme client plugin. In /var/etc/acme-client/certs I found that the new acme certificates are stored with different permissions compared to the existing ones. The older certificate folders have drwxr-x---, but the new ones drwx------, and the keys inside: from -rwxr-x--- to -rw-------. So with those permissions I can't view or delete the new certificates in System -> Trust -> Certificates. Renewing the existing certificates with the right permissions isn't affected, just newly requested ones. Manually fixing the permissions in the :
for the new certificates to match the permissions of the older ones and rebooting the system fixed the issue for me, and I was able to view and delete those certificates in System -> Trust -> Certificates. Regards!
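An added audit script (not from the issue thread) that reports entries under the certs directory named in the comment above whose modes differ from the older drwxr-x--- / -rwxr-x--- layout the commenter describes; the path and expected modes are taken from that comment, and the maintainer's reply notes the trust store itself does not read this directory.

```shell
#!/bin/sh
# Added example, not part of the issue or the plugin: list certificate
# directories and the files inside them whose modes differ from the ones the
# comment reports for pre-existing certificates (dirs 750, keys 750).
# Assumption: one level of per-certificate directories, each holding key/cert files.

# audit_cert_perms DIR : prints one line per mismatch; prints nothing when clean.
audit_cert_perms() {
    dir=$1
    # Certificate directories: expected drwxr-x--- (750); new ones showed 700.
    for d in $(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -perm 750); do
        echo "dir  $d: expected 750"
    done
    # Files inside each directory: expected -rwxr-x--- (750); new keys showed 600.
    for f in $(find "$dir" -mindepth 2 -maxdepth 2 -type f ! -perm 750); do
        echo "file $f: expected 750"
    done
}

# Usage: sh audit.sh /var/etc/acme-client/certs
if [ $# -gt 0 ]; then
    audit_cert_perms "$1"
fi
```

Directory names under the certs tree are identifiers without spaces, so the plain `for` over `find` output is safe here.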
This assumption is wrong. The System Trust Storage will never access this directory. Instead it only works with the system configuration (config.xml), which is stored elsewhere.
I've just created a new certificate and it works perfectly fine; it was flawlessly imported to
I'm only saying that when I fixed those permissions, it fixed the certificate showing and deleting. And I wonder why these permissions are changed for the new certificates?
Yes, it's imported, but nothing happens when I press the (i) button -> Show certificate info. Also, when I mark it and press (Delete) nothing happens again and the certificate is not deleted.
Thanks, this is reproducible for me. I'll look into it.
Describe the bug
I'm getting a 200 `{"result": "not found"}` response when trying to delete an unused certificate that was created via the ACME Client. The certificate continues to exist in the Web GUI. This certificate was created with the ACME client configured to use the Let's Encrypt Staging server. After the cert was successfully issued, I edited the account under https://opnsense/ui/acmeclient/accounts to use the Let's Encrypt production CA instead and issued a new certificate. I then configured the Web GUI to use the production certificate.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The unused staging cert is deleted.
Describe alternatives you considered
Given the similarities between this bug and #1528, I'll bet that if I created a new account under the acme client instead of editing the existing one, I would be able to delete the staging cert.
Screenshots
Relevant log files
I checked the log files and don't see any new log entries after attempting to delete the cert, even at the debug level.
Additional context
I'm not sure whether the root issue is in the trust store or the ACME client. If it turns out to be a bug in the certificate trust store I can move this issue to the core repo.
Environment
OPNsense 24.7.10_2-amd64