This morning, while creating a new Let’s Encrypt certificate using the Automated Certificate Management Environment (ACME) package in pfSense, I encountered the following error:
Could not get nonce, let’s try again.
Actually, I encountered 20 of these errors:

Figure 1: Errors creating ACME (Let’s Encrypt) certificate
While investigating the issue, I stepped through the shell script that is executed when you click the Renew button for a certificate – starting with running the following command (in an SSH session on the firewall):
curl https://acme-v02.api.letsencrypt.org/directory -L --silent \
--dump-header /tmp/acme/k8s-01.corp.technologytoolbox.com/http.header
This produced the following:
[Mon May 10 11:26:47 MDT 2021] response='{
"type": "urn:acme:error:serverInternal",
"detail": "The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details."
}'
Sure enough, when I checked the Let’s Encrypt status page, I noticed the API was down for planned maintenance – which was also reflected in their Twitter account:
Our apologies for trouble this extended maintenance may be causing. We're revising the completion time out to 18:30 UTC out of an abundance of caution. https://t.co/jWLjqvZ7V4
— Let's Encrypt Ops (@letsencrypt_ops) May 10, 2021
If you are using Let’s Encrypt certificates, I recommend following that Twitter account – or at least checking the status page whenever you encounter an error issuing or renewing certificates. Apparently the shell script used by pfSense is somewhat lacking when it comes to handling planned maintenance on the API.
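The check described above can be run as a preflight before issuing or renewing: fetch the ACME directory and tell a server-side outage apart from a healthy API or an unrelated failure. This is an added example, not code from the pfSense ACME package; the function names, the exit code convention and the sample directory URLs are assumptions made for illustration.

```shell
# Added example: classify the body returned by the ACME directory URL.
# Constructed sample: the problem document quoted in the post.
SAMPLE_MAINTENANCE='{
  "type": "urn:acme:error:serverInternal",
  "detail": "The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details."
}'
# Constructed sample: abbreviated healthy directory (RFC 8555 field names, made-up URLs).
SAMPLE_DIRECTORY='{
  "newNonce": "https://acme.example/acme/new-nonce",
  "newOrder": "https://acme.example/acme/new-order"
}'

# Print the string value of a top-level JSON key (flat documents only, no jq needed).
json_field() {
    printf '%s\n' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Prints one of: ok | server_error | unexpected
classify_acme_directory() {
    body=$1
    if [ -n "$(json_field "$body" newNonce)" ]; then
        echo ok
        return 0
    fi
    case "$(json_field "$body" type)" in
        # Matches both urn:acme:error:... and urn:ietf:params:acme:error:...
        *:error:serverInternal) echo server_error ;;
        *) echo unexpected ;;
    esac
}

# Hypothetical wrapper: fetch the directory and decide whether to proceed.
# Returns 0 to proceed, 75 (EX_TEMPFAIL) to retry later, 1 for anything else.
acme_preflight() {
    url=${1:-https://acme-v02.api.letsencrypt.org/directory}
    body=$(curl -L --silent --max-time 15 "$url") || return 1
    case "$(classify_acme_directory "$body")" in
        ok) return 0 ;;
        server_error)
            echo "ACME API unavailable: $(json_field "$body" detail)" >&2
            return 75 ;;
        *) return 1 ;;
    esac
}
```

A scheduled renewal job can call `acme_preflight` and postpone the renewal when it returns 75, instead of retrying the nonce request 20 times.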