@pwallace, thanks, I just opened a support ticket and I have messaged you with the case number. Thanks for following up for me. ... View more

Below is the link to the bug I encountered.   https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44238/?l=en_US&fs=RelatedArticle ... View more

@pwallace When will LetsEncrypt feature be built into Pulse Secure vTM. This would benefit a lot of vTM customers. ... View more

@metaschemer perhaps /usr/local/zeus/zxtm/log/errors might help. Assuming you used the default path during the install. If I recall correctly, that log will show you the command the load balancer runs when the trigger occurs. I would suggest you use that command and run it on the command line to troubleshoot   Its been a while but I believe when it triggers, it doesn't run ./letsencryptforvtm.sh --issue c_www.domain.com_rsa  The load balancer uses a different command during renewal. Hope this helps. ... View more

@Alan.Braggins That implementation worked. Thanks for pointing me to that resource. ... View more

@Alan.Braggins, so the rate limit for the domain that I was trying to request ssl cert for reset over the weekend so was able to finally renew the certs but was getting this error in the logs: Failed to update SSL Certificate for 'c_domain.com_rsa': Certificate/private key pre-check failed: private key and certificate are not a pair [different 'n'] and A certificate called 'c_domain.com_rsa' already exists so I renamed the cert name in vTM and as soon as I did that, the renewal certs appeared in the vTM catalog. Would you by any chance know why it wasn't able to update the cert untill I went in to manually rename the cert in the vTM for the new cert to show up?    Also, --home=${ACMEHOME} or --config-home=${ACMEHOME} would doesn't work (it gives you Unknown parameter : --config-home=/path/to/certs/directory) as it will give you errors when the alert it triggered. Instead this is what it's supposed to be --home ${ACMEHOME} or --config-home ${ACMEHOME} with no equal sign ... View more

@Alan.Braggins, its a software install and I believe it was installed as root. I am running vTM 17.4 and acme.sh version v2.7.4   I did figureout what the problem was and the fix I implemented was similar to adding ""--home=${ACMEHOME}". Our vTM is running in a cluster so when i configured our setup, I used a shared storage for the vTM. When I initially set it up and requested the ssl cert, it did use the parameter that I set for ACMEHOME but when its time to renew and the vTM alert triggers, acme.sh doesn't use the parameter that is set for ACMEHOME but instead it creates a directory called (/.acme.sh locally on the vTM) and installs the certs there. With this happening and since the alert triggers on all the cluster vTMs they all create the /.acme.sh locally with thier own private keys and when its done requesting the certs, all the cluster then tries to upload thier own version of private and public keys so there is a conflict during the ssl cert update which gives you an error message saying the cert and private key is not a match. Obviously, if the vTM is not in a cluster, then it would work great.   Below is what I implemented to kinda fix it (unfortunately, when I figured out this was what was happening, it was already too late and I had already hit the rate limit for duplicate certs.)   I added a new parameter in letsencryptforvtm.sh called ACME_CONFIG="--config-home '"/root/.acme.sh/" and then also added it to $ACMEHOME/acme.sh $TEST $ACME_CONFIG $ACMEOPTIONS $ACMEACTION -d ${CERTFILE} $ACMEKEY after that, I manually run the trigger and that seemed to have gone through all the vlaidation process successfully but again, I couldn't get a new cert because I had already hit the rate limit. Should i submit a pull request for these changes?    Note: in order to see what is going on when the alert is triggered, you would have to set the alert mapping to verbose to get the full log entries in zxtm/logs/errors. If you don't set it to verbose, all you will see in the logs would be an alert about the certificates expiring. ... View more

So, two of my letsencrypt certs are due for renewal on Feb 1 but the alert trigger doesn't seem to be doing anything. When I look at the zxtm/logs/errors, i just see messages about the certs expiring. These messages repeat every hour. Why isn't the alert script for letsencrypt triggering to auto renew the certs? Update: So I set the logging to verbose and from that, I have been able to determine that the renewal is been processed successfully and the cert files are been generated with no issues but its not automatically uploading the cert into vtm after its been renewed.    @ubabiak did you end up figuring out why it wasn't working for you? I have checked the persmission of the .acme directory and both the user and owner have write permissions.   @bastos Any luck figuring out a solution for your situation without having to manually run it on the command line?   @PaulWallace @Alan.Braggins @Baptiste Assmann any thoughts on these issues? Are any Pulsers monitoring this support forum trend to providing help to customers with these issues? Any assistance with these issues would be greatly appreciated. ... View more

Is there a reason why a pool listening on 127.0.0.1:88 needs to be created? and the below rule is used to route the traffic $path = http.getPath(); if( string.containsI( $path, "acme-challenge" ) ) { pool.use("p_letsencrypt"); } I know the the acme standalone uses port 88. When I don't have the rule above or pool in place, everything still works. I want to make sure I fully understand the process. If someone can share some light on this, that would be much appreciated ... View more

@Alan.Braggins, Thanks for your response. If i understand you correctly, you can't have one cert with multiple alternate domain names in that one cert file? I want to make sure I am not missing anything. When I say multiple domain names, I don't mean different domain certs. ... View more

 So for the letsencryptforvtm script, I am trying to make it take domains that have alternate names (example: domain.com and www.domain.com). I have tried changing CERTNAME="${2}" to CERTNAME="[email protected]" and CERTNAME=$(echo "${2}" | sed -n "s/.*'\([^']\+\)'.*/\1/p") to CERTNAME=$(echo "[email protected]" | sed -n "s/.*'\([^']\+\)'.*/\1/p") but it keeps getting stuck at echo "error: wrong CERTTYPE". I am running it like this:  ./letsencryptforvtm.sh --issue c_domain.com_rsa c_www.domain.com_rsa  What I'm i doing wrong? I want to be able to request an ssl cert for a domain that has multiple aliases.  ... View more

@ubabiak, what permissions was sufficient that worked for you? I am also waiting for the automatic renewal to trigger so it would be nice to fix this before that time comes. Also, once the persmisson is changed, does it need to be reinstalled? ... View more

@Baptiste Assmann, If I wanted to generate a cert for a domain that had an alias (example: example.com and alias www.example.com), how would I accomplish this using your script for letsencrypt ? ... View more

Regarding my previous comment on the error about "Broken installation: missing components". I figured out what was causing it. I forgot to delete the brocade VTM installer after I installed VTM so the find command in the script to locate zcli was finding both the zcli from the installer and the zcli tool on the system and couldn't figureout which zcli tool to use. After I deleted the VTM installer, the error went away. ... View more

Regarding my previous comment on the error about "Broken installation: missing components". I figured out what was causing it. I forgot to delete the brocade VTM installer after I installed VTM so the find command in the script to locate zcli was finding both the zcli from the installer and the zcli tool on the system and couldn't figureout which zcli tool to use. After I deleted the VTM installer, the error went away. ... View more

@PaulWallace, when I run the script "./letsencryptforvtm.sh --issue c_example.com_rsa" Its able to request for the cert and everything is successful but I am getting the errors below: Broken installation: missing components. Broken installation: missing components.   As a result, the cert is not uploading into the VTM catalog. What I'm I missing? I am running VTM version 17.3 ... View more

@Baptiste Assmann, when I run the script "./letsencryptforvtm.sh --issue c_example.com_rsa" Its able to request for the cert and everything is successful but I am getting the errors below: Broken installation: missing components. Broken installation: missing components. As a result the cert is not uploading in the VTM catalog. What I'm I missing? ... View more

@lbasp assuming you are running ubuntu, you can install socat by using command: "sudo apt-get update && sudo apt-get install socat" ... View more

If I wanted to generate a cert for a domain that had an alias (example: example.com and alias www.example.com), how would I accomplish this?  ... View more