<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[ACME]]></title><description><![CDATA[Discussions about the ACME &#x2F; Let&#x27;s Encrypt package for pfSense]]></description><link>https://forum.netgate.com/category/72</link><generator>RSS for Node</generator><lastBuildDate>Sun, 12 Apr 2026 09:36:44 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/category/72.rss" rel="self" type="application/rss+xml"/><pubDate>Tue, 17 Feb 2026 13:51:59 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Do not manage to generate Certificate (using ^Webroot local folder^)]]></title><description><![CDATA[@louis2 said in Do not manage to generate Certificate (using ^Webroot local folder^):

put token at: /usr/local/www/.well-known/acme-challenge//&lt;token&gt;

Exact.
This :

https://forum.netgate.com/topic/90643/let-s-encypt-support/31?_gl=1nky1q2_gcl_auMTc4MjAwMjExMS4xNzY0Njc1Mzk3_gaNTE5MDMxNzA4LjE3NjQ2NzUzOTc._ga_TM99KBGXCB*czE3NzE0MTc4MTIkbzQ0JGcxJHQxNzcxNDE4NDIxJGoyNCRsMCRoMTIwNjE4Nzg

is that "token" file name - and it's content.
Generated by Letsencrypt, given by Letsencrypt to "acme.sh", which creates the token file here: /usr/local/www/.acme-challenge/TOKEN with the given content.
Then Letsencrypt accesses this file http://sftp.famvanbreda.nl/.well-known/acme-challenge/TOKEN which has to exist, and the content has to match.
This is, in short, the test where you prove you are the owner of "sftp.famvanbreda.nl" because only you (as the owner admin of the domain name) can make this work.
@louis2 said in Do not manage to generate Certificate (using ^Webroot local folder^):

haproxy

... adds another layer of complexity ^^
[image: 1771430516395-79afc7a3-4ddb-4254-9ed5-3a47d561c6fa-image.png]
doesn't seem correct to me.
That path is not valid.
acme.sh is a shell script, and has no notion of 'web root', so I really presume it has to be the real local filesystem path = /usr/local/www/.well-known-challenge/.
But take my words as a 'thought' because I never used the 'http' method.
]]></description><link>https://forum.netgate.com/topic/200176/do-not-manage-to-generate-certificate-using-webroot-local-folder</link><guid isPermaLink="true">https://forum.netgate.com/topic/200176/do-not-manage-to-generate-certificate-using-webroot-local-folder</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Tue, 17 Feb 2026 13:51:59 GMT</pubDate></item><item><title><![CDATA[ACME 1.1_1 RuntimeException: Couldn&#x27;t create directory]]></title><description><![CDATA[@jimp
Up to now I install the certificates on the (web/mail/sftp) server(s) themselves. However, since that is becoming more and more complex and certificate lifetimes are becoming shorter and shorter, I am seriously considering using LetsEncrypt certificates generated on pfSense.
And preferably without the help of additional systems. Note however that I am using HA-proxy.
So I am trying two routes:

completely on pfSense
on pfSense with the help of a dedicated webserver on a VM, handling all LetsEncrypt requests. Routed via HA-proxy based on
^path starts /.well-known/acme-challenge/^

For method 1) I implemented the ^acme-http01-webroot.lua^ option
I did not yet implement method 2)
Of course I do not want to expose the pfSense GUI to the internet. I changed the GUI port number and do not allow access to pfSense from the internet at all (at least I hope so).
Also have a look at my other thread 'Do not manage to generate Certificate (using ^Webroot local folder^)'
My intention is of course that the token is stored and read on pfSense itself without using the GUI webserver / the possibility to access the GUI.
]]></description><link>https://forum.netgate.com/topic/200175/acme-1.1_1-runtimeexception-couldn-t-create-directory</link><guid isPermaLink="true">https://forum.netgate.com/topic/200175/acme-1.1_1-runtimeexception-couldn-t-create-directory</guid><dc:creator><![CDATA[louis2]]></dc:creator><pubDate>Tue, 17 Feb 2026 12:57:36 GMT</pubDate></item><item><title><![CDATA[ACME v1.1_1 25.11.1 Release Cloudflare letsencrypt issue]]></title><description><![CDATA[@tinfoilmatt
Thanks.
With your

Selecting any 'sleep' time value will disable the local TXT query/'poll' completely.

I dived into acme.sh to understand what it was doing if DNS Sleep is set to zero.
If DNS Sleep is set to zero ... then there will be a 20 seconds delay.
After that, acme.sh does the checking itself.
See _check_dns_entries().
Here is the acme.sh DNS Check Wiki page.
acme.sh will use DOH** and picks DOH_CLOUDFLARE, DOH_GOOGLE, or DOH_ALI.
From here, it starts looping around up until the moment all DNS NS servers reproduce the same correct result = a TXT record with the correct name and correct content.
This DNS test run can last for 1200 seconds or 10 minutes max.
As soon as a total match is found : good TXT value and good TXT content, then the process continues : the actual certificate renewal.
Humm.
This is actually a smarter way of doing things 
** but: if you've blocked DOH with, for example, pfBlockerng, or blocked Google and/or Cloudflare DNS IPs, then you've reached the typical 'shoot in the foot' situation.
I do block all DOH with pfBlockerng, so that explains for me why:
[image: 1775630503531-5f5f3b1b-cb1d-433e-b1d1-607df0468a4c-image.png]
never worked for me.

The default behavior is to automatically poll public DNS servers for records until ACME finds them, rather than waiting a set amount of time.

The reality :

The default behavior is to automatically poll public DOH DNS servers for records until ACME finds them, rather than waiting a set amount of time.

Furthermore, the public DOH DNS servers, and ordinary DNS servers are known and listed. If pfBlocker blocks these, then DNS Sleep = 0 will probably fail.
Thanks, @tinfoilmatt , I now (better) understand what DNS Sleep '0' does.
edit
Further investigation : we can't set up our own DOH server to be used by acme.sh.
acme.sh has 4 built-in (hardcoded) DOH servers, and you have to pick one; if you don't, Cloudflare is used by default.
The "DNS Sleep" setting is "0" by default, and for good reasons it is exposed in the pfSense GUI.
Read for example this acme.sh 'issue', and everything is now clear.
I could activate DOH on my own DNS domain name servers, but that means I have to patch acme.sh. My own DOH wouldn't be blacklisted (DNSBL) by pfBlockerng ^^
I do understand why acme.sh defaults to using DOH: the challenge code, created by Letsencrypt and put in place at the DNS master domain name server by acme.sh, has to be protected 'at all costs'. After all, the one who possesses (intercepts) this challenge code could obtain a certificate for that (your) domain name. That would be a huge disaster.
]]></description><link>https://forum.netgate.com/topic/200159/acme-v1.1_1-25.11.1-release-cloudflare-letsencrypt-issue</link><guid isPermaLink="true">https://forum.netgate.com/topic/200159/acme-v1.1_1-25.11.1-release-cloudflare-letsencrypt-issue</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Sat, 14 Feb 2026 22:41:27 GMT</pubDate></item><item><title><![CDATA[Acme 1.1 on pfSense 2.81 - Issue&#x2F;Renew Cert fails to pickup URL for letsencypt.]]></title><description><![CDATA[Saw 1.1_1 and installed it.
Case closed 
]]></description><link>https://forum.netgate.com/topic/200036/acme-1.1-on-pfsense-2.81-issue-renew-cert-fails-to-pickup-url-for-letsencypt.</link><guid isPermaLink="true">https://forum.netgate.com/topic/200036/acme-1.1-on-pfsense-2.81-issue-renew-cert-fails-to-pickup-url-for-letsencypt.</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Thu, 29 Jan 2026 21:35:45 GMT</pubDate></item><item><title><![CDATA[When you have a new wild card certicate ....]]></title><description><![CDATA[<p dir="auto">... and you use this certificate for your pfSense, all that needs to be done is:</p>
<p dir="auto"><img src="/assets/uploads/files/1769686495038-72fcb999-bb33-417e-a5ba-bba624266f74-image.png" alt="72fcb999-bb33-417e-a5ba-bba624266f74-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">As I asked for a wildcard certificate, I could also use it for my other 'https' aware 'LAN' devices.</p>
<p dir="auto">I have a Synology disk station. A DS218j using DSM 7.2.2-72803. Wouldn't it be nice if I didn't have to export the certificate from the pfSense GUI, and import it into the Syno NAS every 60 days or so?</p>
<p dir="auto">Create a 'script' file on your pfSense and call it: /root/deploy-diskstation :<br />
(and don't forget to chmod +x /root/deploy-diskstation)</p>
<pre><code>#!/bin/sh
#
# Copy certificate files to temporary directory on Synology NAS:
scp -i /root/.ssh/diskstation2-openssh-private -O -P 22 /conf/acme/YOUR_WILDCARD_CERTIFICATE.crt root@diskstation2.YOUR_WILDCARD_CERTIFICATE:/usr/syno/etc/certificate/_archive/certs/YOUR_WILDCARD_CERTIFICATE/cert.pem
scp -i /root/.ssh/diskstation2-openssh-private -O -P 22 /conf/acme/YOUR_WILDCARD_CERTIFICATE.key root@diskstation2.YOUR_WILDCARD_CERTIFICATE:/usr/syno/etc/certificate/_archive/certs/YOUR_WILDCARD_CERTIFICATE/privkey.pem
scp -i /root/.ssh/diskstation2-openssh-private -O -P 22 /conf/acme/YOUR_WILDCARD_CERTIFICATE.fullchain root@diskstation2.YOUR_WILDCARD_CERTIFICATE:/usr/syno/etc/certificate/_archive/certs/YOUR_WILDCARD_CERTIFICATE/fullchain.pem
#
# Update certificate on Synology NAS remotely:
ssh -i /root/.ssh/diskstation2-openssh-private -p 22 root@diskstation2.YOUR_WILDCARD_CERTIFICATE "sudo /usr/syno/etc/certificate/_archive/update-cert.sh 'YOUR_WILDCARD_CERTIFICATE'"
#
# Delete temporary certificate files:
ssh -i /root/.ssh/diskstation2-openssh-private -p 22 root@diskstation2.YOUR_WILDCARD_CERTIFICATE "rm -rf /usr/syno/etc/certificate/_archive/certs/YOUR_WILDCARD_CERTIFICATE/*"
#
# Reboot Synology NAS:
## ssh -i /root/.ssh/diskstation2-openssh-private -p 22 root@diskstation2.YOUR_WILDCARD_CERTIFICATE "sudo reboot now"
# Restart the Synology nginx service so it picks up the new certificate:
ssh -i /root/.ssh/diskstation2-openssh-private -p 22 root@diskstation2.YOUR_WILDCARD_CERTIFICATE "/usr/syno/bin/synosystemctl restart nginx"
</code></pre>
<p dir="auto">As this script needs to be executed unattended, you have to create ssh certificates. The one used by pfSense should be placed here:</p>
<pre><code>/root/.ssh/diskstation2-openssh-private
</code></pre>
<p dir="auto">This means that pfSense can now root login into your Syno NAS .... just beware of this.</p>
<p dir="auto">This should drop you as root into your NAS :</p>
<pre><code>[25.11.1-RELEASE][root@pfSense.bhf.tld]/root: ssh -i /root/.ssh/diskstation2-openssh-private root@diskstation2.bhf.tld

Using terminal commands to modify system configs, execute external binary
files, add files, or install unauthorized third-party apps may lead to system
damages or unexpected behavior, or cause data loss. Make sure you are aware of
the consequences of each command and proceed at your own risk.

Warning: Data should only be stored in shared folders. Data stored elsewhere
may be deleted when the system is updated/restarted.

root@DiskStation2:~#
</code></pre>
<p dir="auto">Now, all that needs to be done is :</p>
<p dir="auto"><img src="/assets/uploads/files/1769687047104-d4d40cfb-3f4f-4974-8296-a0f4d944d84d-image.png" alt="d4d40cfb-3f4f-4974-8296-a0f4d944d84d-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">and from now on, when your acme.sh (for example: Letsencrypt) certificate renews, it will put it in place into your NAS.<br />
No more manual exports / imports.</p>
<hr />
<p dir="auto">Soon, I'll post a likewise procedure for your Unifi hardware Cloud Key:</p>
<p dir="auto"><img src="/assets/uploads/files/1769687186334-fc2f0164-71ee-4ca4-b8fe-ba3f71d81959-image.png" alt="fc2f0164-71ee-4ca4-b8fe-ba3f71d81959-image.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/topic/200027/when-you-have-a-new-wild-card-certicate-....</link><guid isPermaLink="true">https://forum.netgate.com/topic/200027/when-you-have-a-new-wild-card-certicate-....</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Thu, 29 Jan 2026 11:50:35 GMT</pubDate></item><item><title><![CDATA[ACME pkg v1.1_1]]></title><description><![CDATA[@zimnysbrain This thread is not for reporting issues, it's to announce the release and for awareness.
Every issue really belongs in its own thread so the discussions can be focused on single issues.
]]></description><link>https://forum.netgate.com/topic/200015/acme-pkg-v1.1_1</link><guid isPermaLink="true">https://forum.netgate.com/topic/200015/acme-pkg-v1.1_1</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Wed, 28 Jan 2026 15:21:43 GMT</pubDate></item><item><title><![CDATA[Pfsense error renew cert on duckdns]]></title><description><![CDATA[<p dir="auto">Hi everyone, I have been using duck dns for a dynamic IP and an ACME certificate for 2 years now. Today I can't renew the certificate. It reports this:</p>
<pre><code>[Fri Jan 23 20:50:18 CET 2026] fwgate.duckdns.org: Invalid status. 
Verification error details: While processing CAA for fwgate.duckdns.org: 
DNS problem: query timed out looking up CAA for fwgate.duckdns.org

</code></pre>
<p dir="auto">I think the problem is the usual DNS one, or not?<br />
<img src="/assets/uploads/files/1769198231370-23dfe380-4629-454e-93ef-9c1d7b0cd43b-screenshot-2026-01-23-alle-20.56.25-resized.png" alt="23dfe380-4629-454e-93ef-9c1d7b0cd43b-Screenshot 2026-01-23 alle 20.56.25.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">Screenshot 2026-01-23 alle 20.56.25</p>
]]></description><link>https://forum.netgate.com/topic/199974/pfsense-error-renew-cert-on-duckdns</link><guid isPermaLink="true">https://forum.netgate.com/topic/199974/pfsense-error-renew-cert-on-duckdns</guid><dc:creator><![CDATA[frankz]]></dc:creator><pubDate>Fri, 23 Jan 2026 19:57:16 GMT</pubDate></item><item><title><![CDATA[Acme Account Key interface shows 4-digit codes]]></title><description><![CDATA[At some point after that version there were changes made to Font Awesome which required adjustments to the format used to display icons like that. It's possible your system has a package that is using the new format which the base OS isn't compatible with. Updating to a current supported version would almost certainly fix it.
]]></description><link>https://forum.netgate.com/topic/199913/acme-account-key-interface-shows-4-digit-codes</link><guid isPermaLink="true">https://forum.netgate.com/topic/199913/acme-account-key-interface-shows-4-digit-codes</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Fri, 16 Jan 2026 14:24:28 GMT</pubDate></item><item><title><![CDATA[Hostup DNSAPI needed]]></title><description><![CDATA[https://forum.netgate.com/topic/200015/acme-pkg-v1.1
]]></description><link>https://forum.netgate.com/topic/199671/hostup-dnsapi-needed</link><guid isPermaLink="true">https://forum.netgate.com/topic/199671/hostup-dnsapi-needed</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Wed, 24 Dec 2025 20:01:43 GMT</pubDate></item><item><title><![CDATA[IPSec and upcoming Letsencrypt changes (introducing profiles)]]></title><description><![CDATA[<p dir="auto">Hi,<br />
please be gentle and pardon my ignorance.</p>
<p dir="auto">I am using Letsencrypt certificates in IPSec server configurations.<br />
In the light of <a href="https://letsencrypt.org/2025/05/14/ending-tls-client-authentication" target="_blank" rel="noopener noreferrer nofollow ugc">announced ongoing changes</a>, which introduce <a href="https://letsencrypt.org/docs/profiles/" target="_blank" rel="noopener noreferrer nofollow ugc">profiles</a> - should pfSense ACME package take this into consideration and offer a choice of profiles?<br />
Or nothing has to be done and nothing will break?</p>
<p dir="auto">I did read <a class="plugin-mentions-user plugin-mentions-a" href="/user/jimp">@<bdi>jimp</bdi></a>'s <a href="https://forum.netgate.com/post/1214622">post</a>, but it did not clarify for me if server should use certificate generated with <a href="https://letsencrypt.org/docs/profiles/#tlsserver" target="_blank" rel="noopener noreferrer nofollow ugc">tlsserver profile</a>.</p>
<p dir="auto">Thanks.</p>
]]></description><link>https://forum.netgate.com/topic/199592/ipsec-and-upcoming-letsencrypt-changes-introducing-profiles</link><guid isPermaLink="true">https://forum.netgate.com/topic/199592/ipsec-and-upcoming-letsencrypt-changes-introducing-profiles</guid><dc:creator><![CDATA[shpokas]]></dc:creator><pubDate>Tue, 16 Dec 2025 16:33:16 GMT</pubDate></item><item><title><![CDATA[ACME Server - Google Production no EAB Key ID or HMAC key]]></title><description><![CDATA[It's not really a bug, but a missing feature. The ACME package itself has no support for EAB registration, though some of the CAs now require it or offer it as an option.
https://redmine.pfsense.org/issues/16623
]]></description><link>https://forum.netgate.com/topic/199565/acme-server-google-production-no-eab-key-id-or-hmac-key</link><guid isPermaLink="true">https://forum.netgate.com/topic/199565/acme-server-google-production-no-eab-key-id-or-hmac-key</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Sat, 13 Dec 2025 21:05:23 GMT</pubDate></item><item><title><![CDATA[Restarting captive portals through Action List does not work as intended]]></title><description><![CDATA[Likely the same root issue as https://redmine.pfsense.org/issues/16030. Update to the latest pfSense version and it should work if so.
]]></description><link>https://forum.netgate.com/topic/199522/restarting-captive-portals-through-action-list-does-not-work-as-intended</link><guid isPermaLink="true">https://forum.netgate.com/topic/199522/restarting-captive-portals-through-action-list-does-not-work-as-intended</guid><dc:creator><![CDATA[marcosm]]></dc:creator><pubDate>Tue, 09 Dec 2025 12:22:10 GMT</pubDate></item><item><title><![CDATA[no-ip]]></title><description><![CDATA[@techpro2004
See here (2020 so yeah, old) : Acme Package with No-IP.
As said, this is probably old info now. Maybe no-ip is supported, but if you choose them, you have to support them: with your wallet (!). But check first if no-ip can be used with acme.sh.
If you want to have a registrar or DDNS supported, add requests here : the source : https://github.com/acmesh-official/acme.sh/pulls as pfSense pulls in the latest acme.sh from there.
]]></description><link>https://forum.netgate.com/topic/199512/no-ip</link><guid isPermaLink="true">https://forum.netgate.com/topic/199512/no-ip</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Sun, 07 Dec 2025 23:57:36 GMT</pubDate></item><item><title><![CDATA[Action list not executed after acme-webgui timeout]]></title><description><![CDATA[<p dir="auto">I am using the DNS-Update method<br />
I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed.<br />
How can I solve this ?</p>
<p dir="auto">Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui?<br />
Or maybe add an option to add post-hooks in the webUI ?</p>
]]></description><link>https://forum.netgate.com/topic/199175/action-list-not-executed-after-acme-webgui-timeout</link><guid isPermaLink="true">https://forum.netgate.com/topic/199175/action-list-not-executed-after-acme-webgui-timeout</guid><dc:creator><![CDATA[matthijs]]></dc:creator><pubDate>Fri, 31 Oct 2025 13:55:17 GMT</pubDate></item><item><title><![CDATA[BUG: ACME, Method &quot;Hetzner DNS&quot;]]></title><description><![CDATA[https://github.com/pfsense/FreeBSD-ports/commit/5ee0e4d0d57f67684563c485d1b5a6e9198fe9af
It's in the latest version of the ACME package, which should be up now for Plus 25.07.1 and CE 2.8.1, Plus 25.11 should be up shortly but there's some work that needs to be done on 25.11 package builds which should be resolved before long.
(Ignore the "1.1" bit in the commit message, it should be 1.0.3 for Plus 25.07.1 and CE 2.8.1, and 1.0.6 for Plus 25.11)
]]></description><link>https://forum.netgate.com/topic/199059/bug-acme-method-hetzner-dns</link><guid isPermaLink="true">https://forum.netgate.com/topic/199059/bug-acme-method-hetzner-dns</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Fri, 17 Oct 2025 10:46:33 GMT</pubDate></item><item><title><![CDATA[ACME renew cert fail after update from v24.11 to v25.07.01]]></title><description><![CDATA[Hi,
Please help to forward / report the bugs in ACME 1.0 package.
Thanks.
]]></description><link>https://forum.netgate.com/topic/198710/acme-renew-cert-fail-after-update-from-v24.11-to-v25.07.01</link><guid isPermaLink="true">https://forum.netgate.com/topic/198710/acme-renew-cert-fail-after-update-from-v24.11-to-v25.07.01</guid><dc:creator><![CDATA[alexleehkg]]></dc:creator><pubDate>Sun, 07 Sep 2025 12:27:59 GMT</pubDate></item><item><title><![CDATA[Let&#x27;s Encrypt Cert via ACME ask for oathtool (PFSende 2.8)]]></title><description><![CDATA[@Gertjan
well.....
finally I created a new user for inwx and just gave him the dns_management role only AND without 2FA.
So now all is fine, my PFSense has the LE Cert as it should be.
Thanks and kr
Mike
]]></description><link>https://forum.netgate.com/topic/198659/let-s-encrypt-cert-via-acme-ask-for-oathtool-pfsende-2.8</link><guid isPermaLink="true">https://forum.netgate.com/topic/198659/let-s-encrypt-cert-via-acme-ask-for-oathtool-pfsende-2.8</guid><dc:creator><![CDATA[gorkrul]]></dc:creator><pubDate>Mon, 01 Sep 2025 13:55:26 GMT</pubDate></item><item><title><![CDATA[How do I fix this expiring ACME Certificate?]]></title><description><![CDATA[Thanks @Popolou @Gertjan  for the reply.
TLDR;
I just want to confirm that this isn't a pfSense/ACME bug.  I'm just going to delete the deprecated cert and consider this matter closed unless this is a bug.
FULL REPLY:
Thanks @Popolou @Gertjan  for the reply.
Thanks for the info.  I now understand what is going on with these certificates which is a win.  I was expecting that pfSense would manage these certificates and clear out the ones that are no longer needed.  No big deal as long as I know I can safely delete them.
@Popolou said in How do I fix this expiring ACME Certificate?:

@guardian Just check to see which certificates have been issued with the now defunct/expiring CA and if it is zero (which is highly likely), then you can delete it. Any new cert renewals will still take place and the appropriate CA chain will be downloaded and installed if required. You may find you have R10 and R11 (or newer) installed through this route.

@Gertjan said in How do I fix this expiring ACME Certificate?:

@guardian said in How do I fix this expiring ACME Certificate?:

CN=R3

Euh, that one has been deprecated a long time ago.
Read :

Thanks.... I actually found this and read it.

@guardian said in How do I fix this expiring ACME Certificate?:

Is there a place I can download a new CA certificate?

Normally, you don't need to.
If your pfSense is recent enough, you have them already. Not under "System &gt; Certificates &gt; Authorities" but in the FreeBSD certificate storage folder, here: /usr/share/certs/trusted/

Thanks for this info.  It looks like the certs that I have in play have been downloaded, so I guess I will just delete the old cert and be done.
]]></description><link>https://forum.netgate.com/topic/198625/how-do-i-fix-this-expiring-acme-certificate</link><guid isPermaLink="true">https://forum.netgate.com/topic/198625/how-do-i-fix-this-expiring-acme-certificate</guid><dc:creator><![CDATA[guardian]]></dc:creator><pubDate>Thu, 28 Aug 2025 07:27:03 GMT</pubDate></item><item><title><![CDATA[updated package, php error when accessing certificates tab]]></title><description><![CDATA[@Gertjan oh. It's all working fine now. Once I did restore to previous, everything worked. I was able to request new certs via ACME and the OpenVPN service came up and I was able to navigate all the tabs. With my certs down (and just expired) it broke a lot of things. Lol.
]]></description><link>https://forum.netgate.com/topic/198624/updated-package-php-error-when-accessing-certificates-tab</link><guid isPermaLink="true">https://forum.netgate.com/topic/198624/updated-package-php-error-when-accessing-certificates-tab</guid><dc:creator><![CDATA[Burn3r]]></dc:creator><pubDate>Thu, 28 Aug 2025 04:59:45 GMT</pubDate></item><item><title><![CDATA[SSL Cert Failing]]></title><description><![CDATA[Problem solved.
Fat fingers at work!
]]></description><link>https://forum.netgate.com/topic/198616/ssl-cert-failing</link><guid isPermaLink="true">https://forum.netgate.com/topic/198616/ssl-cert-failing</guid><dc:creator><![CDATA[wlp94611]]></dc:creator><pubDate>Wed, 27 Aug 2025 15:33:02 GMT</pubDate></item><item><title><![CDATA[HEADS UP: Buypass is shutting down their ACME service]]></title><description><![CDATA[<p dir="auto">Buypass is shutting down their free ACME service: <a href="https://community.buypass.com/t/y4y130p" target="_blank" rel="noopener noreferrer nofollow ugc">https://community.buypass.com/t/y4y130p</a></p>
<p dir="auto">Not sure how many (if any) users may be getting their ACME certificates from Buypass, but it is supported in the package, so that number may be non-zero.</p>
<p dir="auto">If you are getting your certificates from Buypass, now is the time to switch to another CA.</p>
]]></description><link>https://forum.netgate.com/topic/198512/heads-up-buypass-is-shutting-down-their-acme-service</link><guid isPermaLink="true">https://forum.netgate.com/topic/198512/heads-up-buypass-is-shutting-down-their-acme-service</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Mon, 18 Aug 2025 12:16:56 GMT</pubDate></item><item><title><![CDATA[updating to acme 1.0 breaks system beyond repair: need to restore from backup]]></title><description><![CDATA[@raidflex said in updating to acme 1.0 breaks system beyond repair: need to restore from backup:

In fact after restoring from a backup after the ACME update, Crowdsec reinstalled just fine, and this was before the recent release a couple days ago that contained a fix.

Yeah, that may be, but if you install packages with dependencies on the console rather than the package manager, those may have (old) dependencies for specific versions. So if that crowdsec package has a dependency on an older pfSense base package or something like that and you install any other package (like Acme) which may collide with that, the package manager makes a decision to solve the conflict. Not always the most sane one - sure - but that's like any other distro out there. Manually installing packages on the console may always get you into dependency hell :)
Just saying, because now it was acme, next time it could easily be some other package triggering such an effect.
Cheers
]]></description><link>https://forum.netgate.com/topic/198475/updating-to-acme-1.0-breaks-system-beyond-repair-need-to-restore-from-backup</link><guid isPermaLink="true">https://forum.netgate.com/topic/198475/updating-to-acme-1.0-breaks-system-beyond-repair-need-to-restore-from-backup</guid><dc:creator><![CDATA[JeGr]]></dc:creator><pubDate>Wed, 13 Aug 2025 14:08:23 GMT</pubDate></item><item><title><![CDATA[ACME pkg v1.0]]></title><description><![CDATA[@jimp
Done.
I was on acme.sh 1.0 (25.07.1) and a downgrade was proposed.
Now, the issue is gone.
]]></description><link>https://forum.netgate.com/topic/198465/acme-pkg-v1.0</link><guid isPermaLink="true">https://forum.netgate.com/topic/198465/acme-pkg-v1.0</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Tue, 12 Aug 2025 17:06:36 GMT</pubDate></item><item><title><![CDATA[ZeroSSL - How to revoke&#x2F;remove existing certificates]]></title><description><![CDATA[@MacUsers
https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation
edit: oh, you're probably out of luck
You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.
the GUI in pfSense does not have the ability to revoke - you probably have to move the certs to something you have certbot installed on and revoke that way.
]]></description><link>https://forum.netgate.com/topic/198187/zerossl-how-to-revoke-remove-existing-certificates</link><guid isPermaLink="true">https://forum.netgate.com/topic/198187/zerossl-how-to-revoke-remove-existing-certificates</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Thu, 17 Jul 2025 20:47:05 GMT</pubDate></item><item><title><![CDATA[ACME Gandi.net renewal]]></title><description><![CDATA[Redmine Issue has been closed.
fixed - Gandi LiveDNS method in acme 1.0 has both PAT and API key fields.
tested on:
25.11-DEVELOPMENT (amd64)
built on Sat Aug 16 6:00:00 UTC 2025
FreeBSD 15.0-CURRENT

Edit: Just tested it and it works. Thank you guys!
]]></description><link>https://forum.netgate.com/topic/197922/acme-gandi-net-renewal</link><guid isPermaLink="true">https://forum.netgate.com/topic/197922/acme-gandi-net-renewal</guid><dc:creator><![CDATA[ITSGS_]]></dc:creator><pubDate>Sun, 22 Jun 2025 13:37:26 GMT</pubDate></item></channel></rss>