Hi, Please help to forward / report the bugs in ACME 1.0 package. Thanks.

@Gertjan well..... finally i created a new user for inwx and just gave him dns_management role only AND without 2FA. So now all is fine, my PFSense has the LE Cert as it should be. Thanks and kr Mike

Hello, I am also trying to use DNS-NSupdate / RFC 2136 with dynv6.com. I have used all the information in this and the other related thread, but acme.sh blocks when trying to read the key from the disk. The logs show that the key file is expected in /tmp/acme/home-mydomain-tld-test-dynv6/home.mydomain.tldnsupdatealias-mydomain-tld.dynv6.net.key but is actually in /tmp/acme/home-mydomain-tld-test-dynv6/home.mydomain.tldnsupdate_acme-challenge.alias-mydomain-tld.dynv6.net.key Did I mess up the parameters or is there a bug in the call to acme.sh? Thanks for your help, Atanis

Problem solved. Fat fingers at work!

Thanks @Popolou @Gertjan for the reply. TLDR; I just want to confirm that this isn't a pfSense/ACME bug. I'm just going to delete the deprecated cert and consider this matter closed unless this is a bug. FULL REPLY: Thanks @Popolou @Gertjan for the reply. Thanks for the info. I now understand what is going on with these certificates which is a win. I was expecting that pfSense would manage these certificates and clear out the ones that are no longer needed. No big deal as long as I know I can safely delete them. @Popolou said in How do I fix this expiring ACME Certificate?: @guardian Just check to see which certificates have been issued with the now defunct/expiring CA and if it is zero (which is highly likely), then you can delete it. Any new cert renewals will still take place and the appropriate CA chain will be downloaded and installed if required. You may find you have R10 and R11 (or newer) installed through this route. @Gertjan said in How do I fix this expiring ACME Certificate?: @guardian said in How do I fix this expiring ACME Certificate?: CN=R3 Euh, that one has been depreciated long time ago. Read : Thanks.... I actually found this and read it. @guardian said in How do I fix this expiring ACME Certificate?: Is there a place I can download a new CA certificate? Normally, you don't need to. If your pfSense is recent enough, you has them already. Not under "System > Certificates > Authorities" but in the FreeBSD Certificate storage folder, here /usr/share/certs/trusted/ Thanks for this info. It looks like the certs that I have in play have been downloaded, so I guess I will just delete the old cert and be done.

@Gertjan oh. It's all working fine now. Once I did restore to previous, everything worked. I was able to request new certs via ACME and the OpenVPN service came up and I was able to navigate all the tabs. With my certs down (and just expired) it broke a lot of things. Lol.

@raidflex said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: In fact after restoring from a backup after the ACME update, Crowdsec reinstalled just fine, and this was before the recent release a couple days ago that contained a fix. Yeah, that may be, but if you install packages with dependencies on the console rather then the package manager, those may have (old) dependencies for specific versions. So if that crowdsec package has a dependency on an older pfsense base package or something like that and you install any other package (like Acme) which may collide with that, the package manager makes a decision to solve the conflict. Not always the most sane one - sure - but that's like any other distro out there. Manually installing packages on the console always may get you into dependency hell :) Just saying, because now it was acme, next time it could easily be some other package triggering such an effect. Cheers

Redmine Issue has been closed. fixed - Gandi LiveDNS method in acme 1.0 has both PAT and API key fields. tested on: 25.11-DEVELOPMENT (amd64) built on Sat Aug 16 6:00:00 UTC 2025 FreeBSD 15.0-CURRENT Edit: Just tested it and it works. Thank you guys!

@EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

@MacUsers https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation edit: oh you prob out of luck You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates. the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

@jimp I know it's a nn ols thread but very similar to what I'm trying to find out, so piggy backing.......... I understabd it will expire in 90 days, but what if I really need to revoke the cert? This is one of the issue with ZeroSSL free offering, which only gives you four certifictes and until one os revoked, it wil use of one of the number from the quota - any idea how to actually revoke an external ACME certificate? 5yrs. later, I sill don't see any option to do that -S

@luxor84 Why editing the pork_burn.sh file ? You started with a more clean solution : a patch. Why not including a patch for pork burn file ?

@SteveITS Feature request created: https://redmine.pfsense.org/issues/16150

I ended up signing up for duckdns and users still use my old no-ip.com ddns. apparently lets encrypt certs work on multiple domains

Thanks for the insight, that resolved the issue

@Gertjan Yes it is but the GUI still laggs so at least now I know I can use the cert without waiting for GUI to update.