Saw 1.1_1 and installed it. Case closed

https://forum.netgate.com/topic/200015/acme-pkg-v1.1

At some point after that version there were changes made to Font Awesome which required adjustments to the format used to display icons like that. It's possible your system has a package that is using the new format which the base OS isn't compatible with. Updating to a current supported version would almost certainly fix it.

It's not really a bug, but a missing feature. The ACME package itself has no support for EAB registration, though some of the CAs now require it or offer it as an option. https://redmine.pfsense.org/issues/16623

Likely the same root issue as https://redmine.pfsense.org/issues/16030. Update to the latest pfSense version and it should work if so.

https://github.com/pfsense/FreeBSD-ports/commit/5ee0e4d0d57f67684563c485d1b5a6e9198fe9af It's in the latest version of the ACME package, which should be up now for Plus 25.07.1 and CE 2.8.1, Plus 25.11 should be up shortly but there's some work that needs to be done on 25.11 package builds which should be resolved before long. (Ignore the "1.1" bit in the commit message, it should be 1.0.3 for Plus 25.07.1 and CE 2.8.1, and1.0.6 for Plus 25.11)

@techpro2004 See here (2020 so yeah, old) : Acme Package with No-IP. As said, this is probably old info now. maybe no-ip is supported, but if you chose them, you have to support them : with your wallet (!) but check first if no-ip can be used with acme.sh. If you want to have a registrar or DDNS supported, add requests here : the source : https://github.com/acmesh-official/acme.sh/pulls as pfSense pulls in the latest acme.sh from there.

@agitelzon I have no issue connecting to LE servers from pf shell. The issue is cloudflare security setting is configured as a whitelist for api zone record changes. The whitelist includes my ipv4 address only, as a /32. As I mentioned, I could add the ipv6 prefix as a /64. Given that pf is configured to prefer ipv4, I thought that would carry over to acme as well.

@acaronmd Updating tends to solve issues. A more recent pfSense version gives you also a newer acme version.

Hi, Please help to forward / report the bugs in ACME 1.0 package. Thanks.

@Gertjan well..... finally i created a new user for inwx and just gave him dns_management role only AND without 2FA. So now all is fine, my PFSense has the LE Cert as it should be. Thanks and kr Mike

Hello, I am also trying to use DNS-NSupdate / RFC 2136 with dynv6.com. I have used all the information in this and the other related thread, but acme.sh blocks when trying to read the key from the disk. The logs show that the key file is expected in /tmp/acme/home-mydomain-tld-test-dynv6/home.mydomain.tldnsupdatealias-mydomain-tld.dynv6.net.key but is actually in /tmp/acme/home-mydomain-tld-test-dynv6/home.mydomain.tldnsupdate_acme-challenge.alias-mydomain-tld.dynv6.net.key Did I mess up the parameters or is there a bug in the call to acme.sh? Thanks for your help, Atanis

Problem solved. Fat fingers at work!

Thanks @Popolou @Gertjan for the reply. TLDR; I just want to confirm that this isn't a pfSense/ACME bug. I'm just going to delete the deprecated cert and consider this matter closed unless this is a bug. FULL REPLY: Thanks @Popolou @Gertjan for the reply. Thanks for the info. I now understand what is going on with these certificates which is a win. I was expecting that pfSense would manage these certificates and clear out the ones that are no longer needed. No big deal as long as I know I can safely delete them. @Popolou said in How do I fix this expiring ACME Certificate?: @guardian Just check to see which certificates have been issued with the now defunct/expiring CA and if it is zero (which is highly likely), then you can delete it. Any new cert renewals will still take place and the appropriate CA chain will be downloaded and installed if required. You may find you have R10 and R11 (or newer) installed through this route. @Gertjan said in How do I fix this expiring ACME Certificate?: @guardian said in How do I fix this expiring ACME Certificate?: CN=R3 Euh, that one has been depreciated long time ago. Read : Thanks.... I actually found this and read it. @guardian said in How do I fix this expiring ACME Certificate?: Is there a place I can download a new CA certificate? Normally, you don't need to. If your pfSense is recent enough, you has them already. Not under "System > Certificates > Authorities" but in the FreeBSD Certificate storage folder, here /usr/share/certs/trusted/ Thanks for this info. It looks like the certs that I have in play have been downloaded, so I guess I will just delete the old cert and be done.

@Gertjan oh. It's all working fine now. Once I did restore to previous, everything worked. I was able to request new certs via ACME and the OpenVPN service came up and I was able to navigate all the tabs. With my certs down (and just expired) it broke a lot of things. Lol.