@EChondo

What's your pfSense version ?
The instructions are shown here :

1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

@EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

No need to wait x days.
You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

@MacUsers

https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

edit: oh you prob out of luck

You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

@Gertjan Good point. I linked this thread in the Redmine issue. Possible a UI selection could fix this. Still, I'm no dev and I do not know where everything comes from. I'm also not using Git.

@jimp I know it's a nn ols thread but very similar to what I'm trying to find out, so piggy backing..........

I understabd it will expire in 90 days, but what if I really need to revoke the cert? This is one of the issue with ZeroSSL free offering, which only gives you four certifictes and until one os revoked, it wil use of one of the number from the quota - any idea how to actually revoke an external ACME certificate?

5yrs. later, I sill don't see any option to do that

-S

@luxor84

Why editing the pork_burn.sh file ?
You started with a more clean solution : a patch. Why not including a patch for pork burn file ?

@Gertjan said in ACME using dynv6:

but I can't see the usefulness of publishing my "pfSense LAN-ipv6-address".

You don't publish it, you use it, to update only the prefix part of a given dns-record.

I for example changed to only use ULAs in my LANs. But also I have some "unused" VLANs set to "Track Interface" to get the daily changing prefixes to then use them with NPt for my ULA-LANs. I would benefit from what I have described before.
If you, as an expert user, found a solution, that works for you, that is great. I still wait for pfSense to bring a better solution to this for the rest of us.

@SteveITS Feature request created: https://redmine.pfsense.org/issues/16150

I ended up signing up for duckdns and users still use my old no-ip.com ddns. apparently lets encrypt certs work on multiple domains

Thanks for the insight, that resolved the issue

@Gertjan Yes it is but the GUI still laggs so at least now I know I can use the cert without waiting for GUI to update.

@Gertjan Thank you so much for the help. I've removed all of the child nodes of <acme>, reinstalled the package and it completed.

Thanks again!

@michmoor said in Unable to delete TXT record:

My domain expired

😊

@Gertjan

Oh you helped solve the problem!

Thank you!

The PHP error is a symptom of the configuration file being corrupted in some way. If I remember correctly, the corrupted configuration file is kept either in /tmp or /conf. If it exists, you can do a diff of the good and bad configuration file and post that here for review.

@tinfoilmatt it looks like I have finally gotten the certificate to pop up but now I am dealing with getting 503 Service Unavailable error. Do you know if this is an HAProxy issue or on the cloudflare side?

Screenshot 2024-12-05 at 12.51.02 PM.png