• What SAN settings when using DNS Resolver?

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • 0 Votes
    5 Posts
    723 Views

    Something similar happened to me some time ago with duckdns and a wildcard certificate; I really don't worry about it any more... I receive the certificate, so all is well.. I will check on the next and last renewal...

  • 0 Votes
    2 Posts
    625 Views
    JeGr

    Do it even easier:

    Run the acme package on FW1 (I assume it's a CARP cluster with syncing?) and let it create a certificate for both names (fw1.xxx AND fw2.xxx). When it's done, select the cert for the webui. Then log in to FW2 and select it, too, as certificates get synchronized automatically (if selected) to the secondary. There choose the same certificate as WebUI cert and be done :)

    Just check that you configure the acme service on fw1 to restart its own webserver after renewal AND via remote the service on fw2 (see the help for this)!

    Greets

  • GUI cert limit

    16
    0 Votes
    16 Posts
    1k Views
    jimp

    If you update to the latest version of the ACME package, the patch is included. You will no longer need that max_input_vars workaround.

  • .io domain not recognised by Acme Package

    5
    0 Votes
    5 Posts
    681 Views

    Hi guys

    Apologies, it appears to have been a transient error. Put all of the information in the same fields later in the day and it generated the certificates fine.

  • ACMEv2 / RFC 2136 / dyn.com: Unable to update TXT record via script

    9
    0 Votes
    9 Posts
    1k Views

  • Certificate long time to issue

    21
    0 Votes
    21 Posts
    2k Views

    Well we all have our own opinions.
    For me it is simpler:

    I don't need special settings.
    I don't need any scripts.
    I can do it out of the box.
    Didn't fail once (except long times because of an acme.sh bug).

    If netgate can include that script and integrate it, that would be cool :)

  • ACME Pre-Actions

    4
    0 Votes
    4 Posts
    579 Views
    jimp

    HAProxy wouldn't have anything to do with DNS-Manual. Maybe you mean standalone mode? Nothing else would conflict with HAProxy.

    If you want to use ACME and HAProxy there are much better ways to integrate them, like https://forum.netgate.com/post/677786 -- that uses webroot instead of standalone and requires no special actions once it's set up.

  • Error validating wildcard *.domain using duckdns.org

    5
    0 Votes
    5 Posts
    2k Views

    @gertjan
    Yes, I know the requirement to request a wildcard certificate for domaine.tld and *.domaine.tld, but I am detecting many errors. On the other hand, I am not planning to use my base domain at this time to publish and protect services under my base domain name.
    I read about the alias mode and added to my DNS: _acme-challenge IN CNAME _acme-challenge.b1c54cu.duckdns.org.

    bicsa.co.cu
    _acme-challenge IN CNAME _acme-challenge.b1c54c0cu.duckdns.org.

    ibicsa.co.cu
    _acme-challenge IN CNAME _acme-challenge.ib1c54c0cu.duckdns.org.

    These domains under duckdns.org exist ... but I am detecting these errors when I request a wildcard certificate for domaine.tld / *.domaine.tld. If a certificate for *.domaine.tld covers my hosts under *.domaine.tld alone (no base domain) they are fine, it works for me,
    but in this case I get the certificate for *.domaine.tld fine! Hurray! But in the end I see the error:
    [Thu, 7 February 10:58:35 CST 2019] Failed to extract the domain.
    [Thu, 7 February 10:58:35 CST 2019] Error rm webroot api for the domain: dns_duckdns
    related in the other post
    https://forum.netgate.com/topic/140381/error-rm-webroot-api-for-domain-dns_duckdns
    You tell me that the error is an error in acme.sh?
    The error described by you, I saw that error before in some test: "netnsupdate.key is illegible".
    So you or some developer must repair the problem.
    I've seen the error described by you; many times I read, changed, compared etc., but nothing. For now, getting a *.mydomain.net certificate without the base domain is my solution.
    What can I do?
    Thanks

  • Error rm webroot api for domain:dns_duckdns

    1
    1 Votes
    1 Posts
    275 Views
    No one has replied
  • /usr/local/pkg/acme/acme_command.sh importcert

    4
    0 Votes
    4 Posts
    741 Views
    Gertjan

    @luisenrique said in /usr/local/pkg/acme/acme_command.sh importcert:

    thus removing headaches using third-party scripts

    The acme package could be considered a third-party script.
    Ok, true, it has been developed by someone who happens to know pfSense pretty well.

    The thing is: the acme package is built on the existing acme FreeBSD package, plus a boatload of GUI and other glue ware. If @jimp decides to remodel the package, your 'solution' will be broken.

    I advise you to use parts of the present (acme) code to make your own "insert cert" script.

    Btw: check out the code (acme.inc): the cert should exist already:

    ($cert['descr'] == $certificatename)

    thus the cert description / name should already exist, and then it's updated.

  • Strange things happening in ACME standalone server validation

    3
    0 Votes
    3 Posts
    558 Views

    @netgate-james said in Strange things happening in ACME standalone server validation:

    /tmp/acme/ACME-HUPER-STAGE/acme_issuecert.log

    [Sat Feb 2 23:26:34 +08 2019] response='{"type":"urn:ietf:params:acme:error:malformed","detail":"Unable to update challenge :: authorization must be pending","status": 400}' [Sat Feb 2 23:26:34 +08 2019] code='400'
  • Last time updated?

    34
    0 Votes
    34 Posts
    4k Views
    Gertjan

    @chudak said in Last time updated?:

    Everything worked perfectly, CA renewed.

    So you're good !

    The acme package is not related to the firewall (rules) whatsoever. That's up to you.

  • ACME 0.5 update (TLS-ALPN, BuyPass, and more)

    12
    1 Votes
    12 Posts
    2k Views

    great work as always :)

  • 0 Votes
    8 Posts
    949 Views
    jimp

    @apundir said in Certificate with multiple SAN from two different DNS accounts result in failure:

    Can I contribute to nsupdate script as patch? I do understand we'll have to store different key/secret under different keys and use them contextually in every DNS operation. I did look into Submitting a Pull Request via Github page and did browse pfSense/FreeBSD-ports on github but couldn't find acme there. Looks like I am looking into wrong place. Can you please point me in right direction so that I am able to contribute back in case I am able to fix it?

    Not sure I follow what you are saying about nsupdate. The changes to nsupdate work fine, but they are specific to how the pfSense ACME package calls nsupdate and thus aren't a good candidate to submit upstream back into acme.sh.

    If you are talking about changing the GoDaddy script in a similar way, then you can submit a PR to us for that. The files are under https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-acme and the GoDaddy script specifically is at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_gd.sh

  • Feature Idea: scheduled rule for acme.sh certificate process

    4
    0 Votes
    4 Posts
    952 Views
    chudak

    @jimp said in Feature Idea: scheduled rule for acme.sh certificate process:

    I'm sure there is a way but it hasn't been something directly on my todo list for ACME yet.

    If you already have port 80 forwarded somewhere, the easiest thing to do is let ACME glom onto that and use sftp to push the ACME challenge/response files to that web server. HAProxy may also help here.

    If you must do standalone mode, one tactic you can use is to bind standalone mode to a weird port on localhost that nothing else will use. Then set up a NAT rule on WAN without an automatic firewall rule to forward WAN:80 to localhost:yourport. Then set up a schedule to activate a firewall rule for the 15 minute block around when the check will happen.

    In an ideal world, everyone would use DNS validation instead, but...

    It would be really helpful to consider a feature when Acme is listening to an odd port and NAT/WF Rule is enabled/disabled only when Acme needs this check (for standalone).

    Could be a check box on general tab something like "auto enable NAT on port: xxx"

  • ACME 0.5.2 update

    1
    4 Votes
    1 Posts
    403 Views
    No one has replied
  • Problems with webroot FTP method

    17
    0 Votes
    17 Posts
    2k Views
    chudak

    I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked !

    As @jimp suggested here https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3

  • ACME and Bind dns Server on pfsense in the same server

    Moved
    12
    0 Votes
    12 Posts
    3k Views
    Gertjan

    @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    after trying several times I notice that the txt record of each attempt is not eliminated

    Your TXT records confirm what you saw.

    The logs say the very same thing :

    @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate

    rm (or "remove") means "delete file".
    The Letsencrypt "test server" can't find (== resolve) the record "_acme-challenge.enlinea.bicsa.cu", which means the DNS name server(s) (there should be at least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
    This can happen when synchronisation isn't functioning well (the TXT subdomain was set on the master DNS server, but wasn't synced within 120 seconds to the slave DNS server).

    Check :
    Your name servers :
    dig bicsa.cu any +short
    ....
    ns2.bicsa.cu.
    ns1.bicsa.cu.
    ....

    root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
    "s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
    "DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
    "F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"

    root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short

    .... nothing = no good;

    Btw: you have serious DNSSEC troubles .....
    DNSSEC should be perfect .... or your site will not be found on the net.
    Use http://dnsviz.net/ to check (you're good for some nights without sleep).
    It is feasible though: http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).

    If the LE test server used the NS1 (your) name server (not synced) it will error out (it says : NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
    Like : see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.

    Btw :
    @luisenrique said in ACME and Bind dns Server on pfsense in the same server:

    dig _acme-challenge.enlinea.bicsa.cu txt

    When I run

    dig _acme-challenge.enlinea.bicsa.cu TXT +short

    from a server I own (somewhere in France) I see .... nothing - no result.
    What I see is what the LE test servers see: nothing (an answer also known as 'NXDOMAIN').
    Check your DNS setup.

  • ACME method for ddns.net or freemyip.com

    7
    0 Votes
    7 Posts
    3k Views
    Gertjan

    @chudak said in ACME method for ddns.net or freemyip.com:

    Am I understanding correctly that I would need to enable sftp or ftps on my pfsense router in order to use this ?

    Well ... I never used the webroot method, but pfSense has everything on board to handle the file transfer.
    I guess it will ask you for the credentials needed so it can log in on the remote (web) server (on a pfSense LAN or OPTx interface) and place the files in the web server root.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.