• HAPROXY + ACME (Standalone)

    2
    0 Votes
    2 Posts
    1k Views
    GertjanG

    @uwscia said in HAPROXY + ACME (Standalone):

    Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?

    As you said, the latter is :
    @uwscia said in HAPROXY + ACME (Standalone):

    cumbersome

    and not advised : see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone

    @uwscia said in HAPROXY + ACME (Standalone):

    DNS-NSUpdate / RFC 2136

    IMHO : the best ! A real set-it-and-forget-it method.
    As you mentioned : it needs to be supported by "the other side", or to be more precise : the place where your domain name is registered, probably your registrar or, even better : on some (master) DNS server that serves the zone of your domain that you administer yourself - see here for an RFC 2136 example.

    Most 'big' registrars support some procedure that is implemented by the acme package.
    Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your registrar offers you.
    If not, no panic : read https://github.com/Neilpang/acme.sh/tree/master/dnsapi - scroll down to see what is possible.
    If none : start thinking about moving your domain name - and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode

  • Please Help, Can't get ACME to work at all.

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ

    After dealing with ACME for quite some time now, I've come to accept that it can be... quirky :-)

  • ACME 0.5.1 and dyn using dns_nsupdate.sh

    2
    0 Votes
    2 Posts
    513 Views
    jimpJ

    There isn't a way to pass the zone info into the script yet. I haven't hooked that up in the GUI.

  • DNS / namesilo validation method not working

    3
    0 Votes
    3 Posts
    1k Views
    R

    @gertjan said in DNS / namesilo validation method not working:

    First of all : you saw what Google said about the subject ?

    Yes, I saw that after starting this topic. I noticed the unbalanced parens errors in my case too, but that didn't seem to be the main trouble, or prevent the request process from running.

    @gertjan said in DNS / namesilo validation method not working:

    Your image is out of time sync : after 12:48:43 it goes back in time : 12:48:36 ... ?

    Good catch. The pfSense install in question is a Hyper-V VM. I've experienced clock issues with virtual machines in the past but never on Hyper-V to my recollection. Not sure if that's the case here. Some services really don't like when time goes backward. 😮

    @gertjan said in DNS / namesilo validation method not working:

    I saw you use the 120 seconds delay : a typical delay so the master zone can signal the modification to its DNS slaves.

    It's the default delay in the ACME package. After your reply, I tried 300 seconds, then 960 seconds. After changing to 960 seconds, I attempted twice to acquire a certificate. The second attempt succeeded. The process didn't take anywhere near 16 minutes, or even 5 for that matter. So the validation delay setting didn't work as expected. Maybe it's a clock/timing problem. If the VM frequently adjusts its time backward to compensate for drift, that might very well precipitate trouble for timing/delays...

    @gertjan said in DNS / namesilo validation method not working:

    edit : you are using acme pfSense package version 0.3.2_4 right ?

    Yup

  • ACME 0.4 Update

    1
    4 Votes
    1 Posts
    473 Views
    No one has replied
  • Not working with Linode API v4

    2
    0 Votes
    2 Posts
    485 Views
    jimpJ

    I had not synced up the code with acme.sh upstream in a while. I just pulled in a bunch of new things and pushed pkg version 0.4 to 2.4.5 snapshots. If it tests out OK there I'll make it available for 2.4.4.

  • Cert Renewal Failed using DNS-Godaddy

    1
    0 Votes
    1 Posts
    551 Views
    No one has replied
  • Bug when cron renew certificate

    10
    0 Votes
    10 Posts
    1k Views
    jimpJ

    That's the only method I use, and all of them are working perfectly here.

  • DNS alias mode

    10
    0 Votes
    10 Posts
    2k Views
    U

    Ok, now I've got it. Thanks for your help!

  • Let's Encrypt w Acme package working, but not ideal

    Moved
    10
    0 Votes
    10 Posts
    3k Views
    M

    Thank you Jim! I know the limitations still hold true but luckily they don't affect me!

  • HaProxy, ACME, and multiple domains/servers - revisited.

    Moved
    3
    0 Votes
    3 Posts
    1k Views
    M

    Would you mind to share your solution ?

  • ACME doesn't have Dreamhost option for DNS

    6
    0 Votes
    6 Posts
    979 Views
    D

    Thank you all. Very helpful. I'm going to try to install x64 version (I think in the past I tried and it failed).

  • Some advice regarding certificates

    21
    0 Votes
    21 Posts
    2k Views
    wgstarksW

    Great. Thanks to everyone for your help.

  • ACME package installation destroyed my WebUI!!

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG

    You are logged in with the user "admin" ?

  • 0 Votes
    2 Posts
    473 Views
    jimpJ

    That's already shown under System > Cert Manager where the certificates are held. The ACME package doesn't track renewal times. Though it's not terribly hard to calculate (last renew +90d).

    If you are worried about expiring certificates, add your e-mail address under the account key when making a new cert, then LE will e-mail you if anything gets close to expiring.

  • Is the WebGUI missing Acme DNS Alias Verification?

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ

    dns_cf is the DNS-Cloudflare selection in the ACME certificate settings.

    When you choose that, there is still a box for Enable DNS alias mode to do what you want.

  • ACME Setup Steps

    15
    0 Votes
    15 Posts
    4k Views
    R

    I'm all set. I was able to create wild card certs (since Sept 27)

  • How to generate a wildcard certificate with ACME and AWS Route53?

    7
    0 Votes
    7 Posts
    2k Views
    jimpJ


  • 0 Votes
    3 Posts
    663 Views
    GertjanG

    Ok, got it (0.3.2_3). Guess I gonna line up for 2.4.4 now ☺

  • [Bug]ACME adds a blank for Duckdns TXT

    8
    0 Votes
    8 Posts
    1k Views
    I

    yes I found.
    Looks like this tag></tag>

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.