@strongthany said in Not able to renew ACME certificate:
They looked to be the same.
Look again. They're not the same. The 'source' @github is more recent.
@strongthany said in Not able to renew ACME certificate:
while the ACME script on pfsense was using a TTL of 60
There is an explanation for this.
The typical default value is '60 seconds'.
But, this value can not be assumed as "ok".
IMHO : this is the story :
acme.sh - using an API script, signals the registrar to add a ".well-known.acme-challenge" subdomain to your domain name - and a TXT record with a 'secret' value like "NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh".
So far, so good.
No rocket science here, as we all once added something like www. or mail. or pop. or smtp.
This time it's a script adding a sub domain.
The registrar will update the master domain name server.
And, as we all know, there are always at least TWO domain name servers, the master and one or more slave.
Typically, when the master gets updated, the master signals the slave(s) that an update is available.
And now the important part : the slave will contact the master back, to sync with it when it sees fit (the domain info XFER). Anything between 'right now' or "later" is possible.
Take note : the master domain server and the slave(s) probably do not only handle your domains, but also several (thousands of) other domain names.
Now you understand that, when you start to use the acme.sh package, you need some time to play with the "dig" command ** to find the worst case scenario : the maximum DNS-sleep delay between the start and when (all) the slave(s) get updated.
In the good old days, when Let's Encrypt started, and automation tools like acme.sh showed up, the DNS-sleep time was less critical, because Let's Encrypt only verified the master domain server.
These days, it checks all listed domain servers : the master and all the slaves.
Now you understand why the "DNS-sleep" value really matters.
** playing with dig : I didn't test all this, so see what follows as a guideline :
First, get a list of all your domain name servers.
dig test-domaine.fr NS +short
ns2.test-domaine.fr.
ns1.test-domaine.fr.
ns3.test-domaine.fr.
Get the master domain server :
dig test-domaine.fr SOA +short
ns1.test-domaine.fr. postmaster.test-domaine.fr. 2021032645 14400 7200 1209600 43200
So it's "ns1.test-domaine.fr".
Start the acme.sh cert renewal.
Spam :
dig @ns1.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT
As soon as you get a value back like
dig @ns1.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short
"NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh"
You know that the API part acme.sh used worked : the registrar was contacted and updated the master DNS.
Now, start spamming :
dig @ns2.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short
dig @ns3.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short
(remember : I have two DNS slave servers).
As soon as both return
"NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh"
you can stop the clock : you have your "DNS-sleep".
Add some spare time, as no one can guarantee that you'll find the same value ?! ;)
Btw : I guess that you understood by now that when you want to use certificates, you need to know 'something' about what is called 'DNS' 😊
Also : the DNS-sleep value isn't really needed, as some active polling could be used - the commands I executed above. The "acme.sh" script would find the right moment to signal the "Go check" to Let's Encrypt every time itself ...
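As an added example (not code from the post or from acme.sh), this is the active polling the post describes: ask every authoritative server directly for the challenge TXT record and note when each one first serves the exact expected token, so the worst case is your DNS-sleep. The domain, server names, record name and token are the post's own sample values, used here as placeholders; the query function is injectable so the logic can be exercised without live DNS.

```python
"""Measure the real "DNS-sleep" for an ACME DNS-01 challenge by polling every
authoritative name server until all of them serve the expected TXT value.
Added example, not code from the forum post or from acme.sh. The domain, server
names and token are the post's sample values, used here as placeholders."""
import subprocess
import time
from typing import Callable, Dict, List, Optional

# Record name follows the post's convention (assumption: adjust to what your
# acme.sh DNS API actually publishes for your domain).
RECORD = ".well-known.acme-challenge.test-domaine.fr"
NAMESERVERS = ["ns1.test-domaine.fr", "ns2.test-domaine.fr", "ns3.test-domaine.fr"]
TOKEN = "NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh"


def dig_txt(server: str, name: str) -> List[str]:
    """Ask one authoritative server directly, bypassing any caching resolver."""
    cmd = ["dig", f"@{server}", name, "TXT", "+short", "+time=2", "+tries=1"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    # dig prints each TXT string quoted on its own line; strip the quotes.
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def measure_dns_sleep(servers: List[str], name: str, token: str,
                      query: Callable[[str, str], List[str]] = dig_txt,
                      timeout: float = 600.0, interval: float = 5.0,
                      clock: Callable[[], float] = time.monotonic,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, Optional[float]]:
    """Seconds until each server first served *token* (None if not before
    *timeout*). Only an exact match counts: a stale TXT left over from an
    earlier renewal must not stop the clock early."""
    start = clock()
    seen: Dict[str, Optional[float]] = {s: None for s in servers}
    while any(v is None for v in seen.values()):
        elapsed = clock() - start
        if elapsed > timeout:
            break
        for server in [s for s in servers if seen[s] is None]:
            if token in query(server, name):
                seen[server] = elapsed
        if any(v is None for v in seen.values()):
            sleep(interval)
    return seen


if __name__ == "__main__":
    result = measure_dns_sleep(NAMESERVERS, RECORD, TOKEN)
    done = [v for v in result.values() if v is not None]
    print(result, "-> worst case DNS-sleep:", max(done) if done else "timed out")
```

Run it right after starting the renewal; the largest per-server value, plus a safety margin, is the DNS-sleep to configure, and a server that stays at None means the slave never synced before the timeout.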