@flo-0 said in Dynv6.com, how?:

I wasn't complaining about the specific tools. I get along. The concern is rather: Do I remember what I changed in the system if it comes to the next upgrade and does it survive such an upgrade? Probably not. And are all people who I think should be enabled to have certificates created (think of the spirit of letsencrypt) capable of doing this in good confidence in the process and the results? I think not. As I said: I see not a pfSense fail, rather the DNS providers'

Your setting will get saved and used for the eternity.
But true, every 'gadget' you activate has to be maintained. In this case : you have to make sure you can use your domain name, check settings on the host site, and if you change them, sync with the pfSense (acme) settings.
Like an emal : when you change the password on the email supplier side, you have to use the new password on your side, or inform all (!) your email clients.

What Letsencrypt does, why it only works well when you automate it, what certificates are etc etc etc, you need (imho) to understand the why and what. Don't worry, Youtube exists, and you can understand everything pretty fast, you have to go through it.

@flo-0 said in Dynv6.com, how?:

I used Putty, WinSCP, Notepad++ in my time

When you use pfSEnse, or whatever other device with SSH, a GUI etc, you probably use these tools up until the day you retire from live ;)

vi ?

pkg install nano

!

@jkiel

A general pfSEnse question ? Looks like a pfSense ACME package question to me 😊
Overthere yo will find suggestions and/or even find the same questions, and answers.

What have you set as a DNS Sleep delay ?

285ea2dc-a220-4784-baa3-936135fb3b4d-image.png

20 ? Or left empty ?

Make it at least '120' or so. And even bigger, like 300 (seconds) so you can check manually (use dig) if the slave DNS servers did sync up with the master.
Be aware : the nsupdate method (RFC2136) only inserts the TXT zone info into the master domain DNS server. When nsupdate finishes, the master DNS signals the slaves (at least 1, could be more) that a zone update is available. From then on, it's the domain DNS slave server will sync up with the master when it sees fit == this could be right away, or seconds or even minutes later.
The DNS sleep settings must be big enough, to be sure all your domain DNS are in sync.
After all, if some one, like Letsencrypt ^^ wants to check something in your domain name zone, like the TXT records it is looking for, it can use any DNS server : the slave(s), or the master (Letsencryopt probably checks all of them).

Your master domain server uses 10.x.x.x is RCF1918 is locally hosted - is this correct ?
As soon as nsupdate finished, did you saw, after xx seconds, the (all of the) slave domain server contacting the DNS master to sync up ? (check dns server logs).
Did you dig your master DNS server to check if the added TXT record was present in the master domain DNS zone ? And after the master salve sync, same thing for your slave(s) ?

@lifeboy

The staging / test LE servers have no rate limiting - see documentation, LE for this.

@lifeboy said in New certificates not installed in pfSense GUI:

However, using the testing / staging servers (which I am doing now) doesn't create actual certificates, correct?

I'm not sure - I think they do.
Staging uses the same process, only the certs created are signed by a CA that is "unknown" so not trusted.
Afaik, the results are still treated the same as the 'real' certificates.
The last time I used the staging process, I was using "acme.sh" on the command line, on a debian CLI-only server, so not on pfSense. And that's nearly a decade ago.

@lifeboy said in New certificates not installed in pfSense GUI:

I simply replaced acme.sh ....

Better double check if jimp (the author of he package) didn't apply changes to the original acme.sh after pulling it from github.
Or maybe he uses the official acme.sh FreeBSD package as a basis, and changed 'things'.

A file like "dnsapi/dns_miab.sh" only contains two exported functions, for the add and the remove, and can be copied without much risk.

@Gertjan Not only it worked, I had the DNS sleep time as an option in pfsense ACME gui, doh! Also, very nice explanation of why it's failing. checks out.

Thank you so much.
For all of you ADHDs there, this WORKS, hehehe.

@seism0saurus said in ACME with a private CA (step-ca):

Certificate Revocation Lists are basically broken.

Which has really ZERO to do with the cert you have on your local printer or switch, or some software your running gui like the unifi controller or your nas..

nas.jpg

What is the scenario where I would need to revoke this cert? It is accessed by me, on my local network. To be honest I could just use http for this but the browser complains.

@chudak said in Expired Authorities update:

But how do you what certificates it's associated with?

Keep in mind that the pfSense cert store isn't the only one that exists 😊
Every Pad, Phone, PC, etc every device that makes TLS connections uses a system wide certificate file, here /usr/local/share/certs/ca-root-nss.crt - see also here /etc/ssl/certs/*

You've noticed that the pfSense Certificate store doesn't list all the certs found in /usr/local/share/certs/ca-root-nss.crt and that's good. If people start to mess with that list, thing will go downhill fast.

These are all 'auto signed' and are all the CAs that are 'trusted' out of the box. These lists are updated often as new trust chaines are signed (agreed upon) among the wold's ruling CA authorities.
These two folders are used when pfSense connects (as a client) to the (example) upgrade.netgate.com update/upgrade package server.

The pfSense Certificate store is a convenient place were the admin can keep the system's local certificates and intermediate certificates for the local server processes.

@mwebb said in How to Install Certificates from PFsense to other servers?:

Suggest to test if .ssh subfolders are persistent after reboot

at pfsense they are persistent

@jimp Thank you! It worked for me :)

It turns out that when I did manual API calls to the MIAB DNS server I also got error 500's. So I reran the MIAB setup and let it update and viola! the problem was solved.

I have learned a lot about how to debug a shell script in the process though!

@jrey its doesn't need cas you don't have off of... My point was just delete them if they are expired.. And CAs that acme needs to renew your certs will just get added back anyway.

@johnpoz Yes indeed!!! Love to listen/watch the moments when they're picking the next song in the set...in this case a quick word between Jer & Bob, but then Jer's smile as the drummers take off, good stuff! These days I keep hearing Throwing Stones.

--Larry

@accidentallyadmin Looking at posts here and Reddit looks like simply deleting ISRG Root X1 and the renewing certificates works fine.

@LarryFahnoe yep. I’ve switched away from Haproxy and acme on pfsense due to needing more power under the hood and security reasons.

BIND9 with 2 Nginx Reverse Proxy and RFC2136 works well.

Regards.

@PierreFrench

Like this : How do I renew this Certificate Athority ?

UPDATE: Yes, updating to 24.03 and Acme 0.8_1 seems to have resolved this problem. I didn't try upgrading Acme on its own first.