• NET::ERR_CERT_AUTHORITY_INVALID : (STAGING) Artificial Apricot R3

    2
    0 Votes
    2 Posts
    730 Views
    jimpJ

    The staging server is for testing and is not publicly trusted. You need to edit the account key and set it to use the production server instead, then renew the certificate.

  • Error Updating Domain, Error Add Txt (Solved)

    4
    0 Votes
    4 Posts
    3k Views
    NollipfSenseN

It turned out that, after digging deeply into the issue, my domain registrar does not support DNS_NSupdate RFC2136. So, I switched name server to Cloudflare and after a few stumbles, got my certificate...wipe off sweat for lots of reading, swearing, and more reading.

    [Fri Feb 18 13:04:37 CST 2022] Your cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.cer
    [Fri Feb 18 13:04:37 CST 2022] Your cert key is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/nollivoipserver.nollicomm.net.key
    [Fri Feb 18 13:04:37 CST 2022] The intermediate CA cert is in /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/ca.cer
    [Fri Feb 18 13:04:37 CST 2022] And the full chain certs is there: /tmp/acme/nollivoipserver_cert//nollivoipserver.nollicomm.net/fullchain.cer
    [Fri Feb 18 13:04:37 CST 2022] Run reload cmd: /tmp/acme/nollivoipserver_cert/reloadcmd.sh

  • Fix for cleaning up txt record added by nsupdate

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • Acme and captive portal

    1
    0 Votes
    1 Posts
    566 Views
    No one has replied
  • Renew Certificate Downstream

    6
    0 Votes
    6 Posts
    976 Views
    NollipfSenseN

    @gertjan said in Renew Certificate Downstream:

I never used something like HAproxy; but, from what I make of it, if HAproxy is doing the TLS (https) front end, unpacking the TLS and sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX.

    @johnpoz said in Renew Certificate Downstream:

This is correct, if you do the ssl offload on haproxy - you don't need any sort of ssl on the backend you're sending the traffic to if you're sending it as just normal http traffic.

Thank you all for the good sound of music...that's what I thought and is much better than leaving port 80 open for Let's Encrypt on FreePBX to renew the certificate. This is just a cleaner method and basically creates a secure tunnel to the PBX.

  • Exporting certs to Windows machines

    Moved
    3
    0 Votes
    3 Posts
    956 Views
    T

@gertjan Well that's the thing... I used to do it that way but what I'm trying to do is to automate the new cert propagation on the network to avoid having to go manually everywhere every 90 days when acme updates the certs with letsencrypt...

  • renew certs from CLI

    4
    0 Votes
    4 Posts
    775 Views
    S

    @gertjan thanks for the info. Needed that on another system right now.

  • Creating WebGUI Certificate

    38
    0 Votes
    38 Posts
    6k Views
    NollipfSenseN

@johnpoz I finally graduated from the University of Slow Learners after three years of repeating webGUI certificate class...wipe off sweat.

  • ACME Lets Encrypt HE.net unable to renew: Can not find account id url

    16
    0 Votes
    16 Posts
    3k Views
    B

    @gertjan Here is my thread on Let's Encrypt forum. Someone mentioned the curl POST was failing.
    I have the full log posted there.

  • Issues with ACME standalone HTTP server verification

    2
    0 Votes
    2 Posts
    622 Views
    Q

Never mind! I had the IP address entered wrong in my RP config! It works now!

• Certificate Validation Method Hosteur

    9
    0 Votes
    9 Posts
    1k Views
    W

@johnpoz OMG, I just understood what you mean 😳
Sorry, it just took me a few days ...

I didn't know we could do that, it's amazing!

Well, I will keep my first solution on that project as the person I'm working with also needs to use domains from his clients who want to keep managing their own zone.

But damn, I'll keep that for later!
Thanks a lot!

  • HEADS UP: If you use TLS-ALPN, force a manual certificate renew ASAP

    1
    2 Votes
    1 Posts
    612 Views
    No one has replied
  • Help with ACME “Challenge-Alias” (AKA Alias mode)

    3
    0 Votes
    3 Posts
    1k Views
    L

@gertjan
I was able to get it working thanks in part to your suggestion of checking the option “Enable DNS domain alias mode”.

    The other part of the problem was that I typed the wrong CNAME information in my DNS provider.

    I had:

    _acme-challenge.cloud.MYDOMAIN.com --> MYDDNS.duckdns.org

    The acme challenge Alias needs this CNAME to be

    _acme-challenge.cloud.MYDOMAIN.com --> _acme-challenge.MYDDNS.duckdns.org

    After making these corrections ACME was able to issue a certificate for my domain as expected.

    Thank you so much for the help.

  • [solved] Verify error: Incorrect TXT record with DNS-ddnss.de

    1
    0 Votes
    1 Posts
    488 Views
    No one has replied
  • 0 Votes
    8 Posts
    3k Views
    P

    @gertjan

    Correct

    So checking Firewall -> pfBlockerNG -> Alerts:
    Reports: Alerts:

    DNSBL Block

    acme-v02.api.letsencrypt.org [ TLD ] DNSBL-HTTPS Abuse_urlhaus DNSBL_Phishing

    This Feed/group is the culprit.

  • ACME 0.6.10 not renewing GoDaddy API based certs showing invalid domain

    1
    1 Votes
    1 Posts
    476 Views
    No one has replied
  • ACME 0.6.4 Godaddy DNS showing invalid domain

    2
    0 Votes
    2 Posts
    610 Views
    O

    I'm having this error now renewing certs using ACME on GoDaddy via API keys. Anyone else having this issue?

[Thu Dec 16 15:33:20 PST 2021] Adding txt value: [REDACTED] for domain: _acme-challenge.[REDACTED]
[Thu Dec 16 15:33:21 PST 2021] invalid domain
[Thu Dec 16 15:33:21 PST 2021] Error add txt for domain:_acme-challenge.[REDACTED]
[Thu Dec 16 15:33:21 PST 2021] Please check log file for more details: /tmp/acme/ACME-[REDACTED]-COM-CERTS-Test/acme_issuecert.log

• How to use acme.sh --preferred-chain on pfsense

    3
    2 Votes
    3 Posts
    1k Views
    M

    Useful feature as Android clients no longer connect to unbound's DNS over TLS with the Letsencrypt default settings in pfSense. They will only work with Buypass certs or Letsencrypt certs with --preferred-chain 'ISRG Root X1'

  • Step-ca local ACME server

    4
    0 Votes
    4 Posts
    1k Views
    M

@viktor_g I've added a comment to the feature request showing my interest in this. Any idea on getting this added? It really is a game changer for admins responsible for managing certs.

  • how to provide my own private key?

    3
    0 Votes
    3 Posts
    694 Views
    L

@gertjan
My bad! I never saw that option!
Thanks!
