• HEADS UP: DST Root CA X3 Expiration (September 2021)

    Locked
    31
    23 Votes
    31 Posts
    11k Views
    jimpJ

    This thread was only for the expiring CA from Let's Encrypt with the ACME package. It is not for issues accessing things as a client.

    If you are using outdated versions of pfSense or other clients without a current set of up-to-date root certificates, read and post in one of the existing threads in the General pfSense Questions category for that specific use case.

  • Offloading SSL in HAProxy using TrustCor cert (No-IP domain)

    1
    1 Votes
    1 Posts
    462 Views
    No one has replied
  • Renewal of certificates

    12
    0 Votes
    12 Posts
    1k Views
    F

    all ok! after copy all works! 👍

  • 0 Votes
    1 Posts
    495 Views
    No one has replied
  • ACME Support specifying non-default port for nsupdate breaks IPv6

    1
    0 Votes
    1 Posts
    337 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    Y

    @jimp , thank you for the copy tip.

    Please note that I chose to revert to 2.4.5 for stability because of 2.5.1 dual wan issue or unbound crashes issues (unbound on 2.5.2 is still crashing).

    I though that the 2.4.5 released in 2020 would support the ISRG Root X1 certificate since it was released in 2015 but I also had the issue with Ubuntu 16.04.6 (upgrading to 16.04.7 fixed it).

  • CA certificate error

    Locked
    3
    0 Votes
    3 Posts
    702 Views
    M

    @gertjan Having never had this problem, I preferred my insured before doing it.
    But thank you for your humor.
    However, this link would have been more interesting.
    https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021

  • ACME, Let's Encrypt, Timeout during connect (likely firewall problem)

    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • ACME certificates not syncing with backup node

    6
    1 Votes
    6 Posts
    1k Views
    JeGrJ

    @sshami said in ACME certificates not syncing with backup node:

    The solution is in the HA mode, you have to install ACME package only on Master node not on the backup node.

    @mrpete said in ACME certificates not syncing with backup node:

    Maybe having ACME installed on Secondary causes trouble for Cert manager sync???

    That literally IS what @sshami already wrote ;)
    If you have ACME stuff that you want replicated, only install ACME package on the primary node, NOT on the secondary one and let the certs sync normally via HA instead of having two packages battle it out :)

  • Bogus notice/email from ACME

    Locked
    3
    0 Votes
    3 Posts
    638 Views
    chudakC

    @steveits Looks like it, thx!

  • CA Acmecert: O=Let's Encrypt, CN=R3, C=US expiring soon

    Locked
    3
    0 Votes
    3 Posts
    690 Views
    Z

    @johnpoz
    Thank you, sorry I got panic.

  • Old acme.sh & DNSAPI version not working any more for some providers

    1
    1 Votes
    1 Posts
    379 Views
    No one has replied
  • Renewed certificate was not imported into Cert Manager

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG

    @talisker said in Renewed certificate was not imported into Cert Manager:

    One strange thing is that the certificate isn't removed from the /tmp.

    Nothing is removed from /tmp when executing "acme_command.sh importcert" - neither the sub folders nor their content.
    The /tmp folder is only emptied when you reboot pfSense.

    The "acme_command.sh importcert CERTNAME DOMAIN KEY_PATH CERT_PATH CA_CERT_PATH CERT_FULLCHAIN_PATH" takes all the files created by the acme package (files are stored in /tmp/acme/domain/....) and imports them into the pfSense "Cert Manager".
    It doesn't wipe them - there is no need to do so.

    @talisker said in Renewed certificate was not imported into Cert Manager:

    The certificates from cloudflare (other domain) is removed

    Test for yourself :
    Wait a week or so.
    Now force renew all certs you have.
    You will find as many /tmp/acme/domain sub folders as you have certs requested.
    "domain" will be the base domain name;
    These "domain" folders will stay there.
    Until you reboot.

    If you don't reboot after 60 days or so, the content of the certs will get renewed and overwritten.

  • no files written to /conf/acme

    6
    0 Votes
    6 Posts
    717 Views
    P

    OK Really stupid
    I have two ssh shortcuts to two pfsense servers and was looking at the wrong one.
    I owe you a beer for wasting your time.

  • how to renew pfSense letsencrypt CA (not certificates) from web gui

    Moved
    3
    0 Votes
    3 Posts
    1k Views
    M

    @jimp thank you for your help, much appreciated.

    Regards,
    Mauro

  • navigating to subdomain resulting with Error 522

    6
    0 Votes
    6 Posts
    979 Views
    jimpJ

    That makes sense, since the firewall GUI wouldn't involve CloudFlare. The fact that you were seeing that means it must not have been resolving to something local. A DNS host override is the right thing to do there.

  • How to enable ACME DNS validation if DNS service doesn't provide API?

    Moved
    3
    0 Votes
    3 Posts
    595 Views
    M

    @gertjan thank you for your help. I will take a look very soon.

  • Crash reports since enabling ACME

    2
    0 Votes
    2 Posts
    348 Views
    B

    Solved: A silly error on my part while creating certs in ACME. I deleted the unused ACME cert from within ACME and the issue was resolved.

  • ACME Certificate Timeout

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • Not able to renew ACME certificate

    Moved
    5
    0 Votes
    5 Posts
    2k Views
    GertjanG

    @strongthany said in Not able to renew ACME certificate:

    They looked to be the same.

    Look again. They're not the same. The 'source' @github is more recent.

    @strongthany said in Not able to renew ACME certificate:

    while the ACME script on pfsense was using a TTL of 60

    There is an explanation for this.
    The typical default value is '60 seconds'.
    But, this value can not be assumed as "ok".

    IMHO: this is the story:

    acme.sh - using an API script, signals the registrar to add a ".well-known.acme-challenge" subdomain to your domain name - and a TXT record with a 'secret' value like "NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh".
    So far, so good.
    No rocket science here, as we all added once something like www. or mail. or pop. or smtp.
    This time it's a script adding a sub domain.
    The registrar will update the master domain name server.
    And, as we all know, there are always at least TWO domain name servers, the master and one or more slaves.
    Typically, when the master gets updated, the master signals the slave(s) that an update is available.

    And now the important part: the slave will contact the master back, to sync with it when it sees fit (the domain info XFER). Anything between 'right now' and "later" is possible.
    Take note: the master domain server and the slave(s) probably do not only handle your domains, but also several (thousands of) other domain names.

    Now you understand that, when you start to use the acme.sh package, you need some time to play with the "dig" command ** to find the worst case scenario: the maximum DNS-sleep delay between the start and when (all) the slave(s) get updated.

    In the good old days, when Let's Encrypt started, and automation tools like acme.sh showed up, the DNS-sleep time was less critical, because Let's Encrypt only verified the master domain server.
    These days, it checks all listed domain servers: the master and all the slaves.

    Now you understand why the "DNS-sleep" value really matters.

    ** playing with dig: I didn't test all this, so see what follows as a guideline:

    First, get a list of all your domain name servers.

    dig test-domaine.fr NS +short
    ns2.test-domaine.fr.
    ns1.test-domaine.fr.
    ns3.test-domaine.fr.

    Get the master domain server:

    dig test-domaine.fr SOA +short
    ns1.test-domaine.fr. postmaster.test-domaine.fr. 2021032645 14400 7200 1209600 43200

    So it's "ns1.test-domaine.fr".

    Start the acme.sh cert renewal.

    Spam:

    dig @ns1.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short

    As soon as you get a value back like

    dig @ns1.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short
    "NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh"

    You know that the acme.sh API part used worked: the registrar was contacted and updated the master DNS.

    Now, start spamming:

    dig @ns2.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short
    dig @ns3.test-domaine.fr .well-known.acme-challenge.test-domaine.fr TXT +short

    (remember : I have two DNS slave servers).
    As soon as both return

    "NYDVT9Yjt-dCW8dPQIaMW57sjRQqR7s-w-I7g2CDPh"

    you can stop the clock: you have your "DNS-sleep".
    Add some spare time, as no one can guarantee that you'll find the same value next time ?! ;)

    Btw : I guess that you understood by now that when you want to use certificates, you need to know 'something' about what is called 'DNS' 😊

    Also: the DNS-sleep value isn't really needed, as some active polling could be used - the commands I executed above. The "acme.sh" script would then find the right moment to signal the "Go check" to Let's Encrypt every time itself .....

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.