• [solved] Verify error: Incorrect TXT record with DNS-ddnss.de

    0 Votes
    1 Posts
    497 Views
    No one has replied
  • 0 Votes
    8 Posts
    3k Views
    @gertjan Correct. So checking Firewall -> pfBlockerNG -> Alerts: Reports: Alerts: DNSBL Block acme-v02.api.letsencrypt.org [ TLD ] DNSBL-HTTPS Abuse_urlhaus DNSBL_Phishing. This Feed/group is the culprit.
  • ACME 0.6.10 not renewing GoDaddy API based certs showing invalid domain

    1 Votes
    1 Posts
    498 Views
    No one has replied
  • ACME 0.6.4 Godaddy DNS showing invalid domain

    0 Votes
    2 Posts
    647 Views
    I'm having this error now renewing certs using ACME on GoDaddy via API keys. Anyone else having this issue?
    [Thu Dec 16 15:33:20 PST 2021] Adding txt value: [REDACTED] for domain: _acme-challenge.[REDACTED]
    [Thu Dec 16 15:33:21 PST 2021] invalid domain
    [Thu Dec 16 15:33:21 PST 2021] Error add txt for domain:_acme-challenge.[REDACTED]
    [Thu Dec 16 15:33:21 PST 2021] Please check log file for more details: /tmp/acme/ACME-[REDACTED]-COM-CERTS-Test/acme_issuecert.log
  • How to use acme.sh --preferred-chain on pfsense

    2 Votes
    3 Posts
    1k Views
    Useful feature as Android clients no longer connect to unbound's DNS over TLS with the Let's Encrypt default settings in pfSense. They will only work with Buypass certs or Let's Encrypt certs with --preferred-chain 'ISRG Root X1'
  • Step-ca local ACME server

    0 Votes
    4 Posts
    1k Views
    @viktor_g I've added a comment to the feature request showing my interest in this. Any idea on getting this added? It really is a game changer for admins responsible for managing certs.
  • how to provide my own private key?

    0 Votes
    3 Posts
    734 Views
    @gertjan my bad! I never saw that option! Thanks!
  • Mail server with DANE - adding TLSA record with acme pkg

    0 Votes
    1 Posts
    573 Views
    No one has replied
  • ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme

    0 Votes
    2 Posts
    1k Views
    Gertjan:
    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
    "Followed the advice at https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021/1, deleted the old "ISRG Root X1" CA, then ...."
    ... then the expired root certificate doesn't exist any more on your system.
    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
    "renew the certificate through acme, the expired "ISRG Root X1" CA gets re-added to the CAs list in Certificate Manager,"
    You're saying: it wasn't there, but someone else (= Let's Encrypt) gives you back the certificate that no one trusts? Really?
    Check this: locate the file /tmp/acme/YOURACCOUNTNAME_IN_ACME/YOUR.DOMAIN.TLD/fullchain.cer
    In this file you find 3 blocks:
    -----BEGIN CERTIFICATE-----
    ......
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .......
    -----END CERTIFICATE-----
    and the root certificate:
    -----BEGIN CERTIFICATE-----
    MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
    ......
    Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
    -----END CERTIFICATE-----
    Go here: https://letsencrypt.org/certificates/ and load this file, and compare the first line and last line - or, why not, the entire block: they are the same!!!
    This root certificate is valid up until Not After : Sep 30 18:14:03 2024 GMT
    Your issue is probably: the front end that is tested doesn't use the certificate (chain) that you renewed.
    @splodge said in ISRG Root X1 CA keeps re-appearing in Cert Manager when renewing in acme:
    "which then results in warnings from our scans."
    Using a public 'scanner' (what do you mean by "scanning"?)? What front-end tool are you using? => HAProxy. Check the HAProxy settings: what certs it is using.
    edit: "SSLLabs and Nessus scans showed that everything went well. Wondering if anyone has seen what I'm seeing with acme and the LetsEncrypt"
    Have to ask: what are you seeing?
  • acme + plesk DNS + wildcard pfsense 2.5.2

    0 Votes
    7 Posts
    1k Views
    @gertjan again, thanks for your ongoing help. I think I have worked out the issue. Further reading of the log file shows that the API call that is being made is:
    [Mon Nov 1 15:20:35 GMT 2021] body='<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>'
    And that this call returns:
    [Mon Nov 1 15:05:39 GMT 2021] The responses from the Plesk XML server were:
    [Mon Nov 1 15:05:39 GMT 2021] retcode=0. Literal response:
    [Mon Nov 1 15:05:39 GMT 2021] '<?xml version="1.0" encoding="UTF-8"?> <packet version="1.6.9.1"> <customer> <get-domain-list> <result> <status>ok</status> </result> </get-domain-list> </customer> </packet>'
    Again, I am making an assumption here that this should have returned a list of domains in the result section, but it isn't, and that's a problem. I then spotted that the API that's being called is a Customer related API, asking for a list of domains that a customer owns... So, I tried creating a customer (I don't use customers on this server), moved the required subscription over, changed the username and password in pfsense to the "customer" ones, and we are in business.
    So, to summarise: when pfsense asks for a username and password, it needs to be the details for a Plesk customer, and the customer needs to own the subscription containing the domain you want to work with. Using an Admin account or a reseller account does not work.
  • HEADS UP: DST Root CA X3 Expiration (September 2021)

    Locked
    23 Votes
    31 Posts
    12k Views
    jimp:
    This thread was only for the expiring CA from Let's Encrypt with the ACME package. It is not for issues accessing things as a client. If you are using outdated versions of pfSense or other clients without a current set of up-to-date root certificates, read and post in one of the existing threads in the General pfSense Questions category for that specific use case.
  • Offloading SSL in HAProxy using TrustCor cert (No-IP domain)

    1 Votes
    1 Posts
    505 Views
    No one has replied
  • Renewal of certificates

    0 Votes
    12 Posts
    1k Views
    All OK! After the copy, all works!
  • 0 Votes
    1 Posts
    536 Views
    No one has replied
  • ACME Support specifying non-default port for nsupdate breaks IPv6

    0 Votes
    1 Posts
    383 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    @jimp, thank you for the copy tip. Please note that I chose to revert to 2.4.5 for stability because of the 2.5.1 dual WAN issue or unbound crash issues (unbound on 2.5.2 is still crashing). I thought that the 2.4.5 released in 2020 would support the ISRG Root X1 certificate since it was released in 2015, but I also had the issue with Ubuntu 16.04.6 (upgrading to 16.04.7 fixed it).
  • CA certificate error

    Locked
    0 Votes
    3 Posts
    784 Views
    @gertjan Having never had this problem, I preferred my insured before doing it. But thank you for your humor. However, this link would have been more interesting: https://forum.netgate.com/topic/166269/heads-up-dst-root-ca-x3-expiration-september-2021
  • ACME, Let's Encrypt, Timeout during connect (likely firewall problem)

    1 Votes
    1 Posts
    2k Views
    No one has replied
  • ACME certificates not syncing with backup node

    1 Votes
    6 Posts
    1k Views
    JeGr:
    @sshami said in ACME certificates not syncing with backup node: "The solution is in the HA mode, you have to install ACME package only on Master node not on the backup node."
    @mrpete said in ACME certificates not syncing with backup node: "Maybe having ACME installed on Secondary causes trouble for Cert manager sync???"
    That literally IS what @sshami already wrote ;) If you have ACME stuff that you want replicated, only install the ACME package on the primary node, NOT on the secondary one, and let the certs sync normally via HA instead of having two packages battle it out :)
  • Bogus notice/email from ACME

    Locked
    0 Votes
    3 Posts
    738 Views
    chudak:
    @steveits Looks like it, thx!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.