• pfSense 2.5 acme .0.6.9_3 new txt record purge fails for DNS-Azure

    0 Votes
    1 Posts
    383 Views
    No one has replied
  • 0 Votes
    9 Posts
    2k Views

    @flemmingss

    Hi Flemmings,

    I did the same and it worked.
    Afterwards you can change again to cname *.duckdns.org and renew the certificate again.
    Now it is working fine.

    Thanks to all

  • Let's Encrypt Certificate Authority Expiring soon

    5 Votes
    10 Posts
    7k Views

    @mbentley said in Let's Encrypt Certificate Authority Expiring soon:

    It doesn't have anything to do with a pfSense version or a plugin version - the timing is just a coincidence.

    The only strange thing is that on 2.5.0 this causes a notification, but on 2.4.5 not.
    Maybe it is something that they added in the new version and that I haven't read yet in the changelog.

    @gertjan said in Let's Encrypt Certificate Authority Expiring soon:

    https://letsencrypt.org/certificates/

    I literally just finished reading it!

    So the "old" one is safe to delete, that's the important thing!

    Thanks to everyone!

  • ACME Certificates

    0 Votes
    15 Posts
    2k Views

    @foolish86 :) The one who gave me that tip was @Gertjan, thanks to him we both got our certificates.

  • Namecheap API Access is working!

    3 Votes
    4 Posts
    4k Views
    occamsrazor

    Just to revisit this thread.... I was having problems renewing my Namecheap Let's Encrypt certificate using the manual method so figured I would give this a try. It was all quite easy - the request in Namecheap for API key was instant so seemingly automatic.
    You do have to whitelist the IP of the pfSense machine though... not having that IP in the whitelisted section of the Namecheap API page results in an error when trying to issue the certificate. Other than that... all seems to work well - Thanks.

  • Copy certificate to NFS

    0 Votes
    1 Posts
    289 Views
    No one has replied
  • LetsEncrypt HTTP-01 || ALPN-01 challenge with NAT & HAProxy

    0 Votes
    3 Posts
    895 Views

    The HAProxy hint did the trick. For others searching, here is what I did on HAProxy config:

    Defined a specific backend pointing to 127.0.0.1 with the port defined in the ACME config.
    On the frontend, added an ACL to forward the requests whose path starts with /.well-known/... to the previous backend.

    Seems to work fine.
    Don't hesitate to suggest any improvement though.
    On the other hand, I saw that it could be a small security breach, but I don't see the issue; I'd be interested to know.

    Thanks for the help.

  • Auto Renewal Fails for DNS easyDNS

    0 Votes
    1 Posts
    427 Views
    No one has replied
  • Trying to make a cert with lets'encrypt using DNS-GoDaddy method

    0 Votes
    2 Posts
    1k Views

    @tlex forget it I found it :P

  • ACME with command line

    0 Votes
    1 Posts
    376 Views
    No one has replied
  • DDNS provider that supports per record tokens?

    0 Votes
    1 Posts
    302 Views
    No one has replied
  • acme and amazon route 53 chooses wrong DNS zone

    0 Votes
    2 Posts
    642 Views
    jimp

    You would want to raise that issue with the acme.sh project directly, since we do not maintain the code which interacts with DNS providers, they do.

    https://github.com/acmesh-official/acme.sh/issues

  • Unable to get certificates

    0 Votes
    3 Posts
    574 Views

    @kiokoman Thank you!

    The problem was that in my backend I wrote "localhost" instead of "127.0.0.1" as you did. After fixing that, it works!

  • DNS-infomaniak : how do I set env var?

    0 Votes
    5 Posts
    1k Views

    @johnpoz yes it works well now, although the UI is well hidden. I had to click another tiny button to show the full settings for this DNS-Infomaniak, as you said it's not so intuitive but now that it works I won't touch it ever again so...
    Thanks for your help!

  • ACME with Siteground

    0 Votes
    8 Posts
    2k Views
    Gertjan

    @amarand said in ACME with Siteground:

    Is that not a feature that Let's Encrypt supports?

    You're quite close.
    It's :
    @gertjan said in ACME with Siteground:

    The TXT field will contain a challenge code to be put into the TXT field. This code is given to the acme script by Letsencrypt. For example : 'bmDWOCHFZRtOOCr_vU-mEfTIqA6i9ib0R3V6-RMF3FE'.

    This bmD....................RMF3FE thing is generated randomly, and will be unique for every certificate request.
    This proves that you control right now - and not some time X in the past.
    Note that, once this test has passed, it stays valid for one week.

  • ACME choosing wrong interface

    0 Votes
    1 Posts
    409 Views
    No one has replied
  • nsupdate method and _acme-challenge key for TXT DNS record

    0 Votes
    10 Posts
    2k Views

    @Gertjan thanks a lot!

  • ACME issue with Godaddy DNS

    0 Votes
    13 Posts
    4k Views

    The last paragraph about the '/etc/hosts' workaround in pfSense was incorrect; I forgot that '/etc/hosts' gets wiped periodically by pfSense. The real workaround is below:

    If you have set the pfSense system-wide DNS servers to use OpenDNS/NextDNS/etc. and don't wish to change these in each individual DHCP range assignment, you can simply add 'Allowlist' entries for dns.google and cloudflare-dns.com in the web console for your DNS provider ('Allowlist' may be called something else but that is what NextDNS calls it). This will allow DNS validation to succeed for ACME. If you are concerned about clients circumventing your DNS provider due to whitelisting the Google and Cloudflare DNS names, you can always redirect all DNS traffic on your LAN to make sure it goes through your DNS provider:
    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

  • ACME cert alternative names?

    0 Votes
    10 Posts
    2k Views
    lifeboy

    @jimp Indeed, the SAN addition works now. However, I'm still hoping to figure out why my second server doesn't create correct certificates. I have now removed the certificates and CA, but I ran into the LE rate limiting, so I'll try again later.

  • I did not pass Renewing certificate

    0 Votes
    4 Posts
    751 Views
    Gertjan

    The last line shows the issue :

    @fmohcine26 said in I did not pass Renewing certificate:

    Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

    Click and read the link.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.