The last paragraph about the '/etc/hosts' workaround in pfSense was incorrect; I forgot that '/etc/hosts' gets wiped periodically by pfSense. The real workaround is below:

If you have set the pfSense system-wide DNS servers to use OpenDNS/NextDNS/etc. and don't wish to change these in each individual DHCP range assignment, you can simply add 'Allowlist' entries for dns.google and cloudflare-dns.com in the web console for your DNS provider ('Allowlist' may be called something else but that is what NextDNS calls it). This will allow DNS validation to succeed for ACME. If you are concerned about clients circumventing your DNS provider due to whitelisting the Google and Cloudflare DNS names, you can always redirect all DNS traffic on your LAN to make sure it goes through your DNS provider:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

@jimp Indeed, the SAN addition works now. However, I'm still hoping to figure out why my second server doesn't create correct certificates. I have now removed the certificates and CA, but I ran into the LE rate limiting, so I'll try again later.

The last line shows the issue :

@fmohcine26 said in I did not pass Renewing certificate:

Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Click and read the link.

0.6.9_2 Fixed my problem! Thanks for such a fast turn around!

@MarcinSempek said in ACME 0.6.9_1 DNS ISPConfig Record ID: 'false}':

Can someone verify

That some one should actually use acme.sh AND the "ISPConfig API".
Even the thread at github => acme doesn't show many people with the issue.
Still, try posting there to revive the subject.

@cjbujold said in DNS-MadeEasy update option not working:

[Wed Oct 28 10:24:50 ADT 2020] accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] protector.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] geneabujold.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] famille.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] remotehelp.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] ftpweb.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] securebackup.accra.ca is already verified, skip dns-01.
[Wed Oct 28 10:24:50 ADT 2020] support.accra.ca is already verified, skip dns-01.

The cert was already renewed recently, so it skipped the DNS check since it was still verified. The verification lasts a while, I think it's a week. So if you created or renewed the certificate in the last few days then it won't need to make the TXT records again yet.

@Gertjan

That worked. I created a new certificate and switched the pfsense to use that one.

@jimp Thanks, figured it was something like that. I will give it a try again later this morning. Thanks again for the fast response.

@viktor_g @trigg3r , It seems the acmesh's owner does not want to merge it , but I do not understand why. I asked him many times, but no answers.

Woudl you help me in doing this?

On whatever is actually using the certificate. Typically a web server but there are other uses for them (mail servers, VPNs, etc)

@RyanM said in Sharing wildcard cert internally:

Or is there something more automated?

It is possible to SSH into pfSense from 'where ever' using 'what ever' doing 'what ever'.

Concrete example : I have a desktop PC executing a program that logs in, retrieves the config, and saves it on the PC every day - I found this program on this forum, I didn't make it myself.

See the acme package (the manual => the script itself) for details how to retrieve cert details.

Typically, the script you write for reach device should run ones a day.
It should get the validity date/time of the cert being used on that device.
Then it should do a TLS connection to pfSense, port 443. retrieve the cert details, extract the validity date/time.
Compare the two, and if the latter is more recent, execute a "files copy" and restart locally the services that are using the newly installed cert.

Btw : automating is only possible for those who know how it all 'works'. For those who don't or don't want to know : the manual way : exporting from pfSense and importing else where works also very well.
Btw : I copy my acme/pfSense wildcard cert to a couple of local printers on my Syno diskstation every 60 days. Not really needed, I admit.

@viktor_g I will update it as soon as possible.

Also, I gave it 2700 seconds to sleep, albeit the "spinning gear" stops before that and updates the renewal button to a broken link with "issue/renew" ---- Could the system time out before the sleep time is completed?

UPDATE:
I have run some tests and by creating symlinks:

ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key ln -s ./\*.ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server ./\*.ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.key ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.key ln -s ./ImportantDomain1.comnsupdate_acme-challenge._1.OnlyAcmeUpdateDomain.com.server ./ImportantDomain1.comnsupdate_1.OnlyAcmeUpdateDomain.com.server

I can successfully receive certificates.
Therefore there is a bug in scripts.
Could you please let me know where should I report this BUG to be corrected in next version of package?

What is interesting - I can setup and issue a certificate for a new DDNS name, but re-issue for the existing fails ...

Hi there,
unfortunately I was not able to resolve the issue and switched to "Standalone HTTP server" method. This works, I would like to use the domain method, but all that I tried, failed.
It seams strange to me that only we have this issue, or only we are trying to use this method with FreeDNS.
I have another site for example that I can't open the necessary ports for the "Standalone HTTP server" to work. In that case I have to use the domain method. I'm still interested in this working but as nobody else reported an issue I doubt that it will be looked at soon. I hope I'm wrong though.

@karlisp said in Copy certificate to remote server:

but cant seem to find how to generate private and public ssh key that will be used to communication between firewall and server

Strange 😀
Because that one is also needed to access pfSense using it's SSH access.
The ssh password method is meant to be used only ones, to be forbidden afterwards, with :

371e3693-64a5-4bc7-8f69-0c7905ea0b6d-image.png

See the pfsense manual, or about a million other sources on the net about how to create them, where what to place what etc.

This info is valid for everything that is accessible with "ssh".

Use a tool of your choice to create a (the) key(s) and cut and pasted it here :

a751ab92-5a7a-4a3f-afcc-2002aaa12d16-image.png

( the admin user settings of pfSense, at the bottom of the page )

About the scripts : many have already made something up, using some shell script.
So many OS's exists, like the desktop ones, and OS's for devises likes printers, NAS's etc etc etc.
It boils down as copying a file often the network - putting the file 'on the right place' - and signalling / restarting the services that uses these files == the new certs.

For myself : when acme did it's job, every 60 days, I receive a mail.
I added to the bottom of the mail :
"As an admin, do your jobs, and extract these 2 files from pfSense, to put them in the 2 NAS's et 2 network printers."
Not a bad thing, actually, as it takes 5 minutes, and I'm paid to do ^^

I have a "root" access for my Syno NAS's, but I do not have such a ssh access for the printers, so the GUI way is the only way anyway.

I have narrowed down the problem. I switched to a staging certificate and renewed one domain and it worked. I added a second domain and it won't work. I removed the first domain, left the second, and it worked. Seems to be a problem with multi-domain certificates.

Edit: All domains renew with the staging account, but won't renew on the production account. Possible I may have to wait a few days or a week for my rate limit to clear