I would recommend to use DigitalOcean through Cloudways platform as Cloudways takes care of this hassle through their excellent support team and you don't have to worry about any server related issues

@jimp I completely missed that setting! Thank you!

@jimp yeah my concern was I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.

ACME 0.6.4 still has no push for update in PF 2.5 now.

See, for example, this forum, first post.
Also, check out the https://letsencrypt.org/fr/ site.

CodenSnap, (I now this is an old thread but in case this might help others)

I'm working on a similar setup (domain registered with Google and hosting DNS with either CloudFlare or AWS Route53). In domain.google.com there is an option to switch your DNS to "manual". Once switched to manual you have the option to entered to DNS servers for for your domain. I can enter either Route53 or ClouldFlare. In either service I then add my DNS instance and create my Zone. From there I was able to use Dynamic DNS, add A, AAAA, & TXT, records ,etc, with either DNS provider. Have not yet got the ACME client to work. But best-I-can-tell there is no negative with registering a domain with Google and then hosting your DNS with another provider.

Best Regards,
RKGraves

@Derelict
Yes, working to use DNS Validation w/CloudFlare for ACME client.

Thanks for the linked Video - Very Helpful (I've worked through it twice) and I believe I am close to getting ACME to work with CloudFlare. In the Video he uses a different DNS host for validation.

Appreciate the link and your reply.

RKGraves

...meanwhile someone integrated schlundtech into acme.sh and the upstream found it's way into the pfsense acme plug in...

@La6er said in loop error while issuing a cert:

poblacionqxxxxxxtaro.gob.mx

DNSSEC is not working for your domain : check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/

Example http://dnsviz.net/d/papy-team.org/dnssec/

Btw : you are updating against Cloudfare, and using "bind" locally. Why ? Is bind a master name server for your zone ? Slave name server ? I don't understand the relation.

edit : I looked at your message again.
You 'bind' is set up as a master for your domain .... but you disallow zone transfers. Wtf ??
How can a slave sync then ? Do you have just one name server for your domain ? That can't be true, you break everything then, 2 is the minimum.

Dear All,

This is resolved. The cause was a DNS configuration error outside the scope of Acme - sorry. I have had difficulties setting up dnssec. In so doing, I did modify the SOA entry. As a consequence, my slave DNS servers did not track master DNS server changes. Hence, Acme verification had no chance to work.

Regards,

Michael Schefczyk

We have a few changes that I doubt they'd want or accept. It's not a big deal really. Things rarely conflict. I just merge from upstream, copy the files over, and test.

@Napsterbater So I confirmed via packet caps it was a broken PMTUD issue on the Broken box, seems related to NPt, but that is another story.

Thanks for the help.

@Gertjan said in Template variables for ACME actions?:

On a firewall ??

at least not in my case ;-) This pfsense box works as server in my network and not as router/firewall. But fully agree that Cert/Key handling should not take place on a firewall.
I use acme.sh on my servers for quite a while now. Works like charm, but I like the GUI to manage the LE stuff ;-)

You could write up a feature request https://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=2

I opened a feature request: https://redmine.pfsense.org/issues/9725

I've completed my small php script and it seems to work well.
This is the result in case anyone needs it:

// -- CONFIG $certname = 'lan.domain.com'; //a registered FQDN in cPanel with acme let's encrypt enabled (wildcard cert) $pfsense_cert_id = 1; // certificate id in pfsense to overwrite. (The correct ID can be found by hovering over an icon in the cert manager or by looking in the config file. $ftp_server = 'ftp.domain.com'; //ftps location to your domain (cpanel). $ftp_user_name = ''; $ftp_user_pass = ''; $server_file = '/.cpanel/nvdata/letsencrypt-cpanel'; //download file used by cPanel holding every certificate (in JSON format). // -- PROGRAM $conn_id = ftp_ssl_connect($ftp_server); $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass); ftp_pasv($conn_id, true); if (!$login_result) die("can't login"); ob_start(); $dataLoaded = ftp_get($conn_id, "php://output", $server_file, FTP_BINARY); $data = ob_get_contents(); ob_end_clean(); ftp_close($conn_id); if (!$dataLoaded) die("There was a problem downloading the json data from $ftp_server"); $jsonData = json_decode($data, true); $cert = $jsonData['certs'][$certname]; if(empty($cert)) die("Certificate with name $certname not found"); $config['cert'][$pfsense_cert_id ]['prv'] = base64_encode($cert['key']); $config['cert'][$pfsense_cert_id ]['crt'] = base64_encode($cert['cert']); write_config(); exec('/etc/rc.restart_webgui'); //echo 'Certificate:', PHP_EOL, $cert['cert'], PHP_EOL; //echo 'Key:', PHP_EOL, $cert['key'], PHP_EOL; echo 'New certificate for ', $certname, ' is valid untill ', gmdate('r',$cert['cert_expiry']), PHP_EOL; exit;

I've uploaded the file (named sslupdate) to the /etc/phpshellsessions directory in pfsense and I added the following cron job (through the cron package):

0 0 1 1/3 * : /usr/local/sbin/pfSsh.php playback sslupdate

Great! It must have been solved upstream in acme.sh

I just reverted back from Version "2.5.0.a.20190806.1707 i" to the snapshot using 2.4.4-RELEASE-p3 (amd64) version. I upgraded the acme to version 0.6_1 and tried to issue a certificate with the staging servers of letsencript. Everything works well without no problem at all !!!

Then i tired a copy of some file to the tmp of PfSense i.e.

scp test1.txt root@192.168.87.1:/tmp/

the file got copies and its content to tmp. All good there.

Now i need to upgrade to 2.5.0.a.20190806.1707 again and see if i will be able to replicate the problem with the file copy.