Im suffering a similar bug but I use the webroot FTP option.

Manually hit the renew button and I see the certificate is renewed BUT it isnt applied on the HTTPS side of my pfSense.

2.4.4-RELEASE-p1

acme security 0.5.8

@kiokoman Yeah, you're right =) But anyway, I wasn't able to make some reasonable solution, so I've just created tiny VM guest with alpine linux, lighttpd and nfs-client, and I'm passing my .well-known challenge through "local webroot", but I'm putting there appropiate path for my NFS share + ballast ( </path/to/share>/.well-known/acme-challenge/ ). pfSense comes already preloaded with nfs, all I needed was just enable it through /etc/rc.d.local. HAProxy does rest of the job ( frontend for path match looks like that ---v )

HAProxy Frontend rules ( I've got it implemented with http->https redirect, except for .well-known =3 I was pretty suprised it came on my mind )

Spoiler

HAProxy Frontend rules

So that's my hotfix solution, but I'm curious for any other ideas ))

Let's Encrypt won't publish a list of possible sources as that would let someone game the system to obtain certs for domains they do not own from systems they have compromised in subtle ways (e.g. port forward all LE servers to fakeserver, but let other connections go through to realserver)

They could reach you from anywhere in the world, there is no way to predict the source. You have to allow connections from anywhere during that timeframe.

If that bugs you, then switch to a DNS-based method that does not require any inbound access whatsoever.

@raigh29 said in RE error: parentheses not balanced:

error: parentheses not balanced

Related to https://forum.netgate.com/topic/134704/script-error-in-dns-namesilo-method ?

@jimp said in ACME and admins group: not enough permission:

Did you select the "Deny Config Write" privilege for your custom group? Sounds like that's what you did.

Thanks yours point directly answered to my problem. Removing deny permission fixed my problem.
There is plans to add pfSense WebGUI exception for inform about not enough permissions?

@Gertjan thanks, very appriciated...

Hit the Renew button yourself right now. You'll see.
You are allowed to renew yourself, like 5 times a week.

@Gertjan I really did miss that!

@Peek said in Let's Encrypt & ACME:

_acme-challenge.pfsense.domain.com

What about asking for a wildcard cert for root "domain.com" ?
Using
domain.com
and
*.domain.com
(twice) as "Domainname".

You can use pfsense.domain.com, another.domain.com and something-else.domain.com, they will all 'work'.

edit : btw :
_acme-challenge.pfsense.domain.com
is a sub domain do shouldn't exist already. It's just a 'random' place holder, so the acme check server can test for a TXT filed in "_acme-challenge.pfsense.domain.com" - which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.

If you update to the latest ACME package posted today, you will see the tabs with other users who have access to that package.

Upgrade to the latest ACME package.

I have the same issue. Any progress on this topic?

Thanks.
It works now with redirect of port 80 and I found "Restart Remote Service".

I spoke to the script author regarding this issue and it has now been resolved. There is also a pull request https://github.com/Neilpang/acme.sh/pull/1807

Issue resolved.

Works great now.

Thanks!

I fixed the text and added some links to the rate limit pages. Thanks!