• [SOLVED] Accountkey is not saved

    4
    0 Votes
    4 Posts
    549 Views
    P
    I read here in the forum that someone had a similar problem and it suddenly solved itself without intervention. Here the same. PFSense was running all the time and I tried again yesterday to create the account key which didn't work as described. The system wasn't changed all the time because I think the settings are correct. I have just tried it again and see there it is created. So (probably) done but strange I find it already.
  • Cannot get proper cert on my sub-domain

    2
    0 Votes
    2 Posts
    242 Views
    Gertjan
    Hi, And how should we know what changed, went wrong - what method you are using, etc ?
  • pf 2.4.4, ACME 0.6.4, Bind, Can't Pull Cert

    2
    0 Votes
    2 Posts
    476 Views
    M
    Update: When I try to set up Dynamic DNS RFC 2136 updates (just to test) I noticed this error: /services_rfc2136_edit.php: The command '/usr/local/bin/nsupdate -k /var/etc/nsupdatekey0 /var/etc/nsupdatecmds0' returned exit code '1', the output was 'check-names failed: bad owner '_acme-challenge.<doamin.com>' syntax error' I briefly looked up solutions but then mentioned puny-code and I still don't quite understand. Going to keep looking into this.
  • Letsencrypt + DigitalOcean = problems for me

    Moved
    12
    0 Votes
    12 Posts
    2k Views
    P
    I would recommend to use DigitalOcean through Cloudways platform as Cloudways takes care of this hassle through their excellent support team and you don't have to worry about any server related issues
  • Shell Command actions

    3
    0 Votes
    3 Posts
    494 Views
    P
    @jimp I completely missed that setting! Thank you!
  • ACME puts clear text certificate information in the logs

    3
    0 Votes
    3 Posts
    677 Views
    IsaacFLI
    @jimp yeah my concern was I was sending the pfSense logs to a syslog server. I just unticked the system part going to the syslog.
  • ACME package version 0.6.4

    2
    2 Votes
    2 Posts
    501 Views
    yon 0Y
    ACME 0.6.4 still has no push for update in PF 2.5 now.
  • HEADS UP: Let's Encrypt ACMEv1 server EOL starting

    1
    0 Votes
    1 Posts
    607 Views
    No one has replied
  • [Solved] Add additional IPs or Hostnames

    8
    0 Votes
    8 Posts
    2k Views
    Gertjan
    See, for example, this forum, first post. Also, check out the https://letsencrypt.org/fr/ site.
  • Pfsense + acme plugin + route53 (dynamic dns) fails

    3
    0 Votes
    3 Posts
    1k Views
    R
    CodenSnap, (I know this is an old thread but in case this might help others) I'm working on a similar setup (domain registered with Google and hosting DNS with either CloudFlare or AWS Route53). In domain.google.com there is an option to switch your DNS to "manual". Once switched to manual you have the option to enter DNS servers for your domain. I can enter either Route53 or CloudFlare. In either service I then add my DNS instance and create my Zone. From there I was able to use Dynamic DNS, add A, AAAA, & TXT records, etc., with either DNS provider. Have not yet got the ACME client to work. But best-I-can-tell there is no negative with registering a domain with Google and then hosting your DNS with another provider. Best Regards, RKGraves
  • FYI - ACME on 2.3.x

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • ACME Cert webConfigurator conflicting with OpenVPN CA?

    6
    0 Votes
    6 Posts
    834 Views
    R
    @Derelict Yes, working to use DNS Validation w/CloudFlare for ACME client. Thanks for the linked Video - Very Helpful (I've worked through it twice) and I believe I am close to getting ACME to work with CloudFlare. In the Video he uses a different DNS host for validation. Appreciate the link and your reply. RKGraves
  • ACME 0.6.3 Changing domain key size on existing entry (renew)

    1
    0 Votes
    1 Posts
    608 Views
    No one has replied
  • ACME with Schlundtech (german provider)

    4
    0 Votes
    4 Posts
    986 Views
    U
    ...meanwhile someone integrated schlundtech into acme.sh and the upstream found its way into the pfsense acme plug in...
  • loop error while issuing a cert

    2
    0 Votes
    2 Posts
    946 Views
    Gertjan
    @La6er said in loop error while issuing a cert: poblacionqxxxxxxtaro.gob.mx DNSSEC is not working for your domain : check http://dnsviz.net/d/poblacionqueretaro.gob.mx/dnssec/ or https://dnssec-analyzer.verisignlabs.com/ Example http://dnsviz.net/d/papy-team.org/dnssec/ Btw : you are updating against Cloudflare, and using "bind" locally. Why ? Is bind a master name server for your zone ? Slave name server ? I don't understand the relation. edit : I looked at your message again. Your 'bind' is set up as a master for your domain .... but you disallow zone transfers. Wtf ?? How can a slave sync then ? Do you have just one name server for your domain ? That can't be true, you break everything then, 2 is the minimum.
  • DNS-NSupdate / RFC 2136 Acme 0.6.2

    2
    0 Votes
    2 Posts
    532 Views
    M
    Dear All, This is resolved. The cause was a DNS configuration error outside the scope of Acme - sorry. I have had difficulties setting up dnssec. In so doing, I did modify the SOA entry. As a consequence, my slave DNS servers did not track master DNS server changes. Hence, Acme verification had no chance to work. Regards, Michael Schefczyk
  • Process by which the pfSense ACME plugin is updated

    4
    0 Votes
    4 Posts
    778 Views
    jimp
    We have a few changes that I doubt they'd want or accept. It's not a big deal really. Things rarely conflict. I just merge from upstream, copy the files over, and test.
  • LE/Acme Register Account Key Issue.

    7
    0 Votes
    7 Posts
    1k Views
    N
    @Napsterbater So I confirmed via packet caps it was a broken PMTUD issue on the Broken box, seems related to NPt, but that is another story. Thanks for the help.
  • Template variables for ACME actions?

    3
    0 Votes
    3 Posts
    804 Views
    J
    @Gertjan said in Template variables for ACME actions?: On a firewall ?? at least not in my case ;-) This pfsense box works as server in my network and not as router/firewall. But fully agree that Cert/Key handling should not take place on a firewall. I use acme.sh on my servers for quite a while now. Works like a charm, but I like the GUI to manage the LE stuff ;-) You could write up a feature request https://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=2 I opened a feature request: https://redmine.pfsense.org/issues/9725
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.