I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked !

As @jimp suggested here https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3

@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

after trying several times I notice that the txt record of each attempt is not eliminated

Your TXT records confirm what you saw.

The logs say the very same thing :

@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

[Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate

rm (or "remove") means "delete file".
The Letencrypt "test server" can't find (==resolve) the record " _acme-challenge.enlinea.bicsa.cu" which means the DNS name server (s !! - there should be least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea".
This can happens when synchronisation is functioning well.The TXT subdomain was set on the master DNS server, but wasn't synced in 120 seconds with the slave dns server).

Check :
Your name servers :
dig bicsa.cu any +short
....
ns2.bicsa.cu.
ns1.bicsa.cu.
....

root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
"s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
"DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
"F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"

root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short

.... nothing = no good;

Btw : you have serious DNSSEC troubles .....
DNSSEC should be perfect .... or your site will not be found on the net.
Use http://dnsviz.net/ to check .(you"re good for some nights without sleep).
It is feasible thought : http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains).

If the LE test server used the NS1 (your) name server (not synced) it will error out (it says : NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu).
Like : see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.

Btw :
@luisenrique said in ACME and Bind dns Server on pfsense in the same server:

dig _acme-challenge.enlinea.bicsa.cu txt

When I run

dig _acme-challenge.enlinea.bicsa.cu TXT +short

from a server server I own (some where in France) I see .... nothing - no result.
What I see is what the LE test servers see : nothing (answer also known as 'NXDOMAIN').
Check your DNS setup.

@chudak said in ACME method for ddns.net or freemyip.com:

Am I understanding correctly that I would need to enable sftp or ftps on my pfsense router in order to use this ?

Well ... I never used the webroot method but pfSense has all on board to handle the file transfer.
I guess it will ask your for credentials needed, so it can login on the the remote (on a pfSense LAN or OPTx interface) (web) server so it can place the files in the web server root.

@uwscia said in HAPROXY + ACME (Standalone):

Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?

As you said, the latter is :
@uwscia said in HAPROXY + ACME (Standalone):

cumbersome

and not advised : see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone

@uwscia said in HAPROXY + ACME (Standalone):

DNS-NSUpdate / RFC 2136

IMHO : the best ! I real set-it-and-forget-it method.
As you mentioned : it needs to be supported by "the other side", or to be more precise : the place where your domain name is registered, probably your registrar or, even better : on some (master) DNS server that serves the zone of your domain that you administer yourself - see here for an RFC 2136 example.

Most 'big' registrar support some procedure that is implemented by the acme package.
Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your regisrar offers you.
If not, no panic : read https://github.com/Neilpang/acme.sh/tree/master/dnsapi - scroll down to see what is possible.
If none : start thinking about moving your domain name - and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode

After dealing with ACME for quite some time now, I've come to accept that it can be... quirky :-)

There isn't a way to pass the zone info into the script yet. I haven't hooked that up in the GUI.

@gertjan said in DNS / namesilo validation method not working:

First of all : you saw what Google said about the subject ?

Yes, I saw that after starting this topic. I noticed the unbalanced parens errors in my case too, but that didn't seem to be the main trouble, or prevent the request process from running.

@gertjan said in DNS / namesilo validation method not working:

Your image is out of time sync : after 12:48:43 it goes back in time : 12:48:36 ... ?

Good catch. The pfSense install in question is a Hyper-V VM. I've experienced clock issues with virtual machines in the past but never on Hyper-V to my recollection. Not sure if that's the case here. Some services really don't like when time goes backward. 😮

@gertjan said in DNS / namesilo validation method not working:

I saw you use the 120 seconds delay : a typical delay so the master zone can signal the modification to it's DNS slaves.

It's the default delay in the ACME package. After your reply, I tried 300 seconds, then 960 seconds. After changing to 960 seconds, I attempted twice to acquire a certificate. The second attempt succeeded. The process didn't take anywhere near 16 minutes, or even 5 for that matter. So the validation delay setting didn't work as expected. Maybe it's a clock/timing problem. If the VM frequently adjusts its time backward to compensate for drift, that might very well precipitate trouble for timing/delays...

@gertjan said in DNS / namesilo validation method not working:

edit : you are using acme pfSEnse package version 0.3.2_4 right ?

Yup

I had not synced up the code with acme.sh upstream in a while. I just pulled in a bunch of new things and pushed pkg version 0.4 to 2.4.5 snapshots. If it tests out OK there I'll make it available for 2.4.4.

That's the only method I use, and all of them are working perfectly here.

Ok, now I've got it. Thanks for your help!

Thank you Jim! I know the limitations still hold true but luckily they don't affect me!

Would you mind to share your solution ?

Thank you all. Very helpful. I'm going to try to install x64 version (I think in the past I tried and it failed).

Great. Thanks to everyone for your help.

You are login with the user "admin" ?

That's already shown under System > Cert Manager where the certificates are held. The ACME package doesn't track renewal times. Though it's not terribly hard to calculate (last renew +90d).

If you are worried about expiring certificates, add your e-mail address under the account key when making a new cert, then LE will e-mail you if anything gets close to expiring.

dns_cf is the DNS-Cloudflare selection in the ACME certificate settings.

When you choose that, there is still a box for Enable DNS alias mode to do what you want.