• ACME 0.5 update (TLS-ALPN, BuyPass, and more)
    1 vote, 12 posts, 2k views
    Last reply: great work as always :)
• Certificate with multiple SAN from two different DNS accounts result in failure
    0 votes, 8 posts, 1k views
    Last reply by jimp:
    @apundir said in Certificate with multiple SAN from two different DNS accounts result in failure: Can I contribute to the nsupdate script as a patch? I do understand we'll have to store different key/secret under different keys and use them contextually in every DNS operation. I did look into the Submitting a Pull Request via Github page and did browse pfSense/FreeBSD-ports on github but couldn't find acme there. Looks like I am looking in the wrong place. Can you please point me in the right direction so that I am able to contribute back in case I am able to fix it?
    Not sure I follow what you are saying about nsupdate. The changes to nsupdate work fine, but they are specific to how the pfSense ACME package calls nsupdate and thus aren't a good candidate to submit upstream back into acme.sh. If you are talking about changing the GoDaddy script in a similar way, then you can submit a PR to us for that. The files are under https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-acme and the GoDaddy script specifically is at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-acme/files/usr/local/pkg/acme/dnsapi/dns_gd.sh
• Feature Idea: scheduled rule for acme.sh certificate process
    0 votes, 4 posts, 992 views
    Last reply by chudak:
    @jimp said in Feature Idea: scheduled rule for acme.sh certificate process: I'm sure there is a way but it hasn't been something directly on my todo list for ACME yet. If you already have port 80 forwarded somewhere, the easiest thing to do is let ACME glom onto that and use sftp to push the ACME challenge/response files to that web server. HAProxy may also help here. If you must do standalone mode, one tactic you can do is to bind standalone mode to a weird port on localhost that nothing else will use. Then set up a NAT rule on WAN without an automatic firewall rule to forward WAN:80 to localhost:yourport. Then set up a schedule to activate a firewall rule for the 15 minute block around when the check will happen. In an ideal world, everyone would use DNS validation instead, but...
    It would be really helpful to consider a feature where ACME is listening on an odd port and the NAT/firewall rule is enabled/disabled only when ACME needs this check (for standalone). Could be a check box on the general tab, something like "auto enable NAT on port: xxx".
• ACME 0.5.2 update
    4 votes, 1 post, 430 views
    No one has replied
• Problems with webroot FTP method
    0 votes, 17 posts, 2k views
    Last reply by chudak:
    I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked! As @jimp suggested here: https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3
• ACME and Bind dns Server on pfsense in the same server
    Moved
    0 votes, 12 posts, 3k views
    Last reply by Gertjan:
    @luisenrique said in ACME and Bind dns Server on pfsense in the same server: after trying several times I notice that the txt record of each attempt is not eliminated
    Your TXT records confirm what you saw. The logs say the very same thing:
    @luisenrique said in ACME and Bind dns Server on pfsense in the same server: [Tue Jan 15 08:46:04 CST 2019] Error rm webroot api for domain:dns_nsupdate
    rm (or "remove") means "delete file". The Letsencrypt "test server" can't find (== resolve) the record "_acme-challenge.enlinea.bicsa.cu", which means the DNS name server(s)!! (there should be at least 2 of them) of the domain "bicsa.cu" didn't have the subdomain "_acme-challenge.enlinea". This can happen when synchronisation is functioning well. (The TXT subdomain was set on the master DNS server, but wasn't synced in 120 seconds with the slave dns server.)
    Check: your name servers:
    dig bicsa.cu any +short
    ....
    ns2.bicsa.cu.
    ns1.bicsa.cu.
    ....
    root@ns311465:~# dig @ns2.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
    "s1ChQK6dg8tvuYY1Nb05W5i9zQc1S1iqMtevjiw1uCs"
    "DDzVdoZ6o2T_YqRZ2o5uybK4GjXAZ6jU3DaYXAhfnV4"
    "F6LjsjDmIwWPrw6K6EFthVUxaocmusRApXRPnRbkyCo"
    root@ns311465:~# dig @ns1.bicsa.cu _acme-challenge.enlinea.bicsa.cu TXT +short
    ....
    nothing = no good.
    Btw: you have serious DNSSEC troubles ..... DNSSEC should be perfect .... or your site will not be found on the net. Use http://dnsviz.net/ to check (you're good for some nights without sleep). It is feasible though: http://dnsviz.net/d/test-domaine.fr/XD5boA/dnssec/ (one of my domains). If the LE test server used the NS1 (your) name server (not synced) it will error out (it says: NXDOMAIN looking up TXT for _acme-challenge.enlinea.bicsa.cu). Like: see here https://zonemaster.iis.se/?resultid=e3f70901711cfd8f .... which looks .... not good.
    Btw: @luisenrique said in ACME and Bind dns Server on pfsense in the same server: dig _acme-challenge.enlinea.bicsa.cu txt
    When I run dig _acme-challenge.enlinea.bicsa.cu TXT +short from a server I own (somewhere in France) I see .... nothing, no result. What I see is what the LE test servers see: nothing (an answer also known as 'NXDOMAIN'). Check your DNS setup.
• ACME method for ddns.net or freemyip.com
    0 votes, 7 posts, 3k views
    Last reply by Gertjan:
    @chudak said in ACME method for ddns.net or freemyip.com: Am I understanding correctly that I would need to enable sftp or ftps on my pfsense router in order to use this?
    Well ... I never used the webroot method, but pfSense has all on board to handle the file transfer. I guess it will ask you for the credentials needed so it can log in on the remote (web) server (on a pfSense LAN or OPTx interface) and place the files in the web server root.
• HAPROXY + ACME (Standalone)
    0 votes, 2 posts, 1k views
    Last reply by Gertjan:
    @uwscia said in HAPROXY + ACME (Standalone): Question: DNS-NSUpdate / RFC 2136 vs Standalone which is better?
    As you said, the latter is:
    @uwscia said in HAPROXY + ACME (Standalone): cumbersome
    and not advised: see https://www.netgate.com/docs/pfsense/certificates/acme-validation.html#standalone
    @uwscia said in HAPROXY + ACME (Standalone): DNS-NSUpdate / RFC 2136
    IMHO: the best! A real set-it-and-forget-it method. As you mentioned: it needs to be supported by "the other side", or to be more precise: the place where your domain name is registered, probably your registrar or, even better: on some (master) DNS server that serves the zone of your domain that you administer yourself. See here for an RFC 2136 example. Most 'big' registrars support some procedure that is implemented by the acme package. Just cross-check https://github.com/Neilpang/acme.sh/tree/master/dnsapi with what your registrar offers you. If not, no panic: read https://github.com/Neilpang/acme.sh/tree/master/dnsapi and scroll down to see what is possible. If none: start thinking about moving your domain name, and/or read https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
• Please Help, Can't get ACME to work at all.
    0 votes, 5 posts, 1k views
    Last reply by jimp: After dealing with ACME for quite some time now, I've come to accept that it can be... quirky :-)
• ACME 0.5.1 and dyn using dns_nsupdate.sh
    0 votes, 2 posts, 548 views
    Last reply by jimp: There isn't a way to pass the zone info into the script yet. I haven't hooked that up in the GUI.
• DNS / namesilo validation method not working
    0 votes, 3 posts, 1k views
    Last reply:
    @gertjan said in DNS / namesilo validation method not working: First of all: you saw what Google said about the subject?
    Yes, I saw that after starting this topic. I noticed the unbalanced parens errors in my case too, but that didn't seem to be the main trouble, or prevent the request process from running.
    @gertjan said in DNS / namesilo validation method not working: Your image is out of time sync: after 12:48:43 it goes back in time: 12:48:36 ... ?
    Good catch. The pfSense install in question is a Hyper-V VM. I've experienced clock issues with virtual machines in the past but never on Hyper-V to my recollection. Not sure if that's the case here. Some services really don't like it when time goes backward.
    @gertjan said in DNS / namesilo validation method not working: I saw you use the 120 seconds delay: a typical delay so the master zone can signal the modification to its DNS slaves.
    It's the default delay in the ACME package. After your reply, I tried 300 seconds, then 960 seconds. After changing to 960 seconds, I attempted twice to acquire a certificate. The second attempt succeeded. The process didn't take anywhere near 16 minutes, or even 5 for that matter. So the validation delay setting didn't work as expected. Maybe it's a clock/timing problem. If the VM frequently adjusts its time backward to compensate for drift, that might very well precipitate trouble for timing/delays...
    @gertjan said in DNS / namesilo validation method not working: edit: you are using acme pfSense package version 0.3.2_4 right?
    Yup
• ACME 0.4 Update
    4 votes, 1 post, 485 views
    No one has replied
• Not working with Linode API v4
    0 votes, 2 posts, 525 views
    Last reply by jimp: I had not synced up the code with acme.sh upstream in a while. I just pulled in a bunch of new things and pushed pkg version 0.4 to 2.4.5 snapshots. If it tests out OK there I'll make it available for 2.4.4.
• Cert Renewal Failed using DNS-Godaddy
    0 votes, 1 post, 574 views
    No one has replied
• Bug when cron renew certificate
    0 votes, 10 posts, 1k views
    Last reply by jimp: That's the only method I use, and all of them are working perfectly here.
• DNS alias mode
    0 votes, 10 posts, 2k views
    Last reply: Ok, now I've got it. Thanks for your help!
• Let's Encrypt w Acme package working, but not ideal
    Moved
    0 votes, 10 posts, 3k views
    Last reply: Thank you Jim! I know the limitations still hold true but luckily they don't affect me!
• HaProxy, ACME, and multiple domains/servers - revisited.
    Moved
    0 votes, 3 posts, 1k views
    Last reply: Would you mind sharing your solution?
• ACME doesn't have Dreamhost option for DNS
    0 votes, 6 posts, 1k views
    Last reply: Thank you all. Very helpful. I'm going to try to install the x64 version (I think in the past I tried and it failed).
• Some advice regarding certificates
    0 votes, 21 posts, 2k views
    Last reply by wgstarks: Great. Thanks to everyone for your help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.