• ACME pkg v0.8

    2
    5 Votes
    2 Posts
    558 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    P

    Thank you very much for this valuable information. Following these suggestions worked out well for me.

    Regards.

  • Possible ACME bug in 23.09.1

    2
    0 Votes
    2 Posts
    549 Views
    GertjanG

    @ak4 said in Possible ACME bug in 23.09.1:

    ended up being related to pfBlocker

    pfBlocker, by itself, when you install it, does 'nothing'.
    I'll advise you strongly to fact check this and not just believe me ^^

    So, yes, it's actually easy : you install 'some DNSBL' or IP list and suddenly you can't, from your LANs, reach some destinations on the internet.
    And also the other way around : suddenly, you block sources that need to contact your pfSense, like the Letsencrypt verification service, as you've picked a list that contains these sources (IP, etc).
    I presume you managed to do just that.

    Remember : you use these DNSBL lists and IP lists 'as is'. But shouldn't you check them before using them ?
    It has happened : a list contains all the Amazon WS IPs. Right after you use this list, suddenly, pfBlockerng can't update any list anymore, as most lists are hosted on Amazon WS.
    Or : also pure fun : some IP list managed to include all RFC1918 and suddenly pfBlocker starts to block all your LAN devices and it's "Internet & pfSense is broken again" time, or it's actually "the admin didn't do its job" time.

    What I normally do if I use a new list : I use this package :
    (screenshot)

    and I make notes, like : installed on 2024-04-04 IP list Xyz, and then I see what happens. If something strange happens, I undo what I've done last, and often the issue is solved. Then I go through the 'why' phase.

    But before testing : don't you want the latest acme version (with the latest corrections etc) ?

    I'm using : 23.09.1 (actually 24.03-BETA since a week as it is rock solid) and :

    (screenshot)

    which came out .... weeks ago.
    Why wait ?

  • Is the reason for renewal failure my use of dynamic DNS?

    2
    0 Votes
    2 Posts
    415 Views
    GertjanG

    @DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

    the dynamic DNS name of my router locally

    That is the DDNS name as it is known to the 'outside' world, also known as the Internet ?
    Easy : don't.
    Use :

    (screenshot)

    It's this domain name that you have to 'own' (actually : rent) and it's this domain name that you have to use with ACME to get a certificate from Letsencrypt that includes the "Subject Alt Names" like "pfSense.your-local-domain.name"

    You can also ask for a wildcard certificate like "Subject Alt Names" :

    *.your-local-domain.name your-local-domain.name

    and now you can export the certificate and use it also for your NAS :
    NAS.your-local-domain.name
    and your printer :
    printer.your-local-domain.name

    That is : both the NAS and 'printer' need to have some sort of GUI that permits you to import the certificate you've exported from pfSense.

    @DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

    Starting with my own I am now notified that my certificate cannot be renewed

    And the reason was ?
    The acme package logs a lot, full with details mentioning everything that goes well, and also what doesn't go well. The latter will interest you.
    It's here : /tmp/acme/[domain account]/ and look for the file that has the log extension.

  • Acme and duckdns

    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • 0 Votes
    23 Posts
    7k Views
    johnpozJ

    @phantom99 just glad you got it sorted.. I could talk for hours and hours about dns ;)

  • Why do I get these Certificate entries are expiring notifications?

    6
    0 Votes
    6 Posts
    892 Views
    T

    @Flemmingss
    https://forum.netgate.com/topic/161052/let-s-encrypt-certificate-authority-expiring-soon/7

  • Duckdns cert

    8
    0 Votes
    8 Posts
    1k Views
    GertjanG

    @frankz
    Sorry, I don't know what haproxy is - not using it.
    Doesn't seem to be discussed in this sub forum as here it's "ACME" only.

  • Timeout during connect (likely firewall problem)

    2
    0 Votes
    2 Posts
    756 Views
    GertjanG

    @frankz

    This : http://xxxxxxx.ddns.net/, or actually this "xxxxxxx.ddns.net" should resolve to an A record (or AAAA).
    "DNS" (mine, yours, and the one ACME (Letsencrypt) uses) should resolve "xxxxxxx.ddns.net" to an IP address, an IP address which has port "80" open, so a (mini) web server replies, and will answer when a request comes in asking for this file :
    .well-known/acme-challenge/xxxxxxxxxxxxxxxxxx
    If Letsencrypt gets this file, it will load it - and check if the content matches with what it has given to ACME.

    The thing is : Letsencrypt was 'asking' on "xxxxxxx.ddns.net", the IP address, but found the door closed.

    Normally, the "xxxxxxx.ddns.net" points to your WAN IP, so you need to have a firewall rule on your WAN that permits TCP traffic on port 80 to come so it can reach the ACME web server instance, that receives the request, and answers it.
    Keep in mind that ACME will fire up a mini web server, but will not handle any firewall stuff for you.

    If you have an ISP router in front of your pfSense : you will have to "NAT" that router also.

    You also have to deal with the fact that pfSense itself uses port 80 for the GUI access, so you will have to move that, as the GUI listens on all interfaces, WAN included ( ! ).

    By now, you will probably think : "hey, this (stand-alone) ACME web server method isn't that good at all". And that's correct. It's a method that you really don't want to use, as you need to manually prepare the renewal every time. You don't want to leave your port 80 TCP open to the net all the time.

  • Failure updating ACME certificate

    23
    0 Votes
    23 Posts
    4k Views
    P

    @AudioDave said in Failure updating ACME certificate:

    However, my original question is simply how to resolve the fact that the automatic renewal is failing

    I did point out your problem several days ago and what you needed to do.

  • ACME certs on Virtual IPs?

    3
    0 Votes
    3 Posts
    442 Views
    S

    The question is:

    how to let the ACME-package run the http-challenge on the Virtual IPs?

    But I worked around this already (customer wanted traefik for the additional services).

  • echo: write error on stdout

    2
    0 Votes
    2 Posts
    607 Views
    TigerFox57T

    Did you ever get this sorted? I have a similar issue.

  • ACME Account silently switched in UI

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • Wildcard domain renewal fails

    7
    0 Votes
    7 Posts
    637 Views
    GertjanG

    @Boab

    You have a wild card, so you can probably delete the start dot domain.tld as it is going out of business anyway.

  • ACME for CNAMEs

    4
    0 Votes
    4 Posts
    922 Views
    S

    @johnpoz @Gertjan thanks to both of you

  • DNS-selfhost.de verification - help required

    10
    0 Votes
    10 Posts
    732 Views
    L

    @Gertjan

    Hope this is descriptive and short enough:
    https://redmine.pfsense.org/issues/15229

    I found actually another bug in the way the password special characters are added into the URL.
    Next to the UI changes it is also required to enable some URL encoding to change for example the '#' letter to '%23'.

  • webroot FTP with local chrooted user?

    1
    0 Votes
    1 Posts
    351 Views
    No one has replied
  • Unable to generate ACME Certificate

    3
    1 Votes
    3 Posts
    669 Views
    J

    @johnpoz said in Unable to generate ACME Certificate:

    re you trying to write this dns entry, lost-sierra.blog isn't a valid domain on the public internet.. I show nxdomain for that domain,

    Thanks John. I had a lame typo in my dns entry. Should not have included the '-' between lost and sierra. Looks like I'm all set now. You get a gold star!
    Jeff

  • Uninstalling ACME during pfsense CE 2.6-to-2.7 update?

    4
    0 Votes
    4 Posts
    569 Views
    C

    Thanks for the advice! I guess I'll uninstall my packages and then upgrade. I've already backed up my config.

  • New cert Invalid response

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ

    @KelvinU said in New cert Invalid response:

    it's not listed

    yeah prob not - hhehehe

    Move your domain to some sort of global dns provider..
