Thank you very much for this valuable information. Following these suggestions worked out well for me.

Regards.

@ak4 said in Possible ACME bug in 23.09.1:

ended up being related to pfBlocker

pfBlocker, by itself, when you install it, does 'nothing'.
I'll advise you strongly to fact check this and not just believe me ^^

So, yes, it's actually easy : you install 'some DNSBL' or IP list and suddenly you can't, from your LANs, reach some destinations on the internet.
And also the other way around : suddenly, you block sources that needs to contact your pfSense, like the Letenscrypt verification service, as you've picked a list that contains these sources (IP, etc).
I presume you manged to do just that.

Remember : you use these DNSBL lists and IP lists 'as is'. But shouldn't you check them before using them ?
It has happened : a list conatins all the Amazon WS IPs. Right after you use this list, suddenly, pfBlockerng can't update any list anymore, as most lists are hosted on Amazon WS.
Or : also pure fun : some IP list managed to include all RFC1918 and suddenly pfBlocker start to block all your LAN devices and it's "Internet & pfSense is broken again" time, or its actually the "the admin didn't do it's job" time.

What I normally do if I use a new list : I use this package :
371e39b4-7595-4edb-831e-8ce6f15e4b34-image.png

and I make notes, like : installed on 2024-04-04 IP list Xyz, and then I see what happens. if somethings strange happens, I undo what I've done last, and often the issue is solved. Then I go through the 'why' phase.

But before testing : don't you want de latest acme version (with the latest correction etc) ?

I'm using : 23.09.1 (actually 24.03-BETA since a week as it is rock solid) and :

1c15cdd0-5d1c-4542-a495-088e0328c77a-image.png

which came out .... weeks ago.
Why wait ?

@DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

the dynamic DNS name of my router locally

That is the DDNS name as it is known to the 'outside' world, also known as the Internet ?
Easy : don't.
Use :

6efb80c0-ab1f-420e-b2a1-08d389b9e282-image.png

It's this domain name that you have to 'own' (actually : rent) and it's this domain name that you have to use with ACME to get a certificate from Letsencrypt that includes the "Subject Alt Names" like "pfSense.your-local-domain.name"

You can also ask for a wildcard certificate like "Subject Alt Names" :

and now you can export the certificate and use it also for your NAS :
NAS.your-local-domain.name
and your printer :
printer.your-local-domain.name

That is : both the NAS and 'printer' need to have some sort of GUI that permits you to import the certificate you've exported from pfSense.

@DominikHoffmann said in Is the reason for renewal failure my use of dynamic DNS?:

Starting with my own I am now notified that my certificate cannot be renewed

And the reason was ?
The acme package logs a lot, full with details mentioning everything that goes well, and also what doesn't go well. The latter will interest you.
It's here : /tmp/acme/[domain account]/ and look for the file that has the log extension.

@phantom99 just glad you got it sorted.. I could talk for hours and hours about dns ;)

@Flemmingss
https://forum.netgate.com/topic/161052/let-s-encrypt-certificate-authority-expiring-soon/7

@frankz
Sorry, I don't know what haproxy is - not using it.
Doesn't seem to be discussed in this sub forum as here it's "ACME" only.

@frankz

This : http://xxxxxxx.ddns.net/, or actually this "xxxxxxx.ddns.net" should resolve to an A record (or AAAA).
"DNS" (mine, your, and the one ACME (Letsencrypt) uses should resolve "xxxxxxx.ddns.net" to an IP address, an IP address whicg has port "80" open, so a (mini) web server replies, and will answer when arequest comes in asking for this file :
.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx
If Letsencryot gets this file, it will load it - and check if the content matches with what it has given to ACME.

The thing is : Letsencrypt was 'asking' on "xxxxxxx.ddns.net", the IP address, but found the door closed.

Normally, the "xxxxxxx.ddns.net" points to your WAN IP, so you need to have a firewall rule on your WAN that permits TCP traffic on port 80 to come so it can reach the ACME web server instance, that receives the request, and answers it.
Keep in mind that ACME will fire up a mini web server, but will do handle any firewall stuff for you.

If you have a ISP router in front of your pfSense : you will have to "NAT" that router also.

You also have to deal with the fact that pfSense uses itself the port 80 for the GUI access, so you will have to move that, as the GUI listens on all interfaces, WAN included ( ! ).

By now, you will probably think : "hey, this (stand alone) ACME web server method isn't that good at all". And that's correct. It's a method that you really don't want to use, as you need to manually prepare the renewal every time. You don't want to leave your port 80 TCP open to the net all the time.

@AudioDave said in Failure updating ACME certificate:

However, my original question is simply how to resolve the fact that the automatic renewal is failing

I did point out your problem several days ago and what you needed to do.

The question is:

how to let the ACME-package run the http-challenge on the Virtual IPs?

But I worked around this already (customer wanted traefik for the additional services).

Did you ever get this sorted? I have a similar issue.

@Boab

You have a wild card, so you can probably delete de start dot domain.tld as it is going out of businesses anyway.

@johnpoz @Gertjan thanks to both of you

@Gertjan

Hope this is descriptive and short enough:
https://redmine.pfsense.org/issues/15229

I found actually another bug in the way the password special characters are added into the URL.
Next to the UI changes it is also required to enable some URL encoding to change for example the '#' letter to '%23'.

@johnpoz said in Unable to generate ACME Certificate:

re you trying to write this dns entry, lost-sierra.blog isn't a valid domain on the public internet.. I show nxdomain for that domain,

Thanks John. I had a lame typo in my dns entry. Should not have included the '-' between lost and sierra. Looks like I'm all set now. You get a gold star!
Jeff

Thanks for the advice! I guess I'll uninstall my packages and then upgrade. I've already backed up my config.

@KelvinU said in New cert Invalid response:

it's not listed

yeah prob not - hhehehe

Move your domain to some sort of global dns provider..