@sandie

looks like you have an Actions list with a PHP Command Script method, and something there has a / where it doesn't belong.

The cert will be fine, but whatever your action after is, is not.

Screen Shot 2023-12-21 at 4.32.50 PM.png

@jrey said in ACME DNS API support:

Clearly you are doing something else

Antworten

Yep, you are on a totally different path. I was asking about ACME and acme.sh's DNS providers. That RFC2136 is working for you is nice, but has nothing to do with the question :)

Like previously suspected, it seems the "acme-dns.io" selection is indeed the acme-dns tool from GitHub and you can enter your own hosted instance. It had a few rough edges but worked finally, so seems to work like expected - we will see if renewal works fine, too.

@gregeeh said in Question regarding Acme and DDNS:

Hope this was correct?

Sure as long as your browser trusts the CA is all that matters.

@Unoptanio I don’t think so? The other methods are all on that page.

Or just use the self signed cert.

@linuxlover2 said in new cert setup not finishing:

so now have to wait 2 weeks to renew.

One week, or even right away, check here Rate Limits.

@Gertjan Right, I don't mind waiting. I just hit that button about a week ago when I first noticed the issue and wanted to see if forcing an update would solve it.

One more question to the topic. I found an option to restart HAProxy after cert update. However, I have unfortunately not found an option to restart HAProxy on the second pfSense instance. How could this be done?

@jperezme

Methods used, wildcards etc, don't forget to watch the movie.

Well, really, I had deleted IPv6 and didn't realize that when I had implemented/enabled IPv6 that it would removed the IPv4 as been checked as a default route also...so I had to go to System > Routing to check the IPv4 box...the real reason that I could not register key...all is good.

@Gertjan said in ACME Certificate renewal failed - invalid domain - since pkg v0.7.5:

You still need to ID, using a 'key'

Yes, but's not a secret do you have at your DNS registrar as user login.
To not leave the pfsense world we can find here BIND configuration steps.

Thanks for your mentions.

@Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

using the GUI, I deactivated the admin user.

I created a new user "test2023"and gave him administrator privileges.

Oho.
Seems like a very bad idea to me.
Non of the official Netgate docs gives such an advise.

pfSEnse is a firewall, not some sort of NAS, or media serving thing with "multiple" users.
Ones in a while, the big chief comes in (the admin) does it things, and then he leaves.

True : others "users" can be created for OpenVPN purposes, but these do not interact with pfSense GUI, or SSH etc, it's just a means to identify and authorize the (OpenVPN) connection.
Another example : captive portal users

Another benefit of using the ACME DNS method is wildcard names. I'd previously been using the http method with my namecheap hosted domain. I could not use their DNS API with my account. I then realised I could switch nameservers, on my namecheap account, to cloudflare and can now use the DNS method with pfSense ACME package.

The package still cant add txt record. You have to add txt manually and then update the cert.

Are you using HTTP challenge, has to be DNS challenge for wildcard. If have domains on dynu and pfSense gets wildcard certs fine with DNS challenge.

@Gertjan Thank you for clarifying that for me

@Gertjan Thanks. Sorry I didn't read your suggestion well. I've just deleted those expired certificates in System-->Certificates. It should be fine now.

@unraveller349

Ah, ok.

When you ask for a certicate, like pfsense.abc.net, you have to do this first :

fefe3484-e51f-4ba4-a5b8-abcc744f42a7-image.png

Btw :

You've set this :

c051c25c-7adf-4f4d-8df0-250ad459a25f-image.png

?
If a new certificate was obtained, the webconfigurator has to be restarted so it will use the new certificate. That's what the 'action' is for.

In your browser, you should from now on using

because the browser will first resolve 'pfsense.abc.net", it will obtain the pfSense LAN IP.
Did you check that ?

returns 192.168.1.1 ? (or whatever your pfSense LAN IP is).

Then it connects to 192.168.1.1, using port 443 (because of https).
The web server, pfSense GUI, will send a certificate over that says : I'm am "pfsense.abc.net" and because the browser was looking for "pfsense.abc.net" everything is fine.

If you were using https://192.168.1.1 then the test will fail.
Because "192.168.1.1" isn't part of the name (SAN) of the certificate.