• 0.7.3_1 nsupdate method : issue with the $NSUPDATE_KEY

    1
    1 Votes
    1 Posts
    237 Views
    No one has replied
  • Please explain ACME cert update method

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • cannot generate a certificate

    3
    0 Votes
    3 Posts
    728 Views
    @johnpoz thank you for your quick reply, the issue was on my side, was using the wrong TOKEN code :)
  • ACME multiple SAN with Standalone HTTP server

    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Trying to get a new certificate and I get a time out

    7
    0 Votes
    7 Posts
    918 Views
    So I removed the AccountID, ZoneID and the Token from the Cloudflare panel under certificates. After that issuing new certificates started to work just as expected.
  • Add SSL DH Parameters

    5
    0 Votes
    5 Posts
    1k Views
    @gertjan said in Add SSL DH Parameters: You can use this script to 'cook' something for yourself. There is a commented line that shows where I 'cat' the RSA4096 DH file to the cert.pem file. You can find the latest cert version in a known place. Btw : some more investigation will be needed, as : where does the HA proxy startup code get the cert info from when preparing for a HA Proxy start ? In the past, the trick of modifying the main 'cert.pem' was used by many processes, but these days, as my apache2 example, it has become a separate setting in a config file. I hope "Domoticz" will also adopt that method. See the wiki page again : Domoticz has its own deploy script : you can also use that one as an example. Thanx for the example man, very interesting! Sadly my linux skills are like "trial and error" ;-) Especially (secured) SSL is quite difficult to understand. Domoticz has a built-in HTTP (9090) and HTTPS (443) server and also the possibility to pass the login inside the local network with an option in the settings: 192.168.1.*. This allows all computers inside the local network, starting with this ip address, to pass the login of domoticz. The problem with this login pass option is that also the outside world doesn't have to login because of the HTTP connection in the backend of HAproxy. Therefore I currently did not set this option to protect the webapplication. On the other hand the advantage of the current configuration allows me to turn off the HTTPS 443 ssl connection in the startup file of domoticz (I just figured out). This way I don't get certificate and https errors in domoticz anymore because everything is handled by the HAproxy server and ACME. I have to think about it, thanx anyway for the info!
  • pfSense, Cloudflare and ACME - upstream time out error

    3
    1 Votes
    3 Posts
    773 Views
    @gertjan It is more than a GUI error, when I check the certificate using the Certificate Manager, the one I am trying to get a certificate for only has the private key. No Certificate data.
  • Error setting up ACME (0.7.3) and Cloudflare certificate

    Moved
    5
    0 Votes
    5 Posts
    723 Views
    @johnpoz Ahhh ok! Perfect! Thank you!
  • Is there a DNS-NoIP option?

    2
    1 Votes
    2 Posts
    524 Views
    cwagz
    @dutsnekcirf said in Is there a DNS-NoIP option?: My public DNS is provided by No-IP.org and I've managed to get a certificate created using the DNS-Manual method. My understanding is that this verification method does not allow for automatic certificate renewal. Is there one of the automated verification methods that I could use with no-ip.org? Thanks! I recently went through this same situation. I switched from Dyn-DNS to No-IP only to find out that No-IP does not expose API keys or anything to allow the acme package to perform the DNS changes necessary for automatic renewal. I ended up canceling no-ip and moving to cloudflare. Cloudflare is actually great once you get it setup and so far, free for what I am doing as well.
  • Solved: ACME RFC2136 with DNS alias mode not working

    2
    0 Votes
    2 Posts
    870 Views
    Found the solution: there must be 2 CNAME records according to https://github.com/acmesh-official/acme.sh/issues/2789 one for _acme-challenge.domain,tld to _acme-challenge.domain.tld and a second one for _acme-challenge.pfense.domain.tld to _acme-challenge.domain.tld.
  • ACME not renewing one certificate as scheduled

    8
    1 Votes
    8 Posts
    963 Views
    Gertjan
    @sensewolf What did the green 'log' in the GUI tell you ? Or, better : zero the log file I mentioned above. Do a manual renew. Look at the file again, it has many lines now. Upload them to (whatever) => pastebin.org Paste the link here. Btw : be careful, don't press several times per day at the manual renew button : after 5 times or so, you'll get blacklisted for a day, as the number of times you renew a cert is limited.
  • Exchange 2016 - pull LE cert from pfsense

    4
    0 Votes
    4 Posts
    914 Views
    @sgw said in Exchange 2016 - pull LE cert from pfsense: If Exchange should really require 128 GB RAM, that customer is out of the game anyway That was basically our thought process. I checked around a bit and some people with smaller servers said Exchange 2019 seemed to be OK with 64 or 92 but in the big picture I think Microsoft expects enterprises to run their own servers, and everyone else to use 365. re: maintenance, Microsoft only releases security updates for supported versions of Exchange which is the last two Cumulative Updates of each version. This MS page is noisy but if you look closely only the Exchange 2016 CU22 and CU23 lines have links because they are supported, and CU21 has no updates after March. Essentially, every 3-6 months one must install a CU which in my experience takes 2-3 hours because it's essentially a full Exchange install each time. If someone isn't installing those, no security updates for Exchange are installed via Windows Update. It just quietly doesn't see any. Exchange 2016 ends support in Oct. 2025. Microsoft only allows/supports migrations for the prior two versions. So your customer will need to move to Exchange 2019 or "Exchange 2022" or whatever it will be called by 2025. None of that is anywhere near your question but that's why we moved off local hosting, and none of it is our problem anymore. :)
  • ACMEv2 SSL with Google?

    Moved
    2
    0 Votes
    2 Posts
    1k Views
    Hi Everyone, I asked the same question over in the Let’s Encrypt forums, and I got some great answers and clarification on what I was trying to do. https://community.letsencrypt.org/t/acmev2-ssl-with-google/187727/18 Hopefully Google will do ACME wildcard verification through Google Domains in the future.
  • Help with configuring Njalla hosts

    1
    0 Votes
    1 Posts
    339 Views
    No one has replied
  • The field 'Name' contains invalid characters

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
  • [Q] ACME giving a 2048 key instead of 4096

    Moved
    5
    0 Votes
    5 Posts
    1k Views
    I am seeing same issue in 2.6.0-RELEASE with ACME 0.7.3 package. Provider is Cloudflare in DNS domain alias mode. Generating cert using 256/384 ECDSA key works, but even after switching to RSA 4096 still gives 2048 bit key cert.
  • ACME not working HE.net

    1
    0 Votes
    1 Posts
    262 Views
    No one has replied
  • Unable to renew cert / Unable to add the DNS record (NameSilo)

    13
    0 Votes
    13 Posts
    1k Views
    Gertjan
    @flemmingss Aha : You are using the pfSense HAproxy package. Go back to the [image] page, and start reading. This time, up until the bottom. You will find the very important dns sleep. That's why it's there. And also this one : [image] as it was made for you. The certificate name will not change when it is renewed. No need to select 'another' cert in the HA Proxy settings. Now, when acme.sh successfully renewed the certificate, it will also restart HAproxy. So it takes into account the renewed certificate. And you can go back to the admin's main task : constantly checking if all automated tasks are correctly executed.
  • Acme and Dyn

    Moved
    30
    0 Votes
    30 Posts
    10k Views
    @gertjan Don't Worry I bought different domain name from NO-IP and the certificate started working with it. Thank you for your help.
  • How do we request a new package release?

    4
    0 Votes
    4 Posts
    896 Views
    Gertjan
    @ms264556 said in How do we request a new package release?: and easy Before you click on 'get me 2.7.0', read the top most messages from this forum : pfSense > Software Development > CE 2.7.0 Development Snapshots
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.