-
My Let's Encrypt certificate is failing to auto-renew. It worked before, but I guess some configuration change since has broken it maybe. It logs:
Let's wait 10 seconds and check again.
You can use '--dnssleep' to disable public dns checks.
See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
Checking pfsense.example.com for _acme-challenge.pfsense.example.com
Not valid yet, let's wait 10 seconds and check next one.
Let's wait 10 seconds and check again.
Timed out waiting for DNS.
Removing DNS records.
Removing txt: xyzabc123 for domain: _acme-challenge.pfsense.example.com
Removed: Success
No doh
Indeed I block most/all outgoing DoH with pfBlockerNG. Is DoH required? The docs don't say such.
Where could I add the --dnssleep flag? There doesn't seem to be any UI for adding custom parameters...
Thanks,
Sean
-
@seanmcb said in ACME renewal timeout and "No doh":
Where could I add the --dnssleep flag?
Here :
By default, --dnssleep is set to 120.
Read also : https://github.com/acmesh-official/acme.sh/wiki/dnscheck
-
@seanmcb said in ACME renewal timeout and "No doh":
Checking pfsense.example.com for _acme-challenge.pfsense.example.com
Did you actually configure that with your own domain?
-
@gertjan said in ACME renewal timeout and "No doh":
By default, --dnssleep is set to 120.
Read also : https://github.com/acmesh-official/acme.sh/wiki/dnscheck
Ah, despite their similar names, I didn't think that text field in the pfsense UI corresponded to the acme.sh --dnssleep option! Because the pfsense GUI says below that field: "When using a DNS validation method configure how much time to wait before attempting verification after the txt records are added. Defaults to 120 seconds."
but the acme.sh docs say:
"In dns mode, after the dns record is added, acme.sh will use cloudflare public dns or google dns to check if the record has taken effect. If you don't want this check, please use --dnssleep"
They are not describing the same thing at all. :)
I set the dnssleep field in my pfsense to 30 and now it works. So in fact that pfsense field does correspond to the --dnssleep option and the pfsense text below is just wrong:
- pfsense is clearly not defaulting to 120. Leaving that text field empty (the default) seems to correspond to not passing --dnssleep at all
- the purpose of the field is not to "configure how much time to wait before attempting verification" but rather it's to disable verification and instead wait the specified number of seconds.
I'll file a bug against the pfsense wording...
-
https://redmine.pfsense.org/issues/13495
-
https://github.com/acmesh-official/acme.sh/wiki/dnssleep
@seanmcb said in ACME renewal timeout and "No doh":
In dns manual mode, after the dns record is added manually, acme.sh will use cloudflare public dns ....
as cloudflare public dns or google dns are only used when dnssleep is not set.
dnssleep is pretty mandatory when using some API/auto mode.
But not for manual mode (human interaction is slow by default ;) )
dnssleep exists because DNS syncing takes an unknown time.
The DNSAPI mode uses a script file and your access credentials so it can add (and afterwards : remove) one or more TXT records. You will be updating the DNS domain name master DNS only. There should be at least one DNS slave, and it will get signalled by the master that there is an update in the zone.
The zone slave can then initiate a zone transfer whenever it wants, it could be right away, or x seconds / minutes later (the zone master admin determines the sync parameters).
When the zone is synced, LE is signalled to proceed with zone checking. It will locate the domain name servers, pick any of them, and check the TXT record.
Btw : I think it checks all the listed name servers.
When using manual mode, there is no need to wait ..... sleep == dnssleep, as it will take you some time to connect to the GUI that allows you to set the needed TXT records in your domain zone.
Because you didn't use dnssleep, acme.sh will now do an extra step for you when you proceed : it will do a dns zone check for you by using cloudflare, google DNS etc.
So acme.sh will only signal LE to proceed with the zone checking if it knows that the TXT records are actually set (and the admin who sets the TXT records manually didn't make a mistake).
I don't understand why this check isn't actually made also when DNSAPI mode is used, as an extra local check step before LE is asked to check and deliver a cert.
My for some sites where acme.sh is used there is no google or cloudflare access ( pfblockerng users ;) )
All this is my opinion of course.
From your https://redmine.pfsense.org/issues/13495
- the purpose of the field is not to "configure how much time to wait before attempting verification" but rather it's to disable verification and instead wait the specified number of seconds. This is useful for people like me that block access to cloudflare and google DNS.
Well, it is waiting xxx seconds after a "successful TXT field insertion".
During this time, DNS master and slave(s) should do their sync magic.
Then control is given back to LE so it can do its checking, and give you back a cert if it was successful.
I guess this dnssleep parameter serves somehow a double function.
When absent (not set) acme.sh will do a local check using known DNS resolvers. I tend to say : to inform you that you did your manual work ok.
IMHO : the dnssleep can be very low, but can't be zero in 99,99 % of all cases.
It should be set to "120" if you didn't modify that setting.
Btw : I'm using the nsupdate ( dns_nsupdate.sh ) method as I do not use the API of my registrar : I'm hosting my own domain name master and several domain name slaves (bind). These domain name servers only host my own domain names, so they have not much to do.
I can follow the update process while tracing the logs everywhere = the adding of the two TXT records, the signalling of the master to the slave, the reception of this signal by the slaves, the slaves that call back the master for a zone sync.
Once in a while, I also use freedns.afraid.org as an extra dns slave, and the sync back of freedns can take up to 5 minutes to sync with my master. When I use the dns slaves of my registrar, this can even take longer, as they have zillions of zones (domain names) to handle.
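To make the two behaviours discussed in this thread concrete (the "No doh" timeout in the first post and the dnssleep-versus-dnscheck explanation above), here is an added example that is not acme.sh's or pfSense's own code: a small Python model of what acme.sh does after the TXT record is added. With dnssleep set it performs no lookups at all and only sleeps; with dnssleep unset it polls the public resolvers until every one of them returns the challenge token, or gives up. The lookup function is injectable, so a network that drops queries to Cloudflare and Google (the pfBlockerNG case) can be reproduced offline. The function names, the resolver list, the round limits and the sample records are assumptions; the `dig_txt` helper shells out to the real `dig` tool and is only there for running the model against a real zone.

```python
"""Model of acme.sh's two DNS-propagation strategies (added example, not acme.sh
or pfSense code). Names, resolver list and sample records are assumptions."""
import subprocess
import time

# Public resolvers acme.sh's dnscheck uses by default (Cloudflare and Google);
# these are exactly the lookups a pfBlockerNG DoH/DNS block can stop.
DEFAULT_RESOLVERS = ("1.1.1.1", "8.8.8.8")


def dig_txt(name, server):
    """Real lookup via the `dig` CLI: the set of TXT strings at `name` as seen
    by `server`. Assumes dig is installed; the offline test does not use it."""
    out = subprocess.run(
        ["dig", "+short", "+time=3", "TXT", name, "@" + server],
        capture_output=True, text=True, check=False,
    ).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


def wait_for_challenge(name, token, dnssleep=None, resolvers=DEFAULT_RESOLVERS,
                       query=dig_txt, sleep=time.sleep, interval=10,
                       max_rounds=6, log=print):
    """Return True once the _acme-challenge TXT record is considered ready.

    dnssleep set  -> no lookups: sleep that many seconds, then trust the zone
                     (this is the path the pfSense 'DNS Sleep' field selects).
    dnssleep None -> poll every resolver until all of them return `token`,
                     or give up after max_rounds ("Timed out waiting for DNS").
    """
    if dnssleep is not None:
        log(f"Sleeping {dnssleep} seconds for DNS sync, skipping public dns checks.")
        sleep(dnssleep)
        return True

    for _ in range(max_rounds):
        missing = [srv for srv in resolvers if token not in query(name, srv)]
        if not missing:
            log(f"{name} is visible on all resolvers.")
            return True
        log(f"Not valid yet on {', '.join(missing)}, "
            f"let's wait {interval} seconds and check again.")
        sleep(interval)
    log("Timed out waiting for DNS.")
    return False


class BlockedResolver:
    """Constructed stand-in for the thread's situation: the record is in the
    zone, but the firewall drops every query to the public resolvers, so the
    lookup returns nothing no matter how long acme.sh polls."""

    def __init__(self):
        self.calls = 0

    def __call__(self, name, server):
        self.calls += 1
        return set()


class PropagatingResolver:
    """Constructed resolver where the TXT record appears after `ready_after`
    lookups, like a slave that pulls the zone a little after the master update."""

    def __init__(self, token, ready_after):
        self.token, self.ready_after, self.calls = token, ready_after, 0

    def __call__(self, name, server):
        self.calls += 1
        return {self.token} if self.calls > self.ready_after else set()


if __name__ == "__main__":
    # Offline demo using the names from the thread's log; no real DNS traffic.
    name, token = "_acme-challenge.pfsense.example.com", "xyzabc123"
    fast = lambda seconds: None  # do not actually sleep in the demo
    print("blocked network, no dnssleep:",
          wait_for_challenge(name, token, query=BlockedResolver(), sleep=fast))
    print("blocked network, dnssleep=30:",
          wait_for_challenge(name, token, dnssleep=30, query=BlockedResolver(), sleep=fast))
    print("slow slave, no dnssleep:",
          wait_for_challenge(name, token, query=PropagatingResolver(token, 3), sleep=fast))
```

The first demo call reproduces the log in the opening post: six rounds of empty answers, then "Timed out waiting for DNS", even though the record was added correctly. The second call shows why setting the pfSense field fixed it: with dnssleep present no public-resolver lookup is attempted, so the block no longer matters and the only cost is the fixed wait. The third call shows the check doing its job when the resolvers are reachable but a slave is slow to sync.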
-
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.