Acme Letsencrypt is failing to verify manual DNS entry



  • I have the Acme plugin configured to validate via manual DNS.
    I continue to get the "Please add the TXT records to the domains, and retry again."
    The _amce.host.domain.pw DNS entry has been added to my external zone.
    I have verified it has propagated and I can see the record is available to my firewall by looking it up via dig from the shell on that appliance.

    Any ideas on why this isn't working?


  • Rebel Alliance Developer Netgate

    Did you actually use "_acme.host.domain" or did you use  "_acme-challenge.host.domain"? It has to be "_acme-challenge", and be sure it's a TXT record as well.



  • I always do something stupid like that…put a decimal in the wrong place...

    Added it incorrectly here, but it's correct in DNS: _acme-challenge.host.domain.pw
    Good catch.

    Am I better off trying to perform this task in the shell or through the GUI?



  • Issue resolved, I believe.
    Issue command in the ACME plugin never worked.
    Never ended up with a cert, just the same "add the DNS entry" message.

    However, I hit RENEW and it happily generated the cert and installed it, exactly as hoped.

    Interesting behavior.

    Thanks for responding! Nuttin but love!


  • LAYER 8 Netgate

    You hit issue to get the key you need to put in the entry. If you hit issue again you get another key.

    Hit issue, add the required TXT record to the zone, then hit renew.

    The whole scheme is really designed to use an automatic DNS TXT record update method. You will have to go through the manual process again before the certificate expires, since the key you place in the TXT record is not held long-term at Let's Encrypt.
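The manual flow described above (Issue to get the key, publish it as a TXT record, then Renew) can be checked from the outside before pressing Renew. The following is an added example written for this thread, not code from the pfSense ACME package or acme.sh: it computes the record name and value the CA will query, following RFC 8555 section 8.4 (TXT at `_acme-challenge.<host>`, value `base64url(SHA-256(token "." account-key-thumbprint))`), and reports the two mistakes seen in this thread: the wrong label, and a value left over from an earlier Issue. The host name, token and thumbprint are constructed sample values, and the resolver is an in-memory stub; to check a live zone, pass a function that performs a real TXT lookup (for example by wrapping `dig +short TXT`).

```python
"""Check that the DNS-01 validation record for a host is published correctly.

Added example for this thread, not code from the pfSense ACME package or
acme.sh. Per RFC 8555 section 8.4 the record is the TXT RRset at
_acme-challenge.<host>, with value base64url(SHA-256("<token>.<thumbprint>"))
and the '=' padding stripped. HOST, TOKEN and THUMBPRINT are constructed
sample values; the resolver is injected so the check runs offline here.
"""
import base64
import hashlib
from typing import Callable, Dict, List

# A resolver maps a record name to the TXT strings found there (empty if none).
Resolver = Callable[[str], List[str]]


def challenge_name(host: str) -> str:
    """The validation record is _acme-challenge.<host>, not _acme.<host>."""
    return "_acme-challenge." + host.rstrip(".")


def challenge_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: base64url(SHA-256(token "." thumbprint)) without padding."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_record(host: str, token: str, thumbprint: str,
                 resolve: Resolver) -> Dict[str, object]:
    """Report whether the expected value is present at the right name and,
    if not, which of the usual mistakes explains it."""
    name = challenge_name(host)
    expected = challenge_value(token, thumbprint)
    found = resolve(name)
    report: Dict[str, object] = {"name": name, "expected": expected, "found": found}
    if expected in found:
        report["ok"] = True
        report["hint"] = "record present; the CA can validate once it has propagated"
    elif found:
        # A second press of Issue produces a new token, so an older value
        # at the correct name is the typical cause of a mismatch.
        report["ok"] = False
        report["hint"] = "wrong value: a later 'Issue' produced a new token; republish the current one"
    elif resolve("_acme." + host.rstrip(".")):
        report["ok"] = False
        report["hint"] = "record is at _acme.<host>; it must be at _acme-challenge.<host>"
    else:
        report["ok"] = False
        report["hint"] = "no TXT record at the name; check the zone and wait for propagation"
    return report


# Constructed sample data (not real ACME challenge material).
HOST = "host.example.net"
TOKEN = "sampletoken-0001"
THUMBPRINT = "sample-account-key-thumbprint"


def make_stub_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Resolver over an in-memory zone, standing in for a live DNS lookup."""
    return lambda name: list(zone.get(name.rstrip("."), []))


# Three constructed zones: correct, wrong label, and a stale value from an earlier Issue.
GOOD_ZONE = {challenge_name(HOST): [challenge_value(TOKEN, THUMBPRINT)]}
WRONG_LABEL_ZONE = {"_acme." + HOST: [challenge_value(TOKEN, THUMBPRINT)]}
STALE_ZONE = {challenge_name(HOST): [challenge_value("token-from-previous-issue", THUMBPRINT)]}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("wrong label", WRONG_LABEL_ZONE),
                        ("stale", STALE_ZONE)):
        r = check_record(HOST, TOKEN, THUMBPRINT, make_stub_resolver(zone))
        print(f"{label}: ok={r['ok']} hint={r['hint']}")
```

The stub zones are built from the block's own `challenge_value`, so the "good" case is self-consistent without needing a known digest; against a real zone the interesting output is the hint, which distinguishes a record that never arrived from one that is simply the key from the previous Issue.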



  • Try updating to the new version, acme.sh-2.7.4. pfSense is using an old version. ;)



  • I have encountered the same problem



  • Derelict - Any place to find info on the DNS auto-update process? That makes sense and if I have to renew these certs every 3 months, I prefer to automate. Thanks for the additional explanation.

    yon - thanks!



  • @kcactc:

    Derelict - Any place to find info on the DNS auto-update process? ….

    You mean the "DNS-NSupdate" method?


  • LAYER 8 Netgate

    There are a number of dynamic DNS providers in the Acme package.

    I had other reasons to run a local BIND server so I did this:

    https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS



  • @Derelict:

    I had other reasons to run a local BIND server so I did this:
    https://doc.pfsense.org/index.php/RFC2136_Dynamic_DNS

    That was my starting point too.
    Already had a bind9 server running somewhere on the net that knows about the domain name I'm using locally.
    Used the same bind9 + RFC2136, so a host.domaine already points to the always-changing IPv4.
    Now it also works with the acme package using the "DNS-NSupdate" method.
    Pure magic.
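For the "DNS-NSupdate" method mentioned above, this is the shape of the RFC 2136 update that has to reach the BIND server. It is an added example for this thread, not the pfSense ACME package's own code; the package's nsupdate method and the pfSense RFC2136 client send the same kind of TSIG-signed update. The server name, zone, host, key file path and challenge value are constructed placeholders.

```python
"""Generate the RFC 2136 dynamic-update batch that publishes or clears the
DNS-01 TXT record on a BIND server.

Added example for this thread, not the pfSense ACME package's own code.
ns.example.net, example.net, host.example.net, the key file path and the
challenge value are constructed placeholders.
"""
import subprocess
from typing import Optional


def challenge_name(host: str) -> str:
    """DNS-01 validation record: _acme-challenge.<host>."""
    return "_acme-challenge." + host.rstrip(".")


def nsupdate_batch(server: str, zone: str, host: str,
                   value: Optional[str] = None, ttl: int = 60) -> str:
    """Return the command script to feed to nsupdate.

    Each press of 'Issue' yields a new token, so the batch always deletes the
    existing TXT RRset at the name before adding the current value; with
    value=None it is a cleanup batch that only removes the record. A short
    TTL keeps a replaced value from lingering in resolver caches."""
    name = challenge_name(host) + "."          # fully qualified, trailing dot
    lines = [f"server {server}",
             f"zone {zone.rstrip('.')}.",
             f"update delete {name} TXT"]
    if value is not None:
        # base64url never contains quotes, backslashes or spaces; refuse
        # anything else rather than emit a record nsupdate would parse differently.
        if '"' in value or "\\" in value or " " in value:
            raise ValueError("challenge value is not base64url")
        lines.append(f'update add {name} {ttl} TXT "{value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch: str, keyfile: str) -> None:
    """Send the batch, signed with the TSIG key read from keyfile (nsupdate -k).
    Not called here; it needs a reachable server whose update-policy allows
    this key to change the _acme-challenge name."""
    subprocess.run(["nsupdate", "-k", keyfile], input=batch, text=True, check=True)


if __name__ == "__main__":
    print(nsupdate_batch("ns.example.net", "example.net", "host.example.net",
                         "CONSTRUCTED-CHALLENGE-VALUE"))
    print(nsupdate_batch("ns.example.net", "example.net", "host.example.net"))
```

On the BIND side the matching `update-policy` should grant the TSIG key rights only to the `_acme-challenge` names it needs, so a compromised key on the firewall cannot rewrite the rest of the zone.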



  • Just update from https://github.com/Neilpang/acme.sh/releases

    pfSense uses the old version VER=2.6.7 now


  • Rebel Alliance Developer Netgate

    @yon:

    Just update from https://github.com/Neilpang/acme.sh/releases

    pfSense uses the old version VER=2.6.7 now

    DO NOT update ACME files manually from github. That is a terrible suggestion. If you manually copy over something from there, you will clobber local changes and you'll definitely break at least the nsupdate method, if not others. There is a PR we're looking at to update ACME but we're focused on 2.4-RELEASE at the moment.



  • @jimp:

    @yon:

    Just update from https://github.com/Neilpang/acme.sh/releases

    pfSense uses the old version VER=2.6.7 now

    DO NOT update ACME files manually from github. That is a terrible suggestion. If you manually copy over something from there, you will clobber local changes and you'll definitely break at least the nsupdate method, if not others. There is a PR we're looking at to update ACME but we're focused on 2.4-RELEASE at the moment.

    I have no other better way, so I am looking for a temporary solution. After the update, it looks like it works right now.


  • Rebel Alliance Developer Netgate

    Your problem is highly unlikely to be related to this subject, and your suggestion is also not relevant. If you want to hack up your own firewall, feel free, but do not suggest others repeat your mistakes.

    Locking this thread since it has been solved and is deviating from the original topic.

