<![CDATA[Let's Encrypt & ACME]]>Hi,

I have letsencrypt setup as CA within "Account Keys"

I can successfully acquire a certificate when setting :

  • Domainname to "domain.com" and
  • Method to "DNS-NSupdate / RFC 2136"

Yet, when logging into pfsense, the certificate warning "NET::ERR_CERT_COMMON_NAME_INVALID" is raised.

However, setting the Domainname to the FQDN of the appliance, i.e. pfsense.domain.com, an Issue/Renew of the certificate results in:

**[@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "YOyoIfeZKqvNzBTVPI"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
[@time] error updating domain
[@time] Error add txt for domain:_acme-challenge.pfsense.domain.com

Simply changing the Domainname from "pfsense.domain.com" to "domain.com" and the certificate is once again issued successfully, yet with an invalid CN.

Is "_acme-challenge.pfsense" seen as a subdomain of "domain.com" whereby BIND 9.10.3 then doesn't allow updating of the domain.com zone regardless of the correct key being specified for the domain?...

I'm a bit lost on this one. Any help will be greatly appreciated.

Thanks

]]>https://forum.netgate.com/topic/143541/let-s-encrypt-acmeRSS for NodeWed, 15 Apr 2026 19:14:06 GMTTue, 21 May 2019 03:41:23 GMT60<![CDATA[Reply to Let's Encrypt & ACME on Tue, 28 May 2019 21:48:55 GMT]]>@Peek said in Let's Encrypt & ACME:

_acme-challenge.pfsense.domain.com

What about asking for a wildcard cert for root "domain.com" ?
Using
domain.com
and
*.domain.com
(twice) as "Domainname".

You can use pfsense.domain.com, another.domain.com and something-else.domain.com, they will all 'work'.

edit : btw :
_acme-challenge.pfsense.domain.com
is a sub domain do shouldn't exist already. It's just a 'random' place holder, so the acme check server can test for a TXT filed in "_acme-challenge.pfsense.domain.com" - which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.

]]>https://forum.netgate.com/post/845528https://forum.netgate.com/post/845528Tue, 28 May 2019 21:48:55 GMT<![CDATA[Reply to Let's Encrypt & ACME on Wed, 22 May 2019 01:27:58 GMT]]>And then found it !

Take note of the difference between the key-file and key-name within the key-file.

]]>https://forum.netgate.com/post/844234https://forum.netgate.com/post/844234Wed, 22 May 2019 01:27:58 GMT<![CDATA[Reply to Let's Encrypt & ACME on Wed, 22 May 2019 00:16:29 GMT]]>Setting

"Key Name" to "pfsense" and
"Zone" to "domain.com"

still tries to create TXT record
_acme-challenge.pfsense.domain.com
rather than
pfsense.domain.com

[@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "VTTcvhklvFWaDrbJc"
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
[@time] error updating domain
[@time] Error add txt for domain:_acme-challenge.pfsense.domain.com
]]>https://forum.netgate.com/post/844231https://forum.netgate.com/post/844231Wed, 22 May 2019 00:16:29 GMT