Let's Encrypt & ACME
Peek last edited by Peek
I have letsencrypt setup as CA within "Account Keys"
I can successfully acquire a certificate when setting :
- Domainname to "domain.com" and
- Method to "DNS-NSupdate / RFC 2136"
Yet, when logging into pfsense, the certificate warning "NET::ERR_CERT_COMMON_NAME_INVALID" is raised.
However, setting the Domainname to the FQDN of the appliance, i.e. pfsense.domain.com, an Issue/Renew of the certificate results in:
[@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "YOyoIfeZKqvNzBTVPI" ; TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
[@time] error updating domain
[@time] Error add txt for domain:_acme-challenge.pfsense.domain.com
Is "_acme-challenge.pfsense" seen as a subdomain of "domain.com" whereby BIND 9.10.3 then doesn't allow updating of the domain.com zone regardless of the correct key being specified for the domain?...
I'm a bit lost on this one. Any help will be greatly appreciated.
"Key Name" to "pfsense" and
"Zone" to "domain.com"
still tries to create the TXT record:
[@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "VTTcvhklvFWaDrbJc" ; TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
[@time] error updating domain
[@time] Error add txt for domain:_acme-challenge.pfsense.domain.com
And then found it!
Take note of the difference between the key-file and key-name within the key-file.
Gertjan last edited by Gertjan
edit: btw:
is a subdomain so shouldn't exist already. It's just a 'random' placeholder, so the ACME check server can test for a TXT field in "_acme-challenge.pfsense.domain.com" - which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.
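Both points raised in the thread (Peek's note that the TSIG key name inside the key file must be the one the client sends, and Gertjan's description of where the dns-01 TXT record lands and which zone it belongs to) can be checked before running the ACME client. The following is an added example written for this thread; it is not code from the pfSense ACME package or from the posters. All function names are the example's own, the key file is a constructed sample, and the secret in it is a made-up base64 string. Parsing a full BIND configuration is out of scope; the parser only understands a single `key "name" { ... };` statement of the kind `tsig-keygen` writes.

```python
"""Pre-flight checks for an RFC 2136 (nsupdate) dns-01 setup.

Added example, not part of the forum thread or the pfSense ACME package.
All helper names below are assumptions made for this example.
"""
import base64
import re
from typing import Iterable, NamedTuple


class TsigKey(NamedTuple):
    name: str       # the key name as BIND knows it (what must go in "Key Name")
    algorithm: str  # e.g. hmac-sha256
    secret: str     # base64 secret, as written in the key file


# Constructed sample: the *file* might be called pfsense.key, but the key
# *name* inside it is "pfsense-acme". Sending updates signed as "pfsense"
# instead is exactly what BIND answers with NOTAUTH(BADKEY).
SAMPLE_KEY_FILE = """
key "pfsense-acme" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXNhbXBsZS1ub3QtcmVhbA==";
};
"""

_KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}',
    re.S,
)


def parse_tsig_key_file(text: str) -> TsigKey:
    """Extract name, algorithm and secret from a BIND key statement."""
    m = _KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found in key file")
    secret = m.group("secret")
    base64.b64decode(secret, validate=True)  # a mangled secret raises here
    return TsigKey(m.group("name").rstrip("."), m.group("alg").lower(), secret)


def key_name_matches(key: TsigKey, configured_name: str) -> bool:
    """True if the client-side 'Key Name' is the name BIND will look up."""
    return key.name.lower() == configured_name.rstrip(".").lower()


def challenge_name(fqdn: str) -> str:
    """Owner name of the dns-01 TXT record for a certificate name."""
    return "_acme-challenge." + fqdn.rstrip(".")


def enclosing_zone(name: str, zones: Iterable[str]) -> str:
    """Longest configured zone containing `name`: the zone the update targets.

    For pfsense.domain.com with only domain.com served, the TXT record for
    _acme-challenge.pfsense.domain.com still lives in the domain.com zone.
    """
    labels = name.rstrip(".").lower().split(".")
    zoneset = {z.rstrip(".").lower() for z in zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zoneset:
            return candidate
    raise LookupError(f"no configured zone contains {name}")


def nsupdate_batch(server: str, zone: str, fqdn: str, token: str, ttl: int = 60) -> str:
    """Build the nsupdate script the ACME client would send (not executed here)."""
    rr = challenge_name(fqdn)
    return "\n".join([
        f"server {server}",
        f"zone {zone}.",
        f"update delete {rr}. TXT",
        f'update add {rr}. {ttl} IN TXT "{token}"',
        "send",
    ]) + "\n"


if __name__ == "__main__":
    key = parse_tsig_key_file(SAMPLE_KEY_FILE)
    for configured in ("pfsense", "pfsense-acme"):
        status = "ok" if key_name_matches(key, configured) else "MISMATCH -> expect BADKEY"
        print(f"Key Name {configured!r} vs key file {key.name!r}: {status}")
    rr = challenge_name("pfsense.domain.com")
    zone = enclosing_zone(rr, ["domain.com"])
    print(f"{rr} must be updated in zone {zone}")
    print(nsupdate_batch("ns1.domain.com", zone, "pfsense.domain.com", "VTTcvhklvFWaDrbJc"))
```

On the server side the same name is the one that appears in the zone's `allow-update { key "pfsense-acme"; };` or `update-policy` grant, so a name that passes `key_name_matches` on the client still needs that grant for the zone returned by `enclosing_zone`. The `update delete` before `update add` mirrors what dns-01 clients normally do so a stale token from a previous attempt does not linger.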