Let's Encrypt & ACME
- 
 Hi, I have Let's Encrypt set up as CA within "Account Keys". I can successfully acquire a certificate when setting:
 - Domainname to "domain.com" and
 - Method to "DNS-NSupdate / RFC 2136"

 Yet, when logging into pfsense, the certificate warning "NET::ERR_CERT_COMMON_NAME_INVALID" is raised. However, setting the Domainname to the FQDN of the appliance, i.e. pfsense.domain.com, an Issue/Renew of the certificate results in:

 [@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "YOyoIfeZKqvNzBTVPI" ; TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
 [@time] error updating domain
 [@time] Error add txt for domain:_acme-challenge.pfsense.domain.com

 Simply changing the Domainname from "pfsense.domain.com" back to "domain.com" and the certificate is once again issued successfully, yet with an invalid CN. Is "_acme-challenge.pfsense" seen as a subdomain of "domain.com", whereby BIND 9.10.3 then doesn't allow updating of the domain.com zone regardless of the correct key being specified for the domain? I'm a bit lost on this one. Any help will be greatly appreciated. Thanks
- 
 Setting "Key Name" to "pfsense" and "Zone" to "domain.com" still tries to create the TXT record
 _acme-challenge.pfsense.domain.com
 rather than
 pfsense.domain.com

 [@time] adding _acme-challenge.pfsense.domain.com. 60 in txt "VTTcvhklvFWaDrbJc" ; TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
 [@time] error updating domain
 [@time] Error add txt for domain:_acme-challenge.pfsense.domain.com
- 
 And then found it! Take note of the difference between the key file and the key name within the key file.
- 
 @Peek said in Let's Encrypt & ACME:
 _acme-challenge.pfsense.domain.com

 What about asking for a wildcard cert for root "domain.com"? Using domain.com and *.domain.com (twice) as "Domainname". You can use pfsense.domain.com, another.domain.com and something-else.domain.com, they will all 'work'.

 edit: btw: _acme-challenge.pfsense.domain.com is a subdomain so shouldn't exist already. It's just a 'random' placeholder, so the acme check server can test for a TXT field in "_acme-challenge.pfsense.domain.com" - which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.
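The two things this thread turns on are the dns-01 owner name (`_acme-challenge.` prepended to the certificate's FQDN, as the last post explains) and the TSIG key name the client presents (the "found it" post: the name inside the key file, not the file name, is what the server checks, and a name it does not know yields NOTAUTH(BADKEY)). The script below is an added example written for this page, not code from the thread or from the pfSense ACME package. It assumes a BIND-style key file (`key "name" { algorithm ...; secret "..."; };`), uses the documentation address 192.0.2.53 as a placeholder server, and only composes the nsupdate batch and checks the key name offline; the constructed key file and its secret are samples, not real credentials.

```shell
#!/bin/sh
# Added example: compose an RFC 2136 (nsupdate) batch for an ACME dns-01
# challenge and check the TSIG key name before sending anything to the server.

# Derive the dns-01 challenge owner name from the certificate's FQDN.
# The ACME server looks for a TXT record at _acme-challenge.<fqdn>.
acme_challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Extract the key name from a BIND-style TSIG key file, e.g.
#   key "acme-pfsense" { algorithm hmac-sha256; secret "..."; };
# NOTAUTH(BADKEY) means the server has no key under the name the client sent,
# so the name inside the file (not the file name) is what must match.
tsig_key_name_from_file() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Return 0 when the key name configured on the client matches the key file.
check_key_name() {
    configured=$1 keyfile=$2
    [ "$(tsig_key_name_from_file "$keyfile")" = "$configured" ]
}

# Build the nsupdate batch that adds the challenge TXT record (TTL 60, as in
# the thread's log lines). The batch is returned as text so it can be reviewed
# before being piped into nsupdate.
build_nsupdate_add() {
    server=$1 zone=$2 fqdn=$3 token=$4
    printf 'server %s\nzone %s.\nupdate add %s. 60 IN TXT "%s"\nsend\n' \
        "$server" "$zone" "$(acme_challenge_name "$fqdn")" "$token"
}

# Matching cleanup batch: the challenge record should not outlive validation.
build_nsupdate_del() {
    server=$1 zone=$2 fqdn=$3
    printf 'server %s\nzone %s.\nupdate delete %s. TXT\nsend\n' \
        "$server" "$zone" "$(acme_challenge_name "$fqdn")"
}

# --- demonstration with a constructed key file (sample secret, not real) ---
KEYFILE=$(mktemp)
cat > "$KEYFILE" <<'EOF'
key "acme-pfsense" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==";
};
EOF

if check_key_name "acme-pfsense" "$KEYFILE"; then
    echo "key name in file matches the configured key name"
else
    echo "mismatch: the server will answer NOTAUTH(BADKEY)" >&2
fi

# 192.0.2.53 is a placeholder (documentation range); the token is the one
# quoted in the thread's log output.
build_nsupdate_add 192.0.2.53 domain.com pfsense.domain.com "VTTcvhklvFWaDrbJc"
# To apply for real: build_nsupdate_add ... | nsupdate -k "$KEYFILE"
# and after validation:  build_nsupdate_del ... | nsupdate -k "$KEYFILE"
rm -f "$KEYFILE"
```

On the server side, the same key name appears in `named.conf`; a least-privilege grant that lets this key touch only the challenge record, rather than the whole zone, is `update-policy { grant acme-pfsense name _acme-challenge.pfsense.domain.com. TXT; };` (this statement is a general BIND 9 construct, not something the thread shows).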

