Warning: certs cancellation due to LE bug
Gertjan last edited by
Yep, I had 2 of my certs which were affected.
Not on a pfSense device, my main web and mail server, handling about 5 domains.
I'm using a bare bone basic acme.sh solution, no fancy GUI stuff.
I had to run
acme.sh --renew -d one-of-my-domains.tld -d '*.one-of-my-domains.tld' --deploy-hook deploy.sh --accountconf one-of-my-domains.tld.account.conf --dnssleep 120 --dns dns_nsupdate -ak 4096 --force
for every affected domain.
On pfSense it's just a question of hitting a button (actually, nice to have a GUI solution ;) ).
Check here https://unboundtest.com/caaproblem.html to see if your LE certs need to be changed - or check your mailbox - or, better, check both.
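The check and the forced renewal above, done offline as an added example (this is not code from the post or from acme.sh): it pulls the serial number out of each certificate PEM with a minimal DER walk, compares it against the affected-serial list Let's Encrypt published (format assumed here: one hex serial per line, colons and case optional, like `openssl x509 -serial` output), and builds the same acme.sh argument list as the post for every hit. The sample certificates are constructed inline and hold only the fields the parser reads, so they are not valid certificates; the deploy hook name and account-conf naming follow the post.

```python
# Added example, not from the forum thread. Assumptions: affected-list entries are
# hex serials (colons/case optional); acme.sh flags mirror the post (dns_nsupdate,
# 4096-bit account key, deploy.sh hook, <domain>.account.conf).
import base64
import shlex


def encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def der_tlv(tag, body):
    return bytes([tag]) + encode_length(len(body)) + body


def der_integer(value):
    """Non-negative INTEGER; an extra 0x00 keeps a set high bit from reading as negative."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos):
    """Return (tag, body, position after this element); raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + hdr:end], end


def pem_to_der(pem):
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def cert_serial(der):
    """Serial (int) of an X.509 cert: Certificate -> tbsCertificate -> [version] serialNumber."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present (v2/v3 certs)
        tag, body, _ = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(body, "big")   # unsigned: serials are positive


def serial_to_openssl(n):
    """Upper-case hex with an even digit count, like `openssl x509 -noout -serial`."""
    h = format(n, "X")
    return h if len(h) % 2 == 0 else "0" + h


def normalise_serial(text):
    """Accept 03:A1:..., 03a1..., or 'serial=03A1...'; compare as an integer so leading zeros never matter."""
    text = text.split("=", 1)[-1]
    return int("".join(c for c in text if c in "0123456789abcdefABCDEF"), 16)


def affected_certs(certs, affected_list):
    """certs: {name: pem}; affected_list: serial strings. Returns the names that need a forced renewal."""
    affected = {normalise_serial(s) for s in affected_list}
    return [name for name, pem in certs.items() if cert_serial(pem_to_der(pem)) in affected]


def renew_command(domain, deploy_hook="deploy.sh"):
    """argv for the forced renewal in the post; as a list, '*.domain' can never be shell-globbed."""
    return ["acme.sh", "--renew", "-d", domain, "-d", "*." + domain,
            "--deploy-hook", deploy_hook, "--accountconf", domain + ".account.conf",
            "--dnssleep", "120", "--dns", "dns_nsupdate", "-ak", "4096", "--force"]


def build_test_cert_pem(serial):
    """Constructed, minimal DER: version, serial and a sha256WithRSAEncryption
    AlgorithmIdentifier only (no issuer/validity/subject/SPKI), so NOT a valid certificate."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_integer(2)) + der_integer(serial) + alg)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed sample data: two certs, one of them on the affected list.
    certs = {"one-of-my-domains.tld": build_test_cert_pem(0x03A1B2C3D4E5F60718293A4B5C6D7E8F90),
             "other.tld": build_test_cert_pem(0x04FF00)}
    affected = ["03:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90"]
    for name in affected_certs(certs, affected):
        print(name, shlex.join(renew_command(name)))
```

Point `certs` at your real fullchain PEMs and the downloaded serial list and the loop prints (or, with subprocess, runs) one forced renewal per hit; comparing serials as integers avoids the usual miss where one side has the leading 00 that openssl prints and the other does not.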
That's fun. If you were an early LE adopter you may not have your e-mail set up in the account, so they may not be able to contact you.
At least renewing is generally easy, and it's not like browsers check CRLs as strictly as they should anyhow.
I may just kick all of mine to be certain.
Also noteworthy that I am still occasionally seeing account registration/verification failures over IPv6 even when attempting renewals. If you get a cURL error (like error 35) when attempting to renew, set the firewall to prefer IPv4: System > Advanced, Networking tab, check Prefer to use IPv4 even if IPv6 is available. Then try the ACME renew again.