Netgate Discussion Forum

    ACME client can't check for DNS entries due to Error 60

    MordyT
      last edited by MordyT

      Hello,
      Running pfSense+ 24.03-RELEASE (arm) on a Netgate SG3100 with the ACME 0.8_1 package.

      Using Namecheap with DNS validation (API) and running into an issue. TL;DR I think the ACME package has a problem with the DNS check feature and can be fixed in a couple of ways.

      The relevant log snippet shows:
      response='<?xml version="1.0" encoding="utf-8"?>
      <ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
      <Errors />
      <Warnings />
      <RequestedCommand>namecheap.domains.dns.sethosts</RequestedCommand>
      <CommandResponse Type="namecheap.domains.dns.setHosts">
      <DomainDNSSetHostsResult Domain="domain.tld" IsSuccess="true">
      <Warnings />
      </DomainDNSSetHostsResult>
      </CommandResponse>
      <Server>PHX01APIEXT01</Server>
      <GMTTimeDifference>--4:00</GMTTimeDifference>
      <ExecutionTime>0.218</ExecutionTime>
      </ApiResponse>'
      The txt record is added: Success.
      domain.tld,_acme-challenge.domain.tld,dns_namecheap,<le-challenge>,/usr/local/pkg/acme/dnsapi/dns_namecheap.sh

      Let's check each DNS record now. Sleep 20 seconds first.
      You can use '--dnssleep' to disable public dns checks.
      See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
      _is_idn_d='_acme-challenge.domain.tld'
      _idn_temp
      _is_idn_d='_acme-challenge.domain.tld'
      _idn_temp
      d='domain.tld'
      txtdomain='_acme-challenge.domain.tld'
      aliasDomain='_acme-challenge.domain.tld'
      txt='<le-challenge>'
      d_api='/usr/local/pkg/acme/dnsapi/dns_namecheap.sh'
      Checking domain.tld for _acme-challenge.domain.tld
      _c_txtdomain='_acme-challenge.domain.tld'
      _c_aliasdomain='_acme-challenge.domain.tld'
      _c_txt='<le-challenge>'
      Detect dns server first.
      GET
      url='https://cloudflare-dns.com'
      timeout=10
      Http already initialized.
      _CURL='curl --silent --dump-header /tmp/acme/<myname>/http.header -L -g --connect-timeout 10'
      Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
      ret='60'

      This repeats for each public DNS server that it attempts to check.

      Reviewing error 60 on curl.haxx.se shows that it's a CA not trusted issue.

      Workarounds available today:
      Disable the DNS check, most easily done by setting DNS-Sleep to some value on that page.

      What I'd like to see:

      1. An option to ignore the CA check (-k, I think, in the curl command). This could be a simple checkbox in the package.
      2. The CAs being used to be installed by the package. I am actually unsure which CAs it is missing; I tried adding the 2 ISRG Root CAs in the Certificate Manager, but that did not solve the issue.
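Reproducing the failing "Detect dns server first" step by hand, as an added example that is not code from the thread or from acme.sh: it queries cloudflare-dns.com over DoH for the challenge TXT record, maps curl's exit code (the ret='60' above) to a cause, and points curl at an explicit CA bundle instead of -k, so the check still verifies the server certificate. The CA bundle path and the DoH JSON sample are assumptions, not values from the log.

```shell
#!/bin/sh
# Added example, not from the thread or the acme.sh project. Reproduces the
# "Detect dns server first" step outside acme.sh: query cloudflare-dns.com over
# DoH for the _acme-challenge TXT record, verifying the server certificate
# against an explicit CA bundle rather than passing -k.

# Constructed sample of a DoH JSON answer (Accept: application/dns-json); TXT
# data arrives as a quoted string inside the JSON string.
SAMPLE_DOH_JSON='{"Status":0,"Answer":[{"name":"_acme-challenge.domain.tld","type":16,"TTL":300,"data":"\"<le-challenge>\""}]}'

# Translate the curl exit code acme.sh prints as ret='N' into a short cause.
explain_curl_ret() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns-resolution-failed" ;;   # could not resolve the DoH host itself
    28) echo "timeout" ;;
    60) echo "ca-not-trusted" ;;          # peer cert not verifiable with the CA store curl uses
    *)  echo "other:$1" ;;
  esac
}

# Succeed (exit 0) only if the expected TXT value appears in a DoH JSON answer.
doh_txt_has_value() {
  json=$1; expected=$2
  # Drop the JSON escaping so the TXT value can be matched as a fixed string.
  printf '%s' "$json" | tr -d '\\' | grep -qF "\"data\":\"\"$expected\"\""
}

# Live check. CA_BUNDLE defaults to the ca_root_nss bundle path on FreeBSD/pfSense
# (an assumption about the local system); override it if the bundle lives elsewhere.
check_acme_txt() {
  name=$1; expected=$2
  bundle=${CA_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}
  out=$(curl --silent --connect-timeout 10 --cacert "$bundle" \
        -H 'accept: application/dns-json' \
        "https://cloudflare-dns.com/dns-query?name=$name&type=TXT")
  ret=$?
  if [ "$ret" -ne 0 ]; then
    echo "curl failed: $(explain_curl_ret "$ret")" >&2
    return 2
  fi
  doh_txt_has_value "$out" "$expected"
}

# Usage: sh check_txt.sh _acme-challenge.domain.tld '<token>'
if [ $# -ge 2 ]; then
  if check_acme_txt "$1" "$2"; then echo "TXT record visible"; else echo "TXT record not found"; fi
fi
```

If the live check reports ca-not-trusted while a browser on another machine trusts cloudflare-dns.com, the gap is in the CA store curl reads on the firewall, which is the thing to fix rather than disabling verification.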
      Gertjan @MordyT
        last edited by

        @MordyT said in ACME client can't check for DNS entries due to Error 60:

        url='https://cloudflare-dns.com'

        exist ??

        Set DNS-Sleep to at least:

        [image]

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.