Multiple, Different Methods in Certificate lead to renewal failure
When I run a renew with the certificate configuration below (see screenshot) using Acme version 0.9_1 on pfSense 2.7.2-RELEASE, I receive the following error:
    ACME, Failed to renew certificate for DuckDNs_and_DynuDNS
    You must export variable: DuckDNS_Token

I am able to successfully execute a renewal by changing the file '/usr/local/pkg/acme/acme.inc', moving line 3241:

    $envvariables = array();

to outside of the foreach loop (so to line 3220). Here is what I mean:

    is_array($certificate['a_domainlist']['item'])) {
        $envvariables = array();
        foreach ($certificate['a_domainlist']['item'] as $domain) {
            if ($domain['status'] == 'disable') {
This causes all method environment variables to be made available to the renewal process. In the current code, only the last method's environment variables are included, which in the case of my configuration are 'Dynu_ClientId' and 'Dynu_Secret', as can be seen from the failure logs. I have included logs of a failure case below.

It would be great to get this change included in the base code for a future release or have this issue resolved appropriately.
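The following is an added example, not code from the pfSense ACME package: it reproduces the effect described above with a minimal PHP loop in both the current (array reset inside the loop) and corrected (array initialised once before the loop) shapes, and adds a pre-flight check that reports which dnsapi variables acme.sh would find missing. The domain-list layout ($domainlist entries with 'method' and 'env' keys) is a simplification assumed for the example and the credential values are placeholders; the variable names DuckDNS_Token, Dynu_ClientId and Dynu_Secret are the ones that appear in the logs.

```php
<?php
// Added example (not the pfSense ACME package's code): reproduces the loss of
// per-method environment variables and shows the corrected loop shape.

// Constructed sample certificate domain list. The 'method'/'env' layout is an
// assumption made for this example; the values are placeholders, not secrets.
$domainlist = [
    ['name' => 'host1.duckdns.org', 'status' => 'enable', 'method' => 'dns_duckdns',
     'env' => ['DuckDNS_Token' => 'PLACEHOLDER-DUCKDNS-TOKEN']],
    ['name' => 'host2.duckdns.org', 'status' => 'enable', 'method' => 'dns_duckdns',
     'env' => ['DuckDNS_Token' => 'PLACEHOLDER-DUCKDNS-TOKEN']],
    ['name' => 'host3.ddnsfree.com', 'status' => 'enable', 'method' => 'dns_dynu',
     'env' => ['Dynu_ClientId' => 'PLACEHOLDER-CLIENT-ID',
               'Dynu_Secret'   => 'PLACEHOLDER-SECRET']],
];

// Variables each acme.sh dnsapi hook expects in its environment
// (names taken from the failure log and the printed env array above).
$required = [
    'dns_duckdns' => ['DuckDNS_Token'],
    'dns_dynu'    => ['Dynu_ClientId', 'Dynu_Secret'],
];

// Current shape: the array is reinitialised on every iteration, so only the
// last enabled domain's variables survive the loop.
function collect_env_buggy(array $domainlist): array {
    foreach ($domainlist as $domain) {
        $envvariables = [];               // reset for every domain
        if ($domain['status'] == 'disable') {
            continue;
        }
        foreach ($domain['env'] as $k => $v) {
            $envvariables[$k] = $v;
        }
    }
    return $envvariables ?? [];
}

// Corrected shape: initialise once before the loop and accumulate.
function collect_env_fixed(array $domainlist): array {
    $envvariables = [];
    foreach ($domainlist as $domain) {
        if ($domain['status'] == 'disable') {
            continue;
        }
        foreach ($domain['env'] as $k => $v) {
            $envvariables[$k] = $v;
        }
    }
    return $envvariables;
}

// Pre-flight check: which variables required by an enabled domain's method
// are absent from the environment that would be handed to acme.sh?
function missing_env(array $domainlist, array $env, array $required): array {
    $missing = [];
    foreach ($domainlist as $domain) {
        if ($domain['status'] == 'disable') {
            continue;
        }
        foreach ($required[$domain['method']] ?? [] as $var) {
            if (!array_key_exists($var, $env)) {
                $missing[$var] = $domain['method'];
            }
        }
    }
    return $missing;
}

foreach (['current' => collect_env_buggy($domainlist),
          'fixed'   => collect_env_fixed($domainlist)] as $label => $env) {
    printf("%s: exported %s\n", $label, implode(', ', array_keys($env)));
    foreach (missing_env($domainlist, $env, $required) as $var => $method) {
        printf("  %s needs %s but it is not exported\n", $method, $var);
    }
}
```

Run with `php example.php`: the "current" pass exports only Dynu_ClientId and Dynu_Secret and reports DuckDNS_Token as missing for dns_duckdns, matching the failure log; the "fixed" pass exports all three and reports nothing missing. The missing_env check is the kind of validation the renewal path could run before invoking acme.sh so a misconfigured method fails with a clear message instead of a DNS challenge error.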
Here are the complete logs before my proposed code change (with potentially sensitive information redacted):
Mar 7 03:16:00 router php[10802]: Acme, renewing certificate: DuckDNs_and_DynuDNS
Mar 7 03:16:00 router ACME[12191]: Checking if renewal is needed for: DuckDNs_and_DynuDNS
Mar 7 03:16:00 router ACME[12191]: ## Its time to renew ##
Mar 7 03:16:00 router ACME[12191]: Renewing certificate
Mar 7 03:16:00 router ACME[12191]: account: Let's Encrypt
Mar 7 03:16:00 router ACME[12191]: server: letsencrypt-production-2
Mar 7 03:16:00 router ACME[12191]:
Mar 7 03:16:00 router ACME[12191]: /usr/local/pkg/acme/acme.sh --issue --domain '.XXXX.duckdns.org' --dns 'dns_duckdns' --domain 'XXXXXXXX.duckdns.org' --dns 'dns_duckdns' --domain '.XXXXXXX.ddnsfree.com' --dns 'dns_dynu' --home '/tmp/acme/DuckDNs_and_DynuDNS/' --accountconf '/tmp/acme/DuckDNs_and_DynuDNS/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/DuckDNs_and_DynuDNS/reloadcmd.sh' --dnssleep '10' --log-level 3 --log '/tmp/acme/DuckDNs_and_DynuDNS/acme_issuecert.log'
Mar 7 03:16:00 router ACME[12191]: Array
Mar 7 03:16:00 router ACME[12191]: (
Mar 7 03:16:00 router ACME[12191]: [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
Mar 7 03:16:00 router ACME[12191]: [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
Mar 7 03:16:00 router ACME[12191]: [SSL_CERT_DIR] => /etc/ssl/certs/
Mar 7 03:16:00 router ACME[12191]: [Dynu_ClientId] => XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX
Mar 7 03:16:00 router ACME[12191]: [Dynu_Secret] => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Mar 7 03:16:00 router ACME[12191]: )
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:01 EST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:03 EST 2025] Registering account: https://acme-v02.api.letsencrypt.org/directory
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:04 EST 2025] Already registered
Mar 7 03:16:10 router php[10802]: ACME, Failed to renew certificate for DuckDNs_and_DynuDNS
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:04 EST 2025] ACCOUNT_THUMBPRINT='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:04 EST 2025] Using pre-generated key: /tmp/acme/DuckDNs_and_DynuDNS/.XXXX.duckdns.org/.XXX.duckdns.org.key.next
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:04 EST 2025] Generating next pre-generate key.
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:05 EST 2025] Multi domain='DNS:.XXXX.duckdns.org,DNS:XXXXXXXXX.duckdns.org,DNS:.XXXX.ddnsfree.com'
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Getting webroot for domain='.XXXX.duckdns.org'
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Getting webroot for domain='XXXXXXXXX.duckdns.org'
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Getting webroot for domain='.XXXXXXXX.ddnsfree.com'
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Adding TXT value: XXXXXXXXXXXXXXXXXXXXXXXXXXXX for domain: _acme-challenge.XXXX.duckdns.org
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] You must export variable: DuckDNS_Token
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] The token for your DuckDNS account is necessary.
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] You can look it up in your DuckDNS account.
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Error adding TXT record to domain: _acme-challenge.XXXX.duckdns.org
Mar 7 03:16:10 router ACME[12191]: [Fri Mar 7 03:16:08 EST 2025] Please check log file for more details: /tmp/acme/DuckDNs_and_DynuDNS/acme_issuecert.log

Attached screenshots:
pfSense Version
Acme Certificate Version
Certificate Configuration