-
I had set up an ACME cert with 2 domains, xxx.dpdns.org (Cloudflare) and xxx.dynu.com.
On v24.11, there was no issue renewing the Let's Encrypt cert.
On v25.07.01, I got the following error. Once I disable the xxx.dynu.com domain, there is no problem renewing the cert.
From the log, it seems it is adding the TXT record to xxx.dpdns.org (Cloudflare) using the DNS-Dynu parameters, so the Cloudflare API key is not found.
===== Replaced the following ID / Token with <REMOVED>, and the subdomain with "xxx"
===== Log ======
/usr/local/pkg/acme/acme.sh --issue --domain 'xxx.dpdns.org' --dns 'dns_cf' --domain '.xxx.dpdns.org' --dns 'dns_cf' --domain 'xxx.dynu.com' --dns 'dns_dynu' --domain '.xxx.dynu.com' --dns 'dns_dynu' --home '/tmp/acme/xxx.dpdns.org/' --accountconf '/tmp/acme/xxx.dpdns.org/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/xxx.dpdns.org/reloadcmd.sh' --log-level 3 --log '/tmp/acme/xxx.dpdns.org/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[SSL_CERT_DIR] => /etc/ssl/certs/
[Dynu_ClientId] => <REMOVED>
[Dynu_Secret] => <REMOVED>
)
[Sun Sep 7 20:05:54 HKT 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Sep 7 20:05:54 HKT 2025] Using pre-generated key: /tmp/acme/xxx.dpdns.org/xxx.dpdns.org/xxx.dpdns.org.key.next
[Sun Sep 7 20:05:54 HKT 2025] Generating next pre-generate key.
[Sun Sep 7 20:05:55 HKT 2025] Multi domain='DNS:xxx.dpdns.org,DNS:.xxx.dpdns.org,DNS:xxx.dynu.com,DNS:.xxx.dynu.com'
[Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='xxx.dpdns.org'
[Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='.xxx.dpdns.org'
[Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='xxx.dynu.com'
[Sun Sep 7 20:06:02 HKT 2025] Getting webroot for domain='.xxx.dynu.com'
[Sun Sep 7 20:06:02 HKT 2025] Adding TXT value: -crt6nFvBjOQBfGTy-xc_sXPL1V5F6jem0W1YOoyeUo for domain: _acme-challenge.xxx.dpdns.org
[Sun Sep 7 20:06:02 HKT 2025] You didn't specify a Cloudflare api key and email yet.
[Sun Sep 7 20:06:02 HKT 2025] You can get yours from here https://dash.cloudflare.com/profile.
[Sun Sep 7 20:06:02 HKT 2025] Error adding TXT record to domain: _acme-challenge.xxx.dpdns.org
[Sun Sep 7 20:06:02 HKT 2025] Please check log file for more details: /tmp/acme/xxx.dpdns.org/acme_issuecert.log
-
stephenw10 moved this topic from General pfSense Questions
-
Hi,
I read the ACME post, and found the solution in the following:
https://forum.netgate.com/topic/196958/multiple-different-methods-in-certificate-leads-to-renewal-failure
<<QUOTE>>
I am able to successfully execute a renewal by changing the file '/usr/local/pkg/acme/acme.inc', moving line 3241: $envvariables = array();
to outside of the foreach loop (so to line 3220). Here is what I mean:
is_array($certificate['a_domainlist']['item'])) {
    $envvariables = array();
    foreach($certificate['a_domainlist']['item'] as $domain) {
        if ($domain['status'] == 'disable') {
<<UNQUOTE>>
Remark: in ACME 1.0 the acme.inc line no. is 3385.
After updating the acme.inc file, I can renew the ACME cert with multiple domains.
Thanks.
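To make the effect of the quoted fix concrete, here is an added example (not code from the forum posts or from the pfSense acme package) that models the env-variable collection loop in PHP. The field names a_domainlist, item and status come from the quoted acme.inc fragment; the 'env' sub-array, the 'name' and 'method' fields, the build_env_* and domains_missing_credentials helpers, and the exact position of the reset inside the loop are assumptions for illustration. The credential names Dynu_ClientId and Dynu_Secret are the ones in the log above; CF_Key and CF_Email are the acme.sh dns_cf variable names the "Cloudflare api key and email" message refers to.

```php
<?php
// Added example, not pfSense/acme.inc code. The buggy variant re-initialises
// $envvariables inside the per-domain foreach (after the disable check, which
// is assumed; the thread only says the line sat inside the loop), so only the
// last enabled domain's DNS API credentials reach acme.sh. The fixed variant
// initialises it once before the loop, as the quoted post describes.

function build_env_buggy(array $certificate): array
{
    $envvariables = array();
    if (is_array($certificate['a_domainlist']['item'])) {
        foreach ($certificate['a_domainlist']['item'] as $domain) {
            if ($domain['status'] == 'disable') {
                continue;
            }
            $envvariables = array();   // reset every iteration: earlier domains' keys are lost
            foreach ($domain['env'] as $name => $value) {
                $envvariables[$name] = $value;
            }
        }
    }
    return $envvariables;
}

function build_env_fixed(array $certificate): array
{
    $envvariables = array();           // initialised once, outside the loop
    if (is_array($certificate['a_domainlist']['item'])) {
        foreach ($certificate['a_domainlist']['item'] as $domain) {
            if ($domain['status'] == 'disable') {
                continue;
            }
            foreach ($domain['env'] as $name => $value) {
                $envvariables[$name] = $value;
            }
        }
    }
    return $envvariables;
}

// Lists the enabled domains whose validation method would run without its
// credentials, i.e. the ones acme.sh would fail on as in the log above.
function domains_missing_credentials(array $certificate, array $env): array
{
    $missing = array();
    foreach ($certificate['a_domainlist']['item'] as $domain) {
        if ($domain['status'] == 'disable') {
            continue;
        }
        foreach (array_keys($domain['env']) as $name) {
            if (!array_key_exists($name, $env)) {
                $missing[] = $domain['name'] . ' (' . $domain['method'] . ' needs ' . $name . ')';
            }
        }
    }
    return $missing;
}

// Constructed input mirroring the thread: a Cloudflare domain followed by a Dynu
// domain, once with both enabled and once with the Dynu domain disabled.
function make_certificate(string $dynu_status): array
{
    return array('a_domainlist' => array('item' => array(
        array('name' => 'xxx.dpdns.org', 'method' => 'dns_cf', 'status' => 'enable',
              'env' => array('CF_Key' => '<REMOVED>', 'CF_Email' => '<REMOVED>')),
        array('name' => 'xxx.dynu.com', 'method' => 'dns_dynu', 'status' => $dynu_status,
              'env' => array('Dynu_ClientId' => '<REMOVED>', 'Dynu_Secret' => '<REMOVED>')),
    )));
}

foreach (array('both enabled' => 'enable', 'dynu disabled' => 'disable') as $scenario => $status) {
    $certificate = make_certificate($status);
    foreach (array('buggy' => 'build_env_buggy', 'fixed' => 'build_env_fixed') as $label => $fn) {
        $env = $fn($certificate);
        $missing = domains_missing_credentials($certificate, $env);
        echo "[$scenario/$label] env keys: " . implode(', ', array_keys($env)) . "\n";
        echo "[$scenario/$label] " . (empty($missing)
            ? 'all enabled domains have their credentials'
            : 'missing: ' . implode('; ', $missing)) . "\n";
    }
}
```

The "dynu disabled" scenario is why the first post saw renewal succeed after disabling xxx.dynu.com: with the Cloudflare domain as the only enabled entry, the per-iteration reset does no harm. With both enabled, only the last domain's keys are exported, which matches the Array dump at the top of the log showing Dynu_ClientId and Dynu_Secret but no Cloudflare variables.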
-
Hi,
Please help to forward / report the bug in the ACME 1.0 package.
Thanks.