Maybe some one else sees it ....

Gertjan

Hi all,

I've upgraded to 25.11, all is well.

A new acme package saw the day, and as this one is only used ones every 60 days or so, I hit 'Renew' just to check.
Guess what ?
"It doesn't work" (anymore).

I'm open for suggestions

---

Oh, you guys want me to tell what's wrong so you can tell me what's wrong ... I get it.

Here we go :
when "ascme.sh" is "doing its thing", it logs, I saw, right when it starts :

...
[Wed Dec 17 10:31:18 CET 2025] _CURL='curl --silent --dump-header /tmp/acme/V2_bhf.tld/http.header  -L  -g  --connect-timeout 10'
[Wed Dec 17 10:31:18 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Wed Dec 17 10:31:18 CET 2025] ret='35'
[Wed Dec 17 10:31:18 CET 2025] response
[Wed Dec 17 10:31:18 CET 2025] Cannot init API for: https://acme-v02.api.letsencrypt.org/directory.
[Wed Dec 17 10:31:18 CET 2025] Sleeping for 10 seconds and retrying.

[Wed Dec 17 10:31:28 CET 2025] GET
[Wed Dec 17 10:31:28 CET 2025] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Dec 17 10:31:28 CET 2025] timeout=10
[Wed Dec 17 10:31:28 CET 2025] curl exists=0
[Wed Dec 17 10:31:28 CET 2025] wget exists=127
[Wed Dec 17 10:31:28 CET 2025] _CURL='curl --silent --dump-header /tmp/acme/V2_bhf.tld/http.header  -L  -g  --connect-timeout 10'
[Wed Dec 17 10:31:28 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Wed Dec 17 10:31:28 CET 2025] ret='35'
[Wed Dec 17 10:31:28 CET 2025] response
[Wed Dec 17 10:31:28 CET 2025] Cannot init API for: https://acme-v02.api.letsencrypt.org/directory.
[Wed Dec 17 10:31:28 CET 2025] Sleeping for 10 seconds and retrying.

[Wed Dec 17 10:31:38 CET 2025] GET
[Wed Dec 17 10:31:38 CET 2025] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Dec 17 10:31:38 CET 2025] timeout=10
[Wed Dec 17 10:31:38 CET 2025] curl exists=0
[Wed Dec 17 10:31:38 CET 2025] wget exists=127
[Wed Dec 17 10:31:38 CET 2025] _CURL='curl --silent --dump-header /tmp/acme/V2_bhf.tld/http.header  -L  -g  --connect-timeout 10'
[Wed Dec 17 10:31:38 CET 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Wed Dec 17 10:31:38 CET 2025] ret='35'
[Wed Dec 17 10:31:38 CET 2025] response
[Wed Dec 17 10:31:38 CET 2025] Cannot init API for: https://acme-v02.api.letsencrypt.org/directory.
[Wed Dec 17 10:31:38 CET 2025] Sleeping for 10 seconds and retrying.
...

It executes :

curl --silent --dump-header /tmp/acme/V2_bhf.tld/http.header  -L  -g  --connect-timeout 10' https://acme-v02.api.letsencrypt.org/directory

and it get a "permission denied" back (error 35).
It does this '10' times or so, and then it aborts.

Me, suspecting interface or "IPv6" issues, test DNS first :

[25.11-RELEASE][root@pfSense.bhf.tld]/root: dig acme-v02.api.letsencrypt.org AAAA +short
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
2606:4700:60:0:f53d:5624:85c7:3a2c

So, for ones, DNS isn't broken. edit : The DNS was using IPv6 for the resolving.

So IPv6 issues ?? - Let's switch to IPv4 (and no 'silence') :

curl --ipv4 --dump-header ./http.header -L -g --connect-timeout 10 https://acme-v02.api.letsencrypt.org/directory
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
......

Humm. Wt* IPv4 works !!
Test again with IPv6, with another destination :

curl --ipv6 www.google.com
<!doctype html><html itemscope="" .....

a normal curl using IPv6 for google works just fine.

So, IPv6 works, but for "https://acme-v02.api.letsencrypt.org/directory" or the server that lives at "acme-v02.api.letsencrypt.org", it doesn't.

To make things more interesting - I tell 'curl' to use TLS1.2 - and not 1.3 :

[25.11-RELEASE][root@pfSense.bhf.tld]/root: curl --ipv6 --tlsv1.2 --tls-max 1.3 https://acme-v02.api.letsencrypt.org/directory
curl: (35) Send failure: Permission denied

Surprise works !

So :
TLSv1.2 works with 'letsencrypt, but not 1.3 ....."
It's not a IPv6 issue anymore.

I don't know .... is it : "acme-v02.api.letsencrypt.org" that has TLSv1.3 issues ?

[25.11-RELEASE][root@pfSense.bhf.tld]/root: curl --ipv6 --tlsv1.2 --tls-max 1.3 https://acme-v02.api.letsencrypt.org/directory
curl: (35) Send failure: Permission denied

No go.

[25.11-RELEASE][root@pfSense.bhf.tld]/root: curl --ipv6 --tlsv1.2 --tls-max 1.2 https://acme-v02.api.letsencrypt.org/directory
....[web page here]...

Is a go.

Who can tell me what I'm obviously can't understand ?

edit : related to this ? :

For info :

SteveITS

@Gertjan FWIW sounds similar to https://forum.netgate.com/post/1232659 ?

Gertjan

@SteveITS

Maybe ?

This :

4) Reset to factory defaults         13) Update from console
5) Reboot system                     14) Disable Secure Shell (sshd)
6) Halt system                       15) Restore recent configuration
7) Ping host                         16) Restart PHP-FPM
8) Shell

Enter an option: 13

pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
Netgate 4100 - Serial: 2014221462 - Netgate Device ID: e57dfdc41dc5d5a2527a

*** Welcome to Netgate pfSense Plus 25.11-RELEASE (amd64) on pfSense ***

 Current Boot Environment: 25_11_RELEASE
    Next Boot Environment: 25_11_RELEASE

I can get around the "pfSense-repoc-static: failed to fetch the repo data" by forcing the upgrade/update to happen over over IPv4.

Disabling IPv6 with :

instead of my normal dual stack, and no more "pfSense-repoc-static: failed to fetch the repo data" message. The update goes fine.
I don't recall them anymore, but there are command line switches to force the usage of IPv4 for the pfSense update.... ?

IPv6 (routing etc) works just fine. For example, I'm posting this on forum.netgate.com using IPv6 as usual.

Bob.Dig

@Gertjan If I disable the IPv4 Gateway, it still does update with Netgate (13).

Also this curl-thingy does work here.

Gertjan

For now, 'solved' the situation by setting :

under System > Advanced > Networking

Now my 25.11 is happy.

Gertjan

@Bob.Dig said in Maybe some one else sees it ....:

If I disable the IPv4 Gateway, it still does update with Netgate (13).

That's the other way around.
Leaving only IPv6 ... that's to modern for me.

Bob.Dig

I even "enabled" all Hardware-Offloading in Networking, although I am running on Hyper-V, no problems (yet).

marcosm

@Gertjan A public pfSense+ development snapshot is now available. If possible please test again there.

tsberry901

This is what fixed it for me in Pfsense Plus v25.11:
System->Advanced->Networking
In the section:
[Network Interfaces]
Check the following boxes:
Hardware TCP Segmentation Offloading
and
Hardware Large Receive Offloading
(Save and reboot Pfsense)