Greetings All,
I am very new to trying to use Cloudflare and Let’s Encrypt with my pfSense firewall. My FQDN is registered with Namecheap and DNS has been properly changed to work with Cloudflare.
I am trying to set up my pfSense firewall to work with Let’s Encrypt to auto-magically pull and update certs for use in my lab/test environment. Just like a previous poster I am trying to use:
- Because I am testing this setup I am using the “staging 2” option
- the latest ACME Certificates install package for pfSense (v. 0.6.4)
- pfSense v. 2.4.4-Release-p3
- Cloudflare successfully added my Namecheap registered domain
- Am able to get to Cloudflare account details for API keys/tokens
- Under ‘Services > ACME > Certificates’ I am able to successfully create ‘Account keys’ and perform the ‘Issue/renew’ function under the ‘Certificates’ tab
At this point, however, is where my issue starts. Though I get a check next to the ‘Issue/renew’ box, I get an error and the ‘Last renewed’ date never updates to current.
Here is the error message with PII redacted to protect “the innocent”:
nexfwchurch-GUI-Key
Renewing certificate
account: nexfwchurch-GUI-Key
server: letsencrypt-staging-2
/usr/local/pkg/acme/acme.sh --issue -d 'myfqdndotcom' --dns 'dns_cf' --home '/tmp/acme/nexfwchurch-GUI-Key/' --accountconf '/tmp/acme/nexfwchurch-GUI-Key/accountconf.conf' --force --reloadCmd '/tmp/acme/nexfwchurch-GUI-Key/reloadcmd.sh' --log-level 3 --log '/tmp/acme/nexfwchurch-GUI-Key/acme_issuecert.log'
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] => --snip--
[CF_Email] => email address I registered with
[CF_Token] => --snip--
[CF_Account_ID] => --snip--
)
[Sun Nov 17 12:07:06 EST 2019] Single domain='myfqdndotcom'
[Sun Nov 17 12:07:06 EST 2019] Getting domain auth token for each domain
[Sun Nov 17 12:07:07 EST 2019] Getting webroot for domain='myfqdndotcom'
[Sun Nov 17 12:07:07 EST 2019] Adding txt value: xmWWmVhJ0mntdnAAKKu2Yx9PeA7xqfW8pp9gNqojlqM for domain: _acme-challenge.myfqdndotcom
[Sun Nov 17 12:07:08 EST 2019] invalid domain
[Sun Nov 17 12:07:08 EST 2019] Error add txt for domain:_acme-challenge.myfqdndotcom
[Sun Nov 17 12:07:08 EST 2019] Please check log file for more details: /tmp/acme/nexfwchurch-GUI-Key/acme_issuecert.log
And in the acme_issuecert.log file I see:
===============
[Sun Nov 17 15:39:18 EST 2019] code='200'
[Sun Nov 17 15:39:18 EST 2019] original='{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/21646169/Kznaag",
"token": "--snip--"
}'
[Sun Nov 17 15:39:18 EST 2019] response='{"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/21646169/Kznaag","token":"--snip--"}'
[Sun Nov 17 15:39:18 EST 2019] pid
[Sun Nov 17 15:39:18 EST 2019] No need to restore nginx, skip.
[Sun Nov 17 15:39:18 EST 2019] _clearupdns
[Sun Nov 17 15:39:18 EST 2019] dns_entries
[Sun Nov 17 15:39:18 EST 2019] skip dns.
The pfSense Acme client requires 4 items:
- Cloudflare API key – Global API key?
- Cloudflare API Email Address – which I assume is the email address I used when registering with Cloudflare
- Cloudflare API Token – which I generated; however, possibly I didn’t do this correctly. The token has permissions → Zone:Edit, DNS:Edit
- Account ID – Located under Account ID on account homepage, as well as contained within actual URL when I log into Cloudflare.
Thank you all in advance! Any help would be greatly appreciated.
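The "invalid domain" line in the post is emitted by acme.sh's dns_cf hook when its zone lookup (`_get_root`) finds no Cloudflare zone for the challenge name; the hook walks the parent labels of `_acme-challenge.<fqdn>` and queries the zones endpoint for each until one matches, so a token that can edit DNS but cannot read the zone list fails here before any TXT record is written (acme.sh's dnsapi documentation asks for a token with Zone:Zone:Read plus Zone:DNS:Edit). The following offline simulation is an added example, not acme.sh's or pfSense's code; `ZONES`, the token objects and the permission strings are constructed stand-ins for the real API.

```python
"""Offline simulation (not acme.sh's own code) of how the dns_cf hook locates the
Cloudflare zone for the _acme-challenge record before adding the TXT value.
ZONES and the token objects are constructed sample data, not real credentials."""

# Constructed: the zones the (fake) Cloudflare account holds, keyed by zone name.
ZONES = {"myfqdn.example": {"id": "zone-0001", "account_id": "acct-1234"}}


def list_zones(token, name, account_id=None):
    """Stand-in for GET /zones?name=<name>[&account.id=<id>].
    A token that cannot read zones gets an empty list, indistinguishable from 'no match'."""
    if "Zone:Read" not in token["permissions"]:
        return []
    zone = ZONES.get(name)
    if zone is None or (account_id and zone["account_id"] != account_id):
        return []
    return [dict(zone, name=name)]


def get_root(token, fqdn, account_id=None):
    """Walk from the full name up through its parents, as dns_cf's _get_root does:
    _acme-challenge.myfqdn.example -> myfqdn.example -> (stop before the bare TLD).
    Returns (zone_id, subdomain) or None; None is what dns_cf logs as 'invalid domain'."""
    labels = fqdn.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        matches = list_zones(token, candidate, account_id)
        if matches:
            return matches[0]["id"], ".".join(labels[:i])
    return None


def add_txt(token, fqdn, value, account_id=None):
    """The step that failed in the post. Returns (ok, message)."""
    root = get_root(token, fqdn, account_id)
    if root is None:
        return False, "invalid domain"
    zone_id, sub = root
    if "DNS:Edit" not in token["permissions"]:
        return False, "token cannot edit DNS in zone " + zone_id
    return True, f"TXT {fqdn} = {value} added to zone {zone_id} (record name {sub})"


if __name__ == "__main__":
    challenge = "_acme-challenge.myfqdn.example"
    edit_only = {"permissions": ["DNS:Edit"]}               # constructed token
    read_edit = {"permissions": ["Zone:Read", "DNS:Edit"]}  # constructed token
    print(add_txt(edit_only, challenge, "sample-challenge-value"))   # invalid domain
    print(add_txt(read_edit, challenge, "sample-challenge-value"))   # TXT added
    print(add_txt(read_edit, challenge, "sample-challenge-value", account_id="acct-wrong"))
```

The third call shows that a mismatched account ID filters the zone out of the lookup and produces the same "invalid domain" result as a token with insufficient read scope, so both settings are worth checking together.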