Cloudflare, Let's Encrypt, and pfSense ACME plugin issues

Greetings All,

I am very new to trying to use Cloudflare and Let’s Encrypt with my pfSense firewall. My FQDN is registered with Namecheap and DNS has been properly changed to work with Cloudflare.

I am trying to setup my pfSense firewall to work with Let’s Encrypt to auto-magically pull and update certs for use in my lab/test environment. Just like a previous poster I am trying to use:

  • Because I am testing this setup I am using the “staging 2” option
  • the latest ACME Certificates install package for pfSense (v. 0.6.4)
  • pfSense v. 2.4.4-Release-p3
  • Cloudflare succesfully added my Namecheap registered domain
  • Am able to get to Cloudflare account details for API keys/tokens
  • Under ‘Services>ACME>Certificates’ I am able to succesfully create ‘Account keys’ and perform the ‘Issue/renew’ function under ‘Certificates’ tab

At this point however, is where my issue starts. Though I get a check next to ‘Issue/renew’ box, I get an error and ‘Last renewed’ date never updates to current.

Here is the error message with PII redacted to protect “the innocent”:

Renewing certificate
account: nexfwchurch-GUI-Key
server: letsencrypt-staging-2

/usr/local/pkg/acme/ --issue -d ‘myfqdndotcom’ --dns ‘dns_cf’ --home ‘/tmp/acme/nexfwchurch-GUI-Key/’ --accountconf ‘/tmp/acme/nexfwchurch-GUI-Key/accountconf.conf’ --force --reloadCmd ‘/tmp/acme/nexfwchurch-GUI-Key/’ --log-level 3 --log ‘/tmp/acme/nexfwchurch-GUI-Key/acme_issuecert.log’
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] => --snip–
[CF_Email] => email address I registered with
[CF_Token] => --snip–
[CF_Account_ID] => --snip–
[Sun Nov 17 12:07:06 EST 2019] Single domain=‘myfqdndotcom’
[Sun Nov 17 12:07:06 EST 2019] Getting domain auth token for each domain
[Sun Nov 17 12:07:07 EST 2019] Getting webroot for domain=‘myfqdndotcom’
[Sun Nov 17 12:07:07 EST 2019] Adding txt value: xmWWmVhJ0mntdnAAKKu2Yx9PeA7xqfW8pp9gNqojlqM for domain: _acme-challenge.myfqdndotcom
[Sun Nov 17 12:07:08 EST 2019] invalid domain
[Sun Nov 17 12:07:08 EST 2019] Error add txt for domain:_acme-challenge.myfqdndotcom
[Sun Nov 17 12:07:08 EST 2019] Please check log file for more details: /tmp/acme/nexfwchurch-GUI-Key/acme_issuecert.log

And in the acme_issuecert.log file I see:

[Sun Nov 17 15:39:18 EST 2019] code=‘200’

[Sun Nov 17 15:39:18 EST 2019] original=’{

“type”: “dns-01”,

“status”: “pending”,

“url”: “”,

“token”: “–snip–”


[Sun Nov 17 15:39:18 EST 2019] response=’{“type”:“dns-01”,“status”:“pending”,“url”:“",“token”:"--snip--”}’

[Sun Nov 17 15:39:18 EST 2019] pid

[Sun Nov 17 15:39:18 EST 2019] No need to restore nginx, skip.

[Sun Nov 17 15:39:18 EST 2019] _clearupdns

[Sun Nov 17 15:39:18 EST 2019] dns_entries

[Sun Nov 17 15:39:18 EST 2019] skip dns.

The pfSense Acme client requires 4 items:

  1. Cloudflare API key – Global API key?
  2. Cloudflare API Email Address – Which I assume is email address I used when registering with Cloudflare
  3. Cloudflare API Token - Which I generated – however possibly I didn’t do this correctly. The token has permissions -> Zone:Edit, DNS:Edit
  4. Account ID – Located under Account ID on account homepage, as well as contained within actual URL when I log into Cloudflare.

Thank you all in advance! Any help would be greatly appreciated.

Does the DNS record get created on Cloudflare’s side?

No, it did/does not. I saw the error message and presumed that I needed to create the .txt file and add the content. Then I noticed that each time I tried to issue/renew, a new txt value was generated.

Seems like the adding of the .txt file and the editing of the same is not taking place and I’m not sure why.

From the log you are attempting a dns-01 validation, which is the only case where Cloudflare credentials would be needed. You may see the DNS record, but you should definitely see such in the Cloudflare audit log.

1 Like

I see where I manually added text value but I don’t see where the .txt file is attempted to be auto-added. Is there something else that I’m missing?

There isn’t a text file, just a TXT record in DNS.

Should I be manually adding this TXT record or should ACME be able to add it during this issue/renew process? I’ve tried both ways and still see “invalid domain” and “Error add txt for domain:_acme-challenge.mfqdndotcom” and when I check acme_issuecert.log the last entry is still 200 with status pending as before.

It should be completely automatic. Make sure your pfSense is running the latest acme package too, there have been a few updates over the last some months which have resolved a ton of minor issues, some of which hit Cloudflare.

That’s what I thought…but that’s not what’s happening. Even though I updated pfSense to latest and updated ACME package to the latest as well (that fixed issue with Account ket not being properly created), I am still having issues.

I only see the original A and CNAME DNS records that I created.

I’m experiencing the exact same issue. I have successfully issued some by manually adding the TXT records but would really like to find a working version.

I successfully managed to get it working:

You need to put your global API key (not the token) under “API Key”

And the API Token Key that you created under the field “Token”

I gave the token: Zone.Zone, Zone.DNS

Right on. That is what I have also. Are you also trying to setup using pfSense?

I’m using pfSense and had the same issue where I would the “invalid domain” error during the script.

I came across a GitHub issue which looked similar and found that I had to allow “All Zones” in my Token rather than restricting just the domain in question:

Not sure if that’s helpful, but that ended up working for me.