Cloudflare, Let's Encrypt, pfSense

Thanks for any help someone can provide.

Hi. I’m new to Cloudflare. Today I switched my domain name servers to Cloudflare. I have a registered domain name through no-ip.com (a paid domain, not a dynamic domain name). I’m hosting an Apache website sitting behind a pfSense router. I already have Let’s Encrypt certificates for the main domain and three subdomains. Certs are valid until 11-2019.

I’m interested in changing the ACME renewal process from webroot to DNS challenge. I’m using the built-in ACME client on pfSense to try to perform the renewal process; however, I’m having problems:

[Sun Sep 29 12:38:05 CDT 2019] Multi domain='DNS:gohilton.com,DNS:www.gohilton.com,DNS:nextcloud.gohilton.com,DNS:office.gohilton.com'
[Sun Sep 29 12:38:05 CDT 2019] Getting domain auth token for each domain
[Sun Sep 29 12:38:09 CDT 2019] Getting webroot for domain='xxx.com'
[Sun Sep 29 12:38:09 CDT 2019] Getting webroot for domain='www.xxx.com'
[Sun Sep 29 12:38:09 CDT 2019] Getting webroot for domain='nextcloud.xxx.com'
[Sun Sep 29 12:38:09 CDT 2019] Getting webroot for domain='office.xxx.com'
[Sun Sep 29 12:38:09 CDT 2019] Adding txt value: ulYYV72DGxcUac6XwQTHFtnFS5QJQHhhpnDRXGwGECc for domain: _acme-challenge.xxx.com
[Sun Sep 29 12:38:10 CDT 2019] invalid domain
[Sun Sep 29 12:38:10 CDT 2019] Error add txt for domain:_acme-challenge.xxx.com
[Sun Sep 29 12:38:10 CDT 2019] Please check log file for more details: /tmp/acme/xxx_Certificates/acme_issuecert.log

I looked at the log file; however, it wasn’t helpful in the slightest. I’m wondering what I’m missing, or if anyone could help me here with this one.

Looks like that client is acme.sh or similar.

First, let me ask: did you enable a Cloudflare plugin or otherwise enter Cloudflare API keys/API tokens? Since CF is now your DNS provider, the ACME client has to support the Cloudflare API when it needs to provision the DNS records.

Hey, thanks for the response.

I’m actually trying to use the ACME Certificates plugin on pfSense that has the Cloudflare plugin built in. I looked up certbot at the command line (with the Cloudflare plugin) and compared it to the pfSense ACME client. The pfSense ACME client requires 4 items:

  1. Cloudflare API key – which I assume is the Global API key
  2. Cloudflare API Email Address – which I assume is the email address I used when registering with Cloudflare
  3. Cloudflare API Token – which I generated; however, possibly I didn’t do this correctly. The token has permissions -> Edit Zone DNS – Include specific Zone, and I listed my only TLD. Subdomains within the TLD weren’t an option.
  4. Account ID – this wasn’t actually specified anywhere on the website; however, I assume it’s the long hex number contained within the actual URL when I log into Cloudflare.

That’s about all the information I can give you. The command line certbot version only requires an email address and the Cloudflare API key (no token). I think I might try this method next; however, ultimately I’d like to use the pfSense client since it’s automated.


I’d recommend trying to add the permission zone->zone->read, since the go-acme client says it needs those permissions.

Chances are it checks if the API token is set and tries to use that before even checking the Global API key, which is why it failed.

You’re correct that it’s the one in the URL, but you can also find it on the right side of any domain overview page.


Thanks for the information about the API token on the Domain Overview page (I didn’t see that information; it’s really far down the page).

So I modified the token with following parameters:
Zone:Zone:Read
Zone:DNS:Edit

I re-ran the pfSense ACME client; unfortunately I got the exact same output as before, listed in the first post. That’s a bummer.

Thanks a lot for your help.
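As an added example (not code from anyone in this thread, from pfSense, or from acme.sh), here is a small Python probe that walks the same Cloudflare v4 API calls a DNS-01 hook has to make with an API token: verify the token, find the zone that owns the challenge name by trying progressively shorter suffixes, create the `_acme-challenge` TXT record, then delete it. Each step is reported separately, so a failure points at the call that needs a missing permission (the zone lookup is the step that needs Zone:Zone:Read, the record create needs Zone:DNS:Edit) instead of collapsing into one generic error. The token, zone name and the stub transport's responses are constructed placeholders; `https_transport` uses only the standard library and is what you would pass in to run it for real.

```python
"""Step-by-step probe of the Cloudflare API calls behind an ACME DNS-01 hook."""
import json
import urllib.request
from typing import Callable, Optional

API = "https://api.cloudflare.com/client/v4"

# A transport takes (method, url, token, json_body_or_None) and returns the parsed
# JSON envelope Cloudflare uses: {"success": bool, "errors": [...], "result": ...}.
Transport = Callable[[str, str, str, Optional[dict]], dict]


def https_transport(method: str, url: str, token: str, body: Optional[dict]) -> dict:
    """Real transport: Bearer-token request against the Cloudflare v4 API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def find_zone(fqdn: str, token: str, transport: Transport):
    """Walk the suffixes of the challenge name until one is a zone the token can see.

    For _acme-challenge.nextcloud.example.com this tries nextcloud.example.com and
    then example.com. The TLD alone is never tried. Returns (zone_name, zone_id) or
    (None, None) when no zone is visible, which is what a token without
    Zone:Zone:Read looks like.
    """
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        r = transport("GET", f"{API}/zones?name={candidate}", token, None)
        if r.get("success") and r.get("result"):
            return candidate, r["result"][0]["id"]
    return None, None


def dns01_probe(token: str, fqdn: str, txt_value: str,
                transport: Transport = https_transport) -> dict:
    """Return a dict mapping each step of the hook to its outcome."""
    report = {}

    # Step 1: is the token accepted at all? (This endpoint does not report scopes.)
    r = transport("GET", f"{API}/user/tokens/verify", token, None)
    report["token_verify"] = bool(r.get("success"))
    if not report["token_verify"]:
        report["error"] = r.get("errors")
        return report

    # Step 2: zone lookup; needs Zone:Zone:Read on the zone.
    zone, zone_id = find_zone(fqdn, token, transport)
    report["zone_lookup"] = zone is not None
    if zone is None:
        report["error"] = f"no zone owning {fqdn} is visible to this token"
        return report
    report["zone"] = zone

    # Step 3: create the TXT record; needs Zone:DNS:Edit on the zone.
    r = transport("POST", f"{API}/zones/{zone_id}/dns_records", token,
                  {"type": "TXT", "name": fqdn, "content": txt_value, "ttl": 120})
    report["txt_create"] = bool(r.get("success"))
    if not report["txt_create"]:
        report["error"] = r.get("errors")
        return report
    record_id = r["result"]["id"]

    # Step 4: remove the record again, as a hook does after validation.
    r = transport("DELETE", f"{API}/zones/{zone_id}/dns_records/{record_id}", token, None)
    report["txt_delete"] = bool(r.get("success"))
    return report


def stub_transport(visible_zones: set, can_edit_dns: bool) -> Transport:
    """Constructed stand-in for the API so the probe runs offline (demo/test only)."""
    def transport(method, url, token, body):
        if url.endswith("/user/tokens/verify"):
            return {"success": True, "result": {"status": "active"}}
        if "/zones?name=" in url:
            name = url.split("name=", 1)[1]
            hits = [{"id": "zone-0001", "name": name}] if name in visible_zones else []
            return {"success": True, "result": hits}
        if method == "POST" and url.endswith("/dns_records"):
            if not can_edit_dns:
                return {"success": False, "errors": [{"message": "constructed: no DNS edit permission"}]}
            return {"success": True, "result": {"id": "rec-0001", **body}}
        if method == "DELETE":
            return {"success": True, "result": {"id": url.rsplit("/", 1)[1]}}
        return {"success": False, "errors": [{"message": "constructed: unexpected call"}]}
    return transport


if __name__ == "__main__":
    # Offline demo with constructed responses; replace stub_transport(...) with
    # https_transport and a real token to probe a real zone.
    ok = stub_transport({"example.com"}, True)
    print(dns01_probe("PLACEHOLDER_TOKEN", "_acme-challenge.nextcloud.example.com", "value", ok))
```

Against a real zone, a report that stops at `zone_lookup` with a token that verifies fine is the signature of a token scoped to DNS edit only; one that stops at `txt_create` is the opposite case. Keeping the token scoped to exactly those two permissions on the one zone is the least-privilege shape for this job.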

I kind of shelved this issue for now. I never was able to make use of the pfSense ACME client. Unfortunately the logs weren’t very helpful.

For now I’ve defaulted back to using certbot as the ACME client on the web server and authenticating using the Cloudflare plugin.

Once I get time, I’ll actually install acme.sh on the web server and try to renew certificates with this client rather than certbot. Supposedly certbot natively doesn’t work well with ECDSA certs, and most posts I’ve researched have recommended using acme.sh rather than certbot for this use case.
