Let's Encrypt, ACME pfSense plugin fail to create DNS records with token

runevee · April 28, 2020, 6:36pm

I’m trying to setup a wildcard certificate with the ACME plugin on my pfSense machine. However, I get the following error when trying to issue the certificate.

MyCert
Renewing certificate 
account: Cert 
server: letsencrypt-staging-2 

/usr/local/pkg/acme/acme.sh  --issue  -d '*.mydomain.com' --dns 'dns_cf'  --home '/tmp/acme/MyCert/' --accountconf '/tmp/acme/MyCert/accountconf.conf' --force --reloadCmd '/tmp/acme/MyCert/reloadcmd.sh' --log-level 3 --log '/tmp/acme/MyCert/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [CF_Key] => my_global_API_key
    [CF_Email] => my_cloudflare_email
    [CF_Token] => my_token
    [CF_Account_ID] => my_account_id_key
    [CF_Zone_ID] => my_zone_id_key
)
[Tue Apr 28 19:20:10 CEST 2020] Single domain='*.mydomain.com'
[Tue Apr 28 19:20:10 CEST 2020] Getting domain auth token for each domain
[Tue Apr 28 19:20:13 CEST 2020] Getting webroot for domain='*.mydomain.com'
[Tue Apr 28 19:20:13 CEST 2020] Adding txt value: nHGgDV4uI6z3e7iI7pIP9_Kedo78EXM82LaWFJn6u9A for domain:  _acme-challenge.mydomain.com
[Tue Apr 28 19:20:14 CEST 2020] Error
[Tue Apr 28 19:20:14 CEST 2020] Error add txt for domain:_acme-challenge.mydomain.com
[Tue Apr 28 19:20:14 CEST 2020] Please check log file for more details: /tmp/acme/MyCert/acme_issuecert.log

In the acme_issuecert.log I get the following lines:
[Tue Apr 28 18:18:56 CEST 2020] Single domain=’*.mydomain.com’
[Tue Apr 28 18:18:56 CEST 2020] Getting domain auth token for each domain
[Tue Apr 28 18:19:12 CEST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Apr 28 18:19:12 CEST 2020] Create new order error. Le_OrderFinalize not found.
[Tue Apr 28 18:19:12 CEST 2020] Please check log file for more details: /tmp/acme/MyCert/acme_issuecert.log

I don’t know if it is relevant but I have two domains on my CF account but I’m only using the DNS service.

The settings of the token is:
Permissions
Zone:Zone:Read
Zone:DNS:Edit

Zone Ressources
Include:Specific Zone:mydomain.com

IP Address filering:
This is not set

TTL:
This is not set

I have successfully validated the token from my terminal.

In pfSense I have filled out all the credentials for CF (Global API key, Email, token key, Zone Id, Zccount Id). When I click save the certificate is marked as last renewed at 01 Jan 1970 (see screen dump)

Screenshot 2020-04-28 at 20.22.04 .

When I click the renew button I get the error above.

ACME don’t create/modify any DNS records and there are no activity in the Auditlog except for me creating the token.

I’m running the lastest version of pfSense (2.4.5) and the most recent acme plugin (0.6.7).

Please let me know if you need additional information. Any help is highly appreciated.

chris.gregson · April 28, 2020, 8:40pm

Exact same issue here since upgrading the acme package to 0.6.7 in pfsense I can no longer renew any of my certs. Not sure if this is a package issue or something on the Cloudflare side yet.

dustin3 · April 28, 2020, 10:38pm

Seeing the same issue on my setup

lauri.gates · April 30, 2020, 11:31am

I had the same issue and it was fixed by upgrading the ACME package to 0.6.8 that was released yesterday.

runevee · April 30, 2020, 11:49am

Perfect! That solved the problem! Thanks for the solution.

joey741019 · May 3, 2020, 6:00am

I still have similar issue in 0.6.8

[Sun May  3 13:39:14 CST 2020] Detect dns server first.
[Sun May  3 13:39:14 CST 2020] GET
[Sun May  3 13:39:14 CST 2020] url='https://cloudflare-dns.com'
[Sun May  3 13:39:14 CST 2020] timeout=
[Sun May  3 13:39:14 CST 2020] Http already initialized.
[Sun May  3 13:39:14 CST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/wildcard_HIDDEN.DOMAIN//http.header  -g '
[Sun May  3 13:39:14 CST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun May  3 13:39:14 CST 2020] ret='35'
[Sun May  3 13:39:14 CST 2020] Use google doh server
[Sun May  3 13:39:14 CST 2020] _ns_ep='https://dns.google/resolve'
[Sun May  3 13:39:14 CST 2020] _ns_domain='_acme-challenge.HIDDEN.DOMAIN'
[Sun May  3 13:39:14 CST 2020] _ns_type='TXT'
[Sun May  3 13:39:14 CST 2020] GET
[Sun May  3 13:39:14 CST 2020] url='https://dns.google/resolve?name=_acme-challenge.HIDDEN.DOMAIN&type=TXT'
[Sun May  3 13:39:14 CST 2020] timeout=
[Sun May  3 13:39:14 CST 2020] Http already initialized.
[Sun May  3 13:39:14 CST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/wildcard_HIDDEN.DOMAIN//http.header  -g '
[Sun May  3 13:40:29 CST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun May  3 13:40:29 CST 2020] ret='35'
[Sun May  3 13:40:29 CST 2020] response
[Sun May  3 13:40:29 CST 2020] Not valid yet, let's wait 10 seconds and check next one.
[Sun May  3 13:40:29 CST 2020] _p_txtdomain='_acme-challenge.HIDDEN.DOMAIN'
[Sun May  3 13:40:29 CST 2020] Cloudflare purge TXT record for domain _acme-challenge.HIDDEN.DOMAIN
[Sun May  3 13:40:29 CST 2020] POST
[Sun May  3 13:40:29 CST 2020] _post_url='https://cloudflare-dns.com/api/v1/purge?domain=_acme-challenge.HIDDEN.DOMAIN&type=TXT'
[Sun May  3 13:40:29 CST 2020] body
[Sun May  3 13:40:29 CST 2020] _postContentType
[Sun May  3 13:40:29 CST 2020] Http already initialized.
[Sun May  3 13:40:29 CST 2020] _CURL='curl -L --silent --dump-header /tmp/acme/wildcard_HIDDEN.DOMAIN//http.header  -g '
[Sun May  3 13:40:29 CST 2020] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun May  3 13:40:29 CST 2020] _ret='35'
[Sun May  3 13:40:29 CST 2020] response
[Sun May  3 13:40:39 CST 2020] Let's wait 10 seconds and check again.

system · May 28, 2020, 6:36pm

This topic was automatically closed after 30 days. New replies are no longer allowed.