OPNsense Forum

Prior to 23.1, the ACME plugin seemed to work fine, and I had automatically renewed certificates for several months.

Somewhere around the change to 23.1, however, it no longer works via OPNSense, even though I can use Gandi's LiveDNS and API key from "letsencrypt" on a Pi just fine (so the issue is not Gandi, and not the API key).

My logs appear as such (with debug logging enabled for the ACME Settings):

2023-04-10T14:02:33 Error   opnsense    AcmeClient: validation for certificate failed: host.mydomain.com   
2023-04-10T14:02:33 Error   opnsense    AcmeClient: domain validation failed (dns01)   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --dns 'dns_gandi_livedns' --dnssleep '90' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/whatever.07307279/cert.pem' --keypath '/var/etc/acme-client/keys/whatever.07307279/private.key' --capath '/var/etc/acme-client/certs/whatever.07307279/chain.pem' --fullchainpath '/var/etc/acme-client/certs/whatever.07307279/fullchain.pem' --domain 'host.mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/whatever.40506586_prod/account.conf'   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: using challenge type: GandiV5   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: account is registered: Let's Encrypt   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: using CA: letsencrypt   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: issue certificate: host.mydomain.com   
2023-04-10T14:02:25 Notice  opnsense    AcmeClient: certificate must be issued/renewed: host.mydomain.com

Obviously, this is in reverse chronological order.

I've obfuscated a few things, but, I do not think they are relevant to the issue.  The domain has the Gandi API enabled, the key works fine, etc etc.

What I do notice, however, is that the "dnssleep" option passed to the ACME shell script is being ignored.  I've tried various values here, 120 seconds, 240, 0 (default) - however, as you can see from the logs, within 2 seconds OPNSense records the attempt as a failure, and gives up.

Interestingly, even with "0" set as the value, the OPNSense plugin does not seem to re-try as per the on-screen note of:

QuoteThe time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 0 seconds, which causes Acme Client to check public DNS services every 10 seconds for up to 20 minutes. If set to a non-zero value, a fixed DNS sleep time will be used and the local DNS servers will be queried instead. A DNS sleep time of 120 seconds or more is recommended for some DNS APIs.

Does anyone have ACME working with 23.1 series and Gandi LiveDNS?

For what it is worth, this problem persists with OPNsense 23.1.7_3 with ACME Client Plugin 3.16.

The DNS01 challenge for Gandi (and perhaps all DNS01 challenges?) seem to fail immediately, without respecting the DNS Sleep option. 

Also at All-Inkl.com does not work, why is OPNSense so buggy?

f

Problem can come from old API key being used:

Workaround is to manually edit the acme-client account.conf file and change the API key to latest value:

1. Login into opnsense root shell account.
2. Edit /var/etc/acme-client/accounts/*/account.conf
3. Replace latest Gandi API key in GANDI_LIVEDNS_KEY='your.latest.gandi.api.key'

Then try to re-generate your certs.

See: https://github.com/acmesh-official/acme.sh/issues/2011

Outstanding.  That was it.  I modified the .conf file, re-issued a certificate, and all looks good.

Thank you very much for the pointer!

Quote from: Koloa on May 15, 2023, 01:02:58 AM
Outstanding.  That was it.  I modified the .conf file, re-issued a certificate, and all looks good.

Thank you very much for the pointer!

I struggled with the same issue for months and when I finally found a solution it was a great relief so I can understand how helpful it can be for others.

Sent from my AC2003 using Tapatalk