OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: hansdampf on January 12, 2024, 05:00:46 PM

Title: Strange Letsencrypt problem
Post by: hansdampf on January 12, 2024, 05:00:46 PM
Hello,
I installed the Letsencrypt plugin and set it up to use DNS-01; I need the wildcard option.
When I tested the whole thing I used the Letsencrypt Test CA, and everything works as expected: certs are issued and copied to the OPNsense, and I see them under "Security".
So far, so good.

Now I wanted to change from Test CA to Standard CA, but here it fails:

Installing full chain to: /var/etc/acme-client/certs/65***/fullchain.pem
Installing key to: /var/etc/acme-client/keys/65***/private.key
Installing CA to: /var/etc/acme-client/certs/65***/chain.pem
Installing cert to: /var/etc/acme-client/certs/65***/cert.pem
And the full chain certs is there: /var/etc/acme-client/home/xxx.ddnss.de_ecc/fullchain.cer
The intermediate CA cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/ca.cer
Your cert key is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.key
Your cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.cer
Cert success.
Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bxyz'
Downloading cert.
Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xx/13xx
Retry after: 3
Order status is processing, lets sleep and retry.
Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xx/13xx'
Lets finalize the order.
Verify finished, start to sign.
wg.xxx.ddnss.de is already verified, skip dns-01.
ovpn.xxx.ddnss.de is already verified, skip dns-01.
xxx.ddnss.de is already verified, skip dns-01.
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.xxx.ddnss.de
Errors happened during adding the TXT record, response=- badauth : Invalid username or password. Authentication failed.
Trying to add TXT record
Adding txt value: ***ABCDEF*** for domain: _acme-challenge.xxx.ddnss.de
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-v02.api.letsencrypt.org/directory


I added the full log (stripped private parts and times for clarity/security).
The log contains the "Standard CA" at the bottom of the log; the upper part is using the "Test CA".
I see a badauth : Invalid username or password.

So here is my question: Do I have to re-register at the Letsencrypt plugin (Konten / Accounts) for the Standard CA?
Or am I missing something else?

Thanks a lot for any help!
Title: Re: Strange Letsencrypt problem
Post by: Patrick M. Hausen on January 12, 2024, 05:18:26 PM
Everything past
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-v02.api.letsencrypt.org/directory

is missing. That's where the interaction with the live CA supposedly starts.

You do need to register an account with Letsencrypt, yes. That's part of the ACME module and should be a single click.
Title: Re: Strange Letsencrypt problem
Post by: hansdampf on January 12, 2024, 06:06:11 PM
So my account is showing "registered"; I did a re-register after setting the "Standard CA".
Nothing changed here, the issuing failed again. So what am I doing wrong?
Issuing with the "Test CA" works out of the box; only with the "Standard CA" does it fail.
Can I provide more information?
Title: Re: Strange Letsencrypt problem
Post by: Patrick M. Hausen on January 12, 2024, 06:13:58 PM
The full log including the error message?  ;)
Title: Re: Strange Letsencrypt problem
Post by: hansdampf on January 12, 2024, 08:51:05 PM
OK!
So I added the creation log, where I tested HTTP-01 and DNS-01 via the "Test CA". I had created that thing that night, so it's the only "old" log I have. The new log is from today, when I switched from "Test CA" to "Standard CA". Both logs are complete; only private parts were removed/changed.

Hope that helps...

acmeclient logs:
New log:
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 39529 - [meta sequenceId="1"] [Fri Jan 12 16:27:29 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 82610 - [meta sequenceId="2"] [Fri Jan 12 16:27:29 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 93894 - [meta sequenceId="3"] [Fri Jan 12 16:27:29 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 96060 - [meta sequenceId="4"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 17876 - [meta sequenceId="5"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 36573 - [meta sequenceId="6"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 67922 - [meta sequenceId="7"] [Fri Jan 12 16:27:32 CET 2024] Adding txt value: KPxxx for domain:  _acme-challenge._name_.ddnss.de
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 75458 - [meta sequenceId="8"] [Fri Jan 12 16:27:32 CET 2024] Trying to add TXT record
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 80690 - [meta sequenceId="9"] [Fri Jan 12 16:27:32 CET 2024] Errors happened during adding the TXT record, response=- badauth : Invalid username or password.  Authentication failed.
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 82718 - [meta sequenceId="10"] [Fri Jan 12 16:27:32 CET 2024] Error add txt for domain:_acme-challenge._name_.ddnss.de
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 85754 - [meta sequenceId="11"] [Fri Jan 12 16:27:32 CET 2024] Please add '--debug' or '--log' to check more details.
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 88343 - [meta sequenceId="12"] [Fri Jan 12 16:27:32 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 98426 - [meta sequenceId="1"] [Fri Jan 12 16:28:32 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 40034 - [meta sequenceId="2"] [Fri Jan 12 16:28:32 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 55875 - [meta sequenceId="3"] [Fri Jan 12 16:28:32 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 55450 - [meta sequenceId="4"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 72617 - [meta sequenceId="5"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 86034 - [meta sequenceId="6"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 24513 - [meta sequenceId="7"] [Fri Jan 12 16:28:36 CET 2024] _name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 33294 - [meta sequenceId="8"] [Fri Jan 12 16:28:36 CET 2024] ovpn._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 41728 - [meta sequenceId="9"] [Fri Jan 12 16:28:36 CET 2024] wg._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 45285 - [meta sequenceId="10"] [Fri Jan 12 16:28:36 CET 2024] Verify finished, start to sign.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 52187 - [meta sequenceId="11"] [Fri Jan 12 16:28:36 CET 2024] Lets finalize the order.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 54630 - [meta sequenceId="12"] [Fri Jan 12 16:28:36 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxyy/13yyxx'
<14>1 2024-01-12T16:28:37+01:00 opnsense.localdomain acme.sh 84901 - [meta sequenceId="13"] [Fri Jan 12 16:28:37 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-12T16:28:37+01:00 opnsense.localdomain acme.sh 88687 - [meta sequenceId="14"] [Fri Jan 12 16:28:37 CET 2024] Retry after: 3
<14>1 2024-01-12T16:28:40+01:00 opnsense.localdomain acme.sh 92984 - [meta sequenceId="15"] [Fri Jan 12 16:28:40 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxyy/13yyxx
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 22191 - [meta sequenceId="16"] [Fri Jan 12 16:28:41 CET 2024] Downloading cert.
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 25018 - [meta sequenceId="17"] [Fri Jan 12 16:28:41 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bxxx'
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 57945 - [meta sequenceId="18"] [Fri Jan 12 16:28:41 CET 2024] Cert success.
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 61303 - [meta sequenceId="19"] [Fri Jan 12 16:28:41 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 64291 - [meta sequenceId="20"] [Fri Jan 12 16:28:41 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 71541 - [meta sequenceId="21"] [Fri Jan 12 16:28:41 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 73801 - [meta sequenceId="22"] [Fri Jan 12 16:28:41 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 24683 - [meta sequenceId="23"] [Fri Jan 12 16:28:41 CET 2024] Installing cert to: /var/etc/acme-client/certs/6597xxx/cert.pem
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 28976 - [meta sequenceId="24"] [Fri Jan 12 16:28:42 CET 2024] Installing CA to: /var/etc/acme-client/certs/6597xxx/chain.pem
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 33089 - [meta sequenceId="25"] [Fri Jan 12 16:28:42 CET 2024] Installing key to: /var/etc/acme-client/keys/6597xxx/private.key
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 36157 - [meta sequenceId="26"] [Fri Jan 12 16:28:42 CET 2024] Installing full chain to: /var/etc/acme-client/certs/6597xxx/fullchain.pem
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 77180 - [meta sequenceId="1"] [Fri Jan 12 18:03:02 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 21686 - [meta sequenceId="2"] [Fri Jan 12 18:03:02 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 36101 - [meta sequenceId="3"] [Fri Jan 12 18:03:02 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 45712 - [meta sequenceId="4"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 69730 - [meta sequenceId="5"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 87669 - [meta sequenceId="6"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 18339 - [meta sequenceId="7"] [Fri Jan 12 18:03:05 CET 2024] Adding txt value: 1Zxxx for domain:  _acme-challenge._name_.ddnss.de
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 25213 - [meta sequenceId="8"] [Fri Jan 12 18:03:05 CET 2024] Trying to add TXT record
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 31429 - [meta sequenceId="9"] [Fri Jan 12 18:03:05 CET 2024] Errors happened during adding the TXT record, response=- badauth : Invalid username or password.  Authentication failed.
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 34119 - [meta sequenceId="10"] [Fri Jan 12 18:03:05 CET 2024] Error add txt for domain:_acme-challenge._name_.ddnss.de
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 35533 - [meta sequenceId="11"] [Fri Jan 12 18:03:05 CET 2024] Please add '--debug' or '--log' to check more details.
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 38325 - [meta sequenceId="12"] [Fri Jan 12 18:03:05 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

old log (Creation):
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 88909 - [meta sequenceId="1"] [Fri Jan  5 00:54:05 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 31713 - [meta sequenceId="2"] [Fri Jan  5 00:54:05 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 46005 - [meta sequenceId="3"] [Fri Jan  5 00:54:05 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 23868 - [meta sequenceId="4"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 47366 - [meta sequenceId="5"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 69674 - [meta sequenceId="6"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 16624 - [meta sequenceId="7"] [Fri Jan  5 00:54:08 CET 2024] _name_.ddnss.de is already verified, skip http-01.
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 27362 - [meta sequenceId="8"] [Fri Jan  5 00:54:08 CET 2024] Verifying: ovpn._name_.ddnss.de
<14>1 2024-01-05T00:54:09+01:00 opnsense.localdomain acme.sh 63299 - [meta sequenceId="9"] [Fri Jan  5 00:54:09 CET 2024] Pending, The CA is processing your order, please just wait. (1/30)
<14>1 2024-01-05T00:54:12+01:00 opnsense.localdomain acme.sh 98641 - [meta sequenceId="10"] [Fri Jan  5 00:54:12 CET 2024] Pending, The CA is processing your order, please just wait. (2/30)
<14>1 2024-01-05T00:54:14+01:00 opnsense.localdomain acme.sh 36071 - [meta sequenceId="11"] [Fri Jan  5 00:54:14 CET 2024] Pending, The CA is processing your order, please just wait. (3/30)
<14>1 2024-01-05T00:54:17+01:00 opnsense.localdomain acme.sh 76477 - [meta sequenceId="12"] [Fri Jan  5 00:54:17 CET 2024] Pending, The CA is processing your order, please just wait. (4/30)
<14>1 2024-01-05T00:54:19+01:00 opnsense.localdomain acme.sh 9650 - [meta sequenceId="13"] [Fri Jan  5 00:54:19 CET 2024] Pending, The CA is processing your order, please just wait. (5/30)
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 49599 - [meta sequenceId="14"] [Fri Jan  5 00:54:22 CET 2024] Success
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 60251 - [meta sequenceId="15"] [Fri Jan  5 00:54:22 CET 2024] Verifying: wg._name_.ddnss.de
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 97693 - [meta sequenceId="16"] [Fri Jan  5 00:54:22 CET 2024] Pending, The CA is processing your order, please just wait. (1/30)
<14>1 2024-01-05T00:54:25+01:00 opnsense.localdomain acme.sh 39852 - [meta sequenceId="17"] [Fri Jan  5 00:54:25 CET 2024] Pending, The CA is processing your order, please just wait. (2/30)
<14>1 2024-01-05T00:54:27+01:00 opnsense.localdomain acme.sh 79634 - [meta sequenceId="18"] [Fri Jan  5 00:54:27 CET 2024] Pending, The CA is processing your order, please just wait. (3/30)
<14>1 2024-01-05T00:54:30+01:00 opnsense.localdomain acme.sh 14412 - [meta sequenceId="19"] [Fri Jan  5 00:54:30 CET 2024] Pending, The CA is processing your order, please just wait. (4/30)
<14>1 2024-01-05T00:54:33+01:00 opnsense.localdomain acme.sh 51798 - [meta sequenceId="20"] [Fri Jan  5 00:54:33 CET 2024] Pending, The CA is processing your order, please just wait. (5/30)
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 4226 - [meta sequenceId="21"] [Fri Jan  5 00:54:35 CET 2024] Success
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 9650 - [meta sequenceId="22"] [Fri Jan  5 00:54:35 CET 2024] Verify finished, start to sign.
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 17316 - [meta sequenceId="23"] [Fri Jan  5 00:54:35 CET 2024] Lets finalize the order.
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 20026 - [meta sequenceId="24"] [Fri Jan  5 00:54:35 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxx/13443807974'
<14>1 2024-01-05T00:54:36+01:00 opnsense.localdomain acme.sh 59744 - [meta sequenceId="25"] [Fri Jan  5 00:54:36 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-05T00:54:36+01:00 opnsense.localdomain acme.sh 65402 - [meta sequenceId="26"] [Fri Jan  5 00:54:36 CET 2024] Retry after: 3
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 7080 - [meta sequenceId="27"] [Fri Jan  5 00:54:39 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxx/13443807974
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 36971 - [meta sequenceId="28"] [Fri Jan  5 00:54:39 CET 2024] Downloading cert.
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 39554 - [meta sequenceId="29"] [Fri Jan  5 00:54:39 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b5xxx'
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 77721 - [meta sequenceId="30"] [Fri Jan  5 00:54:40 CET 2024] Cert success.
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 80950 - [meta sequenceId="31"] [Fri Jan  5 00:54:40 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 83360 - [meta sequenceId="32"] [Fri Jan  5 00:54:40 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 91871 - [meta sequenceId="33"] [Fri Jan  5 00:54:40 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 95700 - [meta sequenceId="34"] [Fri Jan  5 00:54:40 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 47639 - [meta sequenceId="35"] [Fri Jan  5 00:54:40 CET 2024] Installing cert to: /var/etc/acme-client/certs/65yyy/cert.pem
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 51984 - [meta sequenceId="36"] [Fri Jan  5 00:54:40 CET 2024] Installing CA to: /var/etc/acme-client/certs/65yyy/chain.pem
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 55374 - [meta sequenceId="37"] [Fri Jan  5 00:54:40 CET 2024] Installing key to: /var/etc/acme-client/keys/65yyy/private.key
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 59461 - [meta sequenceId="38"] [Fri Jan  5 00:54:40 CET 2024] Installing full chain to: /var/etc/acme-client/certs/65yyy/fullchain.pem
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 26225 - [meta sequenceId="1"] [Fri Jan  5 00:56:16 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 71501 - [meta sequenceId="2"] [Fri Jan  5 00:56:16 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 87697 - [meta sequenceId="3"] [Fri Jan  5 00:56:16 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 81826 - [meta sequenceId="4"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 895 - [meta sequenceId="5"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 18687 - [meta sequenceId="6"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 64574 - [meta sequenceId="7"] [Fri Jan  5 00:56:19 CET 2024] _name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 75070 - [meta sequenceId="8"] [Fri Jan  5 00:56:19 CET 2024] ovpn._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 86496 - [meta sequenceId="9"] [Fri Jan  5 00:56:19 CET 2024] wg._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 90662 - [meta sequenceId="10"] [Fri Jan  5 00:56:19 CET 2024] Verify finished, start to sign.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 139 - [meta sequenceId="11"] [Fri Jan  5 00:56:19 CET 2024] Lets finalize the order.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 2483 - [meta sequenceId="12"] [Fri Jan  5 00:56:19 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxx/13yyy'
<14>1 2024-01-05T00:56:20+01:00 opnsense.localdomain acme.sh 38212 - [meta sequenceId="13"] [Fri Jan  5 00:56:20 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-05T00:56:20+01:00 opnsense.localdomain acme.sh 43236 - [meta sequenceId="14"] [Fri Jan  5 00:56:20 CET 2024] Retry after: 3
<14>1 2024-01-05T00:56:23+01:00 opnsense.localdomain acme.sh 49446 - [meta sequenceId="15"] [Fri Jan  5 00:56:23 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxx/13yyy
<14>1 2024-01-05T00:56:24+01:00 opnsense.localdomain acme.sh 77453 - [meta sequenceId="16"] [Fri Jan  5 00:56:24 CET 2024] Downloading cert.
<14>1 2024-01-05T00:56:24+01:00 opnsense.localdomain acme.sh 80646 - [meta sequenceId="17"] [Fri Jan  5 00:56:24 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b6xxx'
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 19710 - [meta sequenceId="18"] [Fri Jan  5 00:56:25 CET 2024] Cert success.
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 23539 - [meta sequenceId="19"] [Fri Jan  5 00:56:25 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 26770 - [meta sequenceId="20"] [Fri Jan  5 00:56:25 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 33539 - [meta sequenceId="21"] [Fri Jan  5 00:56:25 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 35719 - [meta sequenceId="22"] [Fri Jan  5 00:56:25 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 88122 - [meta sequenceId="23"] [Fri Jan  5 00:56:25 CET 2024] Installing cert to: /var/etc/acme-client/certs/65xxx/cert.pem
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 90581 - [meta sequenceId="24"] [Fri Jan  5 00:56:25 CET 2024] Installing CA to: /var/etc/acme-client/certs/65xxx/chain.pem
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 93726 - [meta sequenceId="25"] [Fri Jan  5 00:56:25 CET 2024] Installing key to: /var/etc/acme-client/keys/65xxx/private.key
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 98057 - [meta sequenceId="26"] [Fri Jan  5 00:56:25 CET 2024] Installing full chain to: /var/etc/acme-client/certs/65xxx/fullchain.pem


The acme.sh.log is empty.
Title: Re: Strange Letsencrypt problem
Post by: hansdampf on January 16, 2024, 08:41:50 PM
OK, tried again, this time with debug level 3 (I didn't see that I could change the log level before: sorry).
Log is here, again with changed private parts:

The upper part of the log was a new try after adding the TXT record manually inside my ddnss.de account. The TXT record I extracted from the log was arjxxx. After the failure I revoked the cert and removed it, and started the Cert section of the OPNsense acme-client from scratch.

openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
features:
  #define WITH_HELP 1
  #define WITH_STATS 1
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_SOCKETPAIR 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_DCCP 1
  #define WITH_UDPLITE 1
  #define WITH_LISTEN 1
  #undef WITH_POSIXMQ
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_SOCKS5 1
  #undef WITH_VSOCK
  #undef WITH_NAMESPACES
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_SHELL 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
  #define WITH_DEFAULT_IPV 4
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: remove
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
_name_.ddnss.de is removed, the key and cert files are in /var/etc/acme-client/home/_name_.ddnss.de_ecc
You can remove them by yourself.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: issue
_main_domain='_name_.ddnss.de'
_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.K6JJsuj0  -g '
ret='0'
ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Using CA: https://acme-v02.api.letsencrypt.org/directory
_on_before_issue
_chk_main_domain='_name_.ddnss.de'
_chk_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Le_LocalAddress
d='_name_.ddnss.de'
Check for domain='_name_.ddnss.de'
_currentRoot='dns_ddnss'
d='ovpn._name_.ddnss.de'
Check for domain='ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
d='wg._name_.ddnss.de'
Check for domain='wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
d
_saved_account_key_hash is not changed, skip register account.
Read key length:2048
Creating domain key
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
Use length 384
Using ec name: secp384r1
The domain key is here: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
_createcsr
Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
Getting domain auth token for each domain
d='ovpn._name_.ddnss.de'
d='wg._name_.ddnss.de'
d
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/new-order'
payload='{"identifiers": [{"type":"dns","value":"_name_.ddnss.de"},{"type":"dns","value":"ovpn._name_.ddnss.de"},{"type":"dns","value":"wg._name_.ddnss.de"}]}'
RSA key
HEAD
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g  -I  '
_ret='0'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='201'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1499440536/237161386366'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1499440536/237161386366'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
d='_name_.ddnss.de'
Getting webroot for domain='_name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ","token":"JIGxxx"'
token='JIGxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
keyauthorization='JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='_name_.ddnss.de#JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
d='ovpn._name_.ddnss.de'
Getting webroot for domain='ovpn._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg","token":"klmxxx"'
token='klmxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
keyauthorization='klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='ovpn._name_.ddnss.de#klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
d='wg._name_.ddnss.de'
Getting webroot for domain='wg._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q","token":"mQSxxx"'
token='mQSxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
keyauthorization='mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='wg._name_.ddnss.de#mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
d
vlist='_name_.ddnss.de#JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246,ovpn._name_.ddnss.de#klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256,wg._name_.ddnss.de#mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266,'
d='_name_.ddnss.de'
_d_alias='=_name_.ddnss.de'
txtdomain='_name_.ddnss.de'
txt='arjxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: arjxxx for domain:  _name_.ddnss.de
Error extracting the domain.
Error add txt for domain:_name_.ddnss.de
_on_issue_err
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
features:
  #define WITH_HELP 1
  #define WITH_STATS 1
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_SOCKETPAIR 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_DCCP 1
  #define WITH_UDPLITE 1
  #define WITH_LISTEN 1
  #undef WITH_POSIXMQ
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_SOCKS5 1
  #undef WITH_VSOCK
  #undef WITH_NAMESPACES
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_SHELL 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
  #define WITH_DEFAULT_IPV 4
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: remove
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
_name_.ddnss.de is removed, the key and cert files are in /var/etc/acme-client/home/_name_.ddnss.de_ecc
You can remove them by yourself.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: issue
_main_domain='_name_.ddnss.de'
_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.f4YHeerM  -g '
ret='0'
ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Using CA: https://acme-v02.api.letsencrypt.org/directory
_on_before_issue
_chk_main_domain='_name_.ddnss.de'
_chk_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Le_LocalAddress
d='_name_.ddnss.de'
Check for domain='_name_.ddnss.de'
_currentRoot='dns_ddnss'
d='ovpn._name_.ddnss.de'
Check for domain='ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
d='wg._name_.ddnss.de'
Check for domain='wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
d
_saved_account_key_hash is not changed, skip register account.
Read key length:2048
Creating domain key
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
Use length 4096
Using RSA: 4096
The domain key is here: /var/etc/acme-client/home/_name_.ddnss.de/_name_.ddnss.de.key
_createcsr
Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
Getting domain auth token for each domain
d='ovpn._name_.ddnss.de'
d='wg._name_.ddnss.de'
d
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/new-order'
payload='{"identifiers": [{"type":"dns","value":"_name_.ddnss.de"},{"type":"dns","value":"ovpn._name_.ddnss.de"},{"type":"dns","value":"wg._name_.ddnss.de"}]}'
RSA key
HEAD
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g  -I  '
_ret='0'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='201'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1499440536/237166762976'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1499440536/237166762976'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
d='_name_.ddnss.de'
Getting webroot for domain='_name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ","token":"ffnxxx"'
token='ffnxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
keyauthorization='ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='_name_.ddnss.de#ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
d='ovpn._name_.ddnss.de'
Getting webroot for domain='ovpn._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw","token":"8vDxxx"'
token='8vDxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
keyauthorization='8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='ovpn._name_.ddnss.de#8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
d='wg._name_.ddnss.de'
Getting webroot for domain='wg._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ","token":"19xxxx"'
token='19xxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
keyauthorization='19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='wg._name_.ddnss.de#19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
d
vlist='_name_.ddnss.de#ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766,ovpn._name_.ddnss.de#8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776,wg._name_.ddnss.de#19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786,'
d='_name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge._name_.ddnss.de'
txt='vDXxxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: vDXxxxx for domain:  _acme-challenge._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
d='ovpn._name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge.ovpn._name_.ddnss.de'
txt='1FTxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: 1FTxxx for domain:  _acme-challenge.ovpn._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
d='wg._name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge.wg._name_.ddnss.de'
txt='zaHxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: zaHxxx for domain:  _acme-challenge.wg._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
Sleep 120 seconds for the txt records to take effect
ok, let's start to verify
Verifying: _name_.ddnss.de
d='_name_.ddnss.de'
keyauthorization='ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_currentRoot='dns_ddnss'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
trigger validation code: 200
Lets check the status of the authz
Pending, The CA is processing your order, please just wait. (1/30)
sleep 2 secs to verify again
checking
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
Invalid status, _name_.ddnss.de:Verify error detail:Incorrect TXT record
Skip for removelevel:
pid
No need to restore nginx, skip.
_clearupdns
dns_entries='_name_.ddnss.de,_acme-challenge._name_.ddnss.de,,dns_ddnss,vDXxxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
ovpn._name_.ddnss.de,_acme-challenge.ovpn._name_.ddnss.de,,dns_ddnss,1FTxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
wg._name_.ddnss.de,_acme-challenge.wg._name_.ddnss.de,,dns_ddnss,zaHxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
'
Removing DNS records.
d='_name_.ddnss.de'
txtdomain='_acme-challenge._name_.ddnss.de'
aliasDomain='_acme-challenge._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='vDXxxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: vDXxxxx for domain: _acme-challenge._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
d='ovpn._name_.ddnss.de'
txtdomain='_acme-challenge.ovpn._name_.ddnss.de'
aliasDomain='_acme-challenge.ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='1FTxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: 1FTxxx for domain: _acme-challenge.ovpn._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
d='wg._name_.ddnss.de'
txtdomain='_acme-challenge.wg._name_.ddnss.de'
aliasDomain='_acme-challenge.wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='zaHxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: zaHxxx for domain: _acme-challenge.wg._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
_on_issue_err
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='400'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
I did a revoke and delete of the previous certs and started a new try by adding a completely new cert entry, entered the domain and the sub-domains, set the challenge type and left the rest of the entries at default.
Now I saw that a new TXT record was set automatically inside the account at ddnss.de.
So far so good.
But wait: it entered 3 TXT records, but I only saw 1 TXT record inside my ddnss.de account. And when checking the whole thing, acme found "Invalid status, _name_.ddnss.de:Verify error detail:Incorrect TXT record" and removed the whole thing. At ddnss.de, "TXT records" and "ACME DNS" were unchecked afterwards.
So I seem to have made a wrong setting somewhere.
At ddnss.de I checked "TXT Record" and "ACME DNS". --> these were removed by acme.sh

See the screenshot of the setting "Certs":
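The failure in the log above (three DNS-01 names, a single TXT record at ddnss.de, then "Incorrect TXT record") can be caught before the CA is asked to validate. The following is an added example, not code from acme.sh or the OPNsense plugin: it parses the `vlist=` line acme.sh prints, derives the TXT value the CA will query for each `_acme-challenge` name, and reports names whose value is not published. It assumes the ddnss.de host mapping visible in the log (updates for `_acme-challenge.*.<h>.ddnss.de` go to `host=<h>.ddnss.de`), uses constructed placeholder tokens, and simulates the resolver instead of doing real DNS lookups.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Callable

# Constructed sample in the acme.sh vlist layout:
#   <domain>#<keyauthorization>#<chall-url>#dns-01#<dns-api>#<authz-url>,...
# Tokens, thumbprint and URLs are placeholders, not values from the thread.
SAMPLE_VLIST = (
    "example.ddnss.de#tokA.THUMB#https://ca.example/chall/1#dns-01#dns_ddnss#https://ca.example/authz/1,"
    "ovpn.example.ddnss.de#tokB.THUMB#https://ca.example/chall/2#dns-01#dns_ddnss#https://ca.example/authz/2,"
    "wg.example.ddnss.de#tokC.THUMB#https://ca.example/chall/3#dns-01#dns_ddnss#https://ca.example/authz/3,"
)

def expected_txt(keyauthorization: str) -> str:
    """RFC 8555 s8.4: TXT RDATA = base64url(SHA-256(key authorization)), unpadded."""
    digest = hashlib.sha256(keyauthorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def parse_vlist(vlist: str) -> list[dict]:
    """One record per identifier, with the TXT name and value the CA will query."""
    records = []
    for item in filter(None, vlist.split(",")):
        domain, keyauth, _chall, _ctype, dns_api, _authz = item.split("#")
        records.append({"domain": domain,
                        "txtdomain": f"_acme-challenge.{domain}",
                        "expected": expected_txt(keyauth),
                        "dns_api": dns_api})
    return records

def ddnss_update_host(name: str) -> str:
    """Assumption modelled on the log: an update for _acme-challenge.*.<h>.ddnss.de
    is sent as host=<h>.ddnss.de, i.e. the last three labels of the name."""
    return ".".join(name.split(".")[-3:])

def find_collisions(records: list[dict]) -> dict[str, list[str]]:
    """Identifiers whose TXT updates all land on the same ddnss.de host record."""
    by_host = defaultdict(list)
    for r in records:
        if r["dns_api"] == "dns_ddnss":
            by_host[ddnss_update_host(r["txtdomain"])].append(r["domain"])
    return {h: ds for h, ds in by_host.items() if len(ds) > 1}

def preflight(vlist: str, resolve_txt: Callable[[str], list[str]]) -> dict[str, str]:
    """Per-identifier status before the CA is asked to validate. resolve_txt(name)
    returns the TXT strings published for name (a real DNS query in production)."""
    records = parse_vlist(vlist)
    shared = {d for ds in find_collisions(records).values() for d in ds}
    status = {}
    for r in records:
        if r["expected"] in resolve_txt(r["txtdomain"]):
            status[r["domain"]] = "ok"
        elif r["domain"] in shared:
            status[r["domain"]] = "missing (shared record)"
        else:
            status[r["domain"]] = "missing"
    return status

def single_record_zone(vlist: str) -> Callable[[str], list[str]]:
    """Constructed resolver reproducing the log's provider behaviour: one TXT value per
    host, each update overwrites the last, and every _acme-challenge.* name answers with it."""
    zone = {}
    for r in parse_vlist(vlist):
        zone[ddnss_update_host(r["txtdomain"])] = r["expected"]  # later update overwrites
    return lambda name: [v for h, v in zone.items() if ddnss_update_host(name) == h]

if __name__ == "__main__":
    for domain, state in preflight(SAMPLE_VLIST, single_record_zone(SAMPLE_VLIST)).items():
        print(f"{domain}: {state}")
```

With the simulated single-record zone only the last name written (wg) passes, which is the same pattern the log shows when the CA checked the first name; a provider that keeps one record per name reports "ok" for all three.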