Just wanted to share as I spent hours trying to solve this:
Situation:
- OPNsense firewall with ACME client able to create certificates using PAT (Gandi's Personal Access Token, required to create the txt record in the DNS system temporarily)
- for some reason, the PROD ACME environment wasn't able to create a certificate, while the STAGING ACME environment was able to
Solution:
- I logged in to the OPNsense root shell account using SSH
- I copied the last two lines of the STAGING file found here: /var/etc/acme-client/accounts/*_stg/account.conf
- I edited /var/etc/acme-client/accounts/*_prod/account.conf, replacing the last line, GANDI_LIVEDNS_TOKEN, with the last two lines that are in the STAGING account.conf
- then, within the OPNsense web UI, I issued a new PROD certificate, imported it (there's a small button for that), and in System / Settings / Administration switched the two STAG and PROD certificates to obviously use the new valid PROD certificate
I've been trying to solve that for months.
At last!
(where * is for example 64da74b3412297.72803120_prod, or *_stag)
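The copy-the-credential-lines step above, as an added shell example that is not part of the original post or of the OPNsense plugin: it backs up the production account.conf, replaces its GANDI_* lines with the ones from the working staging file, and only ever prints key names, never token values. The function name, the assumption that the credential lines are exactly those starting with GANDI_, and the file paths in the comments are mine.

```shell
#!/bin/sh
# merge_gandi_creds <staging account.conf> <production account.conf>
# Assumed paths: /var/etc/acme-client/accounts/<id>_stg/account.conf and
#                /var/etc/acme-client/accounts/<id>_prod/account.conf
merge_gandi_creds() {
    stg="$1"
    prod="$2"

    [ -r "$stg" ]  || { echo "cannot read $stg" >&2; return 1; }
    [ -r "$prod" ] || { echo "cannot read $prod" >&2; return 1; }

    # Refuse to run if staging carries no Gandi credential lines at all
    # (assumption: the credentials are the lines beginning with GANDI_).
    if ! grep -q '^GANDI_' "$stg"; then
        echo "no GANDI_* lines in $stg" >&2
        return 1
    fi

    # Keep a backup of the production file before touching it.
    cp -p "$prod" "$prod.bak" || return 1

    # New file: everything from prod except its stale GANDI_* lines,
    # followed by the GANDI_* lines that work in staging.
    tmp="$prod.tmp.$$"
    {
        grep -v '^GANDI_' "$prod" || true
        grep '^GANDI_' "$stg"
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    # The file holds a secret: keep it owner-readable only, then swap it in.
    chmod 600 "$tmp" && mv "$tmp" "$prod" || { rm -f "$tmp"; return 1; }

    # Sanity check for the operator: key names only, values are never shown.
    echo "GANDI_* keys now in $prod:"
    grep '^GANDI_' "$prod" | cut -d= -f1
}

# Run directly as: sh merge.sh <staging conf> <prod conf>
if [ "$#" -eq 2 ]; then
    merge_gandi_creds "$1" "$2"
fi
```

After the merge, issue the PROD certificate again from the web UI as the post describes; if the ACME client rewrites the file, diff it against the .bak copy to see what it changed.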
You cannot switch your configuration from staging to production. You need to remove the staging one and recreate the production one from scratch.
Could that be the cause of your problem?