Hello,
We run OPNsense v25.10.2_12 with OPNWAF v2.1 proxy on top of it. There's a commercial wildcard certificate *.example.com installed on the machine. A couple of web sites use the cert with no problem. We also have a bunch of other web sites which use Let's Encrypt certificates managed by the OPNWAF built-in ACME client.
Now I need to set up a web site like a.b.example.com which is obviously not covered by the *.example.com certificate. I've enabled ACME in the respective Virtual Server configuration, but the certificate was not issued. What's worse, when I accept the self-signed fallback certificate, the proxy returns error 503. It does not even try to contact the upstream (back-end) web server.
I tried to set up another web site, ab.example.com. It works with *.example.com but returns 503 when ACME is enabled (and fallback cert accepted). I cannot find any other output, there's no error in /var/log/apache/* log files even when I set logging to debug level. The Apache configuration in /usr/local/etc/apache24/Includes/gateway_vhosts.conf seems to be correct. Can it be that the two certificates (commercial + ACME one) cannot coexist for the same domain?
Thank you,
Ivo
P.S. Every OPNWAF reload takes 2-3 minutes during which one httpd process utilizes 100 % of one CPU core. None of the web sites is working in such a moment of course, which makes a reconfiguration quite difficult. The Apache error log reads "SIGUSR1 received. Doing graceful restart". Can it be that the config check takes so long? We have about 120 virtual hosts at the moment.
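The post rests on the rule that a wildcard name such as *.example.com covers ab.example.com but not a.b.example.com, because the wildcard stands in for exactly one DNS label. The following is an added example (not code from the post, from OPNsense or from OPNWAF) that implements that matching rule and uses it to decide which of several certificates a name-based (SNI) front end can present for a given host name. The certificate list and host names are constructed sample data; the function names are the example's own.

```python
"""Certificate-name matching for wildcard certificates.

Added example; not from the forum post, OPNsense or OPNWAF.
Implements the host-name matching rules of RFC 6125 section 6.4.3 as
applied by common TLS clients:
  * comparison is case-insensitive and a trailing dot on the host is ignored
  * a wildcard is honoured only as the entire left-most label ("*.example.com")
  * the wildcard matches exactly one label, so it never spans a dot
  * a wildcard needs at least two labels to its right (no "*.com")
Partial wildcards ("f*.example.com") are rejected here as a conservative choice.
"""

from typing import Iterable, List, Optional, Sequence, Tuple


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # The wildcard must be the whole left-most label, nothing else may
    # contain '*', and at least two labels must follow it.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False

    # Exactly one label is replaced by the wildcard, so label counts must be
    # equal: "a.b.example.com" has four labels, "*.example.com" has three.
    if len(h_labels) != len(p_labels):
        return False

    # The replaced label must be non-empty and the remaining labels identical.
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def covering_names(names: Iterable[str], hostname: str) -> List[str]:
    """All certificate names from `names` that cover `hostname`."""
    return [n for n in names if cert_name_matches(n, hostname)]


def pick_certificate(certs: Sequence[Tuple[str, Sequence[str]]],
                     hostname: str) -> Optional[str]:
    """Return the id of the first certificate whose names cover hostname.

    `certs` is a list of (certificate_id, [subject names]). This mirrors the
    decision an SNI-based proxy has to make: a host outside every wildcard
    needs its own certificate (for example one issued through ACME).
    """
    for cert_id, names in certs:
        if covering_names(names, hostname):
            return cert_id
    return None


# Constructed sample inventory: one commercial wildcard and one ACME-issued
# certificate for a host that the wildcard cannot cover.
SAMPLE_CERTS = [
    ("commercial-wildcard", ["*.example.com", "example.com"]),
    ("acme-a.b.example.com", ["a.b.example.com"]),
]


if __name__ == "__main__":
    for host in ("ab.example.com", "a.b.example.com", "x.y.example.com"):
        print(f"{host:20} -> {pick_certificate(SAMPLE_CERTS, host)}")
```

To see which certificate a proxy actually presents for a given name, the server-side view can be checked with `openssl s_client -connect <proxy>:443 -servername a.b.example.com`, which sends that SNI name and prints the certificate chain returned; a wildcard certificate showing up there for a multi-label host is the mismatch this example models.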