OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Tubs on May 09, 2020, 04:27:53 am

Title: os-acme - DNS-01 not working with Letsencrypt production environment
Post by: Tubs on May 09, 2020, 04:27:53 am
Hello,

On my OPNsense box 20.1 I changed Letsencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with the staging environment is OK. I get the certificate issued.

But when I change Letsencrypt to production environment I get the following error:

Code:
[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de

With the staging environment, I can also re-issue without any waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?
Title: Re: os-acme - DNS-01 not working with Letsencrypt production environment
Post by: Tubs on May 09, 2020, 05:47:20 am
I got the same issue when changing from the nsupdate method to the PowerDNS API method.
Staging environment is OK but with production environment I get the error above.

I observed the logs of Letsencrypt plugin during renew. It looks like the plugin is ignoring the waiting time defined in the settings. I used standard setting of 120 s.
Title: Re: os-acme - DNS-01 not working with Letsencrypt production environment
Post by: Tubs on May 10, 2020, 08:25:27 am
All is fine again.

There was something set up wrong on the network side and I only checked the logs for the failed attempts. But for some reason the trials with staging did not re-verify ("already verified") and issued the cert, while in the production environment the verification failed.
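The thread never shows what the plugin actually does between "publish the TXT record" and "ask the CA to validate", which is exactly the part that differed between staging (authorizations still valid, nothing re-checked) and production (fresh validation, record not yet visible). The following is an added example, not code from the thread or from the os-acme plugin: it builds the DNS-01 pieces by hand per RFC 8555 and RFC 7638 (key authorization and TXT value from the account key thumbprint), generates an nsupdate stdin script of the RFC 2136 form, and replaces a fixed wait with a poll that confirms the record is actually being served before validation is requested. The account key, token, name server, zone and domain are constructed placeholders, and the resolver is a fake so the script runs offline; in real use `resolve` would be a TXT lookup against the authoritative server.

```python
# Added example (not from the thread or the os-acme plugin): DNS-01 steps done
# by hand, so each can be checked when staging and production behave differently.
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Members that enter the thumbprint, per RFC 7638 section 3.2; "kid", "alg",
# "use" and similar members are deliberately excluded.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: challenge token, '.', thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT record value is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def nsupdate_script(server: str, zone: str, domain: str, txt_value: str, ttl: int = 60) -> str:
    """Stdin script for nsupdate (RFC 2136): drop any stale challenge record, add the new one."""
    name = f"_acme-challenge.{domain}."
    lines = [
        f"server {server}",
        f"zone {zone}.",
        f"update delete {name} TXT",
        f'update add {name} {ttl} TXT "{txt_value}"',
        "send",
    ]
    return "\n".join(lines) + "\n"


def wait_for_txt(resolve, name, expected, timeout=120, interval=10, sleep=time.sleep):
    """Poll resolve(name) (callable returning the TXT strings currently served) until
    `expected` is among them. Returns the number of polls made; raises TimeoutError
    after `timeout` seconds. Run this before asking the CA to validate, instead of
    trusting a fixed wait to cover propagation."""
    elapsed, polls = 0, 0
    while True:
        polls += 1
        if expected in resolve(name):
            return polls
        if elapsed >= timeout:
            raise TimeoutError(f"{name} never served the expected TXT record within {timeout}s")
        sleep(interval)
        elapsed += interval


def record_visible(resolve, name, expected, **kwargs) -> bool:
    """Boolean gate around wait_for_txt for use in an issuance script."""
    try:
        wait_for_txt(resolve, name, expected, **kwargs)
        return True
    except TimeoutError:
        return False


def make_fake_resolver(answers_per_poll):
    """Constructed stand-in for a DNS lookup: yields each answer list in turn, then repeats the last."""
    calls = {"n": 0}

    def resolve(_name):
        idx = min(calls["n"], len(answers_per_poll) - 1)
        calls["n"] += 1
        return answers_per_poll[idx]

    return resolve


# Constructed sample account key and token (placeholders, not real key material).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "example-x-coordinate",
              "y": "example-y-coordinate", "kid": "acct-1"}
SAMPLE_TOKEN = "constructed-challenge-token"

if __name__ == "__main__":
    txt = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(nsupdate_script("ns1.example.net", "example.com", "example.com", txt))
    resolver = make_fake_resolver([[], [], [txt]])  # record appears on the third poll
    polls = wait_for_txt(resolver, "_acme-challenge.example.com", txt, sleep=lambda s: None)
    print("record visible after", polls, "polls")
```

The `update delete` line matters for renewals: a leftover TXT value from an earlier attempt is served alongside the new one, and a validator that picks the stale value fails exactly like the production attempts in the thread, while a staging run whose authorizations were still valid never looks at the record at all.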