OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: morini on September 13, 2021, 11:18:54 pm

Title: acme.sh / letsencrypt plugin: Problem renewing wildcard certificate using desec.
Post by: morini on September 13, 2021, 11:18:54 pm
Hi,

OPNsense version 21.1.9

Automated wildcard certificate renewal failed for me today with

[Mon Sep 13 18:51:46 BST 2021] domain.com:Verify error:Incorrect TXT record

I think I've worked out why from tailing /var/log/acme.sh.log while forcing a renewal from the OPNsense GUI. The acme client tries to create two _acme-challenge.domain.com TXT record entries using the desec.io API, and it looks like when doing this it creates the first one, then deletes it before creating the second. This causes the verification step to fail.

My workaround to get the renewal to go through was to increase the timeout to 300 seconds, then grep acme.sh.log for the two TXT values. I then manually added the first value via the desec.io HTTP GUI (the second value was already there). Verification then worked and my cert was issued fine.

Is there anything I have configured incorrectly or a way of fixing this? I would rather not have to manually intervene every 60 days if possible.

Thanks in advance for any help.
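The failure described above (two TXT values needed at one _acme-challenge name, with the second write dropping the first) can be reproduced in isolation without any DNS provider. The Python below is an added example written for this thread; it is not code from acme.sh, deSEC or the OPNsense plugin. The in-memory zone, the domain name and the key authorizations are constructed stand-ins; the only real-world detail is the DNS-01 TXT value format (base64url of the SHA-256 of the key authorization, without padding).

```python
import base64
import hashlib
from dataclasses import dataclass, field


def dns01_txt_value(key_authorization: str) -> str:
    """TXT value published for a DNS-01 challenge:
    base64url(SHA-256(keyAuthorization)) with the '=' padding removed."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class FakeZone:
    """Constructed stand-in for a provider's RRset API (not deSEC's real API).
    Keys are (owner name, record type); values are the set of record data."""
    rrsets: dict = field(default_factory=dict)

    def set_rrset(self, name: str, rtype: str, values) -> None:
        # Replace semantics: whatever was there before is overwritten.
        self.rrsets[(name, rtype)] = set(values)

    def add_value(self, name: str, rtype: str, value: str) -> None:
        # Additive semantics: read the current RRset and merge the new value.
        current = self.rrsets.get((name, rtype), set())
        self.rrsets[(name, rtype)] = current | {value}

    def lookup(self, name: str, rtype: str) -> frozenset:
        # What a resolver (or the CA's validation server) would see.
        return frozenset(self.rrsets.get((name, rtype), set()))


def publish_challenges(zone: FakeZone, name: str, values, additive: bool) -> frozenset:
    """Publish one TXT value per pending authorization at the same owner name.
    An apex + wildcard order needs two values under _acme-challenge.<domain>."""
    for value in values:
        if additive:
            zone.add_value(name, "TXT", value)
        else:
            zone.set_rrset(name, "TXT", [value])  # each call wipes the previous value
    return zone.lookup(name, "TXT")


def verify_dns01(zone: FakeZone, name: str, expected) -> dict:
    """CA-side check: every expected token must be present in the published RRset.
    A missing token is what acme.sh reports as 'Verify error:Incorrect TXT record'."""
    published = zone.lookup(name, "TXT")
    return {value: value in published for value in expected}


# Constructed key authorizations for the two authorizations (apex and wildcard).
CHALLENGE_NAME = "_acme-challenge.example.com"
KEY_AUTHS = ["apex-token.account-thumbprint", "wildcard-token.account-thumbprint"]
EXPECTED = [dns01_txt_value(k) for k in KEY_AUTHS]


def run(additive: bool) -> dict:
    """Simulate one renewal with replace (False) or additive (True) TXT updates."""
    zone = FakeZone()
    publish_challenges(zone, CHALLENGE_NAME, EXPECTED, additive)
    return verify_dns01(zone, CHALLENGE_NAME, EXPECTED)


if __name__ == "__main__":
    for mode, additive in (("replace", False), ("additive", True)):
        result = run(additive)
        missing = [v for v, ok in result.items() if not ok]
        print(f"{mode:8s} -> missing TXT values: {missing or 'none'}")
```

Running it shows the replace mode leaving only the second value in the zone, so the first authorization fails exactly as in the log line quoted in the post, while the additive mode passes both. The practical check on a live system is the same one used for the workaround: compare the TXT values acme.sh logs against what the zone actually serves for the _acme-challenge name before the validation timeout expires.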
Title: Re: acme.sh / letsencrypt plugin: Problem renewing wildcard certificate using desec.
Post by: morini on November 26, 2021, 10:39:32 am
I guess nobody else is facing this issue? Or perhaps it is just me using deSEC and acme.sh with OPNsense.

Anyway, for anyone finding this via a Google search in the future: I upgraded to OPNsense 21.7.3_3-amd64 and the problem appears to be gone. My wildcard certificate renewed automatically with no issues.