OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Taomyn on August 17, 2018, 11:15:03 am

Title: Let's Encrypt doesn't like sub-domains with no IP
Post by: Taomyn on August 17, 2018, 11:15:03 am
It seems LE doesn't like to create subdomain certificates if there is no IP address assigned to the subdomain. The logs show:


Quote
Aug 17 10:46:31    opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: validation for certificate failed: vpn.mydomain.com
Aug 17 10:46:31    opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: domain validation failed
Aug 17 10:46:17    sshlockout[72021]: sshlockout/webConfigurator v3.0 starting up
Aug 17 10:46:17    opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: The command '/sbin/pfctl -a acme-client -f /var/etc/acme-client/configs/5b7689100289c8.42380781/acme_anchor_rules' returned exit code '1', the output was 'no IP address found for vpn.mydomain.com /var/etc/acme-client/configs/5b7689100289c8.42380781/acme_anchor_rules:1: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'


Would be nice if this was more easily detected and reported, or possibly fixed in some way.


For now I just need to keep remembering to add a CNAME alias record to my DNS server for the domain name internally with the external IP.
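
The detection the post asks for, as an added example that is not part of the original post or of the OPNsense ACME client: it scans system log text for the failed `pfctl -a acme-client` anchor load and reports which hostname had no IP address. The function and pattern names are hypothetical, the sample log is constructed from the lines quoted above, and it assumes the certificate name in the log is the same as the hostname.

```python
import re

# Constructed sample modelled on the log lines quoted in the post (newest first).
SAMPLE_LOG = """\
Aug 17 10:46:31 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: validation for certificate failed: vpn.mydomain.com
Aug 17 10:46:31 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: domain validation failed
Aug 17 10:46:17 sshlockout[72021]: sshlockout/webConfigurator v3.0 starting up
Aug 17 10:46:17 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: The command '/sbin/pfctl -a acme-client -f /var/etc/acme-client/configs/5b7689100289c8.42380781/acme_anchor_rules' returned exit code '1', the output was 'no IP address found for vpn.mydomain.com /var/etc/acme-client/configs/5b7689100289c8.42380781/acme_anchor_rules:1: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded'
"""

# A pfctl call against the acme-client anchor, with its exit code and output.
PFCTL_FAIL = re.compile(
    r"The command '(?P<cmd>/sbin/pfctl -a acme-client [^']*)' "
    r"returned exit code '(?P<rc>\d+)', the output was '(?P<out>.*)'"
)
# pfctl prints this when a hostname in a rule does not resolve.
NO_IP = re.compile(r"no IP address found for (\S+)")
# The generic failure the ACME client logs afterwards.
CERT_FAILED = re.compile(r"AcmeClient: validation for certificate failed: (\S+)")


def diagnose(log_text):
    """Return one finding per hostname that pfctl could not resolve."""
    unresolved, failed_certs = set(), set()
    # Collect into sets first: the log is newest-first, so the generic
    # validation failure appears before the pfctl error that caused it.
    for line in log_text.splitlines():
        m = PFCTL_FAIL.search(line)
        if m and m.group("rc") != "0":
            unresolved.update(NO_IP.findall(m.group("out")))
        m = CERT_FAILED.search(line)
        if m:
            failed_certs.add(m.group(1))
    return [
        {
            "host": host,
            # True when the same name also shows up as a failed certificate.
            "cert_failed": host in failed_certs,
            "cause": "pf anchor rules not loaded: %s has no IP address in "
                     "the DNS view the firewall uses" % host,
        }
        for host in sorted(unresolved)
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding["host"], "-", finding["cause"])
```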