Messages - doktornotor

#76
Quote from: DocGonzo74 on September 06, 2024, 05:24:22 PM
perl5-5.36.3_1: missing file /usr/local/share/licenses/perl5-5.36.3_1/ART10
perl5-5.36.3_1: missing file /usr/local/share/licenses/perl5-5.36.3_1/GPLv1+
perl5-5.36.3_1: missing file /usr/local/share/licenses/perl5-5.36.3_1/LICENSE
perl5-5.36.3_1: missing file /usr/local/share/licenses/perl5-5.36.3_1/catalog.mk

FWIW, these are pretty normal and should not be fatal (break updates) anyway.
#77
Well yes, if you create an explicit one with drop and do NOT log, maybe it gets muted. Or not.
#78
Quote from: rkube on September 06, 2024, 03:58:22 PM
I regularly get this
Quote
pf: dropping packet with ip options
(hundreds per 5 Minutes) also with "downstream-vanilla" 24.7.3_1. Not yet applied 24.7.3-no_sa as cloudz already did.

Maybe a "normal" message with IP-options (MagentaTV?)...

You can get rid of that - see the "allow options" hint here if needed (for IGMP / IPTV etc.)

#79
Quote from: cloudz on September 06, 2024, 03:35:35 PM
Quote from: meyergru on September 06, 2024, 10:13:04 AM
You can easily check if the SA is the culprit by trying the kernel with the SA completely removed via

opnsense-update -zkr 24.7.3-no_sa

and reboot, see this.

With that kernel and the logging set to various errors, the issue is gone. I do get a lot of

Well... no comment. Pretty sure it's a downstream issue @franco  ::) ::) ::)
#80
Quote from: TooTired on September 06, 2024, 02:59:25 PM
I need access to other resources on the host computers' network so I need a TAP interface.

Not really sure why you need TAP for this.
#81
You must disable the HTTPS redirect as already noted. Then it will work. You can re-enable after you have your certificate. Forget about DNS-01 at the moment, you clearly need to do some reading on how the thing works.
#82
24.7, 24.10 Legacy Series / Re: User Privileges
September 06, 2024, 01:52:13 PM
That was a genuine question. A.k.a. don't use cryptic acronyms when asking questions. And, you have that privilege shown right on your screenshot, so - WTH really. Wasting other people's time session for you, or?
#83
24.7, 24.10 Legacy Series / Re: User Language Selection
September 06, 2024, 01:50:00 PM
Quote from: stalane on September 06, 2024, 01:32:59 PM
I am too busy to deal with nonsense. Thanks for lurking.

Likewise. Buh bye...  ::) :o
#84
For the last time:

Your ACME is NOT set up to use DNS-01 so whatever you do in DNS with _acme-challenge.yourtop.news is irrelevant. (And - as also already noted, delegation is done via CNAME, not TXT. TXT is created dynamically via API, you CANNOT prepopulate it manually.)

For HTTP-01 to work, you MUST NOT be redirecting the well-known URL to HTTPS.
#85
24.7, 24.10 Legacy Series / Re: User Privileges
September 06, 2024, 01:26:46 PM
And what exactly is RT dashboard?
#86
24.7, 24.10 Legacy Series / Re: User Language Selection
September 06, 2024, 01:24:58 PM
I was not talking about user config at all. After you have logged in, go to Lobby - Password.
#87
Quote from: meyergru on September 06, 2024, 01:15:23 PM
However, your web server obviously is configured to reply with a 301 redirect to all requests on port 80 to use HTTPS:

Did not even check that, since the OP claims:

Quote
there was no change on server or OPNsense firewall or domain settings. After update it today nothing happens, still doesn't work.

If that was the case, it'd have never worked in the first place. Sigh.
#88
But you are not using DNS-01 at all... why would you be adding that? Plus again, those CNAME records are used for delegation, not validation. https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation


2024-09-06T08:55:24   opnsense   AcmeClient: domain validation failed (http01)
#89
24.7, 24.10 Legacy Series / Re: User Language Selection
September 06, 2024, 12:51:06 PM
Lobby - Password?
#90
Well, normally you renew ACME certificates well in advance, not one day before they expire. As said, making repeated attempts worked here.

Quote
I already did this but didn't solve my problem
_acme-challenge.<YOUR_DOMAIN>

Not sure what you did where really. DNS-01 does not work the way you imagine. The client needs to create the TXT records from the token provided by ACME, dynamically via API with your DNS provider.