Messages - amp

#1
Hi all,

The renewal of certs has not been working anymore for a couple of days, since I upgraded OPNsense to 21.7.7.

During the upgrade the log gave the following error:

*** OPNsense\AcmeClient\AcmeClient Migration failed, check log for details
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OK
=====
Message from acme.sh-3.0.1:

--
This script will create the following directories if they do not exist:

~acme/.acme.sh
~acme/certs

The script will also install ~acme/.acme.sh/account.conf.sample which has
sane defaults.  Copy this to ~acme/.acme.sh/account.conf and edit contents
to suit.

In the /usr/local/share/examples/acme.sh directory, you can find the dnsapi
scripts which will be useful if you decide to use dns-01 challenges. Also
included are the deploy scripts.

A newsyslog.conf sample file is provided at /usr/local/share/examples/acme.sh/acme.sh.conf
and you could create a symlink from that to /usr/local/etc/newsyslog.conf.d/

Your sample cronjob looks like this:

############################################################################
$ sudo crontab -l -u acme
# use /bin/sh to run commands, overriding the default set by cron
SHELL=/bin/sh
# mail any output to here, no matter whose crontab this is
MAILTO=dan@example.org

7 22 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh > /dev/null
############################################################################

Change x & y to some minute and hour of the day.



The first errors I had after the upgrade
https://forum.opnsense.org/index.php?topic=26072.0
I was able to solve by applying the patch
https://github.com/opnsense/plugins/issues/2712#issuecomment-997464895

Renewal of the certs fails now. Syslog (my domain is masked):

Jan  3 11:44:43 opnsense opnsense[87820]: AcmeClient: issue certificate: foo.bar.net
Jan  3 11:44:43 opnsense opnsense[87820]: AcmeClient: using CA: letsencrypt
Jan  3 11:44:43 opnsense opnsense[87820]: AcmeClient: account is registered: rendertaxi
Jan  3 11:44:44 opnsense opnsense[87820]: AcmeClient: using challenge type: DNS Validation
Jan  3 11:44:44 opnsense opnsense[87820]: AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --dns 'dns_hostingde' --dnssleep '120' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/cert.pem' --keypath '/var/etc/acme-client/keys/5d2e0e947b3a33.66367275/private.key' --capath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/chain.pem' --fullchainpath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/fullchain.pem' --domain 'foo.bar.net' --domain '*.foo.bar.net' --days '1' --force  --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf'
Jan  3 11:44:52 opnsense opnsense[87820]: AcmeClient: domain validation failed (dns01)
Jan  3 11:44:52 opnsense opnsense[87820]: AcmeClient: validation for certificate failed: foo.bar.net


acmelog:

Jan  3 11:44:44 opnsense acme.sh[12404]: [Mon Jan  3 11:44:44 CET 2022] Using server: letsencrypt
Jan  3 11:44:44 opnsense acme.sh[32184]: [Mon Jan  3 11:44:44 CET 2022] Running cmd: issue
Jan  3 11:44:44 opnsense acme.sh[53240]: [Mon Jan  3 11:44:44 CET 2022] _main_domain='foo.bar.net'
Jan  3 11:44:44 opnsense acme.sh[79235]: [Mon Jan  3 11:44:44 CET 2022] _alt_domains='*.foo.bar.net'
Jan  3 11:44:44 opnsense acme.sh[94629]: [Mon Jan  3 11:44:44 CET 2022] Using config home:/var/etc/acme-client/home
Jan  3 11:44:44 opnsense acme.sh[15754]: [Mon Jan  3 11:44:44 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
Jan  3 11:44:44 opnsense acme.sh[76233]: [Mon Jan  3 11:44:44 CET 2022] DOMAIN_PATH='/var/etc/acme-client/home/foo.bar.net'
Jan  3 11:44:44 opnsense acme.sh[5928]: [Mon Jan  3 11:44:44 CET 2022] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
Jan  3 11:44:44 opnsense acme.sh[24873]: [Mon Jan  3 11:44:44 CET 2022] _init api for server: https://acme-v02.api.letsencrypt.org/directory
Jan  3 11:44:44 opnsense acme.sh[59329]: [Mon Jan  3 11:44:44 CET 2022] Retrying GET
Jan  3 11:44:44 opnsense acme.sh[83608]: [Mon Jan  3 11:44:44 CET 2022] GET
Jan  3 11:44:44 opnsense acme.sh[96784]: [Mon Jan  3 11:44:44 CET 2022] url='https://acme-v02.api.letsencrypt.org/directory'
Jan  3 11:44:44 opnsense acme.sh[13306]: [Mon Jan  3 11:44:44 CET 2022] timeout=
Jan  3 11:44:44 opnsense acme.sh[29615]: [Mon Jan  3 11:44:44 CET 2022] displayError='1'
Jan  3 11:44:44 opnsense acme.sh[76353]: [Mon Jan  3 11:44:44 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:45 opnsense acme.sh[98824]: [Mon Jan  3 11:44:45 CET 2022] ret='0'
Jan  3 11:44:45 opnsense acme.sh[18549]: [Mon Jan  3 11:44:45 CET 2022] _hcode='0'
Jan  3 11:44:45 opnsense acme.sh[61629]: [Mon Jan  3 11:44:45 CET 2022] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
Jan  3 11:44:45 opnsense acme.sh[84210]: [Mon Jan  3 11:44:45 CET 2022] ACME_NEW_AUTHZ
Jan  3 11:44:45 opnsense acme.sh[1384]: [Mon Jan  3 11:44:45 CET 2022] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
Jan  3 11:44:45 opnsense acme.sh[21111]: [Mon Jan  3 11:44:45 CET 2022] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
Jan  3 11:44:45 opnsense acme.sh[41082]: [Mon Jan  3 11:44:45 CET 2022] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
Jan  3 11:44:45 opnsense acme.sh[56753]: [Mon Jan  3 11:44:45 CET 2022] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
Jan  3 11:44:45 opnsense acme.sh[68532]: [Mon Jan  3 11:44:45 CET 2022] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Jan  3 11:44:45 opnsense acme.sh[14799]: [Mon Jan  3 11:44:45 CET 2022] Le_NextRenewTime
Jan  3 11:44:45 opnsense acme.sh[45977]: [Mon Jan  3 11:44:45 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
Jan  3 11:44:45 opnsense acme.sh[62760]: [Mon Jan  3 11:44:45 CET 2022] _on_before_issue
Jan  3 11:44:45 opnsense acme.sh[80668]: [Mon Jan  3 11:44:45 CET 2022] _chk_main_domain='foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[1100]: [Mon Jan  3 11:44:45 CET 2022] _chk_alt_domains='*.foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[27482]: [Mon Jan  3 11:44:45 CET 2022] Le_LocalAddress
Jan  3 11:44:45 opnsense acme.sh[64486]: [Mon Jan  3 11:44:45 CET 2022] d='foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[73396]: [Mon Jan  3 11:44:45 CET 2022] Check for domain='foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[12087]: [Mon Jan  3 11:44:45 CET 2022] _currentRoot='dns_hostingde'
Jan  3 11:44:45 opnsense acme.sh[48808]: [Mon Jan  3 11:44:45 CET 2022] d='*.foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[70364]: [Mon Jan  3 11:44:45 CET 2022] Check for domain='*.foo.bar.net'
Jan  3 11:44:45 opnsense acme.sh[98838]: [Mon Jan  3 11:44:45 CET 2022] _currentRoot='dns_hostingde'
Jan  3 11:44:45 opnsense acme.sh[49264]: [Mon Jan  3 11:44:45 CET 2022] d
Jan  3 11:44:45 opnsense acme.sh[10003]: [Mon Jan  3 11:44:45 CET 2022] _saved_account_key_hash is not changed, skip register account.
Jan  3 11:44:45 opnsense acme.sh[53587]: [Mon Jan  3 11:44:45 CET 2022] Read key length:4096
Jan  3 11:44:45 opnsense acme.sh[70563]: [Mon Jan  3 11:44:45 CET 2022] _createcsr
Jan  3 11:44:45 opnsense acme.sh[49555]: [Mon Jan  3 11:44:45 CET 2022] Multi domain='DNS:foo.bar.net,DNS:*.foo.bar.net'
Jan  3 11:44:46 opnsense acme.sh[18890]: [Mon Jan  3 11:44:46 CET 2022] Getting domain auth token for each domain
Jan  3 11:44:46 opnsense acme.sh[76378]: [Mon Jan  3 11:44:46 CET 2022] d='*.foo.bar.net'
Jan  3 11:44:46 opnsense acme.sh[32148]: [Mon Jan  3 11:44:46 CET 2022] d
Jan  3 11:44:46 opnsense acme.sh[43832]: [Mon Jan  3 11:44:46 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
Jan  3 11:44:46 opnsense acme.sh[62973]: [Mon Jan  3 11:44:46 CET 2022] payload='{"identifiers": [{"type":"dns","value":"foo.bar.net"},{"type":"dns","value":"*.foo.bar.net"}]}'
Jan  3 11:44:46 opnsense acme.sh[80366]: [Mon Jan  3 11:44:46 CET 2022] RSA key
Jan  3 11:44:47 opnsense acme.sh[96674]: [Mon Jan  3 11:44:47 CET 2022] Retrying post
Jan  3 11:44:47 opnsense acme.sh[11545]: [Mon Jan  3 11:44:47 CET 2022] HEAD
Jan  3 11:44:47 opnsense acme.sh[29978]: [Mon Jan  3 11:44:47 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Jan  3 11:44:47 opnsense acme.sh[60171]: [Mon Jan  3 11:44:47 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  -I  '
Jan  3 11:44:47 opnsense acme.sh[84105]: [Mon Jan  3 11:44:47 CET 2022] _ret='0'
Jan  3 11:44:47 opnsense acme.sh[97145]: [Mon Jan  3 11:44:47 CET 2022] _hcode='0'
Jan  3 11:44:47 opnsense acme.sh[31980]: [Mon Jan  3 11:44:47 CET 2022] Retrying post
Jan  3 11:44:47 opnsense acme.sh[54117]: [Mon Jan  3 11:44:47 CET 2022] POST
Jan  3 11:44:47 opnsense acme.sh[76865]: [Mon Jan  3 11:44:47 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
Jan  3 11:44:47 opnsense acme.sh[97737]: [Mon Jan  3 11:44:47 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:48 opnsense acme.sh[20481]: [Mon Jan  3 11:44:48 CET 2022] _ret='0'
Jan  3 11:44:48 opnsense acme.sh[42102]: [Mon Jan  3 11:44:48 CET 2022] _hcode='0'
Jan  3 11:44:48 opnsense acme.sh[92231]: [Mon Jan  3 11:44:48 CET 2022] code='201'
Jan  3 11:44:48 opnsense acme.sh[94859]: [Mon Jan  3 11:44:48 CET 2022] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/329573360/52315478840'
Jan  3 11:44:48 opnsense acme.sh[25097]: [Mon Jan  3 11:44:48 CET 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/329573360/52315478840'
Jan  3 11:44:48 opnsense acme.sh[22332]: [Mon Jan  3 11:44:48 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/64604828070'
Jan  3 11:44:48 opnsense acme.sh[37582]: [Mon Jan  3 11:44:48 CET 2022] payload
Jan  3 11:44:48 opnsense acme.sh[42352]: [Mon Jan  3 11:44:48 CET 2022] Retrying post
Jan  3 11:44:48 opnsense acme.sh[55627]: [Mon Jan  3 11:44:48 CET 2022] POST
Jan  3 11:44:48 opnsense acme.sh[68263]: [Mon Jan  3 11:44:48 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/64604828070'
Jan  3 11:44:48 opnsense acme.sh[87090]: [Mon Jan  3 11:44:48 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:49 opnsense acme.sh[18149]: [Mon Jan  3 11:44:49 CET 2022] _ret='0'
Jan  3 11:44:49 opnsense acme.sh[39705]: [Mon Jan  3 11:44:49 CET 2022] _hcode='0'
Jan  3 11:44:49 opnsense acme.sh[76562]: [Mon Jan  3 11:44:49 CET 2022] code='200'
Jan  3 11:44:49 opnsense acme.sh[12752]: [Mon Jan  3 11:44:49 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/64604828080'
Jan  3 11:44:49 opnsense acme.sh[27334]: [Mon Jan  3 11:44:49 CET 2022] payload
Jan  3 11:44:49 opnsense acme.sh[68537]: [Mon Jan  3 11:44:49 CET 2022] Retrying post
Jan  3 11:44:49 opnsense acme.sh[84355]: [Mon Jan  3 11:44:49 CET 2022] POST
Jan  3 11:44:49 opnsense acme.sh[3255]: [Mon Jan  3 11:44:49 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/64604828080'
Jan  3 11:44:49 opnsense acme.sh[29169]: [Mon Jan  3 11:44:49 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:49 opnsense acme.sh[59205]: [Mon Jan  3 11:44:49 CET 2022] _ret='0'
Jan  3 11:44:49 opnsense acme.sh[83974]: [Mon Jan  3 11:44:49 CET 2022] _hcode='0'
Jan  3 11:44:49 opnsense acme.sh[29817]: [Mon Jan  3 11:44:49 CET 2022] code='200'
Jan  3 11:44:50 opnsense acme.sh[11890]: [Mon Jan  3 11:44:50 CET 2022] d='foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[35599]: [Mon Jan  3 11:44:50 CET 2022] Getting webroot for domain='foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[60415]: [Mon Jan  3 11:44:50 CET 2022] _w='dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[81312]: [Mon Jan  3 11:44:50 CET 2022] _currentRoot='dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[39024]: [Mon Jan  3 11:44:50 CET 2022] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw","token":"Sea250VI5PxlrdDqjjJW3fyTF-TR0vTjpCLYmxleYjI"'
Jan  3 11:44:50 opnsense acme.sh[95254]: [Mon Jan  3 11:44:50 CET 2022] token='Sea250VI5PxlrdDqjjJW3fyTF-TR0vTjpCLYmxleYjI'
Jan  3 11:44:50 opnsense acme.sh[42282]: [Mon Jan  3 11:44:50 CET 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw'
Jan  3 11:44:50 opnsense acme.sh[59527]: [Mon Jan  3 11:44:50 CET 2022] keyauthorization='Sea250VI5PxlrdDqjjJW3fyTF-TR0vTjpCLYmxleYjI.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE'
Jan  3 11:44:50 opnsense acme.sh[89651]: [Mon Jan  3 11:44:50 CET 2022] dvlist='foo.bar.net#Sea250VI5PxlrdDqjjJW3fyTF-TR0vTjpCLYmxleYjI.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw#dns-01#dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[37298]: [Mon Jan  3 11:44:50 CET 2022] d='*.foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[59803]: [Mon Jan  3 11:44:50 CET 2022] Getting webroot for domain='*.foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[90306]: [Mon Jan  3 11:44:50 CET 2022] _w='dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[6688]: [Mon Jan  3 11:44:50 CET 2022] _currentRoot='dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[11157]: [Mon Jan  3 11:44:50 CET 2022] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA","token":"3UhiXBzJWVow3u3S1nTqO9sNEdfsIIKw5lQSKh_IAQY"'
Jan  3 11:44:50 opnsense acme.sh[44672]: [Mon Jan  3 11:44:50 CET 2022] token='3UhiXBzJWVow3u3S1nTqO9sNEdfsIIKw5lQSKh_IAQY'
Jan  3 11:44:50 opnsense acme.sh[84191]: [Mon Jan  3 11:44:50 CET 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA'
Jan  3 11:44:50 opnsense acme.sh[5274]: [Mon Jan  3 11:44:50 CET 2022] keyauthorization='3UhiXBzJWVow3u3S1nTqO9sNEdfsIIKw5lQSKh_IAQY.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE'
Jan  3 11:44:50 opnsense acme.sh[32829]: [Mon Jan  3 11:44:50 CET 2022] dvlist='*.foo.bar.net#3UhiXBzJWVow3u3S1nTqO9sNEdfsIIKw5lQSKh_IAQY.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA#dns-01#dns_hostingde'
Jan  3 11:44:50 opnsense acme.sh[68492]: [Mon Jan  3 11:44:50 CET 2022] d
Jan  3 11:44:50 opnsense acme.sh[82622]: [Mon Jan  3 11:44:50 CET 2022] vlist='foo.bar.net#Sea250VI5PxlrdDqjjJW3fyTF-TR0vTjpCLYmxleYjI.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw#dns-01#dns_hostingde,*.foo.bar.net#3UhiXBzJWVow3u3S1nTqO9sNEdfsIIKw5lQSKh_IAQY.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA#dns-01#dns_hostingde,'
Jan  3 11:44:50 opnsense acme.sh[40314]: [Mon Jan  3 11:44:50 CET 2022] d='foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[76371]: [Mon Jan  3 11:44:50 CET 2022] _d_alias
Jan  3 11:44:50 opnsense acme.sh[92823]: [Mon Jan  3 11:44:50 CET 2022] txtdomain='_acme-challenge.foo.bar.net'
Jan  3 11:44:50 opnsense acme.sh[47323]: [Mon Jan  3 11:44:50 CET 2022] txt='MlloleVmBCemn4a8FZROWYez0iZcJ3hWfH62dQD7j9o'
Jan  3 11:44:50 opnsense acme.sh[70738]: [Mon Jan  3 11:44:50 CET 2022] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_hostingde.sh'
Jan  3 11:44:50 opnsense acme.sh[91717]: [Mon Jan  3 11:44:50 CET 2022] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_hostingde.sh
Jan  3 11:44:50 opnsense acme.sh[12839]: [Mon Jan  3 11:44:50 CET 2022] Adding txt value: MlloleVmBCemn4a8FZROWYez0iZcJ3hWfH62dQD7j9o for domain:  _acme-challenge.foo.bar.net
Jan  3 11:44:50 opnsense acme.sh[26234]: [Mon Jan  3 11:44:50 CET 2022] Calling: _hostingde_addRecord() '_acme-challenge.foo.bar.net' 'MlloleVmBCemn4a8FZROWYez0iZcJ3hWfH62dQD7j9o'
Jan  3 11:44:50 opnsense acme.sh[98077]: [Mon Jan  3 11:44:50 CET 2022] Error add txt for domain:_acme-challenge.foo.bar.net
Jan  3 11:44:50 opnsense acme.sh[11182]: [Mon Jan  3 11:44:50 CET 2022] _on_issue_err
Jan  3 11:44:50 opnsense acme.sh[30561]: [Mon Jan  3 11:44:50 CET 2022] Please add '--debug' or '--log' to check more details.
Jan  3 11:44:50 opnsense acme.sh[46161]: [Mon Jan  3 11:44:50 CET 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Jan  3 11:44:50 opnsense acme.sh[18664]: [Mon Jan  3 11:44:50 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw'
Jan  3 11:44:50 opnsense acme.sh[33580]: [Mon Jan  3 11:44:50 CET 2022] payload='{}'
Jan  3 11:44:50 opnsense acme.sh[58265]: [Mon Jan  3 11:44:50 CET 2022] Retrying post
Jan  3 11:44:50 opnsense acme.sh[88511]: [Mon Jan  3 11:44:50 CET 2022] POST
Jan  3 11:44:50 opnsense acme.sh[10150]: [Mon Jan  3 11:44:50 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828080/z3wYYw'
Jan  3 11:44:50 opnsense acme.sh[26120]: [Mon Jan  3 11:44:50 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:51 opnsense acme.sh[40502]: [Mon Jan  3 11:44:51 CET 2022] _ret='0'
Jan  3 11:44:51 opnsense acme.sh[57818]: [Mon Jan  3 11:44:51 CET 2022] _hcode='0'
Jan  3 11:44:51 opnsense acme.sh[7112]: [Mon Jan  3 11:44:51 CET 2022] code='200'
Jan  3 11:44:51 opnsense acme.sh[47875]: [Mon Jan  3 11:44:51 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA'
Jan  3 11:44:51 opnsense acme.sh[65940]: [Mon Jan  3 11:44:51 CET 2022] payload='{}'
Jan  3 11:44:51 opnsense acme.sh[99287]: [Mon Jan  3 11:44:51 CET 2022] Retrying post
Jan  3 11:44:51 opnsense acme.sh[26001]: [Mon Jan  3 11:44:51 CET 2022] POST
Jan  3 11:44:51 opnsense acme.sh[52149]: [Mon Jan  3 11:44:51 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/64604828070/Gt4txA'
Jan  3 11:44:51 opnsense acme.sh[76512]: [Mon Jan  3 11:44:51 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
Jan  3 11:44:52 opnsense acme.sh[98525]: [Mon Jan  3 11:44:52 CET 2022] _ret='0'
Jan  3 11:44:52 opnsense acme.sh[19765]: [Mon Jan  3 11:44:52 CET 2022] _hcode='0'
Jan  3 11:44:52 opnsense acme.sh[62464]: [Mon Jan  3 11:44:52 CET 2022] code='200'
Jan  3 11:44:52 opnsense acme.sh[46138]: [Mon Jan  3 11:44:52 CET 2022] Diagnosis versions:  openssl:openssl OpenSSL 1.1.1d-freebsd  24 Aug 2021 apache: apache doesn't exist. nginx: nginx doesn't exist. socat: socat by Gerhard Rieger and contributors - see www.dest-unreach.org socat version 1.7.4.2 on Dec 14 2021 05:02:44    running on FreeBSD version FreeBSD 12.1-RELEASE-p21-HBSD #0  04bde01a034(stable/21.7)-dirty: Mon Dec 13 09:07:56 CET 2021     root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP, release 12.1-RELEASE-p21-HBSD, machine amd64 features:   #define WITH_STDIO 1   #define WITH_FDNUM 1   #define WITH_FILE 1   #define WITH_CREAT 1   #define WITH_GOPEN 1   #define WITH_TERMIOS 1   #define WITH_PIPE 1   #define WITH_UNIX 1   #undef WITH_ABSTRACT_UNIXSOCKET   #define WITH_IP4 1   #define WITH_IP6 1   #define WITH_RAWIP 1   #define WITH_GENERICSOCKET 1   #undef WITH_INTERFACE   #define WITH_TCP 1   #define WITH_UDP 1   #define WITH_SCTP 1   #define WITH_LISTEN 1   #define WITH_SOCKS4 1   #define WITH_SOCKS4A 1   #undef WITH_VSOCK   #define WITH_PROXY 1   #define WITH_SYSTEM 1   #define WITH_EXEC 1   #undef WITH_READLINE   #undef WITH_TUN   #define WITH_PTY 1   #define WITH_OPENSSL 1   #undef WITH_FIPS   #define WITH_LIBWRAP 1   #define WITH_SYCLS 1   #define WITH_FILAN 1   #define WITH_RETRY 1   #define WITH_MSGLEVEL 0 /*debug*/
Jan  3 11:44:52 opnsense acme.sh[60752]: [Mon Jan  3 11:44:52 CET 2022] pid
Jan  3 11:44:52 opnsense acme.sh[91289]: [Mon Jan  3 11:44:52 CET 2022] No need to restore nginx, skip.
Jan  3 11:44:52 opnsense acme.sh[5445]: [Mon Jan  3 11:44:52 CET 2022] _clearupdns
Jan  3 11:44:52 opnsense acme.sh[27800]: [Mon Jan  3 11:44:52 CET 2022] dns_entries
Jan  3 11:44:52 opnsense acme.sh[47561]: [Mon Jan  3 11:44:52 CET 2022] skip dns.


The error occurs when adding the txt:

Error add txt for domain:_acme-challenge.foo.bar.net

When I run acme.sh from the shell I get some more information:

root@opnsense:~ # /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --dns 'dns_hostingde' --dnssleep '120' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/cert.pem' --keypath '/var/etc/acme-client/keys/5d2e0e947b3a33.66367275/private.key' --capath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/chain.pem' --fullchainpath '/var/etc/acme-client/certs/5d2e0e947b3a33.66367275/fullchain.pem' --domain 'foo.bar.net' --domain '*.foo.bar.net' --days '1' --force  --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf'

[Thu Jan  6 13:33:24 CET 2022] Selected server: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan  6 13:33:24 CET 2022] Lets find script dir.
[Thu Jan  6 13:33:24 CET 2022] _SCRIPT_='/usr/local/sbin/acme.sh'
[Thu Jan  6 13:33:24 CET 2022] _script='/usr/local/sbin/acme.sh'
[Thu Jan  6 13:33:24 CET 2022] _script_home='/usr/local/sbin'
[Thu Jan  6 13:33:24 CET 2022] Using config home:/var/etc/acme-client/home
touch: /var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf: No such file or directory
grep: /var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf: No such file or directory
grep: /var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf: No such file or directory
/usr/local/sbin/acme.sh: cannot create /var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf: No such file or directory
grep: /var/etc/acme-client/accounts/5c796d8fbcdf99.52736980_prod/account.conf: No such file or directory
https://github.com/acmesh-official/acme.sh
v3.0.1
[Thu Jan  6 13:33:24 CET 2022] Using server: letsencrypt
[Thu Jan  6 13:33:24 CET 2022] Running cmd: issue
[Thu Jan  6 13:33:24 CET 2022] _main_domain='foo.bar.net'
[Thu Jan  6 13:33:24 CET 2022] _alt_domains='*.foo.bar.net'
[Thu Jan  6 13:33:24 CET 2022] Using config home:/var/etc/acme-client/home
[Thu Jan  6 13:33:24 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan  6 13:33:24 CET 2022] DOMAIN_PATH='/var/etc/acme-client/home/foo.bar.net'
[Thu Jan  6 13:33:24 CET 2022] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan  6 13:33:24 CET 2022] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan  6 13:33:24 CET 2022] Retrying GET
[Thu Jan  6 13:33:24 CET 2022] GET
[Thu Jan  6 13:33:24 CET 2022] url='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jan  6 13:33:24 CET 2022] timeout=
[Thu Jan  6 13:33:24 CET 2022] displayError='1'
[Thu Jan  6 13:33:24 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Thu Jan  6 13:33:25 CET 2022] ret='0'
[Thu Jan  6 13:33:25 CET 2022] _hcode='0'
[Thu Jan  6 13:33:25 CET 2022] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Thu Jan  6 13:33:25 CET 2022] ACME_NEW_AUTHZ
[Thu Jan  6 13:33:25 CET 2022] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jan  6 13:33:25 CET 2022] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Thu Jan  6 13:33:25 CET 2022] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Thu Jan  6 13:33:25 CET 2022] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Thu Jan  6 13:33:25 CET 2022] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jan  6 13:33:25 CET 2022] Le_NextRenewTime
[Thu Jan  6 13:33:25 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Jan  6 13:33:25 CET 2022] _on_before_issue
[Thu Jan  6 13:33:25 CET 2022] _chk_main_domain='foo.bar.net'
[Thu Jan  6 13:33:25 CET 2022] _chk_alt_domains='*.foo.bar.net'
[Thu Jan  6 13:33:25 CET 2022] Le_LocalAddress
[Thu Jan  6 13:33:25 CET 2022] d='foo.bar.net'
[Thu Jan  6 13:33:25 CET 2022] Check for domain='foo.bar.net'
[Thu Jan  6 13:33:25 CET 2022] _currentRoot='dns_hostingde'
[Thu Jan  6 13:33:26 CET 2022] d='*.foo.bar.net'
[Thu Jan  6 13:33:26 CET 2022] Check for domain='*.foo.bar.net'
[Thu Jan  6 13:33:26 CET 2022] _currentRoot='dns_hostingde'
[Thu Jan  6 13:33:26 CET 2022] d
[Thu Jan  6 13:33:26 CET 2022] _saved_account_key_hash is not changed, skip register account.
[Thu Jan  6 13:33:26 CET 2022] Read key length:4096
[Thu Jan  6 13:33:26 CET 2022] _createcsr
[Thu Jan  6 13:33:26 CET 2022] Multi domain='DNS:foo.bar.net,DNS:*.foo.bar.net'
[Thu Jan  6 13:33:26 CET 2022] Getting domain auth token for each domain
[Thu Jan  6 13:33:26 CET 2022] d='*.foo.bar.net'
[Thu Jan  6 13:33:26 CET 2022] d
[Thu Jan  6 13:33:26 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jan  6 13:33:26 CET 2022] payload='{"identifiers": [{"type":"dns","value":"foo.bar.net"},{"type":"dns","value":"*.foo.bar.net"}]}'
[Thu Jan  6 13:33:26 CET 2022] RSA key
[Thu Jan  6 13:33:27 CET 2022] Retrying post
[Thu Jan  6 13:33:27 CET 2022] HEAD
[Thu Jan  6 13:33:27 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Jan  6 13:33:27 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  -I  '
[Thu Jan  6 13:33:27 CET 2022] _ret='0'
[Thu Jan  6 13:33:27 CET 2022] _hcode='0'
[Thu Jan  6 13:33:27 CET 2022] Retrying post
[Thu Jan  6 13:33:27 CET 2022] POST
[Thu Jan  6 13:33:27 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Jan  6 13:33:27 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Thu Jan  6 13:33:28 CET 2022] _ret='0'
[Thu Jan  6 13:33:28 CET 2022] _hcode='0'
[Thu Jan  6 13:33:28 CET 2022] code='201'
[Thu Jan  6 13:33:28 CET 2022] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/329573360/53124436250'
[Thu Jan  6 13:33:28 CET 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/329573360/53124436250'
[Thu Jan  6 13:33:28 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/65583514020'
[Thu Jan  6 13:33:28 CET 2022] payload
[Thu Jan  6 13:33:28 CET 2022] Retrying post
[Thu Jan  6 13:33:28 CET 2022] POST
[Thu Jan  6 13:33:28 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/65583514020'
[Thu Jan  6 13:33:28 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Thu Jan  6 13:33:29 CET 2022] _ret='0'
[Thu Jan  6 13:33:29 CET 2022] _hcode='0'
[Thu Jan  6 13:33:29 CET 2022] code='200'
[Thu Jan  6 13:33:29 CET 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/65583514030'
[Thu Jan  6 13:33:29 CET 2022] payload
[Thu Jan  6 13:33:29 CET 2022] Retrying post
[Thu Jan  6 13:33:29 CET 2022] POST
[Thu Jan  6 13:33:29 CET 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/65583514030'
[Thu Jan  6 13:33:29 CET 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L '
[Thu Jan  6 13:33:30 CET 2022] _ret='0'
[Thu Jan  6 13:33:30 CET 2022] _hcode='0'
[Thu Jan  6 13:33:30 CET 2022] code='200'
[Thu Jan  6 13:33:30 CET 2022] d='foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] Getting webroot for domain='foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] _w='dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] _currentRoot='dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514030/Ks3kiQ","token":"NqH21wESATwki60MYNtGt06UAs_R7bElW5A2v-EXP2I"'
[Thu Jan  6 13:33:30 CET 2022] token='NqH21wESATwki60MYNtGt06UAs_R7bElW5A2v-EXP2I'
[Thu Jan  6 13:33:30 CET 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514030/Ks3kiQ'
[Thu Jan  6 13:33:30 CET 2022] keyauthorization='NqH21wESATwki60MYNtGt06UAs_R7bElW5A2v-EXP2I.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE'
[Thu Jan  6 13:33:30 CET 2022] dvlist='foo.bar.net#NqH21wESATwki60MYNtGt06UAs_R7bElW5A2v-EXP2I.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514030/Ks3kiQ#dns-01#dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] d='*.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] Getting webroot for domain='*.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] _w='dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] _currentRoot='dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514020/ardCyw","token":"3-3qwWGR0E30V0eGTVFHh9Wxzkd_Ck6BHaCy6zZd94c"'
[Thu Jan  6 13:33:30 CET 2022] token='3-3qwWGR0E30V0eGTVFHh9Wxzkd_Ck6BHaCy6zZd94c'
[Thu Jan  6 13:33:30 CET 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514020/ardCyw'
[Thu Jan  6 13:33:30 CET 2022] keyauthorization='3-3qwWGR0E30V0eGTVFHh9Wxzkd_Ck6BHaCy6zZd94c.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE'
[Thu Jan  6 13:33:30 CET 2022] dvlist='*.foo.bar.net#3-3qwWGR0E30V0eGTVFHh9Wxzkd_Ck6BHaCy6zZd94c.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514020/ardCyw#dns-01#dns_hostingde'
[Thu Jan  6 13:33:30 CET 2022] d
[Thu Jan  6 13:33:30 CET 2022] vlist='foo.bar.net#NqH21wESATwki60MYNtGt06UAs_R7bElW5A2v-EXP2I.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514030/Ks3kiQ#dns-01#dns_hostingde,*.foo.bar.net#3-3qwWGR0E30V0eGTVFHh9Wxzkd_Ck6BHaCy6zZd94c.AVhMEMapT1sSrxLP7o0dVJ5mlBYNqPkDe8i--3kHCSE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/65583514020/ardCyw#dns-01#dns_hostingde,'
[Thu Jan  6 13:33:30 CET 2022] d='foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] _d_alias
[Thu Jan  6 13:33:30 CET 2022] txtdomain='_acme-challenge.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] txt='IEKL2-_kW-TShCi_xUfkVC38E1bbB9L-PSurlFha7bo'
[Thu Jan  6 13:33:30 CET 2022] d_api
[Thu Jan  6 13:33:30 CET 2022] Can not find dns api hook for: dns_hostingde
[Thu Jan  6 13:33:30 CET 2022] You need to add the txt record manually.
[Thu Jan  6 13:33:30 CET 2022] Add the following TXT record:
[Thu Jan  6 13:33:30 CET 2022] Domain: '_acme-challenge.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] TXT value: 'IEKL2-_kW-TShCi_xUfkVC38E1bbB9L-PSurlFha7bo'
[Thu Jan  6 13:33:30 CET 2022] Please be aware that you prepend _acme-challenge. before your domain
[Thu Jan  6 13:33:30 CET 2022] so the resulting subdomain will be: _acme-challenge.foo.bar.net
[Thu Jan  6 13:33:30 CET 2022] d='*.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] _d_alias
[Thu Jan  6 13:33:30 CET 2022] txtdomain='_acme-challenge.foo.bar.net'
[Thu Jan  6 13:33:30 CET 2022] txt='X5h9WLxWt2Z4u-uCfgCFD8KTpSFcipYRUSj0zrZlwt4'
[Thu Jan  6 13:33:30 CET 2022] d_api
[Thu Jan  6 13:33:30 CET 2022] Can not find dns api hook for: dns_hostingde
[Thu Jan  6 13:33:30 CET 2022] You need to add the txt record manually.
[Thu Jan  6 13:33:31 CET 2022] Add the following TXT record:
[Thu Jan  6 13:33:31 CET 2022] Domain: '_acme-challenge.foo.bar.net'
[Thu Jan  6 13:33:31 CET 2022] TXT value: 'X5h9WLxWt2Z4u-uCfgCFD8KTpSFcipYRUSj0zrZlwt4'
[Thu Jan  6 13:33:31 CET 2022] Please be aware that you prepend _acme-challenge. before your domain
[Thu Jan  6 13:33:31 CET 2022] so the resulting subdomain will be: _acme-challenge.foo.bar.net
[Thu Jan  6 13:33:31 CET 2022] Dns record not added yet, so, save to /var/etc/acme-client/home/foo.bar.net/foo.bar.net.conf and exit.
[Thu Jan  6 13:33:31 CET 2022] Please add the TXT records to the domains, and re-run with --renew.
[Thu Jan  6 13:33:31 CET 2022] _on_issue_err
[Thu Jan  6 13:33:31 CET 2022] Please add '--debug' or '--log' to check more details.
[Thu Jan  6 13:33:31 CET 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Thu Jan  6 13:33:31 CET 2022] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1d-freebsd  24 Aug 2021
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.2 on Dec 14 2021 05:02:44
   running on FreeBSD version FreeBSD 12.1-RELEASE-p21-HBSD #0  04bde01a034(stable/21.7)-dirty: Mon Dec 13 09:07:56 CET 2021     root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP, release 12.1-RELEASE-p21-HBSD, machine amd64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #undef WITH_VSOCK
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
[Thu Jan  6 13:33:31 CET 2022] pid
[Thu Jan  6 13:33:31 CET 2022] No need to restore nginx, skip.
[Thu Jan  6 13:33:31 CET 2022] _clearupdns
[Thu Jan  6 13:33:31 CET 2022] dns_entries
[Thu Jan  6 13:33:31 CET 2022] skip dns.


When adding the TXT record for the domain, the DNS API hook seems to be missing:

[Thu Jan  6 13:33:30 CET 2022] Can not find dns api hook for: dns_hostingde
[Thu Jan  6 13:33:30 CET 2022] You need to add the txt record manually.


I can find the dns_hostingde script in /usr/local/share/examples/acme.sh/dnsapi:

root@opnsense:/usr/local/share/examples/acme.sh/dnsapi # ls | grep hosting
dns_hostingde.sh

The acme.sh script does not seem to find it. Where does the API script need to go?

Thanks for your help.

Best, Alex
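As an added example (not part of the post above and not code from the acme.sh project), the following POSIX sh script reconstructs the order in which acme.sh searches for a DNS API hook, so the "Can not find dns api hook" line can be checked against the directories on the box. Assumptions: the candidate list is my reading of `_findHook()` in acme.sh 3.x (per-domain hook directories are left out), `SCRIPT_HOME` is the directory holding the acme.sh script (assumed to be /usr/local/sbin on this install), and `WORKING_DIR` is the `--home` directory, which the log above shows as /var/etc/acme-client/home. The directory tree in `demo_lookup` is constructed for the dry run.

```shell
#!/bin/sh
# Added example; not from the post above and not code from the acme.sh project.
# It reconstructs the order in which acme.sh looks for a DNS API hook, so you
# can see which directory a dnsapi script must be in for "Can not find dns api
# hook" to go away. The candidate list is my reading of _findHook() in
# acme.sh 3.x and is an assumption: compare it with the copy on your box.

# find_dns_hook SCRIPT_HOME WORKING_DIR HOOK
#   SCRIPT_HOME  directory containing the acme.sh script itself
#   WORKING_DIR  the acme.sh --home directory (the log above shows
#                /var/etc/acme-client/home)
#   HOOK         hook name from the log, e.g. dns_hostingde
# Prints the first candidate that exists and returns 0; returns 1 otherwise.
# The FreeBSD package's example directory
# (/usr/local/share/examples/acme.sh/dnsapi) is not among the candidates.
find_dns_hook() {
    script_home=$1 working_dir=$2 hook=$3
    for cand in \
        "$script_home/dnsapi/$hook"  "$script_home/dnsapi/$hook.sh" \
        "$working_dir/$hook"         "$working_dir/$hook.sh" \
        "$working_dir/dnsapi/$hook"  "$working_dir/dnsapi/$hook.sh"
    do
        if [ -f "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# demo_lookup
#   Builds a throw-away tree shaped like the box in the post (acme.sh in sbin,
#   the hook only under share/examples), runs the lookup, copies the hook into
#   WORKING_DIR/dnsapi and runs it again. Prints "before=... after=...".
demo_lookup() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/acmehook.XXXXXX")
    mkdir -p "$root/sbin" "$root/home" "$root/share/examples/acme.sh/dnsapi"
    : > "$root/sbin/acme.sh"
    printf '#!/bin/sh\n# constructed stand-in for the real hook\n' \
        > "$root/share/examples/acme.sh/dnsapi/dns_hostingde.sh"

    # same layout as in the post: hook present in examples, nowhere else
    before=$(find_dns_hook "$root/sbin" "$root/home" dns_hostingde || echo missing)

    # put a copy where the lookup actually looks
    mkdir -p "$root/home/dnsapi"
    cp "$root/share/examples/acme.sh/dnsapi/dns_hostingde.sh" "$root/home/dnsapi/"
    after=$(find_dns_hook "$root/sbin" "$root/home" dns_hostingde || echo missing)

    rm -rf "$root"
    printf 'before=%s after=%s\n' "$before" "${after#"$root/"}"
}

demo_lookup
```

On the firewall the call would be `find_dns_hook /usr/local/sbin /var/etc/acme-client/home dns_hostingde`; if it prints nothing, acme.sh will not find the hook either, regardless of what `ls` in the examples directory shows.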
#2
Hi Fright,

the patch you mentioned fixed my errors. Thanks! I mark this as solved.

Alex
#3
Dear all,

I had to reinstall our OPNsense on a Netboard A10 because of a failing SD card. I installed a fresh 21.7.7 from a nano image and loaded the backed-up configuration.

All went fine so far; only the acme plugin gives errors:

/usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:572:
[OPNsense\AcmeClient\AcmeClient:validations.validation.88315961-72eb-48dd-b681-e7f966e36ce3.tlsalpn_acme_interface] option not in list
[OPNsense\AcmeClient\AcmeClient:validations.validation.7b2234ad-7d70-4fdf-90c3-4a9ca0bcfa23.tlsalpn_acme_interface] option not in list


when I test the config. Also, I can't change any settings in the plugin as it always throws this error and asks me to correct it.

I checked the config.xml and found the validation method "7b2234ad-7d70-4fdf-90c3-4a9ca0bcfa23" under certificates and also under "validations".

The error points to the TLS-ALPN-01 validation method, which I don't use and have not configured.

How can i fix this in the config?

I already submitted the bug report via the WebGUI; here are the PHP errors again:

[20-Dec-2021 17:30:51 Europe/Berlin] Phalcon\Validation\Exception: [OPNsense\AcmeClient\AcmeClient:validations.validation.88315961-72eb-48dd-b681-e7f966e36ce3.tlsalpn_acme_interface] option not in list
[OPNsense\AcmeClient\AcmeClient:validations.validation.7b2234ad-7d70-4fdf-90c3-4a9ca0bcfa23.tlsalpn_acme_interface] option not in list
in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:572
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php(224): OPNsense\Base\BaseModel->serializeToConfig()
#1 [internal function]: OPNsense\AcmeClient\Api\ServiceController->resetAction()
#2 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\ServiceController), 'resetAction', Array)
#3 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#4 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle('/api/acmeclient...')
#5 {main}
[20-Dec-2021 18:31:25 Europe/Berlin] Phalcon\Validation\Exception: [OPNsense\AcmeClient\AcmeClient:validations.validation.88315961-72eb-48dd-b681-e7f966e36ce3.tlsalpn_acme_interface] option not in list
in /usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:572
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(256): OPNsense\Base\BaseModel->serializeToConfig()
#1 /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php(422): OPNsense\Base\ApiMutableModelControllerBase->save()
#2 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php(66): OPNsense\Base\ApiMutableModelControllerBase->delBase('validations.val...', '7b2234ad-7d70-4...')
#3 [internal function]: OPNsense\AcmeClient\Api\ValidationsController->delAction('7b2234ad-7d70-4...')
#4 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\ValidationsController), 'delAction', Array)
#5 [internal function]: Phalcon\Dispatcher\AbstractDispatcher->dispatch()
#6 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle('/api/acmeclient...')
#7 {main}


Also, when I try to reset the Acme client settings it won't do it because of the given error; I should first fix the error.

Thanks for your support! Alex
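As an added example (not from the post above and not OPNsense code), the following script lists the AcmeClient validation entries in a config.xml whose `tlsalpn_acme_interface` value is not in a given list of interface identifiers, i.e. the kind of value that trips an "option not in list" check. Assumptions: the element layout (`<validations><validation uuid="...">` with a child `<tlsalpn_acme_interface>`) is inferred from the model path in the error message, not taken from the OPNsense sources; the sample config is constructed and its interface names are made up, only the two uuids are the ones from the error above.

```shell
#!/bin/sh
# Added example, not from the forum post or from OPNsense. It scans a
# config.xml for AcmeClient <validation> entries whose tlsalpn_acme_interface
# names an interface that is not in the list you pass in, which is the kind of
# value the "option not in list" error above complains about. The element
# layout is assumed from the model path in the error message.

# list_bad_tlsalpn_iface CONFIG_XML "iface1 iface2 ..."
#   prints "<uuid> <interface>" for every validation whose
#   tlsalpn_acme_interface is set but not in the allowed list
list_bad_tlsalpn_iface() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /<validation uuid="/ {
            # remember the uuid of the entry we are inside
            match($0, /uuid="[^"]*"/)
            uuid = substr($0, RSTART + 6, RLENGTH - 7)
        }
        /<tlsalpn_acme_interface>/ {
            # self-closing <tlsalpn_acme_interface/> (unset) does not match here
            v = $0
            sub(/.*<tlsalpn_acme_interface>/, "", v)
            sub(/<\/tlsalpn_acme_interface>.*/, "", v)
            if (v != "" && !(v in ok)) print uuid, v
        }
    ' "$1"
}

# write_sample_config FILE
#   constructed excerpt for a dry run; uuids are the two from the error,
#   everything else is made up
write_sample_config() {
    cat > "$1" <<'EOF'
<opnsense>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
  </interfaces>
  <OPNsense>
    <AcmeClient>
      <validations>
        <validation uuid="88315961-72eb-48dd-b681-e7f966e36ce3">
          <name>hosting.de DNS-01</name>
          <method>dns01</method>
          <tlsalpn_acme_interface>opt3</tlsalpn_acme_interface>
        </validation>
        <validation uuid="7b2234ad-7d70-4fdf-90c3-4a9ca0bcfa23">
          <name>HTTP-01 on LAN</name>
          <method>http01</method>
          <tlsalpn_acme_interface>lan</tlsalpn_acme_interface>
        </validation>
      </validations>
    </AcmeClient>
  </OPNsense>
</opnsense>
EOF
}

# dry run: only the entry pointing at the non-existent opt3 is reported
cfg=$(mktemp "${TMPDIR:-/tmp}/cfg.XXXXXX")
write_sample_config "$cfg"
list_bad_tlsalpn_iface "$cfg" "wan lan"
rm -f "$cfg"
```

On a real box, pass the saved /conf/config.xml and the interface identifiers (wan, lan, opt1, ...) that exist under `<interfaces>` in that same file; each line printed is a validation entry to open and fix, or remove, before the reset will go through.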
#4
Good Evening Franco,

does it make sense if I test the patch first? Correct me if I am wrong, but I just have to

# opnsense-patch -c plugins e4a7d97 (which is the correct commit number, btw.)

to install the patch?

Best, Alexander
#5
Thanks for the hint - I made the changes to the corresponding files on GitHub according to the mentioned blueprints and made a pull request which is now approved.
#6
Dear all,
I would like to issue certificates with the LetsEncrypt plugin. I am on 19.1.3 and the acme plugin is version 1.20.

The DNS Provider is hosting.de, and as we want to issue Wildcard Certs, we plan to use the DNS-01 Validation method.

The acme.sh project by NeilPang provides a script for the hosting.de API, but the plugin does not yet list it.

Would it be possible to add this to the list of available DNS Services: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_hostingde.sh
Looking forward to your replies.

Good Evening, Alexander
#7
Hi franco,

thanks for the patch. Ping to the firewall and back to the mobile client is working now!

Rule on the firewall is set to
"IPv4 *    *    *    *    *    *       Allow IPsec traffic any to any".

It seems not possible to restrict access further to
"IPv4 *    ipsec_net     *    LAN net    *    *       Allow IPsec traffic to LAN net";
then the traffic will be blocked (ipsec_net is an alias for the virtual subnet of the IPsec road warriors).
Is there any possibility to restrict access to subnets, or is it necessary to keep the any-to-any rule?

This was tested now on a VM test install. I will report after the update of the production system when 17.1.4 is out.

Alex
#8
Hi, thanks for your replies.

I installed the new kernel

# opnsense-update -bkr 17.1.3-next

and rebooted, but it did not change the behaviour of blocking the traffic on the IPsec interface.

If I have a rule
IPv4 *    ipsec_net     *    LAN net    *    *       Allow IPsec traffic to LAN net
on the IPsec interface (where ipsec_net is an alias for my 10.10.1.0/24 road warrior subnet),
then the traffic is blocked in the log on the IPsec interface:
X   Mar 24 16:04:16    IPsec    10.10.1.1    192.168.2.1    ICMP

If I change the rule on IPsec to
IPv4 *    *    *    *    *    *       Allow IPsec traffic any to any
then the traffic is passed on IPsec but blocked on WAN:
X     Mar 24 16:07:01    WAN    10.10.1.1    192.168.2.1    ICMP
>     Mar 24 16:07:01    IPsec    10.10.1.1    192.168.2.1    ICMP

So am I missing a rule on WAN again to allow IPsec traffic? In my understanding, also according to the docs https://docs.opnsense.org/manual/how-tos/sslvpn_client.html, this would not be necessary.

Looking forward to your replies.

Best, Alex
#9
Hi all,

I am experiencing issues with IPsec and the firewall on the 17.1 release. I currently run 17.1.3 on an appliance by Deciso. We have had this appliance here for a couple of weeks now.

Basically the firewall is blocking traffic on the IPsec interface for road warriors even with an "IPv4 *    *    *    *    *    *" any-to-any rule. Basic ping tests show blocked in the firewall log despite the allow rule. It would be better to restrict the rule to only allow the remote road warrior subnet to the LAN net, but for testing I set it to allow any to any.

I did a test install in a VM with 16.7.14 and the basic setup with IPsec and firewall, and it works: I can ping the IP of the firewall itself. Then I upgraded to 17.1 and it did not work any more; the ping is blocked by the firewall. I reverted to the former snapshot and it worked again.

For both versions, 16.7.14 and 17.1.3, I exported the firewall rules from /tmp/rules.debug and tried to compare them, but as the writing is quite different (the v16 file has nice comments while the new one does not) I can't find the difference between them to figure out the missing rule in 17.

Here are the two rules.debug files; hopefully you can compare them better and see what might be missing or wrong in 17.1.3.

First rules 16.7.14 (working config)

OPNsense 16.7.14_2-amd64 FreeBSD 10.3-RELEASE-p14 OpenSSL 1.0.2j 26 Sep 2016

set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 201000
set limit src-nodes 201000

# System aliases
loopback = "{ lo0 }"
IPsec = "{ enc0 }"
LAN = "{ vtnet1 }"
WAN = "{ vtnet0 }"

# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"

# User Aliases
table <ipsec_net> {   10.10.1.0/24 }
ipsec_net = "<ipsec_net>"

# Gateways
GWWAN_DHCP = " route-to ( vtnet0 192.168.0.1 ) "
GWNull4 = " route-to ( lo0 127.0.0.1 ) "
GWNull6 = " route-to ( lo0 ::1 ) "


set loginterface vtnet1

set skip on pfsync0

scrub on $LAN all   
scrub on $WAN all   

no nat proto carp
no rdr proto carp

# Outbound NAT rules (automatic)

# Subnets to NAT
tonatsubnets  = "{ 127.0.0.0/8 192.168.2.1/32 10.10.1.0/24 }"
nat  on $WAN from $tonatsubnets to any port 500 -> 192.168.0.49/32  static-port
nat  on $WAN from $tonatsubnets to any -> 192.168.0.49/32 port 1024:65535 

# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vtnet1 proto tcp from any to ( vtnet1 ) port { 443 80 }


#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all  label "Default deny rule IPv6"
block out log inet6 all  label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass log quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136}  keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136}  keep state
pass out log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136}  keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136}  keep state
pass in log quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136}  keep state
pass in log quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136}  keep state

# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any
block log quick inet proto { tcp, udp } from any to any port = 0
block log quick inet6 proto { tcp, udp } from any port = 0 to any
block log quick inet6 proto { tcp, udp } from any to any port = 0

# SSH lockout
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to (self) port 443  label "webConfiguratorlockout"
block in log quick from <virusprot> to any label "virusprot overload table"
antispoof log for $LAN
antispoof log for $WAN
# allow our DHCP client out to the WAN
pass in log on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out log on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

# loopback
pass in log on $loopback inet all label "pass IPv4 loopback"
pass out log on $loopback inet all label "pass IPv4 loopback"
pass in log on $loopback inet6 all label "pass IPv6 loopback"
pass out log on $loopback inet6 all label "pass IPv6 loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out log inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out log inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out log route-to ( vtnet0 192.168.0.1 ) from 192.168.0.49 to !192.168.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out log on $IPsec all keep state label "IPsec internal host to host"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in log quick on vtnet1 proto tcp from any to (vtnet1) port { 443 80 } keep state label "anti-lockout rule"

# User-defined rules follow
pass  in log  quick  on $IPsec inet from $ipsec_net to 192.168.2.1/32 keep state  label "USER_RULE: Allow IPsec traffic to LAN net"
pass  in  quick  on $WAN inet proto tcp  from any to 192.168.0.49 port 443  allow-opts flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto esp  from any to 192.168.0.49 keep state  label "USER_RULE: IPSec ESP"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto { tcp udp }  from any to 192.168.0.49 port 500 keep state  label "USER_RULE: IPSec ISAKMP"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto { tcp udp }  from any to 192.168.0.49 port 4500 keep state  label "USER_RULE: IPSec NAT-T"

# VPN Rules
pass out log on $WAN   proto udp from any to  any  port = 500 keep state label "IPsec: MobileIPsec - outbound isakmp"
pass in log on $WAN   proto udp from  any  to any port = 500 keep state label "IPsec: MobileIPsec - inbound isakmp"
pass out log on $WAN   proto udp from any to  any  port = 4500 keep state label "IPsec: MobileIPsec - outbound nat-t"
pass in log on $WAN   proto udp from  any  to any port = 4500 keep state label "IPsec: MobileIPsec - inbound nat-t"
pass out log on $WAN   proto esp from any to  any  keep state label "IPsec: MobileIPsec - outbound esp proto"
pass in log on $WAN   proto esp from  any  to any keep state label "IPsec: MobileIPsec - inbound esp proto"


then 17.1.3 (not working)

OPNsense 17.1.3-amd64 FreeBSD 11.0-RELEASE-p8 OpenSSL 1.0.2k 26 Jan 2017

set ruleset-optimization basic
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 201000
set limit src-nodes 201000

# System aliases
loopback = "{ lo0 }"
IPsec = "{ enc0 }"
LAN = "{ vtnet1 }"
WAN = "{ vtnet0 }"

# SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Other tables
table <virusprot>
table <bogons> persist file "/usr/local/etc/bogons"

# User Aliases
table <ipsec_net> {   10.10.1.0/24 }
ipsec_net = "<ipsec_net>"
### define internal aliases
table <internal-enc0> {  }
table <internal-enc0ip> {  }
table <internal-lan> { 192.168.2.1 }
table <internal-lanip> { 192.168.2.1 }
table <internal-wan> { 192.168.0.0 }
table <internal-wanip> { 192.168.0.49 }

# Gateways
GWWAN_DHCP = " route-to ( vtnet0 192.168.0.1 ) "
GWNull4 = " route-to ( lo0 127.0.0.1 ) "
GWNull6 = " route-to ( lo0 ::1 ) "


set loginterface vtnet1

set skip on pfsync0

scrub on $LAN all   
scrub on $WAN all   

no nat proto carp
no rdr proto carp

# Outbound NAT rules (automatic)

# Subnets to NAT
tonatsubnets  = "{ 127.0.0.0/8 192.168.2.1/32 10.10.1.0/24 }"
nat  on $WAN from $tonatsubnets to any port 500 -> 192.168.0.49/32  static-port
nat  on $WAN from $tonatsubnets to any -> 192.168.0.49/32 port 1024:65535 

# Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on vtnet1 proto tcp from any to ( vtnet1 ) port { 443 80 }

antispoof log for vtnet1
antispoof log for vtnet0
#pass in  log quick on lo0 inet6 from {any} to {any} label "Pass all loopback IPv6"
#block in  log quick inet6 from {any} to {any} label "Block all IPv6"
block in  log inet from {any} to {any} label "Default deny rule"
block in  log inet6 from {any} to {any} label "Default deny rule"
pass in  log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
block in  log quick inet proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet6 proto {tcp udp}  from {any}  port {0} to {any}
block in  log quick inet proto {tcp udp}  from {any} to {any}  port {0}
block in  log quick inet6 proto {tcp udp}  from {any} to {any}  port {0}
#block in log quick proto carp from {(self)} to {any}
pass in  log quick proto carp from {any} to {any}
block in log quick proto tcp from {<sshlockout>} to {(self)}  port {22} label "sshlockout"
block in log quick proto tcp from {<webConfiguratorlockout>} to {(self)}  port {443} label "webConfiguratorlockout"
block in  log quick from {<virusprot>} to {any} label "virusprot overload table"
#block in log quick on lo0 from {<bogons>} to {any} label "block bogon IPv4 networks from loopback"
#block in log quick on lo0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from loopback"
#block in log quick on lo0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from loopback"
#block in log quick on enc0 from {<bogons>} to {any} label "block bogon IPv4 networks from IPsec"
#block in log quick on enc0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from IPsec"
#block in log quick on enc0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from IPsec"
#block in log quick on vtnet1 from {<bogons>} to {any} label "block bogon IPv4 networks from LAN"
#block in log quick on vtnet1 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from LAN"
#block in log quick on vtnet1 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from LAN"
#block in log quick on vtnet0 from {<bogons>} to {any} label "block bogon IPv4 networks from WAN"
#block in log quick on vtnet0 from {<bogonsv6>} to {any} label "block bogon IPv6 networks from WAN"
#block in log quick on vtnet0 from {10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fc00::/7} to {any} label "Block private networks from WAN"
pass in log on vtnet0 proto udp from {any}  port {67} to {any}  port {68} label "allow DHCP client on WAN"
pass out log on vtnet0 proto udp from {any}  port {68} to {any}  port {67} label "allow DHCP client on WAN"
pass in  log quick on lo0 from {any} to {any} label "pass loopback"
pass out log from {any} to {any} keep state allow-opts label "let out anything from firewall host itself"
pass out log on enc0 from {any} to {any} keep state label "IPsec internal host to host"
pass in log quick on vtnet1 proto tcp from {any} to {(self)}  port {443 80} keep state label "anti-lockout rule"
pass out log route-to ( vtnet0 192.168.0.1 ) from 192.168.0.49 to !192.168.0.0/24 keep state allow-opts label "let out anything from firewall host itself"

# User-defined rules follow
pass  in log  quick  on $IPsec inet from $ipsec_net to 192.168.2.1/32 keep state  label "USER_RULE: Allow IPsec traffic to LAN net"
pass  in  quick  on $WAN inet proto tcp  from any to 192.168.0.49 port 443  allow-opts flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto esp  from any to 192.168.0.49 keep state  label "USER_RULE: IPSec ESP"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto { tcp udp }  from any to 192.168.0.49 port 500 keep state  label "USER_RULE: IPSec ISAKMP"
pass  in  quick  on $WAN reply-to ( vtnet0 192.168.0.1 ) inet proto { tcp udp }  from any to 192.168.0.49 port 4500 keep state  label "USER_RULE: IPSec NAT-T"

# VPN Rules
pass out log on $WAN   proto udp from any to  any  port = 500 keep state label "IPsec: MobileIPsec - outbound isakmp"
pass in log on $WAN   proto udp from  any  to any port = 500 keep state label "IPsec: MobileIPsec - inbound isakmp"
pass out log on $WAN   proto udp from any to  any  port = 4500 keep state label "IPsec: MobileIPsec - outbound nat-t"
pass in log on $WAN   proto udp from  any  to any port = 4500 keep state label "IPsec: MobileIPsec - inbound nat-t"
pass out log on $WAN   proto esp from any to  any  keep state label "IPsec: MobileIPsec - outbound esp proto"
pass in log on $WAN   proto esp from  any  to any keep state label "IPsec: MobileIPsec - inbound esp proto"


I left all IPs in the file as it is a test VM and WAN is connected to my main LAN.

I hope I can help debugging this. If you need anything else, tell me.

Best, Alex
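As an added example (not from the post above and not OPNsense code), the following POSIX sh helpers do the comparison the post describes as hard: both rules.debug dumps are normalised (comments, blank lines, braces, commas, `= ` in port matches and whitespace differences removed), then `comm(1)` prints the rules that exist in only one of the two files. The sample rulesets written by `write_sample_rulesets` are constructed excerpts taken from the two dumps above. Rules that differ in keywords (`in` versus no direction, `all` versus `from any to any`) still show up as different, which is intended: those are exactly the lines worth reading.

```shell
#!/bin/sh
# Added example, not from the forum post or from OPNsense. Two rules.debug
# files from different releases differ in comments, brace style and spacing,
# which hides the real differences. These helpers normalise both files and
# print the rules that exist in only one of them.

# normalize_rules FILE
#   drop comments and blank lines, remove braces and commas, collapse
#   whitespace, turn "port = 0" into "port 0", then sort so comm(1) can
#   compare the two sets line by line
normalize_rules() {
    LC_ALL=C sed -e 's/#.*$//' \
                 -e 's/[{},]/ /g' \
                 -e 's/[[:space:]][[:space:]]*/ /g' \
                 -e 's/ = / /g' \
                 -e 's/^ //' -e 's/ $//' \
                 -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# rules_only_in FILE_A FILE_B
#   normalised rules present in FILE_A but absent from FILE_B
rules_only_in() {
    a=$(mktemp "${TMPDIR:-/tmp}/rules.XXXXXX")
    b=$(mktemp "${TMPDIR:-/tmp}/rules.XXXXXX")
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# write_sample_rulesets DIR
#   constructed excerpts copied from the two dumps in the post, so the
#   script can be tried without a firewall at hand
write_sample_rulesets() {
    cat > "$1/rules-16.7" <<'EOF'
# default deny rules
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block log quick inet proto { tcp, udp } from any port = 0 to any
# User-defined rules follow
pass  in log  quick  on $IPsec inet from $ipsec_net to 192.168.2.1/32 keep state  label "USER_RULE: Allow IPsec traffic to LAN net"
pass in log on $WAN   proto esp from  any  to any keep state label "IPsec: MobileIPsec - inbound esp proto"
EOF
    cat > "$1/rules-17.1" <<'EOF'
block in  log inet from {any} to {any} label "Default deny rule"
block in  log quick inet proto {tcp udp}  from {any}  port {0} to {any}
# User-defined rules follow
pass  in log  quick  on $IPsec inet from $ipsec_net to 192.168.2.1/32 keep state  label "USER_RULE: Allow IPsec traffic to LAN net"
pass in log on $WAN proto esp from any to any keep state label "IPsec: MobileIPsec - inbound esp proto"
EOF
}

# dry run on the constructed excerpts; on a real box pass the two saved
# /tmp/rules.debug files instead
d=$(mktemp -d "${TMPDIR:-/tmp}/pfcmp.XXXXXX")
write_sample_rulesets "$d"
echo "== only in 16.7 =="
rules_only_in "$d/rules-16.7" "$d/rules-17.1"
echo "== only in 17.1 =="
rules_only_in "$d/rules-17.1" "$d/rules-16.7"
rm -rf "$d"
```

The user rule and the ESP rule, which differ only in spacing between the two dumps, are filtered out; what remains is the `block out` default deny that the 16.7 excerpt has and the 17.1 excerpt lacks, plus the rewritten port-0 and default-deny lines.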
#10
Hi all, I would like to say hello; this is my first post on the forum. I am a new OPNsense user on a Deciso appliance.

I am also having similar issues: VPN traffic is blocked by the firewall despite the rules set.

@SystemSh0cker, can you elaborate on your solution a bit more? I think I don't yet completely understand how you have done it.
Did you back up the complete config, then delete all firewall rules besides the one:

"IPv4*     *    *    LAN net    *    * "

and then restore only the firewall rules from the backup again?

Thanks for clarifying.