Messages - liceo

#1
Hi all

I have noticed that mDNS traffic went up to 150 Mbit/s in a school network (lots of Apple gear) and saw that it was caused by mDNS. I could stop this by disabling the mDNS proxy on the passive HA node.

Maybe because of this, the switch "Enable CARP Failover" was introduced. The problem: when I turn on "Enable CARP Failover", the mDNS forwarder stops immediately. Does anyone experience the same issue?


#2
Hi all

After upgrading to 25.1.10, performing a HA sync will cause a CARP failover. I didn't experience this behaviour before. Does anyone else have this issue?
#3
I don't know for Samba, but a Windows DC can run with an external DNS server. The important aspect is: The DNS server needs to allow dynamic updates. This way, the DC creates all relevant DNS entries (including SRV) needed for operation.
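As an added example (not from the thread, Windows or Samba): the post above says the DC registers its own SRV records if the DNS server accepts dynamic updates. The script replays the core part of that record set by hand with nsupdate, signed with a TSIG key so the zone can be limited to that key rather than opened with allow-update { any; }, and checks afterwards that the names clients need to find a DC actually resolve. A real DC registers more records than these (GUID-based, _kpasswd, pdc); example.com, dc1.example.com, the key file and the site name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor documentation: the record
# set a domain controller registers through DNS dynamic update, replayed by
# hand with nsupdate so the update path and the result can be checked.
# example.com, dc1.example.com, the TSIG key file and the site name are
# assumptions.

# Emit an nsupdate transaction that registers a DC's host record plus the
# core SRV records clients use to locate it. Args: AD domain, DC FQDN, DC IPv4,
# optional AD site name.
dc_dns_update_batch() {
    domain=$1; dc=$2; ip=$3; site=${4:-Default-First-Site-Name}
    cat <<EOF
server ${DNS_SERVER:-127.0.0.1}
zone $domain
update add $dc 900 A $ip
update add _ldap._tcp.$domain 600 SRV 0 100 389 $dc
update add _kerberos._tcp.$domain 600 SRV 0 100 88 $dc
update add _kerberos._udp.$domain 600 SRV 0 100 88 $dc
update add _ldap._tcp.dc._msdcs.$domain 600 SRV 0 100 389 $dc
update add _ldap._tcp.$site._sites.$domain 600 SRV 0 100 389 $dc
update add _gc._tcp.$domain 600 SRV 0 100 3268 $dc
send
EOF
}

# Send the transaction signed with a TSIG key (file as written by tsig-keygen),
# so the zone can be restricted to that key instead of allow-update { any; }.
dc_dns_update_apply() {
    keyfile=$1; shift
    dc_dns_update_batch "$@" | nsupdate -k "$keyfile"
}

# Names every domain member has to resolve to find a DC; one per line.
dc_required_srv() {
    domain=$1
    printf '%s\n' "_ldap._tcp.$domain" "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain" "_ldap._tcp.dc._msdcs.$domain" "_gc._tcp.$domain"
}

# Query the server for each required SRV name; report the missing ones and
# return non-zero if any are absent.
dc_srv_check() {
    rc=0
    for name in $(dc_required_srv "$1"); do
        if [ -z "$(dig +short SRV "$name" @"${DNS_SERVER:-127.0.0.1}")" ]; then
            printf 'missing: %s\n' "$name"; rc=1
        fi
    done
    return $rc
}

# Dry run on the assumed names: show the transaction without sending it.
dc_dns_update_batch example.com dc1.example.com 10.0.0.5
```

Set DNS_SERVER to the external DNS server, run `dc_dns_update_apply /path/to/Kdc1.key example.com dc1.example.com 10.0.0.5` once the zone's update policy grants that key, then `dc_srv_check example.com`. The point of the key is least privilege: a zone that accepts unsigned updates from any address lets any host on the network rewrite where clients find their DC.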
#4
Quote
Had the same issue on a wildcard cert. Solved it by removing the SAN entry.
The SAN value will still be present on the final cert.

You're right, it has something to do with the SAN. For testing I have removed all SANs and the validation is working again. But when removing the SANs, they are also removed from the certificate, of course.

But it's kinda weird: after removing the SAN equal to the domain it worked again. Now I can add the other SAN (e.g. *.domain.com) again and it still seems to work..

So many thanks for the hint @Modaeus!
#5
I tried with the Zone ID key already, same result. I can't see any TXT records, but the ACME plugin normally removes them after validation. Maybe I'm too slow to catch it. I also tried to add the key manually, but on every round ACME generates a new key.
#6
Quote from: Monviech on May 29, 2024, 04:08:39 PM
If its a customer who is complaining, why not just buy a certificate? Getting a wildcard certificate for the domain/s fixes the problem instantly and it doesn't cost much for a business.

Agree, but I would like to fix THIS problem. It was working for years; now something seems to have changed.
#7
Some more logs...


2024-05-29T14:56:40 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_prod/account.conf'
2024-05-29T14:56:40 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T14:56:40 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T14:56:40 opnsense AcmeClient: using CA: letsencrypt
2024-05-29T14:56:40 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T14:56:40 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: validation for certificate failed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: domain validation failed (dns01)
2024-05-29T12:54:44 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf''
2024-05-29T12:54:29 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf'
2024-05-29T12:54:29 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T12:54:29 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T12:54:29 opnsense AcmeClient: using CA: letsencrypt_test
2024-05-29T12:54:29 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T12:54:29 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
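As an added example (not from the thread, the OPNsense acme-client plugin or acme.sh): every acme.sh command line logged above passes --domain 'mydomain.com' twice, which is what a SAN entry equal to the common name produces, and post #4 found validation working again once that SAN was removed. Whether the duplicate is what makes the Cloudflare TXT add fail is not confirmed in the thread, but it is the first thing to check. The script extracts the --domain list from such a log line and flags any name passed more than once, and adds a polling check for the _acme-challenge TXT record at the zone's own authoritative server, since the plugin removes the record after validation and a caching resolver may never show it. The sample command line is constructed from the log above (mydomain.com is the post's placeholder), and dig is assumed to be installed (bind-tools on FreeBSD).

```shell
#!/bin/sh
# Added example, not part of the thread or of the OPNsense acme-client plugin:
# pull the --domain values out of a logged acme.sh invocation and flag any
# name that appears twice, then watch the zone's own name server for the
# _acme-challenge TXT record. Assumes dig is installed (bind-tools on FreeBSD).

# Constructed sample, shortened from the acme.sh command line quoted in the
# log above: the CN and a SAN both equal to mydomain.com become two identical
# --domain arguments.
SAMPLE_CMD="/usr/local/sbin/acme.sh --issue --server 'letsencrypt' --dns 'dns_cf' --dnssleep '300' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096'"

# Print each --domain value in order, one per line.
acme_domains() {
    printf '%s\n' "$1" | grep -o -- "--domain '[^']*'" | sed "s/^--domain '\(.*\)'$/\1/"
}

# Print the names passed more than once; empty output means the list is clean.
acme_duplicate_domains() {
    acme_domains "$1" | sort | uniq -d
}

# Poll the zone's first authoritative name server (bypassing any resolver
# cache) for the DNS-01 TXT record, for up to $2 seconds (default 60).
# Prints the record and returns 0 as soon as it is visible, 1 on timeout.
acme_watch_txt() {
    domain=$1; limit=${2:-60}; i=0
    ns=$(dig +short NS "$domain" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record for $domain" >&2; return 2; }
    while [ "$i" -lt "$limit" ]; do
        txt=$(dig +short TXT "_acme-challenge.$domain" @"$ns")
        if [ -n "$txt" ]; then printf '%s\n' "$txt"; return 0; fi
        sleep 1; i=$((i + 1))
    done
    return 1
}

# Check the constructed sample.
dups=$(acme_duplicate_domains "$SAMPLE_CMD")
if [ -n "$dups" ]; then
    printf 'same name passed more than once to acme.sh: %s\n' "$dups"
fi
```

Paste the "running acme.sh command:" line from the plugin log into SAMPLE_CMD, or read it from `/var/log/acmeclient/latest.log` with grep, and start `acme_watch_txt mydomain.com 300` in a second shell before triggering the renewal; 300 matches the --dnssleep value in the log.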
#8
Same problem here, one of my websites' certs has expired now!! No clue how to fix it, and the customer is already complaining. Running

AcmeClient: domain validation failed (dns01)

acme.sh seems to have problems adding the TXT, but I can't see why..

[Wed May 29 12:54:39 CEST 2024] Add txt record error.

This is getting urgent!
#9
Quote from: wntrmt on March 23, 2024, 02:32:05 PM
same here. my opnsense vm suddenly lost configuration and i am unable to restore it because it throws mentioned error

proxmox 8.1.4
@wntrmt Lost config? This seems to be something else.

I think I could solve the "arp" problem by deactivating the hardware acceleration features on the interfaces. Now OPNsense survives a quick disconnect from the network again.
#10
Just happened again. This is a serious issue! The only way to solve this is to reboot the VM..
#11
Weird... never have seen something like this. Maybe related to FreeBSD?

The main problem is that the failover also does not work properly. Failover works, but it tries to fail back and then loses the connection completely.
#12
Hi all

I had a short interruption on a physical switch which is connected to a Hyper-V host. On the Hyper-V host, there is an OPNsense running (for years).

After the connection went up again, the OPNsense was unable to recover from the short outage and the box stayed completely disconnected while throwing the error "arprequest_internal: cannot find matching address". The only way to bring the OPNsense back was a reboot!

I have recreated the virtual switch on Hyper-V and removed Zenarmor just to isolate the problem. No success.

Does someone experience the same? Any ideas?
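As an added example (not from the thread or from OPNsense): post #9 above worked around the arprequest_internal failure by turning off the hardware acceleration features on the interfaces. The script parses FreeBSD ifconfig output for the offload options that are currently enabled (checksum offload, TSO, LRO) and emits the ifconfig command that disables exactly those, so the change can be tried and verified on the hn(4) Hyper-V interface before being made permanent. The ifconfig output is constructed; hn0 and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: list the hardware
# offload options enabled on a FreeBSD interface and build the ifconfig
# command that turns them off. The ifconfig output below is constructed;
# hn0 (the Hyper-V synthetic NIC driver) and the addresses are assumptions.

SAMPLE_IFCONFIG='hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=48018b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,LINKSTATE,TXCSUM_IPV6>
	ether 00:15:5d:01:02:03
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
	media: Ethernet autoselect (10Gbase-T <full-duplex>)
	status: active'

# Print the offload-related options found in the options=<...> line, one per
# line, in the order ifconfig lists them. Returns 1 if none are enabled.
offloads_enabled() {
    printf '%s\n' "$1" \
      | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' \
      | tr ',' '\n' \
      | grep -E '^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO)$'
}

# Map each enabled option to the ifconfig flag that clears it and print the
# resulting command. Args: interface name, ifconfig output for that interface.
offload_disable_cmd() {
    flags=""
    for o in $(offloads_enabled "$2"); do
        case $o in
            RXCSUM)      flags="$flags -rxcsum" ;;
            TXCSUM)      flags="$flags -txcsum" ;;
            RXCSUM_IPV6) flags="$flags -rxcsum6" ;;
            TXCSUM_IPV6) flags="$flags -txcsum6" ;;
            TSO4)        flags="$flags -tso4" ;;
            TSO6)        flags="$flags -tso6" ;;
            LRO)         flags="$flags -lro" ;;
        esac
    done
    [ -n "$flags" ] && printf 'ifconfig %s%s\n' "$1" "$flags"
}

# Live variant: read the running interface and print the command to apply.
offload_disable_live() {
    offload_disable_cmd "$1" "$(ifconfig "$1")"
}

# Demonstration on the constructed output.
offloads_enabled "$SAMPLE_IFCONFIG"
offload_disable_cmd hn0 "$SAMPLE_IFCONFIG"
```

Run `offload_disable_live hn0 | sh` as root to apply the change to the running system; it does not survive a reboot. Once the workaround is confirmed, set the equivalent checkboxes under Interfaces: Settings (hardware checksum, TSO and LRO offloading) in the OPNsense GUI so the configuration persists, and re-run `offloads_enabled "$(ifconfig hn0)"` after the next boot to verify.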
#13
High availability / Re: CARP WAN VIP not reachable
December 11, 2023, 11:02:49 AM
Ah, ok. But maybe you could also try disabling SR-IOV..
#14
High availability / Re: CARP WAN VIP not reachable
December 10, 2023, 09:28:30 AM
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
#15
High availability / CARP WAN VIP not reachable
December 09, 2023, 08:27:37 PM
@danbet Do you also run OPNsense on Hyper-V?