Messages - allan

#1
My remaining certificates renewed this morning. Under "Services > ACME Client > Log Files > System Log tab", do you see a non-zero value for "AcmeClient: AcmeClient: The shell command returned exit code 'n'"? Are you able to cat out the file at the end of that line? On my error post above, it is /var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf. Until I hit Reset ACME Client, that file did not exist. You can also try increasing the ACME logging level from "normal" to "debug" before the next renewal.
#2
Further searches through this forum produced the following links:

The scenario made sense as I recently migrated to new hardware and imported config.xml. The recommendation is to click on Reset ACME Client. I was presented the following (emphasis mine) and I am confident this is the solution.

Quote: This will remove ALL certificates, private keys, CSRs from ACME Client and reset all certificate and account states. However, existing certificates will remain in OPNsense trust storage. The ACME Client will automatically regenerate everything on its next scheduled run. This is most useful when importing a config backup to a new firewall. Continue?
#3
I notice I have the same problem on 25.7.2. All 3 of my certificates failed to renew but it works when I manually click on the button to "Issue or renew certificate". Acme-client logs show the error: 'host.domain.tld' is not an issued domain, skipping.

System log for the failure says:
AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6027eeb80684e4.42843464' --certpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/cert.pem' --keypath '/var/etc/acme-client/keys/6027eeb80684e4.42843464/private.key' --capath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/fullchain.pem' --domain 'host.domain.tld' --days '60'   --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''

System log for the successful renewal says:
AcmeClient: The shell command returned exit code '0': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6027eeb80684e4.42843464' --certpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/cert.pem' --keypath '/var/etc/acme-client/keys/6027eeb80684e4.42843464/private.key' --capath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/fullchain.pem' --domain 'host.domain.tld' --days '60' --force  --keylength 'ec-384' --accountconf '/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''
I see 3 differences between the shell commands. Perhaps one of them is the difference between a successful and failed renewal.
  • --renew (failed) vs --force
  • --force (succeeds)
  • --ecc (failed)
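An added example, not code from this thread or from the OPNsense ACME plugin, that does the comparison in the post above mechanically: it pulls the exit code and the acme.sh command out of each AcmeClient log line, splits the command with shlex, and lists the options that are present in only one command or carry different values. The two log lines are the thread's, abridged to the options that matter.

```python
import re
import shlex

# Constructed sample: the failed and successful AcmeClient system-log lines from
# this thread, abridged to the options that matter (long path options dropped).
FAILED_LINE = ("AcmeClient: The shell command returned exit code '2': "
               "'/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' "
               "--webroot /var/etc/acme-client/challenges --domain 'host.domain.tld' --days '60' "
               "--keylength 'ec-384' --ecc --accountconf "
               "'/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''")
OK_LINE = ("AcmeClient: The shell command returned exit code '0': "
           "'/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' "
           "--webroot /var/etc/acme-client/challenges --domain 'host.domain.tld' --days '60' "
           "--force --keylength 'ec-384' --accountconf "
           "'/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''")

# The outer pair of single quotes wraps the whole command; the quotes inside it
# belong to the shell command itself and are left for shlex to interpret.
LOG_RE = re.compile(r"returned exit code '(\d+)': '(.*)'$")

def parse_log_line(line):
    """Return (exit_code, {option: value}) for one AcmeClient log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an AcmeClient shell-command log line")
    code, tokens = int(m.group(1)), shlex.split(m.group(2))
    opts = {}
    i = 1  # tokens[0] is the acme.sh path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            opts[tok] = tokens[i + 1]   # option with an argument, e.g. --days '60'
            i += 2
        else:
            opts[tok] = True            # bare flag such as --ecc or --force
            i += 1
    return code, opts

def diff_options(a, b):
    """Options that are present in only one command or carry different values."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

failed_code, failed_opts = parse_log_line(FAILED_LINE)
ok_code, ok_opts = parse_log_line(OK_LINE)
DIFF = diff_options(failed_opts, ok_opts)

if __name__ == "__main__":
    print(f"failed: exit {failed_code}   ok: exit {ok_code}")
    for opt, (fv, ov) in DIFF.items():
        print(f"{opt:<14} failed={fv!r:<8} ok={ov!r}")
```

On the thread's two lines the only differences it reports are --renew and --ecc (failed run only) against --issue and --force (successful run only); every option with an argument, including --keylength and --accountconf, is identical.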
#4
Quote from: Fabian Wenk on July 22, 2025, 05:18:10 PM
On OPNsense and other BSD systems (including macOS) it is much simpler to use like this:

 % date -r 1752053171
Wed Jul  9 11:26:11 CEST 2025

As far as I know this does not work on Linux systems.

On Linux, it is this:

$ date -d @1752053171
Wed Jul  9 04:26:11 AM CDT 2025

#5
25.1, 25.4 Series / Re: Unbound to DNSMasq
May 12, 2025, 09:17:08 PM
Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
The devs are caught in the middle with the ISC deprecation. Running EOL software is not an option in certain environments and Kea does not offer the same options. This gives users two paths with supported options depending on what their priority is. ISC is still there if EOL is fine. These additional choices bring extra support complexity so I think the devs would prefer not adding dnsmasq. Personally, I would prefer not running 2 DNS servers as well but hostname registration is important to me.
#6
25.1, 25.4 Series / Re: Unbound to DNSMasq
May 12, 2025, 08:37:42 PM
Quote from: milkywaygoodfellas on May 12, 2025, 07:02:19 PM
Still no support for registering DHCP leases from anything other than ISC DHCP?
Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. This is covered in the documentation and walks you through the setup. I recommend someone create a sticky with a link to this doc since there are a lot of questions and discussions right now.
#7
I am also having trouble with my captive portal under 25.1. I use "Enforce Local Group" to lock down access to a specific group, but the portal denies the logins; I've double-checked my credentials. What group privileges should I enable to allow access? I tried "All pages" as a test but it did not work.

As for the captive portal pop up, I ran tcpdump against my iOS connection. It got the HTTP 302 and connected to the portal with TLS1.2. I then see:

Alert (Level: Fatal, Description: Protocol Version)
This is the server response after Client Hello. It seems lighttpd no longer accepts TLS1.2 and requires TLS1.3 to connect.

Edit: Opened Github Issue 8300 for the TLS version.
#8
I am having trouble with my captive portal. The portal requires a username and password, and I assigned a group under "Enforce Local Group" to restrict the users allowed. But this doesn't seem to work under 25.1. I get an error message saying "DENY user (x.x.x.x)" in portalauth/latest.log. Group privileges are set to "Nothing selected" after the upgrade. As a test, I tried setting privileges to "All pages" but authentication still fails.

Is there a specific privilege that allows captive portal logins?
#9
24.7, 24.10 Series / Re: Aliases broken
August 29, 2024, 03:06:26 PM
Is there a common alias type whose data is missing? Are manually entered Host(s) and Port(s) aliases empty as well?

Logs for URL Table alias fetches are in Firewall > Log Files > General.
#10
24.7, 24.10 Series / Re: IPsec issues with 24.7.2
August 29, 2024, 01:49:43 AM
Quote from: guyp2k on August 28, 2024, 06:27:42 PM
Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPSEC tunnels dropping. I am terminating between a Sonicwall 2650 and OPNSense, prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

The Sonicwall does not have PFS enabled. This is confirmed by the missing MODP_2048 in received proposals. You should pick "default" for your ESP.
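An added example, not code from the thread or from strongSwan, that checks the reasoning above against the quoted charon lines: it parses each ESP proposal into its cipher/integrity transforms and its DH group, then reports when the peer's proposal matches a local one in everything except the DH group, which is exactly what a peer with PFS disabled looks like in the log.

```python
import re

# Constructed sample: the charon log lines quoted in the post above.
CHARON_LOG = """\
2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]
"""

# strongSwan DH group names (MODP_*, ECP_*, CURVE_*); a DH group inside a
# CHILD_SA (ESP) proposal is what "PFS enabled" means on the wire.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
PROPOSAL_RE = re.compile(r"\[CFG\] (configured|received) proposals: (.*)$")

def parse_proposal(text):
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ' -> (proto, core, dh)."""
    proto, _, transforms = text.partition(":")
    parts = transforms.split("/")
    dh = frozenset(p for p in parts if p.startswith(DH_PREFIXES))
    core = tuple(p for p in parts if p not in dh)   # cipher, integrity, ESN flag
    return proto, core, dh

def proposals_from_log(log):
    """Collect the configured and received proposal lists from charon output."""
    found = {"configured": [], "received": []}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] = [parse_proposal(p.strip()) for p in m.group(2).split(",")]
    return found

def diagnose(configured, received):
    """(kind, proto, core, dh-detail) per received proposal; 'pfs-missing' is the thread's case."""
    findings = []
    for rproto, rcore, rdh in received:
        for cproto, ccore, cdh in configured:
            if (cproto, ccore) != (rproto, rcore):
                continue                        # different cipher/integrity set, not interesting
            if cdh and not rdh:
                findings.append(("pfs-missing", rproto, "/".join(rcore), tuple(sorted(cdh))))
            elif cdh == rdh:
                findings.append(("match", rproto, "/".join(rcore), ()))
            else:
                findings.append(("dh-mismatch", rproto, "/".join(rcore), tuple(sorted(cdh ^ rdh))))
    return findings or [("no-common-cipher-set", None, None, ())]

PROPOSALS = proposals_from_log(CHARON_LOG)
FINDINGS = diagnose(PROPOSALS["configured"], PROPOSALS["received"])
```

For the quoted lines the single finding is pfs-missing for ESP AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ with the local side requiring MODP_2048, which is the conclusion drawn in the post.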
#11
Quote from: franco on August 23, 2024, 11:32:50 AM
It actually doesn't matter if we test on FreeBSD or OPNsense kernel because we talk about the same code change.

I'm late to the party, but I got the impression that upstream thinks we did this to ourselves by choosing to diverge from their kernel. Would validating it on a vanilla FreeBSD kernel as @Uwe suggested remove that argument? It is a slippery slope.


Quote from: doktornotor on August 24, 2024, 12:49:34 PM
I'm seriously discouraged from spending time experimenting with all that stuff to find out what else got broken on the way to report it only to be told "that's downstream problem".

Can a quick A-B test with their kernel help here as well? Now, this assumes our kernels are not bifurcated to the extent we lose functionality or significantly affect production. I also do not know how feasible this is, or how much work is involved to do this. It was just a thought after reading @Uwe's comment.
#12
Using the ULA for loopback is a great solution. When I was setting this up, I ended up creating a Dynamic IPv6 Host alias of my WAN SLAAC, and using that as my redirect target. I might switch to using your method instead.
#13
I am not running this hardware, but have you checked out this thread? OP mentioned turning off X2APIC so it might apply here as well.

https://www.reddit.com/r/freebsd/comments/136o9xi/freebsd_on_dell_r730xd_woes/
#14
I can confirm that Bridge Mode must be set to "Disable" if you have static IP addresses assigned. But, /32 is not the correct subnet mask. Check the Static IP Information page for your account. Write down the usable IP range, subnet mask and gateway IP listed there. Then, take that gateway IP and confirm it is setup on your modem. It is listed as "WAN Static IP Address (IPv4)" under the Gateway > Connection > Comcast Network page. If you do not see that entry or if the IP address is different, contact Comcast Business Support. They need to provision that static IP on your modem. Those tend to get lost whenever Support reinitializes the modem. They sometimes think that is a quick fix when you call them for support.
#15
Quote from: Alec246 on May 23, 2024, 12:03:19 PM
Tried everything, IPv6 still goes off :/

If you have not done it already, I suggest turning on Debug logging under Interfaces > Settings > IPv6 DHCP header.