Messages - morini

#1
I guess nobody else is facing this issue? Or perhaps it is just me using deSEC and acme.sh with OPNsense.

Anyway, for anyone finding this via a google search in the future, I upgraded to OPNsense 21.7.3_3-amd64 and the problem appears to be gone. My wildcard certificate renewed automatically with no issues.
#2
Hi,

OPNsense version 21.1.9

Automated wildcard certificate renewal failed for me today with

[Mon Sep 13 18:51:46 BST 2021] domain.com:Verify error:Incorrect TXT record

I think I've worked out why from tailing /var/log/acme.sh.log while forcing a renewal from the OPNsense GUI. The ACME client tries to create two _acme-challenge.domain.com TXT record entries using the desec.io API, and it looks like, when doing this, it creates the first one and then deletes it before creating the second. This causes the verification step to fail.

My workaround to get the renewal to go through was to increase the timeout to 300 seconds and then grep acme.sh.log for the two TXT values. I then manually added the first value via the desec.io HTTP GUI (the second value was already there). Verification then worked and my cert was issued fine.

Is there anything I have configured incorrectly or a way of fixing this? I would rather not have to manually intervene every 60 days if possible.

Thanks in advance for any help.
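For anyone trying to understand the failure described in the post above: an ACME order covering both domain.com and *.domain.com produces two dns-01 challenges, and per RFC 8555 both TXT values live under the same name, _acme-challenge.domain.com, so they must coexist in one record set. If a DNS API is RRset-oriented (a write replaces the whole set), then adding the second value as a single-record write silently drops the first, which is consistent with the "creates the first one then deletes it" behaviour seen in the log. The following is an added example, not code from acme.sh, OPNsense or deSEC; `FakeRRsetApi` is a constructed in-memory stand-in for such an API (the replace-on-write semantics is an assumption about the cause, not verified against deSEC's API), and the key authorizations are made up. It contrasts the clobbering write with a read-merge-write, and adds the pre-check a client should run before asking the CA to validate:

```python
"""Why a wildcard dns-01 order needs two TXT values at one name, and how an
RRset-replacing DNS API loses one of them.

Added example; not code from acme.sh, OPNsense or deSEC. FakeRRsetApi is a
constructed in-memory stand-in for an RRset-oriented DNS API in which a write
replaces the whole record set (assumed here, not verified against deSEC).
"""
import base64
import hashlib


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    unpadded. For domain.com and *.domain.com the record name is the same
    (_acme-challenge.domain.com), so the two values must share one RRset."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class FakeRRsetApi:
    """Constructed stand-in: records are keyed by (subname, type) and a put()
    replaces the whole RRset, so two single-record puts leave only the last."""

    def __init__(self, zone: str):
        self.zone = zone
        self._rrsets: dict[tuple[str, str], set[str]] = {}

    def get(self, subname: str, rtype: str) -> set[str]:
        return set(self._rrsets.get((subname, rtype), set()))

    def put(self, subname: str, rtype: str, records) -> None:
        self._rrsets[(subname, rtype)] = set(records)


def add_txt_replace(api: FakeRRsetApi, subname: str, value: str) -> None:
    """The failure mode: write only the new value, clobbering what was there."""
    api.put(subname, "TXT", [f'"{value}"'])


def add_txt_merge(api: FakeRRsetApi, subname: str, value: str) -> None:
    """The fix: read the current RRset, add the value, write back the union."""
    records = api.get(subname, "TXT")
    records.add(f'"{value}"')
    api.put(subname, "TXT", records)


def provision(api, add_fn, key_authorizations):
    """Provision one TXT value per authorization (one per identifier in the
    order) and return the RRset as the CA's resolver would see it."""
    for ka in key_authorizations:
        add_fn(api, "_acme-challenge", dns01_txt_value(ka))
    return api.get("_acme-challenge", "TXT")


def precheck(api, key_authorizations):
    """Before asking the CA to validate: is every expected value present?
    Returns (ok, sorted list of missing values)."""
    expected = {f'"{dns01_txt_value(ka)}"' for ka in key_authorizations}
    present = api.get("_acme-challenge", "TXT")
    return expected <= present, sorted(expected - present)


# Constructed key authorizations ("<token>.<JWK thumbprint>"), one for
# domain.com and one for *.domain.com. Both token and thumbprint are made up.
KEY_AUTHS = [
    "tok-apex-0123456789.thumbprint-abcdef",
    "tok-wild-9876543210.thumbprint-abcdef",
]

if __name__ == "__main__":
    api = FakeRRsetApi("domain.com")
    print("replace:", provision(api, add_txt_replace, KEY_AUTHS))
    print("precheck:", precheck(api, KEY_AUTHS))   # ok=False, one value missing
    api = FakeRRsetApi("domain.com")
    print("merge:   ", provision(api, add_txt_merge, KEY_AUTHS))
    print("precheck:", precheck(api, KEY_AUTHS))   # ok=True, nothing missing
```

The manual workaround in the post (re-adding the first value by hand so that both are present) is exactly what `add_txt_merge` does programmatically; `precheck` is the test to run after provisioning and before the client tells the CA to validate, since a wildcard order will fail verification for the identifier whose value is missing.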
#3
Just to close the loop on this, my problems had nothing to do with OPNsense or the upgrade, but rather an issue on the Zen side meaning my router's DHCPv6 requests were being rejected. This has now been sorted and I'm all working again.

I'd consider myself fairly experienced networking-wise, but confess I find IPv6 a bit of a black art! I would like to publicly thank marjohn56 for helping out with the fault finding. You sir are a gentleman.
#4
Thanks a lot marjohn, I dropped you a PM.
#5
Yes, the gateway shows as online. I have a monitor IPv6 address set and it is showing green. The problem seems to be just with the LAN clients, but looking on one of them I can see the IPv6 gateway is set (it seems to be the link-local address). From this client machine I can ping the LAN IPv6 address and the WAN IPv6 address but can't ping anything on the internet.
#6
From the WAN, yes

# /sbin/ping6 -c '3' '2001:4860:4860::8844'
PING6(56=40+8+8 bytes) 2a02:8011:d000:5cf::1 --> 2001:4860:4860::8844
16 bytes from 2a02:8011:d000:5cf::1, icmp_seq=0 hlim=64 time=0.088 ms
16 bytes from 2a02:8011:d000:5cf::1, icmp_seq=1 hlim=64 time=0.094 ms
16 bytes from 2a02:8011:d000:5cf::1, icmp_seq=2 hlim=64 time=0.067 ms

--- 2001:4860:4860::8844 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.067/0.083/0.094/0.012 ms

From the LAN, no
# /sbin/ping6 -S '2a02:8010:65dd:1:1:1:1:1' -c '3' '2001:4860:4860::8844'
PING6(56=40+8+8 bytes) 2a02:8010:65dd:1:1:1:1:1 --> 2001:4860:4860::8844
ping6: wrote 2001:4860:4860::8844 16 chars, ret=-1
ping6: wrote 2001:4860:4860::8844 16 chars, ret=-1
ping6: wrote 2001:4860:4860::8844 16 chars, ret=-1

--- 2001:4860:4860::8844 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
ping6: sendmsg: Network is down
ping6: sendmsg: Network is down
ping6: sendmsg: Network is down

Thank you for replying. Your help is much appreciated.
#7
Hi,

I am sorry for replying to an old thread, but I am having trouble with IPv6 on Zen since upgrading to 21.1.4 yesterday. Everything was working fine before the upgrade and I initially (quite some considerable time ago) followed the instructions here

https://docs.opnsense.org/manual/how-tos/IPv6_ZenUK.html

and set it up using static assignments. It has been working fine for many months, but since upgrading my LAN clients can no longer ping IPv6 addresses on the internet. The OPNsense box can ping IPv6 addresses fine and the LAN clients can ping each other via their IPv6 addresses. However, when LAN clients ping external IPv6 addresses they get "Destination unreachable: Address unreachable".

I backed up the config and tried to follow the instructions again using DHCP instead of static assignments. When I do that and reboot I don't seem to get any IPv6 address on the WAN interface. I'm obviously doing something wrong but not sure what. I've been going around in circles for half a day, so I thought it might be quicker to sign up for an account here and ask the experts. I have reverted to the original config as the DHCP instructions don't give me any IPv6 addresses on any interface. Feel free to move this post if it is in the wrong place.

Thanks in advance.