Messages - wiggleroom

#1
One of my certificates is a wildcard for multiple subdomains. When the certificate gets renewed, I have multiple automations set up to distribute the cert to three different servers using the run-command Upload certificate to Synology DSM. What happens in practice is that only one of those servers gets updated. The same server gets updated multiple times if I have multiple target devices.

Digging in some, I see that when a cert is issued, files that control the process & automations get generated at /var/etc/acme-client/cert-home. For each cert you'll find a .conf file with key parameters in it like SAVED_SYNO_USERNAME, SAVED_SYNO_PASSWORD, SAVED_SYNO_HOSTNAME. It appears that multiple occurrences of those has not been considered?

If I watch the log the plugin will say it is updating each server, calling out the automation by name. But the command that it executes is identical for each of those servers. It just keeps hitting the same one each time.

Less critical but worth a note: if I change the creds in the automation, the cert-home files do NOT get updated if I launch just the automation from the web UI. The automation then supplies the wrong/old credentials (confirmed by putting --debug --output-insecure on the acme.sh command). To use up-to-date creds I have to actually force an issue/renew on the cert.

Running OPNsense 24.7.9_1-amd64
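Added example, not part of the post above and not code from the OPNsense plugin or acme.sh: a small POSIX sh reproduction of the "last writer wins" behaviour the post describes. acme.sh keeps one SAVED_<KEY>='value' line per key in the per-certificate .conf (assumption based on reading acme.sh; the helper names below are hypothetical), and a deploy hook uses the environment value if one is exported and otherwise falls back to the saved one, then re-saves it. With a single-valued key, three targets cannot coexist in one conf: whichever run relies on the saved value hits whatever host was saved last, which is the symptom in the post. The DSM upload itself is replaced by an echo of the host that would have been contacted.

```shell
#!/bin/sh
# Stand-in for <cert-home>/<domain>/<domain>.conf (path is constructed).
CONF="${TMPDIR:-/tmp}/demo-wildcard.example.conf"

# save_conf KEY VALUE: one line per key; saving a key again replaces it.
save_conf() {
    key=$1; val=$2; tmp="$CONF.tmp"
    grep -v "^${key}=" "$CONF" > "$tmp" 2>/dev/null || true
    printf "%s='%s'\n" "$key" "$val" >> "$tmp"
    mv "$tmp" "$CONF"
}

# read_conf KEY: print the saved value (empty if absent).
read_conf() {
    sed -n "s|^$1='\(.*\)'$|\1|p" "$CONF"
}

# deploy_to_dsm [HOSTNAME]: hypothetical hook with the env-wins-else-saved
# flow (assumption about acme.sh's _getdeployconf/_savedeployconf). Prints
# the host the certificate would be uploaded to.
deploy_to_dsm() {
    host=${1:-$(read_conf SAVED_SYNO_Hostname)}
    save_conf SAVED_SYNO_Hostname "$host"
    echo "$host"
}

# Scenario A: only the first run passes a target; the other two trust the
# conf and end up hitting the first host again.
run_without_overrides() {
    rm -f "$CONF"
    deploy_to_dsm nas1.lan
    deploy_to_dsm
    deploy_to_dsm
}

# Scenario B: every run passes its own target, so the conf is rewritten each
# time and each host gets the certificate.
run_with_overrides() {
    rm -f "$CONF"
    for h in nas1.lan nas2.lan nas3.lan; do
        deploy_to_dsm "$h"
    done
}

echo "without per-run targets:"; run_without_overrides
echo "with per-run targets:";    run_with_overrides
```

To check the real files, `grep -r SAVED_SYNO_ /var/etc/acme-client/cert-home` shows which single host/user is currently saved for each certificate. Note that the same conf holds SAVED_SYNO_PASSWORD in clear text, so its permissions deserve a look while you are in there.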
#2
Are you trying to limit speed between devices that are connected to the same switch?
#3
Thank You! I applied the 3790 patch you mention. Works like a charm  :)
#4
Thanks. I'm using HTTPS and a custom port too. How about you?
#5
In the ACME Client I pick a certificate and use the run-automations tool. If that includes any Synology DSM uploads it will crash. I get the red dot and can submit a crash from the firmware. I don't see a failure in the ACME client log. Extended logging will show me /var paths for certs getting passed into the acme.sh and all those seem to check out as valid. It fails on three different certificates and different Synology hosts that were all working just recently. The user and password are correct and the user is an administrator on the Synology.

I had this working like the week before last. Don't know if the 2.4.1->2.4.1.1 update affected it or something else?
#6
The trailing dot works thanks! Also weird that most people don't seem to need it. Joining their camp would be ideal but this moves me along some  :)
#7
I have OPNsense set up behind an AT&T fiber WAN for my home network where I have a LAN and Unbound DNS with overrides to make some public names resolve to local addresses. IPv6 not enabled. Functionally, names seem to resolve correctly, like if I ping a domain name. But it's hard to debug some things because nslookup always puts the "Connection-specific DNS Suffix" (ipconfig) on the names I give it.

For example if I nslookup google.com I get output like this:

Server:  OPNsense.<MYDOMAIN>.net
Address:  <MY LAN GATEWAY IP>

Non-authoritative answer:
Name:    google.com.<MYDOMAIN>.net
Address:  <MY PUBLIC IP>

The name is always treated like a subdomain of my OPNsense domain as set at System->Settings->General->Domain. At Services->DHCPv4->lan->Domain Name I see where I can put in an override. But there seems to be no way to "override" with a blank name since leaving it blank says to use the system default name.

How do I make my Windows nslookup resolve names correctly?
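Added example, not part of the thread and not OPNsense, Unbound or Windows code: a Python model of the name list nslookup builds from its documented defname and search options, which is enough to explain the output in the post. A name with a trailing dot is queried as-is; a name with no dot at all gets the default domain appended; a name that contains a dot but no trailing dot has the search list appended first and is only tried bare if none of the suffixed forms answers. The zone, the addresses and the wildcard entry under the home domain are constructed; that a wildcard or similar override is what makes google.com.<MYDOMAIN>.net answer is an assumption, not something the post states. The wildcard matching is a simplification of RFC 4592 (closest ancestor with a `*` label wins).

```python
# Constructed zone standing in for what Unbound answers on the LAN.
# Documentation-range addresses only; "mydomain.net" replaces <MYDOMAIN>.net.
ZONE = {
    "google.com.": "203.0.113.7",          # the real public answer
    "nas.mydomain.net.": "192.168.1.20",   # a host override
    "*.mydomain.net.": "198.51.100.9",     # hypothetical wildcard override
}


def nslookup_candidates(name, default_domain, search_list=None,
                        defname=True, search=True):
    """Return the names nslookup will query, in order (model of the
    documented 'set defname' / 'set search' rules; assumption)."""
    if name.endswith("."):
        return [name]                                   # fully qualified
    suffixes = search_list if search_list is not None else [default_domain]
    if "." not in name:                                 # single-label name
        cands = [f"{name}.{default_domain}."] if defname else []
        return cands + [name + "."]
    cands = [f"{name}.{s}." for s in suffixes] if search else []
    cands.append(name + ".")                            # bare name tried last
    return cands


def lookup(zone, qname):
    """Exact match, then the nearest '*.' ancestor (simplified wildcard)."""
    if qname in zone:
        return zone[qname]
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return None


def resolve(zone, name, **opts):
    """First (queried name, address) that gets an answer, or None."""
    for cand in nslookup_candidates(name, **opts):
        addr = lookup(zone, cand)
        if addr is not None:
            return cand, addr
    return None


if __name__ == "__main__":
    for q in ("google.com", "google.com.", "nas"):
        print(q, "->", resolve(ZONE, q, default_domain="mydomain.net"))
```

The practical check on Windows is the same as in the model: `nslookup google.com.` (trailing dot) skips the suffix list entirely, which is why the trailing dot fixes the lookup. Note that nslookup is its own resolver and does not share the Windows stub resolver's logic, so ping resolving the bare name correctly while nslookup shows the suffixed one is expected, not a sign that Unbound is wrong.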