Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Jakub

Pages1
#1
25.1, 25.4 Series / Re: acme broken?
March 29, 2025, 03:23:00 PM
Quote from: meyergru on March 29, 2025, 12:01:53 PM1. Subdomains instead of host names (i.e. "opnsense.xyz.XXX.ovh" instead of "opnsense.XXX.ovh").

I'm not using the sub sub domains

Quote from: meyergru on March 29, 2025, 12:01:53 PMPunctuation or white-space in any input, leading or following.

I'm not sure but i have capital letters in host name before and have changed to lower case

Quote from: meyergru on March 29, 2025, 12:01:53 PMTypo in the domain itself.

i have copy paste from the url once again

Quote from: meyergru on March 29, 2025, 12:01:53 PMOn a side note: You should probably not do it like this anyway. DNS-01 verification can accommodate wildcard certificates, which you should absolutely use in order to hide specific names like opnsense.XXX.ovh, because any issued certificate is published by the CA.
That way, you also need less certificates (i.e. just one) and use that for any upcoming URL.

I fully agree with you, it's not secure. access only from internal network but anyway not good setup.



additionally i did:
key length: "from 2048 to 4096"
DNS alias mode: "setup to Automatic mode."


for some reason certificate has been renewed, deleted from LuaDNS at the end.


Thank you for backing me during the process.

Have a good day

Jakub
#2
25.1, 25.4 Series / Re: acme broken?
March 29, 2025, 10:08:31 AM
Hi,

Quote from: meyergru on March 28, 2025, 10:07:36 PMThe best proof would be that because acme.sh thinks the DNS entry was not successfully added, it never deletes it again. That would be done after checking DNS in any case.

yes you right, record is not being deleted for this request.

i have setup debug2 and it's the output:

sorry for long quotation

Quote2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] Skipping dns.
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] dns_entries
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] _clearupdns
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] No need to restore nginx config, skipping.
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] pid
        socat version 1.8.
        socat by Gerhard Rieger and contributors - see www.dest-unreach.org
        socat:
        configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_v3_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-a71f931 --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-06dc0be --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.6/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.8.5/nginx --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --with-ld-opt='-L /usr/local/lib'
        TLS SNI support enabled
        built with OpenSSL 3.0.16 11 Feb 2025
        nginx version: nginx/1.26.3
        nginx:
        Apache doesn't exist.
        Apache:
        OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
        openssl:openssl
2025-03-29T09:34:50   acme.sh   [Sat Mar 29 09:34:50 CET 2025] Diagnosis versions:
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] response='{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}';
        }'
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q",
        "type": "dns-01",
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] original='{
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] code='200'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: KQqMGbQ5AYOsYKqWEI2xw9ZxohXffgVMJ6e82HKg-HWSM1b65iw
        location: https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q
        link: <https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957>;rel="up"
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 193
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:49 GMT
        server: nginx
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] responseHeaders='HTTP/2 200
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _ret='0'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Http already initialized.
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] body='{"protected": "_XXX_a0NvQ043RDh4UmRFUW1yNGNKNHMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLzEwMTg4NjI1MC80OTcxNjgwNTQ5NTcvXzJtVzFRIiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDE4ODYyNTAifQ", "payload": "e30", "signature": "d5BfCGcA3Yp_o_-dxHdBygKGwC2MTHkKbz-7ds_j803UUnGms7dgVzPO1GMATSTbNXXRac2ykAGvCF3bSRGUkV6TwdvVZisOim5LI9SPl4JqjD5Zf9_VTwJif9q2Kpqcqf0XxyMh0Vm0ZZuuJzakGxlaertqGtQ_MP7Fuwa5m2SdfsknWYh9GaWk_dfnjR2vnUwnaw99Pp4KlmTDxI-pTPqtU9Y6Mb8qufg9J_3OiWgCnhN5MXkj05XIH-Ow2cUBUR11mqFZsc7xfDDoMvJCRtC1beqUUNnQp9Z54qMVMG28PcuB6fNZmz2DKCZVXlG0OcGrzHQI90V7QMuHR60GcUMaOj6Ie3dAE52cwfTS_00TUNGQ6l2XYzGSOxS0Md3ZZYjXWcI0GWgzYhHTm-18VoqQPCJGnk_nSopLOvVdJ12RY3sTUHfLwB_ze442d6BeAMSz0AG4-koqZ-IM-El-2-BwBR55D-hhUj18XVau0aBW-nDZZwyRrJM4P5388b7d86DGHSnXO9su2zZ2u8MqixqeqgQLnDryZzcO1E8iQO96ng6IhqhPHwyKGVKSiPw6YckIz7RTaVtS8BBJSjWB97Wrxbb4hrg43XVHk_IGaVztSJ7R6i4eLg-17HMLcv_X1EQnyYrizxBLZ2FFIAav0Lwa5HXwc5Zj5dfI5EUxZ-k"}'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] POST
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] nonce='_NONCE_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Use _CACHED_NONCE='_NONCE_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Use cached jwk for file: /var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.key
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] payload='{}'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_vtype
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_key_authz='_TOKEN_.__VLIST_'
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] Trigger domain validation.
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:49 CET 2025] start to deactivate authz
2025-03-29T09:34:49   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _chk_vlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957,';
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _on_issue_err
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Add txt record error.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] response='{"id":185022797,"name":"_acme-challenge.OPNSENSE.XXX.ovh.","type":"TXT","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":300,"zone_id":_DOMAIN_ID_,"created_at":"2025-03-29T08:34:48.865874041Z","updated_at":"2025-03-29T08:34:48.865874142Z"}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _ret='0'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Http already initialized.
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _postContentType
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] body='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _post_url='https://api.luadns.com/v1/zones/_DOMAIN_ID_/records';
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] POST
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] data='{"type":"TXT","name":"_acme-challenge.OPNSENSE.XXX.ovh.","content":"XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ","ttl":120}'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] zones/_DOMAIN_ID_/records
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] Adding record
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _sub_domain='_acme-challenge.OPNSENSE'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] _domain_id='_DOMAIN_ID_'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] h='OPNSENSE.XXX.ovh'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] response='[{"id":92349,"name":"itlup.ovh","template_id":0,"synced":true,"queries_count":6329,"records_count":10,"aliases_count":0,"redirects_count":0,"forwards_count":0},{"id":_DOMAIN_ID_,"name":"XXX.ovh","template_id":0,"synced":true,"queries_count":9851,"records_count":8,"aliases_count":0,"redirects_count":0,"forwards_count":0}]'
2025-03-29T09:34:48   acme.sh   [Sat Mar 29 09:34:48 CET 2025] ret='0'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Http already initialized.
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] timeout=
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] url='https://api.luadns.com/v1/zones';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] GET
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] zones
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] First detect the root zone
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Adding TXT value: XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ for domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Found domain API file: /usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] dns_entry='OPNSENSE.XXX.ovh,_acme-challenge.OPNSENSE.XXX.ovh,,dns_lua,XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ,/usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_lua.sh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] txt='XBCgy51U1uSXwcqTZJyQOqaX-rGdLBf28MiHcnM2kLQ'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] txtdomain='_acme-challenge.OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _d_alias
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] vlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957,';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] dvlist='OPNSENSE.XXX.ovh#_TOKEN_.__VLIST_#https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q#dns-01#dns_lua#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] keyauthorization='_TOKEN_.__VLIST_'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] token='_TOKEN_'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] entry='"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _candidates='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _idn_temp
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _currentRoot='dns_lua'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _w='dns_lua'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] Getting webroot for domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] d='OPNSENSE.XXX.ovh'
        '
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _authorizations_map='OPNSENSE.XXX.ovh,{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}#https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}'
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] response='{"identifier":{"type":"dns","value":"OPNSENSE.XXX.ovh"},"status":"pending","expires":"2025-04-05T08:34:46Z","challenges":[{"type":"tls-alpn-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg","status":"pending","token":"_TOKEN_"},{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA","status":"pending","token":"_TOKEN_"},{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q","status":"pending","token":"_TOKEN_"}]}'
        }'
        ]
        }
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/_2mW1Q",
        "type": "dns-01",
        {
        },
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/tXyqiA",
        "type": "http-01",
        {
        },
        "token": "_TOKEN_"
        "status": "pending",
        "url": "https://acme-v02.api.letsencrypt.org/acme/chall/_letsencrypt_NR_/497168054957/7B84Kg",
        "type": "tls-alpn-01",
        {
        "challenges": [
        "expires": "2025-04-05T08:34:46Z",
        "status": "pending",
        },
        "value": "OPNSENSE.XXX.ovh"
        "type": "dns",
        "identifier": {
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] original='{
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] code='200'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: _NONCE_
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 824
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:46 GMT
        server: nginx
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] responseHeaders='HTTP/2 200
2025-03-29T09:34:47   acme.sh   [Sat Mar 29 09:34:47 CET 2025] _ret='0'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Http already initialized.
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] body='{"protected": "XXXBCVlY0TzFBc1FmcnVUd0plQlFPNkllc2h0UF9FQXBkV1RnOEozc1h5a3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzEwMTg4NjI1MC80OTcxNjgwNTQ5NTciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzEwMTg4NjI1MCJ9", "payload": "", "signature": "kpcT33ruKKbyvH5CIxBQV-SV2trS74pnwmRZV00yM-YVuWQmrCLv8gcwmE2OFftdK4mRCZ0mphHC_XieCjrvcRksA7jSpMAVmmM0fxwngEbVDlHjbPHBrvsMM-AHr4Z82j9gV4-cH0laC1JprjWgCg5L6CMMA6TX1_O-v2G8mTxV4G-_AgYizPwxhv1nDf587fkLUGs4EjeCS145o6Xn8Z4BUGbUkELagL9oK-lMvuH6iHGkh6nMkRHyBiCTfN-bchO19REakDOx2CPDQEIYhnrAK6f3XONT0xOAXEr_VSyxiKYp9FBs-mADHK3iX6yHYkA0-xNIANjpD0QSQyD3tXqoq8TzsccghcxU7EGqsibl1QJoCTLq1b7_ksKFlG84TDb7TiT_IgLjuPA0FPwCYMIQ26VIVQZcrSa22SFOPoWlQ2203Zklz95lG-HgO3APof5Nk2JaYmEYTyfdHGZ85fWeA3HeQ3RrzCxX5mnvem-WPyCY-xIZsVRLTvhVTvMpbmJp9t1VEkNBM5_zXaY9cL2S06Y_sfUk3gfoa1hLwRlEYzWyQMeib5xjY-gOjPXeMMtdQElY8nN_oKTFWz6CQIegFctjC6WBLD4UbNZM_VAn-hEZdNxpeEEUlaPh5FOntCe4uw8IJzk1DIvE9_KTzZCQD-uzHI5HgKS2BipNYqo"}'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] POST
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] nonce='pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Use _CACHED_NONCE='pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks'
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Use cached jwk for file: /var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.key
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] payload
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] STEP 2, Get the authorizations of each domain
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/_letsencrypt_NR_/368536016037';
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] response='{"status":"pending","expires":"2025-04-05T08:34:46Z","identifiers":[{"type":"dns","value":"OPNSENSE.XXX.ovh"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037"}'
        }'
        "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/_letsencrypt_NR_/368536016037"
        ],
        "https://acme-v02.api.letsencrypt.org/acme/authz/_letsencrypt_NR_/497168054957"
        "authorizations": [
        ],
        }
        "value": "OPNSENSE.XXX.ovh"
        "type": "dns",
        {
        "identifiers": [
        "expires": "2025-04-05T08:34:46Z",
        "status": "pending",
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] original='{
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] code='201'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: pwlyUh7gPBVV4O1AsQfruTwJeBQO6IeshtP_EApdWTg8J3sXyks
        location: https://acme-v02.api.letsencrypt.org/acme/order/_letsencrypt_NR_/368536016037
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        boulder-requester: _letsencrypt_NR_
        content-length: 351
        content-type: application/json
        date: Sat, 29 Mar 2025 08:34:46 GMT
        server: nginx
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] responseHeaders='HTTP/2 201
2025-03-29T09:34:46   acme.sh   [Sat Mar 29 09:34:46 CET 2025] _ret='0'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g '
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] Http already initialized.
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] body='{"protected": "XXXXFNR2JRNWFJS3NRUDNkREVheHhnT0t0M0tLbGJrbzY3eV8zZVN4TzF2aHJ0Z3ZjWlEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAxODg2MjUwIn0", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6Ik9QTlNFTlNFLm5lc3Njby5vdmgifV19", "signature": "Y9kfawJVzSuKYZpBfo28LZH_A5nLG3nX2s_sWS9uXU_twxKUY9K9tK9OSo2MYUQ5Nv0hEMHmWQkMy-Piy83J087mMBthzkcNa2BJynnEUo6EUcL34VDYrC5EA2gv1kYIaSlMcl6cJpj9TWxFb4xVniOLutqY3cBfqGUFQrmowlKfF6U2z5p9RUbnztm0XmsxsKpzsmEFOWQa_7AXacAJUZhwvO5ds0LASOh0fHLjdKD2txys-WY4BKsu69k2kJ0Wrxre6ymdVqU1YMspH-uRoRpwVBFB8xlWJITsRZLt3ZMDGuJJxm_FSTAlIj5aPqy-azTBfVBchlm5yV8pSPvCVSqGuIkKkdbWCygD8-mVgK0-0DP1mEXuF-df126ivJjS97_0twnQWQWC7G2OGdSLjlzsMwdbzhdqgnd2hnUge-RfJd995YZHi2ARpbdtTSRVtFEA2FmWfsQjbuALBgS1Q08OLQEK985MJUZZ_oqsHd26vDhQxArMuw3zYNbl0uCOZ4oWXWAwOiPfpUAoPtFfs9bt2YfB3f5_dSrNRY33Se0N4Ib5Mfag5ipFCCWQrIWeYQvMko9Rl627Yg7RhEkuW9PHCNdTxukHzwmXn6IPmjEOHpesB6bHdegq575vLTdl5eUdd76sqpett_hvKsEXQ29ZoWWX1y5rNSAfT_geZJw"}'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] POST
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] nonce='KQqMGbQ5aIKsQP3dDEaxxgOKt3KKlbko67y_3eSxO1vhrtgvcZQ'
        '
        strict-transport-security: max-age=604800
        x-frame-options: DENY
        replay-nonce: KQqMGbQ5aIKsQP3dDEaxxgOKt3KKlbko67y_3eSxO1vhrtgvcZQ
        link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
        cache-control: public, max-age=0, no-cache
        date: Sat, 29 Mar 2025 08:34:45 GMT
        server: nginx
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _headers='HTTP/2 200
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _ret='0'
2025-03-29T09:34:45   acme.sh   [Sat Mar 29 09:34:45 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.WyXmRcxuSn -g -I '
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _postContentType='application/jose+json'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] body
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] HEAD
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _URGLY_PRINTF='1'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _URGLY_PRINTF='1'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] RSA key
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] payload='{"identifiers": [{"type":"dns","value":"OPNSENSE.XXX.ovh"}]}'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] =======Sending Signed Request=======
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] STEP 1, Ordering a Certificate
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _notAfter
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _notBefore
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _identifiers='{"type":"dns","value":"OPNSENSE.XXX.ovh"}'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] d
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Getting domain auth token for each domain
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _csr_cn='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _idn_temp
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _is_idn_d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] seg='OPNSENSE'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Single domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csrconf='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.csr.conf'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csr='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.csr'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] csrkey='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh/OPNSENSE.XXX.ovh.key'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] domainlist
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _createcsr
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] Read key length: 2048
2025-03-29T09:34:44   acme.sh   [Sat Mar 29 09:34:44 CET 2025] _saved_account_key_hash was not changed, skipping account registration.
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _saved_account_key_hash='HASH_KEY'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'apache'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] d
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _currentRoot='dns_lua'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Checking for domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] d='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Le_LocalAddress
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'no'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _chk_alt_domains
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _chk_main_domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _on_before_issue
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_NEW_AUTHZ
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change';
        }'
        "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
        "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
        "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
        "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
        "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
        },
        "website": "https://letsencrypt.org"
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
        },
        "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
        "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
        "classic": "https://letsencrypt.org/docs/profiles#classic",
        "profiles": {
        ],
        "letsencrypt.org"
        "caaIdentities": [
        "meta": {
        "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
        "1KWa47XgJBE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] response='{
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ret='0'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.rv8M2k8w6s -g '
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] timeout=
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] url='https://acme-v02.api.letsencrypt.org/directory';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] GET
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _init API for server: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Le_NextRenewTime='1736377207'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] 'dns_lua' does not contain 'dns'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] DOMAIN_PATH='/var/etc/acme-client/cert-home/63e75569887183.36451555/OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _ACME_SERVER_PATH='directory'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory';
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using config home: /var/etc/acme-client/home
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _alt_domains='no'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] _main_domain='OPNSENSE.XXX.ovh'
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Running cmd: issue
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] Using server: https://acme-v02.api.letsencrypt.org/directory
2025-03-29T09:34:43   acme.sh   [Sat Mar 29 09:34:43 CET 2025] LE_WORKING_DIR='/var/etc/acme-client/home'



system log

2025-03-29T09:34:50   opnsense   AcmeClient: validation for certificate failed: OPNSENSE.XXX.ovh
2025-03-29T09:34:50   opnsense   AcmeClient: domain validation failed (dns01)
2025-03-29T09:34:50   opnsense   AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_lua' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/63e75569887183.36451555' --certpath '/var/etc/acme-client/certs/63e75569887183.36451555/cert.pem' --keypath '/var/etc/acme-client/keys/63e75569887183.36451555/private.key' --capath '/var/etc/acme-client/certs/63e75569887183.36451555/chain.pem' --fullchainpath '/var/etc/acme-client/certs/63e75569887183.36451555/fullchain.pem' --domain 'OPNSENSE.XXX.ovh' --days '1' --force --keylength '2048' --accountconf '/var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.conf''
2025-03-29T09:34:42   opnsense   AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_lua' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/63e75569887183.36451555' --certpath '/var/etc/acme-client/certs/63e75569887183.36451555/cert.pem' --keypath '/var/etc/acme-client/keys/63e75569887183.36451555/private.key' --capath '/var/etc/acme-client/certs/63e75569887183.36451555/chain.pem' --fullchainpath '/var/etc/acme-client/certs/63e75569887183.36451555/fullchain.pem' --domain 'OPNSENSE.XXX.ovh' --days '1' --force --keylength '2048' --accountconf '/var/etc/acme-client/accounts/5faaa839612575.44326968_prod/account.conf'
2025-03-29T09:34:42   opnsense   AcmeClient: using challenge type: LuaDNS
2025-03-29T09:34:42   opnsense   AcmeClient: account is registered: Jakub SURNAME
2025-03-29T09:34:42   opnsense   AcmeClient: using CA: letsencrypt
2025-03-29T09:34:42   opnsense   AcmeClient: issue certificate: OPNSENSE.XXX.ovh

Other domain:
Interesting is that other two domains are fine, there is 5 minutes break and that works well. I start thinking if that not related to dns name of appliance itself as its only one failing, maybe it ask local dns (cache) instead of public dns that is asked, other two domains were completed correctly. example below:

Quote2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] And the full-chain cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/fullchain.cer
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] The intermediate CA cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/ca.cer
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] Your cert key is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.nessco.ovh_ecc/pi.XXX.ovh.key
2025-03-28T00:15:31    acme.sh    [Fri Mar 28 00:15:31 CET 2025] Your cert is in: /var/etc/acme-client/cert-home/653e92d5467220.29286476/pi.XXX.ovh_ecc/pi.XXX.ovh.cer
2025-03-28T00:15:28    acme.sh    [Fri Mar 28 00:15:28 CET 2025] Removing txt: p6lf1xHKCdzWtL0W1-hC5QsPxZMmCLByxxbQ_KTPfKQ for domain: _acme-challenge.pi.XXX.ovh
2025-03-28T00:15:25    acme.sh    [Fri Mar 28 00:15:25 CET 2025] Verifying: pi.XXX.ovh
2025-03-28T00:10:24    acme.sh    [Fri Mar 28 00:10:24 CET 2025] Adding TXT value: p6lf1xHKCdzWtL0W1-hC5QsPxZMmCLByxxbQ_KTPfKQ for domain: _acme-challenge.pi.XXX.ovh
2025-03-28T00:10:24    acme.sh    [Fri Mar 28 00:10:24 CET 2025] Getting webroot for domain='pi.XXX.ovh'
2025-03-28T00:10:21    acme.sh    [Fri Mar 28 00:10:21 CET 2025] Single domain='pi.XXX.ovh'
2025-03-28T00:10:20    acme.sh    [Fri Mar 28 00:10:20 CET 2025] Renewing: 'pi.XXX.ovh'


Quote from: meyergru on March 28, 2025, 10:07:36 PMBTW: If you set the DNS sleep time on the challenge to a value > 0, you will force to use normal DNS requests. Otherwise, DOH is used, which sometimes fails.

If I try use "0" or value like "900" in the log I can see there is no difference, it's reporting error right away. Above error is when sleep was setup to "0"


Thank you
Jakub
#3
25.1, 25.4 Series / Re: acme broken?
March 28, 2025, 08:44:03 PM
Hi,

thank you for coming back to me.

the domain name im using is FQDN name that I don't want to post and it's why all beside hostname was deleted. It's recognized by public dns.

Quote2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Add txt record error.
2025-03-28T20:39:50   acme.sh   [Fri Mar 28 20:39:50 CET 2025] Adding record
2025-03-28T20:39:49   acme.sh   [Fri Mar 28 20:39:49 CET 2025] Adding TXT value: dSrNFANja1EiimgW_5B3AeQ5EraUJeK3GbEZWw7ylrg for domain: _acme-challenge.OPNSENSE.XXX.ovh
2025-03-28T20:39:49   acme.sh   [Fri Mar 28 20:39:49 CET 2025] Getting webroot for domain='OPNSENSE.XXX.ovh'
2025-03-28T20:39:46   acme.sh   [Fri Mar 28 20:39:46 CET 2025] Single domain='OPNSENSE.XXX.ovh'
2025-03-28T20:39:46   acme.sh   [Fri Mar 28 20:39:46 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory

few seconds later in luadns i can see record is present:
_acme-challenge.opnsense.XXX.ovh.   TXT   dSrNFANja1EiimgW_5B3AeQ5EraUJeK3GbEZWw7ylrg   300


if you look on time please notice there is no any wait time, after 1 second he say's error, instead of checking periodicly untill 20 minutes when you setup dns sleep time to 0 like in documentation for public dns.


hope its more clear now

thank you
jakub
#4
25.1, 25.4 Series / Re: acme broken?
March 28, 2025, 12:00:27 PM
I was running 25.1.3 and updated to 25.1.4, rebooted router but still can see that my validation (luadns) is being ignored?

QuoteDate
Process
Line
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Please add '--debug' or '--log' to see more information.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Error adding TXT record to domain: _acme-challenge.OPNSENSE.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Add txt record error.
2025-03-28T11:49:57   acme.sh   [Fri Mar 28 11:49:57 CET 2025] Adding record
2025-03-28T11:49:56   acme.sh   [Fri Mar 28 11:49:56 CET 2025] Adding TXT value: k2S8diRcEzt8 for domain: _acme-challenge.OPNSENSE.
2025-03-28T11:49:56   acme.sh   [Fri Mar 28 11:49:56 CET 2025] Getting webroot for domain='OPNSENSE.'
2025-03-28T11:49:54   acme.sh   [Fri Mar 28 11:49:54 CET 2025] Single domain='OPNSENSE.'
2025-03-28T11:49:54   acme.sh   [Fri Mar 28 11:49:54 CET 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory

record is being added to Lua DNS but time is being ignored from Challenge type, i did try to setup 0, 30, 300 or more.

is something you face with after 25 version? I didn't have issue with 24.

Thank you,
jakub
Pages1