Topics - skydiver

#1
23.1 Legacy Series / ACME LetsEncrypt + Cloudflare
August 11, 2023, 01:58:09 AM
I cannot seem to be able to get the ACME script Let's Encrypt DNS-01 method to work.
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Error add txt for domain:_acme-challenge.mydomain.com
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] invalid domain
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Adding txt value: 5Kp3S8Hg-------------------------h8cVZ_3CU0 for domain: _acme-challenge.mydomain.com
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Getting webroot for domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Getting domain auth token for each domain
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Single domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory

I don't know if I have entered my Cloudflare credentials in the correct slots in the OPNsense config.

I have mapped the credentials in my Cloudflare account as outlined in the attached image.

I would like to know if I am mapping the credentials correctly. Also, there is a line in the ACME logs:
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Please add '--debug' or '--log' to check more details.

How do I add this to get more detailed logs?
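An added example, not from the post or from acme.sh/OPNsense: it takes the newest-first log lines above, restores the order in which acme.sh emitted them, and reports which TXT record the DNS hook tried to create and the hook's own error. In acme.sh's Cloudflare hook (dns_cf.sh), "invalid domain" is emitted when the hook cannot match the record name to a zone through the Cloudflare API, so the credential and zone settings are what to verify before the DNS record itself. The sample log is constructed from the post with a placeholder TXT value.

```python
import re
from datetime import datetime

# Constructed sample modelled on the acme.sh lines in the post above, newest
# first as the OPNsense log viewer shows them; the TXT value is a placeholder.
SAMPLE_LOG = """\
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Error add txt for domain:_acme-challenge.mydomain.com
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] invalid domain
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Adding txt value: PLACEHOLDER_TXT_VALUE for domain: _acme-challenge.mydomain.com
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Getting webroot for domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Getting domain auth token for each domain
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Single domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) acme\.sh \[[^\]]*\] (?P<msg>.*)$")

def parse_acme_log(text):
    """Return (timestamp, message) pairs in the order acme.sh emitted them.
    The viewer lists newest first, so reverse, then stable-sort by timestamp
    so lines sharing a second keep their emitted order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.fromisoformat(m["ts"]), m["msg"]))
    entries.reverse()
    entries.sort(key=lambda e: e[0])
    return entries

def diagnose_dns01(entries):
    """Pull out the CA, the certificate domain, the TXT record the DNS hook
    tried to create, and the hook's own error (the message it logs before
    acme.sh reports 'Error add txt')."""
    report = {"ca": None, "domain": None, "txt_record": None,
              "hook_error": None, "ok": True}
    for _, msg in entries:
        if msg.startswith("Using CA: "):
            report["ca"] = msg[len("Using CA: "):]
        elif msg.startswith("Single domain="):
            report["domain"] = msg.split("=", 1)[1].strip("'")
        elif msg.startswith("Adding txt value:"):
            report["txt_record"] = msg.rsplit("for domain: ", 1)[1].strip()
        elif msg.startswith("Error add txt"):
            report["ok"] = False
        elif report["txt_record"] and report["hook_error"] is None:
            report["hook_error"] = msg
    report["staging"] = bool(report["ca"] and "staging" in report["ca"])
    return report
```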
#2
23.1 Legacy Series / ddclient and Dynu DNS
July 15, 2023, 05:17:34 PM
I am on my third DNS provider trying to find a provider that will work with both the new ddclient and also the new ACME client.
I am now working to get Dynu DNS working after I was able to get NameCheap DynDNS working, but then found that NameCheap requires a history and more hosted domains than I need in order to enable my access to the API for use with the ACME client.

I have an issue with the Dynu setup in OPNsense as follows:
Debug ddclient log:
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 92754 - [meta sequenceId="7"] SUCCESS: wg.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 90378 - [meta sequenceId="6"] SUCCESS: synology.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 89244 - [meta sequenceId="5"] SUCCESS: plex.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 87399 - [meta sequenceId="4"] SUCCESS: ha.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 85050 - [meta sequenceId="3"] SUCCESS: fw.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 83060 - [meta sequenceId="2"] SUCCESS: dc.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 80525 - [meta sequenceId="1"] WARNING: 'if-skip' is deprecated and does nothing for IPv4

I don't know where OPNsense is finding that the IP it needs to update is already set. All the DNS records that I had created at the other providers were changed to other IP addresses before I then deleted said accounts.
I also made sure the TTL for these records was set to 10 minutes when they were created while testing.
I have now waited 24 hours and it is still producing the same "IP is already set" message.

I have the ddclient logging set to debug but I am missing where the process is querying these A hosts for the current IP address.

Can anyone assist me to troubleshoot this?
#3
18.7 Legacy Series / Lost access to web gui
May 16, 2019, 04:00:36 PM
We had our primary internet service and while attempting to get a backup circuit activated and connected, I lost access to the web GUI from outside and inside the network. It appears to have happened when I disabled the down WAN interface.

I was still able to get the network up and working with our new circuit after I completed the provider's circuit activation, but I still cannot gain access to the web GUI.

I tried accessing the web GUI from the new WAN2 interface (I had set up all the access rules before I realized that the circuit had not yet been activated).

The root password isn't working, so I am going to have to wait until I can boot into single-user mode so I can try to roll back the config to before I made the change, but I need help.


  • Where are the auto-created backups stored in the file system?
  • How can I roll it back from the console so I can go back to before I disabled the interface? (My last backup is over a year old.)
  • How can I identify why this happened?
This is not the first time this has occurred, and I still cannot figure out how I can lock myself out of the web GUI. I have the anti-lockout rules in place and active on ALL internal LAN segments.

I have never seen a firewall that can essentially break itself with no warning like this. Is there a failsafe way to ensure this cannot occur in the future?

Once I get access to the filesystem, I can back up the changed versions of the XML and try to provide more details of what change was made that killed this.

I would really like the ability to apply changes in RAM instead of writing to disk as a default.  This way if something breaks, a simple reboot will restore to the most recently saved config like most other routers.
#4
My default hostname and domain are getting registered to the wrong internal NIC on my OPNsense firewall. How can I assign the default hostname being registered to the correct NIC on the firewall?
#5
General Discussion / Lost access to Web GUI
June 15, 2018, 11:17:15 PM
I lost access to the web GUI after an unknown change on our FW.  Is there a way to roll back to a system state prior to the change from the CONSOLE?