23.1 Legacy Series / ACME Cert Renewals
« on: June 12, 2023, 03:49:19 pm »
Hi Guys,
On my up to date OPNsense 23.1.9-amd64 firewall, I've noticed that my ACME certificate renewals are both now showing as failed validation in the logs as below:
2023-06-12T14:32:53 acme.sh [Mon Jun 12 14:32:53 BST 2023] Error add txt for domain:_acme-challenge.contoso.com
2023-06-12T14:32:53 acme.sh [Mon Jun 12 14:32:53 BST 2023] invalid domain
I can't see much history in the logs, but it seems to have shown the same error for the last few renewal attempts, which happen at midnight automatically.
The ACME renewal process uses the Cloudflare DNS validation method and no config changes have been made at all. Until recently this has always worked very well for me without issues.
I did run an update this morning and noticed a new ACME script was brought down, so wondered if there have been any changes which might have impacted it?
I also tried to force renew and noted that the extra text record never appears in Cloudflare DNS as expected, so it does appear to be some change, but it's difficult to say for sure.
I've got a snapshot and rollback capability so am going to try a few different things in testing, but thought it was first worth raising to see if it's just me.
Thanks for any help.
Gareth
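A small monitoring helper for the situation described in the post, added here as an example; it is not code from the post, from OPNsense or from acme.sh. It assumes the log line shape visible above ("<ISO timestamp> acme.sh [<ctime>] <message>") and that acme.sh prints the provider's error reason on the line immediately following "Error add txt for domain:". The sample log lines are constructed (the contoso.com lines mirror the post, the others are invented), so the script runs offline. Its purpose is to catch renewals that have been silently failing at the nightly run before the certificate actually expires.

```python
import re
from collections import defaultdict

# Assumed acme.sh log format, taken from the two lines in the post:
# "<ISO timestamp> acme.sh [<ctime>] <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+acme\.sh\s+\[[^\]]*\]\s+(?P<msg>.*)$")
TXT_ERR_RE = re.compile(r"^Error add txt for domain:\s*(?P<record>\S+)$")

# Constructed sample log: the contoso.com lines mirror the post, the rest is invented.
SAMPLE_LOG = """\
2023-06-11T00:00:12 acme.sh [Sun Jun 11 00:00:12 BST 2023] Error add txt for domain:_acme-challenge.contoso.com
2023-06-11T00:00:12 acme.sh [Sun Jun 11 00:00:12 BST 2023] invalid domain
2023-06-12T14:32:53 acme.sh [Mon Jun 12 14:32:53 BST 2023] Error add txt for domain:_acme-challenge.contoso.com
2023-06-12T14:32:53 acme.sh [Mon Jun 12 14:32:53 BST 2023] invalid domain
2023-06-12T14:33:10 acme.sh [Mon Jun 12 14:33:10 BST 2023] Error add txt for domain:_acme-challenge.vpn.example.net
2023-06-12T14:33:10 acme.sh [Mon Jun 12 14:33:10 BST 2023] constructed API error reason
2023-06-12T14:35:00 acme.sh [Mon Jun 12 14:35:00 BST 2023] Cert success.
"""


def base_domain(record):
    """Strip the _acme-challenge. label to recover the name the cert is for."""
    prefix = "_acme-challenge."
    return record[len(prefix):] if record.startswith(prefix) else record


def summarize_failures(lines):
    """Group DNS-01 'add txt' failures by certificate domain.

    Returns {domain: {"count": n, "last_seen": iso_ts, "reasons": [...]}}.
    The reason is taken from the next acme.sh line with the same timestamp,
    which is where acme.sh reports the DNS provider's error (an assumption
    based on the log excerpt in the post).
    """
    failures = defaultdict(lambda: {"count": 0, "last_seen": None, "reasons": []})
    parsed = [m for m in (LOG_RE.match(line) for line in lines) if m]
    for i, m in enumerate(parsed):
        err = TXT_ERR_RE.match(m.group("msg"))
        if not err:
            continue
        domain = base_domain(err.group("record"))
        entry = failures[domain]
        entry["count"] += 1
        entry["last_seen"] = m.group("ts")
        reason = "unknown"
        if i + 1 < len(parsed) and parsed[i + 1].group("ts") == m.group("ts"):
            reason = parsed[i + 1].group("msg")
        if reason not in entry["reasons"]:
            entry["reasons"].append(reason)
    return dict(failures)


def needs_attention(summary, min_consecutive=2):
    """Domains whose renewal has failed at least min_consecutive times.

    One failure can be a transient API hiccup; repeated failures at the
    nightly run mean the certificate will lapse unless someone intervenes.
    """
    return sorted(d for d, e in summary.items() if e["count"] >= min_consecutive)


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG.splitlines())
    for domain, entry in sorted(summary.items()):
        print(f"{domain}: {entry['count']} failure(s), last {entry['last_seen']}, "
              f"reasons={entry['reasons']}")
    print("needs attention:", needs_attention(summary))
```

On an OPNsense box the same functions can be pointed at the ACME client log instead of `SAMPLE_LOG`; raising the threshold in `needs_attention` trades earlier warning for fewer alerts on one-off provider errors.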