23.1 Production Series / [SOLVED] ACME plugin with Gandi LiveDNS
« on: April 10, 2023, 06:16:52 am »
Prior to 23.1, the ACME plugin seemed to work fine, and I had automatically renewed certificates for several months.
Somewhere around the change to 23.1, however, it no longer works via OPNsense, even though I can use Gandi's LiveDNS and API key from "letsencrypt" on a Pi just fine (so the issue is not Gandi, and not the API key).
My logs appear as such (with debug logging enabled for the ACME Settings):
2023-04-10T14:02:33 Error opnsense AcmeClient: validation for certificate failed: host.mydomain.com
2023-04-10T14:02:33 Error opnsense AcmeClient: domain validation failed (dns01)
2023-04-10T14:02:25 Notice opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --dns 'dns_gandi_livedns' --dnssleep '90' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/whatever.07307279/cert.pem' --keypath '/var/etc/acme-client/keys/whatever.07307279/private.key' --capath '/var/etc/acme-client/certs/whatever.07307279/chain.pem' --fullchainpath '/var/etc/acme-client/certs/whatever.07307279/fullchain.pem' --domain 'host.mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/whatever.40506586_prod/account.conf'
2023-04-10T14:02:25 Notice opnsense AcmeClient: using challenge type: GandiV5
2023-04-10T14:02:25 Notice opnsense AcmeClient: account is registered: Let's Encrypt
2023-04-10T14:02:25 Notice opnsense AcmeClient: using CA: letsencrypt
2023-04-10T14:02:25 Notice opnsense AcmeClient: issue certificate: host.mydomain.com
2023-04-10T14:02:25 Notice opnsense AcmeClient: certificate must be issued/renewed: host.mydomain.com
Obviously, this is in reverse chronological order.
I've obfuscated a few things, but, I do not think they are relevant to the issue. The domain has the Gandi API enabled, the key works fine, etc etc.
What I do notice, however, is that the "dnssleep" option passed to the ACME shell script is being ignored. I've tried various values here (120 seconds, 240, 0 (default)); however, as you can see from the logs, within 2 seconds OPNsense records the attempt as a failure and gives up.
Interestingly, even with "0" set as the value, the OPNsense plugin does not seem to retry as per the on-screen note of:
"The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 0 seconds, which causes Acme Client to check public DNS services every 10 seconds for up to 20 minutes. If set to a non-zero value, a fixed DNS sleep time will be used and the local DNS servers will be queried instead. A DNS sleep time of 120 seconds or more is recommended for some DNS APIs."
Does anyone have ACME working with 23.1 series and Gandi LiveDNS?
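A small check for the symptom described in this post, added here as an example (not code from the OPNsense plugin or acme.sh): it parses AcmeClient log lines of the form shown above, pulls the configured --dnssleep out of the logged acme.sh command, and compares it with how long acme.sh actually ran before the dns-01 validation was logged as failed. The sample log lines are constructed to mirror the post; the 20-minute ceiling for dnssleep=0 is taken from the plugin's on-screen note.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the AcmeClient output in the post
# (newest first, as the GUI shows it; the acme.sh command is shortened).
SAMPLE_LOG = """\
2023-04-10T14:02:33 Error opnsense AcmeClient: validation for certificate failed: host.mydomain.com
2023-04-10T14:02:33 Error opnsense AcmeClient: domain validation failed (dns01)
2023-04-10T14:02:25 Notice opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --dns 'dns_gandi_livedns' --dnssleep '90' --domain 'host.mydomain.com'
2023-04-10T14:02:25 Notice opnsense AcmeClient: issue certificate: host.mydomain.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) opnsense AcmeClient: (?P<msg>.*)$")
DNSSLEEP_RE = re.compile(r"--dnssleep '(?P<secs>\d+)'")
POLL_CEILING = 20 * 60  # dnssleep=0 polls public DNS for up to 20 minutes (per the UI note)


def parse_log(text):
    """Return (timestamp, level, message) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.fromisoformat(m["ts"]), m["level"], m["msg"]))
    entries.sort(key=lambda e: e[0])
    return entries


def check_dns_wait(text):
    """Compare the configured DNS wait with the observed run time.

    Returns None when the log has no acme.sh start or dns-01 failure line;
    otherwise a dict with the configured dnssleep, the wait acme.sh should
    have spent before giving up, the seconds observed between the
    'running acme.sh command' line and the 'domain validation failed' line,
    and 'premature' = True when the failure came before that wait elapsed.
    """
    started = dnssleep = failed = None
    for ts, _level, msg in parse_log(text):
        if msg.startswith("running acme.sh command:"):
            started = ts
            m = DNSSLEEP_RE.search(msg)
            dnssleep = int(m["secs"]) if m else 0
        elif msg.startswith("domain validation failed") and started and failed is None:
            failed = ts
    if started is None or failed is None:
        return None
    expected = dnssleep if dnssleep else POLL_CEILING
    elapsed = (failed - started).total_seconds()
    return {"dnssleep": dnssleep, "expected_wait": expected,
            "elapsed": elapsed, "premature": elapsed < expected}
```

A failure flagged as premature means acme.sh never reached its DNS wait at all, which usually points at the DNS API hook (here dns_gandi_livedns) returning an error before the TXT record was added, so the acme.sh --debug output is the place to look rather than the dnssleep value.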