OPNsense

Messages - hansdampf

16
German - Deutsch / Hostname resolution from DHCPv4 with IPv6...
« on: January 18, 2024, 08:14:26 pm »
A new question about IPv6:
The hosts in my network have all been assigned a static IP via DHCP.
Is there a (hopefully) simple solution so that the hosts are also reachable by name via IPv6?
Do I have to assign each of them individually in DHCP6 as well, or is there another way to get the mappings?

17
German - Deutsch / Re: ntpdate: Port 123 (UDP) blocked? What does the firewall rule have to look like?
« on: January 18, 2024, 06:17:05 pm »
Here is a great guide: https://forum.opnsense.org/index.php?topic=9245.0
I hope that helps...

18
German - Deutsch / Re: IPv6 behind Fritzbox with netcologne
« on: January 18, 2024, 05:55:49 pm »
On one: Great!
On DNS6: Unbound is the only resolver, no other DNS servers are active. (Makes no sense for me in my setup.)
I just saw that DNS4 + IP6 as well as DNS6 + IP4 are now both green. Fallback & DNS6 + IP6 are still red.

Update: All DNS entries are green. A port forward for the internal network to the router was still missing.

Thanks again for the help!!!

19
German - Deutsch / Re: IPv6 behind Fritzbox with netcologne
« on: January 18, 2024, 04:43:32 pm »
Oh no, knot in my head! Now everything at the front of the IPv6 test is green, only for SLAAC it shows NO, though in green.
Fallback is still red under Browsers, and DNS6 + IP4 as well as DNS6 + IP6 are still red.
How can I get those sorted?

Once again, many thanks for this super-fast help!!!

20
German - Deutsch / Re: IPv6 behind Fritzbox with netcologne
« on: January 18, 2024, 04:24:10 pm »
Hello Maurice,
on one: yes, I saw that in the network settings on the Mac: the router's IPv6 starts with fb80.
on two: yes, in the LAN everything is green with RA switched on. Only towards the outside everything times out, as long as I don't somehow have the hosts in the local cache.
I have also already looked in Unbound, I just can't find any explicit IPv6 settings apart from the DNS64 setting under General. DNS64 support is on, the DNS64 prefix is 64:ff9b::/96.
Register leases and static mappings are on.
Enable AAAA-only mode is off.
Do not register IPv6 Link-Local addresses is on,
Zone type transparent.
Interfaces are LAN, OVPN, WG.
Query forwarding and DNS over TLS are off.
No domain overrides active,
Access list is only local networks, I haven't changed anything there.
So I'm really stumped, but I expect something completely unexpected...

But many thanks already for the quick help!

21
German - Deutsch / (Solved) IPv6 behind Fritzbox with netcologne
« on: January 18, 2024, 01:28:49 am »
I have been trying for days to get IPv6 working; I went through the whole thing following the OPNsense help guide.
The FB is set up: Exposed Host sharing to the OPNsense (it gets an IPv4 address via DHCP with a fixed assigned address).
Under IPv6 settings all 3 checkboxes are ticked.
Under Network - Settings - IPv6 the following is set:
Always assign ULA,
Also allow IPv6 prefixes ticked,
This FRITZ!Box provides the default internet access ticked,
RA preference medium,
DNSv6 server ticked,
the DNS server field contains an address assigned by the FB: fd09:0:0:0:xxx:xxx:xxx:ffc9,
Enable DHCP server is on,
Assign DNS server and IA_PD.
Under Prefixes it shows:
WAN 2001:4dd0:xxxx:xxxx::/64
Delegated 2a0a:axxx:xxxx:80::/57
Nothing for home or guest network.

On the OPNsense the WAN interface has
IPv6 configuration type DHCPv6,
Config type basic,
Request prefix on,
Prefix delegation size 57,
Send prefix hint on.

The LAN interface is set to:
IPv6 interface WAN,
IPv6 prefix ID 0x1,
Manual configuration on.

Router Advertisements LAN: Assisted, priority normal, Provide default gateway is on, the rest as default: so everything empty.
DHCPv6 server is on.
Subnet: 2a0a:xxxx:xxxx:81::
Available range: 2a0a:xxxx:xxxx:81:: - 2a0a:xxxx:xxxx:81:ffff:ffff:ffff:ffff
Range: 2a0a:xxxx:xxxx:81::2:0:0 - 2a0a:xxxx:xxxx:81:2:0:0:ffff
For available size it shows 58
The rest is empty, only a tick at Change time...

In addition I added a port forward for IPv6 ICMP with destination LAN net, so that reachability via ping6 is given (ipv6-test.com otherwise showed "filtered" under IPv6).

My problem: The moment I switch on RA, regardless of which value (unmanaged, managed, assisted etc.), my internet connection is gone. I can reach IPs via ping and ping6, but the browser no longer finds anything. RA off, and everything is back.
At IPv6-Test.com it looks like this:
Image 1: Router Advertisements off
Image 2: Router Advertisements on

What could be going wrong there? Over the last few days I have tried all sorts of things, and also tested the automatic RA configuration (LAN interface, tick removed at "Manual configuration").
On my Mac I saw that the router was not given via IPv6 with DHCPv6; if I set that to manual and enter the IPv6 LAN address of the OPNsense and enter an address from the available range, then all 3 DNS results at IPv6-test.com are green. Only IPv4 stays off.
I would be very grateful for any help. - My IPv6 knowledge is very rudimentary...
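
The prefix arithmetic behind the setup in the post above (a /57 delegation, prefix ID 0x1, a LAN subnet ending in 81), as an added example that is not part of the original post. The documentation prefix 2001:db8:1234:5680::/57, the pool addresses and the function names are constructed for illustration.

```python
import ipaddress


def max_prefix_id(delegated: str, lan_len: int = 64) -> int:
    """Largest prefix ID that fits between the delegation and the LAN length."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if not pd.prefixlen <= lan_len <= 128:
        raise ValueError("LAN prefix must not be shorter than the delegation")
    return (1 << (lan_len - pd.prefixlen)) - 1


def lan_subnet(delegated: str, prefix_id: int, lan_len: int = 64) -> ipaddress.IPv6Network:
    """Derive the LAN prefix by placing prefix_id in the bits between
    the delegated prefix length and lan_len."""
    pd = ipaddress.IPv6Network(delegated, strict=True)  # rejects host bits
    if not 0 <= prefix_id <= max_prefix_id(delegated, lan_len):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in /{pd.prefixlen}")
    base = int(pd.network_address) | (prefix_id << (128 - lan_len))
    return ipaddress.IPv6Network((base, lan_len))


def check_pool(subnet: ipaddress.IPv6Network, first: str, last: str) -> list:
    """Return a list of problems with a DHCPv6 pool; empty means consistent."""
    problems = []
    a, b = ipaddress.IPv6Address(first), ipaddress.IPv6Address(last)
    if a not in subnet:
        problems.append(f"pool start {a} is outside {subnet}")
    if b not in subnet:
        problems.append(f"pool end {b} is outside {subnet}")
    if a > b:
        problems.append("pool start is above pool end")
    return problems


# Constructed sample values (documentation prefix, not the poster's addresses).
DELEGATED = "2001:db8:1234:5680::/57"
PREFIX_ID = 0x1

if __name__ == "__main__":
    lan = lan_subnet(DELEGATED, PREFIX_ID)
    print("delegated :", DELEGATED)
    print("usable IDs: 0x0 ..", hex(max_prefix_id(DELEGATED)))
    print("LAN subnet:", lan)
    print("pool check:", check_pool(lan, "2001:db8:1234:5681::1000",
                                    "2001:db8:1234:5681::2000") or "ok")
    # A pool left over from a different prefix ID is reported as outside the LAN.
    print("stale pool:", check_pool(lan, "2001:db8:1234:5680::1000",
                                    "2001:db8:1234:5680::2000"))
```

A /57 leaves 7 bits for the prefix ID, so IDs 0x0 to 0x7f each map to one /64 inside the delegation.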


22
23.7 Legacy Series / Re: Strange Letsencrypt problem
« on: January 16, 2024, 08:41:50 pm »
Ok, tried again, this time with debug-level 3 (I didn't see that I can change log-level before: sorry)
Log is here, again with changed private parts:

Upper part of the log was a new try by adding the TXT-record manually inside my ddnss.de account. The TXT-record I extracted from the log was arjxxx. After the fail I revoked the cert and removed it, started the Cert-section of the acme-client of opnsense from scratch.

Code:
openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
features:
  #define WITH_HELP 1
  #define WITH_STATS 1
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_SOCKETPAIR 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_DCCP 1
  #define WITH_UDPLITE 1
  #define WITH_LISTEN 1
  #undef WITH_POSIXMQ
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_SOCKS5 1
  #undef WITH_VSOCK
  #undef WITH_NAMESPACES
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_SHELL 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
  #define WITH_DEFAULT_IPV 4
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: remove
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
_name_.ddnss.de is removed, the key and cert files are in /var/etc/acme-client/home/_name_.ddnss.de_ecc
You can remove them by yourself.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: issue
_main_domain='_name_.ddnss.de'
_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.K6JJsuj0  -g '
ret='0'
ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Using CA: https://acme-v02.api.letsencrypt.org/directory
_on_before_issue
_chk_main_domain='_name_.ddnss.de'
_chk_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Le_LocalAddress
d='_name_.ddnss.de'
Check for domain='_name_.ddnss.de'
_currentRoot='dns_ddnss'
d='ovpn._name_.ddnss.de'
Check for domain='ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
d='wg._name_.ddnss.de'
Check for domain='wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
d
_saved_account_key_hash is not changed, skip register account.
Read key length:2048
Creating domain key
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
Use length 384
Using ec name: secp384r1
The domain key is here: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
_createcsr
Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
Getting domain auth token for each domain
d='ovpn._name_.ddnss.de'
d='wg._name_.ddnss.de'
d
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/new-order'
payload='{"identifiers": [{"type":"dns","value":"_name_.ddnss.de"},{"type":"dns","value":"ovpn._name_.ddnss.de"},{"type":"dns","value":"wg._name_.ddnss.de"}]}'
RSA key
HEAD
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g  -I  '
_ret='0'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='201'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1499440536/237161386366'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1499440536/237161386366'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
d='_name_.ddnss.de'
Getting webroot for domain='_name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ","token":"JIGxxx"'
token='JIGxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
keyauthorization='JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='_name_.ddnss.de#JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246'
d='ovpn._name_.ddnss.de'
Getting webroot for domain='ovpn._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg","token":"klmxxx"'
token='klmxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
keyauthorization='klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='ovpn._name_.ddnss.de#klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256'
d='wg._name_.ddnss.de'
Getting webroot for domain='wg._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q","token":"mQSxxx"'
token='mQSxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
keyauthorization='mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='wg._name_.ddnss.de#mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266'
d
vlist='_name_.ddnss.de#JIGxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393246,ovpn._name_.ddnss.de#klmxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393256,wg._name_.ddnss.de#mQSxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304869393266,'
d='_name_.ddnss.de'
_d_alias='=_name_.ddnss.de'
txtdomain='_name_.ddnss.de'
txt='arjxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: arjxxx for domain:  _name_.ddnss.de
Error extracting the domain.
Error add txt for domain:_name_.ddnss.de
_on_issue_err
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393246/Rz2ICQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393256/Ax3gTg'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304869393266/of851Q'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.VYzGoqve  -g '
_ret='0'
code='200'
Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
features:
  #define WITH_HELP 1
  #define WITH_STATS 1
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_SOCKETPAIR 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_DCCP 1
  #define WITH_UDPLITE 1
  #define WITH_LISTEN 1
  #undef WITH_POSIXMQ
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_SOCKS5 1
  #undef WITH_VSOCK
  #undef WITH_NAMESPACES
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_SHELL 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
  #define WITH_DEFAULT_IPV 4
pid
No need to restore nginx, skip.
_clearupdns
dns_entries
skip dns.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: remove
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de_ecc'
_name_.ddnss.de is removed, the key and cert files are in /var/etc/acme-client/home/_name_.ddnss.de_ecc
You can remove them by yourself.
Using server: https://acme-v02.api.letsencrypt.org/directory
Running cmd: issue
_main_domain='_name_.ddnss.de'
_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
DOMAIN_PATH='/var/etc/acme-client/home/_name_.ddnss.de'
Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
_init api for server: https://acme-v02.api.letsencrypt.org/directory
GET
url='https://acme-v02.api.letsencrypt.org/directory'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.f4YHeerM  -g '
ret='0'
ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
ACME_NEW_AUTHZ
ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
Using CA: https://acme-v02.api.letsencrypt.org/directory
_on_before_issue
_chk_main_domain='_name_.ddnss.de'
_chk_alt_domains='ovpn._name_.ddnss.de,wg._name_.ddnss.de'
Le_LocalAddress
d='_name_.ddnss.de'
Check for domain='_name_.ddnss.de'
_currentRoot='dns_ddnss'
d='ovpn._name_.ddnss.de'
Check for domain='ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
d='wg._name_.ddnss.de'
Check for domain='wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
d
_saved_account_key_hash is not changed, skip register account.
Read key length:2048
Creating domain key
Using config home:/var/etc/acme-client/home
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
Use length 4096
Using RSA: 4096
The domain key is here: /var/etc/acme-client/home/_name_.ddnss.de/_name_.ddnss.de.key
_createcsr
Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
Getting domain auth token for each domain
d='ovpn._name_.ddnss.de'
d='wg._name_.ddnss.de'
d
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/new-order'
payload='{"identifiers": [{"type":"dns","value":"_name_.ddnss.de"},{"type":"dns","value":"ovpn._name_.ddnss.de"},{"type":"dns","value":"wg._name_.ddnss.de"}]}'
RSA key
HEAD
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g  -I  '
_ret='0'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='201'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1499440536/237166762976'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1499440536/237166762976'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
d='_name_.ddnss.de'
Getting webroot for domain='_name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ","token":"ffnxxx"'
token='ffnxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
keyauthorization='ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='_name_.ddnss.de#ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
d='ovpn._name_.ddnss.de'
Getting webroot for domain='ovpn._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw","token":"8vDxxx"'
token='8vDxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
keyauthorization='8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='ovpn._name_.ddnss.de#8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776'
d='wg._name_.ddnss.de'
Getting webroot for domain='wg._name_.ddnss.de'
_w='dns_ddnss'
_currentRoot='dns_ddnss'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ","token":"19xxxx"'
token='19xxxx'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
keyauthorization='19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
dvlist='wg._name_.ddnss.de#19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786'
d
vlist='_name_.ddnss.de#ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766,ovpn._name_.ddnss.de#8vDxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000776,wg._name_.ddnss.de#19xxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s#https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ#dns-01#dns_ddnss#https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000786,'
d='_name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge._name_.ddnss.de'
txt='vDXxxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: vDXxxxx for domain:  _acme-challenge._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=vDXxxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
d='ovpn._name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge.ovpn._name_.ddnss.de'
txt='1FTxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: 1FTxxx for domain:  _acme-challenge.ovpn._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=1FTxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
d='wg._name_.ddnss.de'
_d_alias
txtdomain='_acme-challenge.wg._name_.ddnss.de'
txt='zaHxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
Adding txt value: zaHxxx for domain:  _acme-challenge.wg._name_.ddnss.de
Trying to add TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=1&txt=zaHxxx'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully added to your DDNSS domain.
Note that all subdomains under this domain uses the same TXT record.
The txt record is added: Success.
Sleep 120 seconds for the txt records to take effect
ok, let's start to verify
Verifying: _name_.ddnss.de
d='_name_.ddnss.de'
keyauthorization='ffnxxx.06Iu9clXcEohd1PEgIHzB6LWoFJIlIXqNYKD8acPD3s'
uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_currentRoot='dns_ddnss'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
trigger validation code: 200
Lets check the status of the authz
Pending, The CA is processing your order, please just wait. (1/30)
sleep 2 secs to verify again
checking
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
payload
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/304877000766'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
Invalid status, _name_.ddnss.de:Verify error detail:Incorrect TXT record
Skip for removelevel:
pid
No need to restore nginx, skip.
_clearupdns
dns_entries='_name_.ddnss.de,_acme-challenge._name_.ddnss.de,,dns_ddnss,vDXxxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
ovpn._name_.ddnss.de,_acme-challenge.ovpn._name_.ddnss.de,,dns_ddnss,1FTxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
wg._name_.ddnss.de,_acme-challenge.wg._name_.ddnss.de,,dns_ddnss,zaHxxx,/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh
'
Removing DNS records.
d='_name_.ddnss.de'
txtdomain='_acme-challenge._name_.ddnss.de'
aliasDomain='_acme-challenge._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='vDXxxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: vDXxxxx for domain: _acme-challenge._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
d='ovpn._name_.ddnss.de'
txtdomain='_acme-challenge.ovpn._name_.ddnss.de'
aliasDomain='_acme-challenge.ovpn._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='1FTxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: 1FTxxx for domain: _acme-challenge.ovpn._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
d='wg._name_.ddnss.de'
txtdomain='_acme-challenge.wg._name_.ddnss.de'
aliasDomain='_acme-challenge.wg._name_.ddnss.de'
_currentRoot='dns_ddnss'
txt='zaHxxx'
d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_ddnss.sh'
Removing txt: zaHxxx for domain: _acme-challenge.wg._name_.ddnss.de
Trying to remove TXT record
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
GET
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
ret='0'
TXT record has been successfully removed from your DDNSS domain.
Removed: Success
_on_issue_err
Please add '--debug' or '--log' to check more details.
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000766/zkr5bQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='400'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000776/6tBmxw'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
=======Begin Send Signed Request=======
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
payload='{}'
POST
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/304877000786/LBZXZQ'
_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.s1L8dAIJ  -g '
_ret='0'
code='200'
Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1t-freebsd  7 Feb 2023
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.8.0.0 on Dec 12 2023 01:40:08
   running on FreeBSD version FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP, release 13.2-RELEASE-p7, machine amd64
features:
  #define WITH_HELP 1
  #define WITH_STATS 1
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_SOCKETPAIR 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_DCCP 1
  #define WITH_UDPLITE 1
  #define WITH_LISTEN 1
  #undef WITH_POSIXMQ
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_SOCKS5 1
  #undef WITH_VSOCK
  #undef WITH_NAMESPACES
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_SHELL 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/
  #define WITH_DEFAULT_IPV 4


I did a revoke and delete of the previous certs and started a new try by adding a completely new Cert-Entry, entered the dom and the sub-doms, set challenge-type and the rest of the entries as default.
Now I saw a new TXT record that was set automatically inside the account at ddnss.de.
So far so good.
But wait, it entered 3 TXT records, but I only saw 1 TXT record inside my ddnss.de account. And now, when checking the whole thing, acme found "Invalid status, _name_.ddnss.de:Verify error detail:Incorrect TXT record" and removed the whole thing. At ddnss.de, "TXT records" and "ACME DNS" were unchecked afterwards.
So I seem to have made a wrong setting somewhere.
At ddnss.de I checked "TXT Record" and "ACME DNS". --> was removed by acme.sh

See the screenshot of the setting "Certs":
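The debug output in this post logs the same `host=` value in every hook call while `txtdomain` differs per name. As an added example (not code from the post or from acme.sh), the following groups hook calls by the `host` parameter sent to the update URL and masks the `key=` value before such a log is shared; the sample lines are constructed in the format of the log above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in the key='value' format of the debug log above.
# The first block (apex name, txt value) is a made-up placeholder.
SAMPLE_DEBUG = """\
d='_name_.ddnss.de'
txtdomain='_acme-challenge._name_.ddnss.de'
txt='AAAxxx'
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
url='https://ddnss.de/upd.php?key=6axxxx&host=_name_.ddnss.de&txtm=2'
d='ovpn._name_.ddnss.de'
txtdomain='_acme-challenge.ovpn._name_.ddnss.de'
txt='1FTxxx'
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
timeout=
d='wg._name_.ddnss.de'
txtdomain='_acme-challenge.wg._name_.ddnss.de'
txt='zaHxxx'
param='key=6axxxx&host=_name_.ddnss.de&txtm=2'
"""

KV_RE = re.compile(r"^(?P<key>\w+)='(?P<val>.*)'$")
KEY_RE = re.compile(r"(key=)[^&'\s]+")


def parse_hook_calls(text):
    """Return one dict per d='...' block: name, txtdomain, txt, api_host."""
    calls, cur = [], None
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue  # free-text lines and empty assignments such as "timeout="
        key, val = m["key"], m["val"]
        if key == "d":
            cur = {"name": val}
            calls.append(cur)
        elif cur is None:
            continue
        elif key in ("txtdomain", "txt"):
            cur[key] = val
        elif key == "param":
            # The hook's query string: which record the API is asked to touch.
            cur["api_host"] = parse_qs(val).get("host", [""])[0]
    return calls


def shared_record_targets(calls):
    """Map each API host to the challenge names sent to it, if more than one."""
    by_host = defaultdict(set)
    for c in calls:
        if "api_host" in c and "txtdomain" in c:
            by_host[c["api_host"]].add(c["txtdomain"])
    return {h: sorted(n) for h, n in by_host.items() if len(n) > 1}


def redact_keys(text):
    """Mask the update key wherever it appears in param= or url= lines."""
    return KEY_RE.sub(r"\1REDACTED", text)


if __name__ == "__main__":
    for host, names in shared_record_targets(parse_hook_calls(SAMPLE_DEBUG)).items():
        print(f"{len(names)} challenge names sent with host={host}:")
        for n in names:
            print("  ", n)
    print(redact_keys(SAMPLE_DEBUG).splitlines()[3])
```
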



23
23.7 Legacy Series / Re: Strange Letsencrypt problem
« on: January 12, 2024, 08:51:05 pm »
ok!
So I added the creation log, where I tested the HTTP-01 and DNS-01 via the "Test CA". I had created that thing that night, so it's the only "old" log I have. The new log is from today, when I switched from "Test CA" to "Standard CA". Both logs are complete, only private parts removed/changed.

Hope that helps...

acmeclient logs:
Code:
New log:
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 39529 - [meta sequenceId="1"] [Fri Jan 12 16:27:29 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 82610 - [meta sequenceId="2"] [Fri Jan 12 16:27:29 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 93894 - [meta sequenceId="3"] [Fri Jan 12 16:27:29 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 96060 - [meta sequenceId="4"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 17876 - [meta sequenceId="5"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 36573 - [meta sequenceId="6"] [Fri Jan 12 16:27:32 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 67922 - [meta sequenceId="7"] [Fri Jan 12 16:27:32 CET 2024] Adding txt value: KPxxx for domain:  _acme-challenge._name_.ddnss.de
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 75458 - [meta sequenceId="8"] [Fri Jan 12 16:27:32 CET 2024] Trying to add TXT record
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 80690 - [meta sequenceId="9"] [Fri Jan 12 16:27:32 CET 2024] Errors happened during adding the TXT record, response=- badauth : Invalid username or password.  Authentication failed.
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 82718 - [meta sequenceId="10"] [Fri Jan 12 16:27:32 CET 2024] Error add txt for domain:_acme-challenge._name_.ddnss.de
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 85754 - [meta sequenceId="11"] [Fri Jan 12 16:27:32 CET 2024] Please add '--debug' or '--log' to check more details.
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 88343 - [meta sequenceId="12"] [Fri Jan 12 16:27:32 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 98426 - [meta sequenceId="1"] [Fri Jan 12 16:28:32 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 40034 - [meta sequenceId="2"] [Fri Jan 12 16:28:32 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 55875 - [meta sequenceId="3"] [Fri Jan 12 16:28:32 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 55450 - [meta sequenceId="4"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 72617 - [meta sequenceId="5"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 86034 - [meta sequenceId="6"] [Fri Jan 12 16:28:36 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 24513 - [meta sequenceId="7"] [Fri Jan 12 16:28:36 CET 2024] _name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 33294 - [meta sequenceId="8"] [Fri Jan 12 16:28:36 CET 2024] ovpn._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 41728 - [meta sequenceId="9"] [Fri Jan 12 16:28:36 CET 2024] wg._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 45285 - [meta sequenceId="10"] [Fri Jan 12 16:28:36 CET 2024] Verify finished, start to sign.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 52187 - [meta sequenceId="11"] [Fri Jan 12 16:28:36 CET 2024] Lets finalize the order.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 54630 - [meta sequenceId="12"] [Fri Jan 12 16:28:36 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxyy/13yyxx'
<14>1 2024-01-12T16:28:37+01:00 opnsense.localdomain acme.sh 84901 - [meta sequenceId="13"] [Fri Jan 12 16:28:37 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-12T16:28:37+01:00 opnsense.localdomain acme.sh 88687 - [meta sequenceId="14"] [Fri Jan 12 16:28:37 CET 2024] Retry after: 3
<14>1 2024-01-12T16:28:40+01:00 opnsense.localdomain acme.sh 92984 - [meta sequenceId="15"] [Fri Jan 12 16:28:40 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxyy/13yyxx
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 22191 - [meta sequenceId="16"] [Fri Jan 12 16:28:41 CET 2024] Downloading cert.
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 25018 - [meta sequenceId="17"] [Fri Jan 12 16:28:41 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bxxx'
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 57945 - [meta sequenceId="18"] [Fri Jan 12 16:28:41 CET 2024] Cert success.
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 61303 - [meta sequenceId="19"] [Fri Jan 12 16:28:41 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 64291 - [meta sequenceId="20"] [Fri Jan 12 16:28:41 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 71541 - [meta sequenceId="21"] [Fri Jan 12 16:28:41 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 73801 - [meta sequenceId="22"] [Fri Jan 12 16:28:41 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 24683 - [meta sequenceId="23"] [Fri Jan 12 16:28:41 CET 2024] Installing cert to: /var/etc/acme-client/certs/6597xxx/cert.pem
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 28976 - [meta sequenceId="24"] [Fri Jan 12 16:28:42 CET 2024] Installing CA to: /var/etc/acme-client/certs/6597xxx/chain.pem
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 33089 - [meta sequenceId="25"] [Fri Jan 12 16:28:42 CET 2024] Installing key to: /var/etc/acme-client/keys/6597xxx/private.key
<14>1 2024-01-12T16:28:42+01:00 opnsense.localdomain acme.sh 36157 - [meta sequenceId="26"] [Fri Jan 12 16:28:42 CET 2024] Installing full chain to: /var/etc/acme-client/certs/6597xxx/fullchain.pem
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 77180 - [meta sequenceId="1"] [Fri Jan 12 18:03:02 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 21686 - [meta sequenceId="2"] [Fri Jan 12 18:03:02 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-12T18:03:02+01:00 opnsense.localdomain acme.sh 36101 - [meta sequenceId="3"] [Fri Jan 12 18:03:02 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 45712 - [meta sequenceId="4"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 69730 - [meta sequenceId="5"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 87669 - [meta sequenceId="6"] [Fri Jan 12 18:03:05 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 18339 - [meta sequenceId="7"] [Fri Jan 12 18:03:05 CET 2024] Adding txt value: 1Zxxx for domain:  _acme-challenge._name_.ddnss.de
<14>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 25213 - [meta sequenceId="8"] [Fri Jan 12 18:03:05 CET 2024] Trying to add TXT record
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 31429 - [meta sequenceId="9"] [Fri Jan 12 18:03:05 CET 2024] Errors happened during adding the TXT record, response=- badauth : Invalid username or password.  Authentication failed.
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 34119 - [meta sequenceId="10"] [Fri Jan 12 18:03:05 CET 2024] Error add txt for domain:_acme-challenge._name_.ddnss.de
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 35533 - [meta sequenceId="11"] [Fri Jan 12 18:03:05 CET 2024] Please add '--debug' or '--log' to check more details.
<11>1 2024-01-12T18:03:05+01:00 opnsense.localdomain acme.sh 38325 - [meta sequenceId="12"] [Fri Jan 12 18:03:05 CET 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

old log (Creation):
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 88909 - [meta sequenceId="1"] [Fri Jan  5 00:54:05 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 31713 - [meta sequenceId="2"] [Fri Jan  5 00:54:05 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-05T00:54:05+01:00 opnsense.localdomain acme.sh 46005 - [meta sequenceId="3"] [Fri Jan  5 00:54:05 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 23868 - [meta sequenceId="4"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 47366 - [meta sequenceId="5"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 69674 - [meta sequenceId="6"] [Fri Jan  5 00:54:08 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 16624 - [meta sequenceId="7"] [Fri Jan  5 00:54:08 CET 2024] _name_.ddnss.de is already verified, skip http-01.
<14>1 2024-01-05T00:54:08+01:00 opnsense.localdomain acme.sh 27362 - [meta sequenceId="8"] [Fri Jan  5 00:54:08 CET 2024] Verifying: ovpn._name_.ddnss.de
<14>1 2024-01-05T00:54:09+01:00 opnsense.localdomain acme.sh 63299 - [meta sequenceId="9"] [Fri Jan  5 00:54:09 CET 2024] Pending, The CA is processing your order, please just wait. (1/30)
<14>1 2024-01-05T00:54:12+01:00 opnsense.localdomain acme.sh 98641 - [meta sequenceId="10"] [Fri Jan  5 00:54:12 CET 2024] Pending, The CA is processing your order, please just wait. (2/30)
<14>1 2024-01-05T00:54:14+01:00 opnsense.localdomain acme.sh 36071 - [meta sequenceId="11"] [Fri Jan  5 00:54:14 CET 2024] Pending, The CA is processing your order, please just wait. (3/30)
<14>1 2024-01-05T00:54:17+01:00 opnsense.localdomain acme.sh 76477 - [meta sequenceId="12"] [Fri Jan  5 00:54:17 CET 2024] Pending, The CA is processing your order, please just wait. (4/30)
<14>1 2024-01-05T00:54:19+01:00 opnsense.localdomain acme.sh 9650 - [meta sequenceId="13"] [Fri Jan  5 00:54:19 CET 2024] Pending, The CA is processing your order, please just wait. (5/30)
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 49599 - [meta sequenceId="14"] [Fri Jan  5 00:54:22 CET 2024] Success
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 60251 - [meta sequenceId="15"] [Fri Jan  5 00:54:22 CET 2024] Verifying: wg._name_.ddnss.de
<14>1 2024-01-05T00:54:22+01:00 opnsense.localdomain acme.sh 97693 - [meta sequenceId="16"] [Fri Jan  5 00:54:22 CET 2024] Pending, The CA is processing your order, please just wait. (1/30)
<14>1 2024-01-05T00:54:25+01:00 opnsense.localdomain acme.sh 39852 - [meta sequenceId="17"] [Fri Jan  5 00:54:25 CET 2024] Pending, The CA is processing your order, please just wait. (2/30)
<14>1 2024-01-05T00:54:27+01:00 opnsense.localdomain acme.sh 79634 - [meta sequenceId="18"] [Fri Jan  5 00:54:27 CET 2024] Pending, The CA is processing your order, please just wait. (3/30)
<14>1 2024-01-05T00:54:30+01:00 opnsense.localdomain acme.sh 14412 - [meta sequenceId="19"] [Fri Jan  5 00:54:30 CET 2024] Pending, The CA is processing your order, please just wait. (4/30)
<14>1 2024-01-05T00:54:33+01:00 opnsense.localdomain acme.sh 51798 - [meta sequenceId="20"] [Fri Jan  5 00:54:33 CET 2024] Pending, The CA is processing your order, please just wait. (5/30)
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 4226 - [meta sequenceId="21"] [Fri Jan  5 00:54:35 CET 2024] Success
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 9650 - [meta sequenceId="22"] [Fri Jan  5 00:54:35 CET 2024] Verify finished, start to sign.
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 17316 - [meta sequenceId="23"] [Fri Jan  5 00:54:35 CET 2024] Lets finalize the order.
<14>1 2024-01-05T00:54:35+01:00 opnsense.localdomain acme.sh 20026 - [meta sequenceId="24"] [Fri Jan  5 00:54:35 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxx/13443807974'
<14>1 2024-01-05T00:54:36+01:00 opnsense.localdomain acme.sh 59744 - [meta sequenceId="25"] [Fri Jan  5 00:54:36 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-05T00:54:36+01:00 opnsense.localdomain acme.sh 65402 - [meta sequenceId="26"] [Fri Jan  5 00:54:36 CET 2024] Retry after: 3
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 7080 - [meta sequenceId="27"] [Fri Jan  5 00:54:39 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxx/13443807974
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 36971 - [meta sequenceId="28"] [Fri Jan  5 00:54:39 CET 2024] Downloading cert.
<14>1 2024-01-05T00:54:39+01:00 opnsense.localdomain acme.sh 39554 - [meta sequenceId="29"] [Fri Jan  5 00:54:39 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b5xxx'
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 77721 - [meta sequenceId="30"] [Fri Jan  5 00:54:40 CET 2024] Cert success.
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 80950 - [meta sequenceId="31"] [Fri Jan  5 00:54:40 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 83360 - [meta sequenceId="32"] [Fri Jan  5 00:54:40 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 91871 - [meta sequenceId="33"] [Fri Jan  5 00:54:40 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 95700 - [meta sequenceId="34"] [Fri Jan  5 00:54:40 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 47639 - [meta sequenceId="35"] [Fri Jan  5 00:54:40 CET 2024] Installing cert to: /var/etc/acme-client/certs/65yyy/cert.pem
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 51984 - [meta sequenceId="36"] [Fri Jan  5 00:54:40 CET 2024] Installing CA to: /var/etc/acme-client/certs/65yyy/chain.pem
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 55374 - [meta sequenceId="37"] [Fri Jan  5 00:54:40 CET 2024] Installing key to: /var/etc/acme-client/keys/65yyy/private.key
<14>1 2024-01-05T00:54:40+01:00 opnsense.localdomain acme.sh 59461 - [meta sequenceId="38"] [Fri Jan  5 00:54:40 CET 2024] Installing full chain to: /var/etc/acme-client/certs/65yyy/fullchain.pem
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 26225 - [meta sequenceId="1"] [Fri Jan  5 00:56:16 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 71501 - [meta sequenceId="2"] [Fri Jan  5 00:56:16 CET 2024] Multi domain='DNS:_name_.ddnss.de,DNS:ovpn._name_.ddnss.de,DNS:wg._name_.ddnss.de'
<14>1 2024-01-05T00:56:16+01:00 opnsense.localdomain acme.sh 87697 - [meta sequenceId="3"] [Fri Jan  5 00:56:16 CET 2024] Getting domain auth token for each domain
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 81826 - [meta sequenceId="4"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='_name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 895 - [meta sequenceId="5"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='ovpn._name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 18687 - [meta sequenceId="6"] [Fri Jan  5 00:56:19 CET 2024] Getting webroot for domain='wg._name_.ddnss.de'
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 64574 - [meta sequenceId="7"] [Fri Jan  5 00:56:19 CET 2024] _name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 75070 - [meta sequenceId="8"] [Fri Jan  5 00:56:19 CET 2024] ovpn._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 86496 - [meta sequenceId="9"] [Fri Jan  5 00:56:19 CET 2024] wg._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 90662 - [meta sequenceId="10"] [Fri Jan  5 00:56:19 CET 2024] Verify finished, start to sign.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 139 - [meta sequenceId="11"] [Fri Jan  5 00:56:19 CET 2024] Lets finalize the order.
<14>1 2024-01-05T00:56:19+01:00 opnsense.localdomain acme.sh 2483 - [meta sequenceId="12"] [Fri Jan  5 00:56:19 CET 2024] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xxx/13yyy'
<14>1 2024-01-05T00:56:20+01:00 opnsense.localdomain acme.sh 38212 - [meta sequenceId="13"] [Fri Jan  5 00:56:20 CET 2024] Order status is processing, lets sleep and retry.
<14>1 2024-01-05T00:56:20+01:00 opnsense.localdomain acme.sh 43236 - [meta sequenceId="14"] [Fri Jan  5 00:56:20 CET 2024] Retry after: 3
<14>1 2024-01-05T00:56:23+01:00 opnsense.localdomain acme.sh 49446 - [meta sequenceId="15"] [Fri Jan  5 00:56:23 CET 2024] Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xxx/13yyy
<14>1 2024-01-05T00:56:24+01:00 opnsense.localdomain acme.sh 77453 - [meta sequenceId="16"] [Fri Jan  5 00:56:24 CET 2024] Downloading cert.
<14>1 2024-01-05T00:56:24+01:00 opnsense.localdomain acme.sh 80646 - [meta sequenceId="17"] [Fri Jan  5 00:56:24 CET 2024] Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2b6xxx'
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 19710 - [meta sequenceId="18"] [Fri Jan  5 00:56:25 CET 2024] Cert success.
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 23539 - [meta sequenceId="19"] [Fri Jan  5 00:56:25 CET 2024] Your cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 26770 - [meta sequenceId="20"] [Fri Jan  5 00:56:25 CET 2024] Your cert key is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/_name_.ddnss.de.key
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 33539 - [meta sequenceId="21"] [Fri Jan  5 00:56:25 CET 2024] The intermediate CA cert is in: /var/etc/acme-client/home/_name_.ddnss.de_ecc/ca.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 35719 - [meta sequenceId="22"] [Fri Jan  5 00:56:25 CET 2024] And the full chain certs is there: /var/etc/acme-client/home/_name_.ddnss.de_ecc/fullchain.cer
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 88122 - [meta sequenceId="23"] [Fri Jan  5 00:56:25 CET 2024] Installing cert to: /var/etc/acme-client/certs/65xxx/cert.pem
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 90581 - [meta sequenceId="24"] [Fri Jan  5 00:56:25 CET 2024] Installing CA to: /var/etc/acme-client/certs/65xxx/chain.pem
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 93726 - [meta sequenceId="25"] [Fri Jan  5 00:56:25 CET 2024] Installing key to: /var/etc/acme-client/keys/65xxx/private.key
<14>1 2024-01-05T00:56:25+01:00 opnsense.localdomain acme.sh 98057 - [meta sequenceId="26"] [Fri Jan  5 00:56:25 CET 2024] Installing full chain to: /var/etc/acme-client/certs/65xxx/fullchain.pem

The acme.sh.log is empty
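The log above mixes several acme.sh runs, each starting at a `Using CA:` line. As an added example (not code from the post or from the plugin), this splits such a syslog stream into runs and records, per run, whether the DNS hook was called at all or whether every name was skipped as "already verified"; the sample is a constructed excerpt in the log's format, and the verdict labels are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the acmeclient log above (placeholders kept).
SAMPLE_LOG = """\
<14>1 2024-01-12T16:27:29+01:00 opnsense.localdomain acme.sh 39529 - [meta sequenceId="1"] [Fri Jan 12 16:27:29 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 67922 - [meta sequenceId="7"] [Fri Jan 12 16:27:32 CET 2024] Adding txt value: KPxxx for domain:  _acme-challenge._name_.ddnss.de
<14>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 75458 - [meta sequenceId="8"] [Fri Jan 12 16:27:32 CET 2024] Trying to add TXT record
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 80690 - [meta sequenceId="9"] [Fri Jan 12 16:27:32 CET 2024] Errors happened during adding the TXT record, response=- badauth : Invalid username or password.  Authentication failed.
<11>1 2024-01-12T16:27:32+01:00 opnsense.localdomain acme.sh 82718 - [meta sequenceId="10"] [Fri Jan 12 16:27:32 CET 2024] Error add txt for domain:_acme-challenge._name_.ddnss.de
<14>1 2024-01-12T16:28:32+01:00 opnsense.localdomain acme.sh 98426 - [meta sequenceId="1"] [Fri Jan 12 16:28:32 CET 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 24513 - [meta sequenceId="7"] [Fri Jan 12 16:28:36 CET 2024] _name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 33294 - [meta sequenceId="8"] [Fri Jan 12 16:28:36 CET 2024] ovpn._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:36+01:00 opnsense.localdomain acme.sh 41728 - [meta sequenceId="9"] [Fri Jan 12 16:28:36 CET 2024] wg._name_.ddnss.de is already verified, skip dns-01.
<14>1 2024-01-12T16:28:41+01:00 opnsense.localdomain acme.sh 57945 - [meta sequenceId="18"] [Fri Jan 12 16:28:41 CET 2024] Cert success.
"""

# RFC 5424 header as it appears above: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] [date] MSG
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) - '
    r'\[meta sequenceId="(?P<seq>\d+)"\] \[[^\]]*\] (?P<msg>.*)$'
)
SKIP_RE = re.compile(r'^(?P<name>\S+) is already verified, skip (?P<method>[\w-]+)\.$')
ADD_RE = re.compile(r'^Adding txt value: \S+ for domain:\s+(?P<name>\S+)$')


@dataclass
class Run:
    ca: str
    started: str
    skipped: list = field(default_factory=list)   # (name, method) with a cached authorization
    txt_adds: list = field(default_factory=list)  # challenge names the DNS hook was asked to set
    errors: list = field(default_factory=list)    # messages logged at syslog severity <= 3
    issued: bool = False

    @property
    def staging(self):
        return "acme-staging" in self.ca

    def verdict(self):
        if any("adding the TXT record" in e for e in self.errors):
            return "dns-hook-failed"
        if self.issued and self.skipped and not self.txt_adds:
            return "issued-from-cached-authz"  # DNS hook never called in this run
        if self.issued:
            return "issued-after-validation"
        return "incomplete"


def parse_runs(text):
    """Split the log into runs at each 'Using CA:' line and classify events."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        severity = int(m["pri"]) % 8  # PRI = facility * 8 + severity
        if msg.startswith("Using CA: "):
            runs.append(Run(ca=msg[len("Using CA: "):], started=m["ts"]))
            continue
        if not runs:
            continue
        run = runs[-1]
        if (s := SKIP_RE.match(msg)):
            run.skipped.append((s["name"], s["method"]))
        elif (a := ADD_RE.match(msg)):
            run.txt_adds.append(a["name"])
        elif msg == "Cert success.":
            run.issued = True
        if severity <= 3:
            run.errors.append(msg)
    return runs


if __name__ == "__main__":
    for run in parse_runs(SAMPLE_LOG):
        env = "staging" if run.staging else "production"
        print(f"{run.started} {env:10} {run.verdict()} "
              f"skipped={len(run.skipped)} txt_adds={len(run.txt_adds)}")
```

A run classified `issued-from-cached-authz` shows that the CA accepted the order, but it says nothing about whether the DNS hook's credentials work, because the hook was not invoked in that run.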

24
23.7 Legacy Series / Re: Strange Letsencrypt problem
« on: January 12, 2024, 06:06:11 pm »
So my account is showing "registered"; I did a reregister after setting the "standard CA".
Here nothing changed, but the issuing failed again. So what is my fault?
Issuing with "test CA" works out of the box, only with "standard CA" it fails.
Can I provide more information?

25
23.7 Legacy Series / WireGuard Setup with a failure
« on: January 12, 2024, 05:17:02 pm »
Hi,
I set up WireGuard the way it's described in the online help: https://docs.opnsense.org/manual/how-tos/wireguard-client.html.
But at the end I got errors when creating the gateway and restarting WireGuard:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid interface gateway address: ''
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WG_GW)
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WG_GW))
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: Skipping gateway WG_GW due to empty 'gateway' property.

I have set up an OpenVPN-Instance exactly the same way regarding interface, gateway, rules, port-forwarding...
and it works out of the box like a charm. (Gateway dynamic)

Only WireGuard doesn't. I didn't get any traffic passing the tunnel.
So finally I got it working by adding the tunnel-IP xxx.xxx.xxx.1 inside the gateway; dynamic fails. I see here Priority: DEFUNCT.
When I entered the tunnel-IP, the defunct changed to the preset priority and it's working like a charm too.
Is it my fault (eventually not understanding the
"When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple tunnels is required or in more complex routing scenarios. To do this, go to System ‣ Gateways ‣ Single and add a new gateway. Choose the relevant WireGuard interface and set the Gateway to dynamic. These scenarios are otherwise beyond the scope of this how-to")
or did I find a glitch?

26
23.7 Legacy Series / Strange Letsencrypt problem
« on: January 12, 2024, 05:00:46 pm »
Hello,
I installed the letsencrypt plugin and set it up to use DNS-01; I need the wildcard-option.
When I tested the whole thing, I used the Letsencrypt Test CA, and everything works as expected: Certs are issued and copied to the opnsense, I see them at "Security".
So far, so good.

Now I wanted to change from Test CA to Standard CA, but here it fails:

Code:
Installing full chain to: /var/etc/acme-client/certs/65***/fullchain.pem
Installing key to: /var/etc/acme-client/keys/65***/private.key
Installing CA to: /var/etc/acme-client/certs/65***/chain.pem
Installing cert to: /var/etc/acme-client/certs/65***/cert.pem
And the full chain certs is there: /var/etc/acme-client/home/xxx.ddnss.de_ecc/fullchain.cer
The intermediate CA cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/ca.cer
Your cert key is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.key
Your cert is in: /var/etc/acme-client/home/xxx.ddnss.de_ecc/xxx.ddnss.de.cer
Cert success.
Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bxyz'
Downloading cert.
Polling order status: https://acme-staging-v02.api.letsencrypt.org/acme/order/13xx/13xx
Retry after: 3
Order status is processing, lets sleep and retry.
Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/13xx/13xx'
Lets finalize the order.
Verify finished, start to sign.
wg.xxx.ddnss.de is already verified, skip dns-01.
ovpn.xxx.ddnss.de is already verified, skip dns-01.
xxx.ddnss.de is already verified, skip dns-01.
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Please add '--debug' or '--log' to check more details.
Error add txt for domain:_acme-challenge.xxx.ddnss.de
Errors happened during adding the TXT record, response=- badauth : Invalid username or password. Authentication failed.
Trying to add TXT record
Adding txt value: ***ABCDEF*** for domain: _acme-challenge.xxx.ddnss.de
Getting webroot for domain='wg.xxx.ddnss.de'
Getting webroot for domain='ovpn.xxx.ddnss.de'
Getting webroot for domain='xxx.ddnss.de'
Getting domain auth token for each domain
Multi domain='DNS:xxx.ddnss.de,DNS:ovpn.xxx.ddnss.de,DNS:wg.xxx.ddnss.de'
Using CA: https://acme-v02.api.letsencrypt.org/directory

I added the full log (stripped private parts and times for clarity/security).
The log contains the "Standard CA" at the bottom of the log, the upper part is using the "Test CA".
I see a badauth : Invalid username or password.

So here is my question: Do I have to reregister at letsencrypt plugin (Konten) for the Standard CA?
Or am I missing something else?

Thanks a lot for any help!
