Recent posts

#1
26.1, 26,4 Series / ACME/Certificate renewal stopp...
Last post by PotatoCarl - Today at 12:20:09 PM
Hi there.
I have installed and up and running the ACME plugin on the OPNSense community edition for some years. It refreshes a certificate for a webserver that has no external access (rocket chat) and copies it via SFTP to that system, then does a few file operations to get it installed. I used the HTTP Challenge.

Earlier this year I replaced the appliance with a new one, and wen to OPNSense business edition 25.10. That did not seem to be a problem at the time, basically everthing worked fine. Later then, it upgraded to 26.4..

*However* I noticed as of today, a couple of months later, that the certificates did not get renewed. Now, my memory is probably not the best, but I am kind of 80% sure that I checked after switching to the new appliance if the certificate was updated and believe to remember it did.

When I checked the firewall rules, I found that port 80 was not open (anymore?) at the external interfaces.

Long story short, I do not get the certificates refreshed.

I tried HTTP and TLS challenge and opening the ports, then the protocol say:

HTTP challenge:

2026-07-16T12:00:36 opnsense-business
AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 2 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/616731d690b683.11437695' --certpath '/var/etc/acme-client/certs/616731d690b683.11437695/cert.pem' --keypath '/var/etc/acme-client/keys/616731d690b683.11437695/private.key' --capath '/var/etc/acme-client/certs/616731d690b683.11437695/chain.pem' --fullchainpath '/var/etc/acme-client/certs/616731d690b683.11437695/fullchain.pem' --domain 'rocket.brace.de' --days '30' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5eda4b1803af18.28646449_prod/account.conf''

When using the TLS Challenge:

2026-07-16T12:01:06
opnsense-business
AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 2 --server 'letsencrypt' --alpn --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/616731d690b683.11437695' --certpath '/var/etc/acme-client/certs/616731d690b683.11437695/cert.pem' --keypath '/var/etc/acme-client/keys/616731d690b683.11437695/private.key' --capath '/var/etc/acme-client/certs/616731d690b683.11437695/chain.pem' --fullchainpath '/var/etc/acme-client/certs/616731d690b683.11437695/fullchain.pem' --domain 'rocket.brace.de' --days '30' --force --keylength '4096' --tlsport '43581' --accountconf '/var/etc/acme-client/accounts/5eda4b1803af18.28646449_prod/account.conf''


Under "Accounts" it claims the account is "OK" in the status.


I was not able to find a HOWTO for setting up the DNS-01 challenge (all of them omit how to create the nsupdate key and which exact format I need to put it into the DNS TXT records) so I gave up on that. If anybody has a howto for an idiot like me to get it created and installed I'll be greatful and will try.


In the ACME Log of OPNSense however, it seem to be working all well:

2026-07-16T12:00:35 acme.sh
[Thu Jul 16 12:00:35 CEST 2026] Single domain='rocket.brace.de'
2026-07-16T12:00:35 acme.sh
[Thu Jul 16 12:00:35 CEST 2026] Using CA: https://acme-v02.api.letsencrypt.org/directory
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Installing full chain to: /var/etc/acme-client/certs/616731d690b683.11437695/fullchain.pem
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Installing key to: /var/etc/acme-client/keys/616731d690b683.11437695/private.key
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Installing CA to: /var/etc/acme-client/certs/616731d690b683.11437695/chain.pem
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Installing cert to: /var/etc/acme-client/certs/616731d690b683.11437695/cert.pem
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] And the full-chain cert is in: /var/etc/acme-client/cert-home/616731d690b683.11437695/rocket.brace.de/fullchain.cer
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] The intermediate CA cert is in: /var/etc/acme-client/cert-home/616731d690b683.11437695/rocket.brace.de/ca.cer
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Your cert key is in: /var/etc/acme-client/cert-home/616731d690b683.11437695/rocket.brace.de/rocket.brace.de.key
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Your cert is in: /var/etc/acme-client/cert-home/616731d690b683.11437695/rocket.brace.de/rocket.brace.de.cer
2026-07-16T11:50:30 acme.sh
[Thu Jul 16 11:50:30 CEST 2026] Cert success.
2026-07-16T11:50:29 acme.sh
[Thu Jul 16 11:50:29 CEST 2026] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0517aa711b64efc1671ef56cccab97cf1583';
2026-07-16T11:50:29 acme.sh
[Thu Jul 16 11:50:29 CEST 2026] Downloading cert.
2026-07-16T11:50:28 acme.sh
[Thu Jul 16 11:50:28 CEST 2026] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/3539327496/532898622926';
2026-07-16T11:50:28 acme.sh
[Thu Jul 16 11:50:28 CEST 2026] Let's finalize the order.
2026-07-16T11:50:28 acme.sh
[Thu Jul 16 11:50:28 CEST 2026] Verification finished, beginning signing.
2026-07-16T11:50:28 acme.sh
[Thu Jul 16 11:50:28 CEST 2026] rocket.brace.de is already verified, skipping http-01.
2026-07-16T11:50:28 acme.sh
[Thu Jul 16 11:50:28 CEST 2026] Getting webroot for domain='rocket.brace.de'
2026-07-16T11:50:26 acme.sh
[Thu Jul 16 11:50:26 CEST 2026] Single domain='rocket.brace.de'


Shouldn't that say that the certificate was in fact renewed and should be on OPNSense? However, in the certificate section it is displayed as "überprüfung fehlgeschlagen" (renewal failed or to whatever this is translated)

Is there anything I can do to fix that?

Thanks.
#2
26.7 Series / Re: Feedback on new Widgets si...
Last post by JohnSchnee - Today at 12:09:56 PM
Hi Cedrik,

I've tested it with both mine and your settings and the VM didn't crash.

I booted and logged in with "Installer" - so I expect the crash should have occured before this point?

Curiously I wasn't able to enable Secure-Boot for this VM, but I know I had a long fight to get this working, so I better don't touch my current config. :D

I'm using Unbound cascaded with the AdGuard-Plugin as DNS, where AD-Guard is my Upstream and Unbound the "internal" DNS.

I've added a Screenshot where you can see the Kernel Version as evidence of a successfull boot.

Best regards
#3
26.7 Series / Re: [Solved] Attempt to Upgrad...
Last post by meyergru - Today at 12:09:22 PM
It seems like with the new kernel, there are now race conditions with the early microcode loading under certain conditions. For me, it was the presence of vidconsole (but I did not check if that problem would prevail if the microcode update was disabled - I still have it running).

I think that the recent kernel changes of memory layout and such is responsible for that, although at times, it even surfaced earlier than with 26.7: https://github.com/opnsense/ports/issues/230. Whatever the specific condition is, it seems that the early loading is always part of the problem, so disabling that should fix it.

Alas, since many mainboard manufacturers do not supply microcode updates in the BIOS and it seems there is no way of doing the microcode update even earlier in FreeBSD, there is currently no fix for this situation other than to disable os-cpu-microcode-intel.

P.S.: Doing the update later via cpuctl is a tough decision, because:

1. There is code in the kernel that detects certain features at boot, which might change because of the update and cause problems.
2. Race conditions may occur when the update is being applied while other code executes, which is why the preferred way was early updates in the first place.

#4
26.7 Series / Re: Cicada theme
Last post by mrzaz - Today at 12:01:25 PM
I see the same issue in mine as well.
I have sent an email to the guardian of the cicada theme and we'll see what they say.

//Dan Lundqvist
Stockholm, Sweden
#5
26.7 Series / Re: Boot hangs after upgrade a...
Last post by franco - Today at 12:01:08 PM
gerne :)
#6
26.7 Series / Re: OPNsense fails to update t...
Last post by franco - Today at 12:00:48 PM
Ok enough for me to recommend this https://forum.opnsense.org/index.php?topic=52388.msg270440#msg270440

Please remove microcode plugins if you have them as a precaution.


Cheers,
Franco
#7
26.7 Series / Re: Feedback on new Widgets si...
Last post by dseven - Today at 12:00:24 PM
Regarding the Services widget (original topic), there was some discussion about it already in https://forum.opnsense.org/index.php?topic=52380.0

I'm thinking that an "LED" (instead of the background) to show the status of each service would be more in-keeping with the "look and feel" of the UI... but, of course, at the expense of some "compactness"...
#8
26.7 Series / Re: Boot hangs after upgrade a...
Last post by reservado - Today at 12:00:19 PM
OK, in that case I'll hold off on it.

Tausend Dank, Franco.

Kind regards,
Franklin
#9
26.7 Series / Re: OPNsense fails to update t...
Last post by Seedman - Today at 11:58:03 AM
This is what I can see on the updates page:- (I do apologise incase Ive given you the wrong logs). If you could guide me to where the appropriate logs are!

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 26.1.11_10 (amd64) at Thu Jul 16 15:22:30 IST 2026
Fetching changelog information, please wait... done
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
Updating FreeBSD-ports repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
FreeBSD-ports repository update completed. 37821 packages processed.
Updating FreeBSD-ports-kmods repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: ..... done
Processing entries: .......... done
FreeBSD-ports-kmods repository update completed. 239 packages processed.
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
Unable to update repository OPNsense
Error updating repositories!
Upgrading package manager from version '2.3.1_1' to ''
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
Unable to update repository OPNsense
Error updating repositories!
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
Updating FreeBSD-ports repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
FreeBSD-ports repository update completed. 37821 packages processed.
Updating FreeBSD-ports-kmods repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .... done
Processing entries: .......... done
FreeBSD-ports-kmods repository update completed. 239 packages processed.
Updating OPNsense repository catalogue...
pkg: Repository OPNsense has a wrong packagesite, need to re-create database
Unable to update repository OPNsense
Error updating repositories!