Services: ACME Client: Certificates fails to automatically update certificate

Started by IsaacFL, August 05, 2025, 12:54:52 AM

I noticed that my ACME client was failing. For the logs below I obfuscated my domain to MYDOMAIN.

I use Cloudflare with DNS01 and a dns API

From the logs:

acme.sh [Mon Aug  4 00:03:00 PDT 2025] 'opnsense.MYDOMAIN.com' is not an issued domain, skipping.
opnsense AcmeClient: domain validation failed (dns01)
opnsense AcmeClient: validation for certificate failed: opnsense. MYDOMAIN.com


On the router, under Services: ACME Client: Certificates, I clicked the red square (Issue/Renew All Certificates).
It failed as it did this morning.

I clicked on the little circle arrow (Issue or Renew Certificate) that is on the same line as the existing certificate.
It updated the certificate with status OK.

So there is a difference between the auto update, Issue/Renew All Certificates, and the individual Renew.
Only the individual Renew works.



I notice I have the same problem on 25.7.2. All 3 of my certificates failed to renew but it works when I manually click on the button to "Issue or renew certificate". Acme-client logs show the error: 'host.domain.tld' is not an issued domain, skipping.

System log for the failure says:
AcmeClient: The shell command returned exit code '2': '/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6027eeb80684e4.42843464' --certpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/cert.pem' --keypath '/var/etc/acme-client/keys/6027eeb80684e4.42843464/private.key' --capath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/fullchain.pem' --domain 'host.domain.tld' --days '60'   --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''


System log for the successful run says:
AcmeClient: The shell command returned exit code '0': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/6027eeb80684e4.42843464' --certpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/cert.pem' --keypath '/var/etc/acme-client/keys/6027eeb80684e4.42843464/private.key' --capath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/chain.pem' --fullchainpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/fullchain.pem' --domain 'host.domain.tld' --days '60' --force  --keylength 'ec-384' --accountconf '/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''


I see 3 differences between the shell commands. Perhaps one of them is the difference between a successful and failed renewal.
  • --renew (failed) vs --force
  • --force (succeeds)
  • --ecc (failed)

Further searches through this forum produced the following links:

The scenario made sense as I recently migrated to new hardware and imported config.xml. The recommendation is to click on Reset ACME Client. I was presented the following (emphasis mine) and I am confident this is the solution.

Quote: This will remove ALL certificates, private keys, CSRs from ACME Client and reset all certificate and account states. However, existing certificates will remain in OPNsense trust storage. The ACME Client will automatically regenerate everything on its next scheduled run. This is most useful when importing a config backup to a new firewall. Continue?

OK, I reset it. It implies that it will do the update at the scheduled time in the morning, and I will see then.

I reset ACME, then changed the cron schedule, and it failed again. Manually pressing Issue/Renew All Certificates did not work either. Forcefully updating it did work, just like before.

Resetting Acme did not seem to help. I guess I will see what happens in 90 days.

My remaining certificates renewed this morning. Under "Services > ACME Client > Log Files > System Log tab", do you see a non-zero value for "AcmeClient: AcmeClient: The shell command returned exit code 'n'"? Are you able to cat out the file at the end of that line? On my error post above, it is /var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf. Until I hit Reset ACME Client, that file did not exist. You can also try increasing the ACME logging level from "normal" to "debug" before the next renewal.
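Added example (not code from OPNsense, the acme.sh project or anyone in this thread) that automates the two checks discussed above: it parses the "The shell command returned exit code 'n'" lines from the ACME Client System Log, reports the non-zero exit codes together with their --domain and --accountconf values, lists which path-valued options point at files that do not exist, and diffs the flags of the failed --renew line against the successful --issue line quoted earlier in the thread. The two sample lines are taken from those posts; the function and variable names are my own.

```python
"""Triage OPNsense AcmeClient system-log lines (added example, not plugin code).

Parses the "AcmeClient: The shell command returned exit code 'n': '<cmd>'"
lines the plugin writes, flags non-zero exit codes, checks that the paths
passed to acme.sh exist, and diffs a failed invocation against a good one.
"""
import os
import re
import shlex

# The plugin wraps the whole acme.sh command in single quotes, so the greedy
# group runs up to the closing quote at the very end of the line.
LINE_RE = re.compile(r"AcmeClient: The shell command returned exit code '(\d+)': '(.*)'$")

# acme.sh options whose values are paths on the firewall; after a config
# import or "Reset ACME Client" these are the first things to verify.
PATH_OPTS = ("--webroot", "--home", "--cert-home", "--certpath", "--keypath",
             "--capath", "--fullchainpath", "--accountconf")

# Sample lines reconstructed from the two System Log excerpts in this thread.
_COMMON = (
    "--log-level 1 --server 'letsencrypt' --webroot /var/etc/acme-client/challenges "
    "--home '/var/etc/acme-client/home' "
    "--cert-home '/var/etc/acme-client/cert-home/6027eeb80684e4.42843464' "
    "--certpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/cert.pem' "
    "--keypath '/var/etc/acme-client/keys/6027eeb80684e4.42843464/private.key' "
    "--capath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/chain.pem' "
    "--fullchainpath '/var/etc/acme-client/certs/6027eeb80684e4.42843464/fullchain.pem' "
    "--domain 'host.domain.tld' --days '60' "
)
_TAIL = "--accountconf '/var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf''"
SAMPLE_FAILED = ("AcmeClient: The shell command returned exit code '2': "
                 "'/usr/local/sbin/acme.sh --renew --syslog 6 " + _COMMON
                 + "  --keylength 'ec-384' --ecc " + _TAIL)
SAMPLE_OK = ("AcmeClient: The shell command returned exit code '0': "
             "'/usr/local/sbin/acme.sh --issue --syslog 6 " + _COMMON
             + "--force  --keylength 'ec-384' " + _TAIL)


def parse_acme_log_line(line):
    """Return {'exit_code', 'mode', 'opts'} for a command line, or None."""
    m = LINE_RE.search(line.rstrip())
    if not m:
        return None
    argv = shlex.split(m.group(2))          # honours the quoted arguments
    if len(argv) < 2 or not argv[1].startswith("--"):
        return None
    opts, i = {}, 2
    while i < len(argv):
        flag = argv[i]
        # A flag followed by a non-flag token takes it as its value; otherwise
        # it is a bare switch such as --ecc or --force.
        if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            opts[flag] = argv[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return {"exit_code": int(m.group(1)), "mode": argv[1], "opts": opts}


def find_failures(lines):
    """Non-zero exit codes with the domain and account.conf they relate to."""
    out = []
    for line in lines:
        rec = parse_acme_log_line(line)
        if rec and rec["exit_code"] != 0:
            out.append({"exit_code": rec["exit_code"], "mode": rec["mode"],
                        "domain": rec["opts"].get("--domain"),
                        "accountconf": rec["opts"].get("--accountconf")})
    return out


def missing_paths(rec, exists=os.path.exists):
    """Paths given to acme.sh that are absent (exists is injectable for tests)."""
    return [rec["opts"][o] for o in PATH_OPTS
            if o in rec["opts"] and not exists(rec["opts"][o])]


def diff_invocations(failed, ok):
    """Mode and flag differences between two parsed invocations."""
    f, o = failed["opts"], ok["opts"]
    return {
        "mode": (failed["mode"], ok["mode"]),
        "only_in_failed": sorted(set(f) - set(o)),
        "only_in_ok": sorted(set(o) - set(f)),
        "changed": {k: (f[k], o[k]) for k in sorted(set(f) & set(o)) if f[k] != o[k]},
    }


if __name__ == "__main__":
    for fail in find_failures([SAMPLE_FAILED, SAMPLE_OK]):
        print("FAILED:", fail)
    print("DIFF:", diff_invocations(parse_acme_log_line(SAMPLE_FAILED),
                                    parse_acme_log_line(SAMPLE_OK)))
    # Run on the firewall itself, this reports which of the paths really exist.
    print("MISSING:", missing_paths(parse_acme_log_line(SAMPLE_FAILED)))
```

Feed it the lines from Services > ACME Client > Log Files > System Log. On the two lines from this thread it reports the mode as --renew versus --issue, --ecc only in the failed run and --force only in the successful one, which is the same set of three differences noted above; every other option, the account.conf path included, is identical. On the firewall itself missing_paths() with the default os.path.exists tells you whether that account.conf actually exists before you reach for Reset ACME Client.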

Quote from: allan on September 01, 2025, 11:20:35 PM
My remaining certificates renewed this morning. Under "Services > ACME Client > Log Files > System Log tab", do you see a non-zero value for "AcmeClient: AcmeClient: The shell command returned exit code 'n'"? Are you able to cat out the file at the end of that line? On my error post above, it is /var/etc/acme-client/accounts/6027ee9e097f39.62139316_prod/account.conf. Until I hit Reset ACME Client, that file did not exist. You can also try increasing the ACME logging level from "normal" to "debug" before the next renewal.

I was able to cat all of them; at least now they are there, but yesterday I was massively deleting stuff and reinstalling the package. So who knows?

I have had this issue over many renewal times and finally just installed an Uptime Kuma monitor to check the certificates and notify me when they are expiring within 20 days. Then I manually update.
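The monitor described above, as an added example (not the poster's Uptime Kuma configuration and not code from this thread): a standard-library Python check that fetches the certificate a host presents and flags it when 20 days or fewer remain. The host names and the sample certificate dictionaries are constructed placeholders; the function names are my own.

```python
"""Certificate-expiry check with the Python standard library (added example).

fetch_peer_cert() performs a real TLS handshake and returns the dict that
ssl.SSLSocket.getpeercert() yields; days_until_expiry()/needs_renewal() work
on that dict, so they can be tested offline with constructed input.
"""
import socket
import ssl
import time

WARN_DAYS = 20  # alert when the certificate expires within this many days

# Constructed sample input shaped like getpeercert() output; these are not
# real certificates. Dates use the format ssl.cert_time_to_seconds expects.
SAMPLE_CERTS = {
    "opnsense.example.test": {
        "subject": ((("commonName", "opnsense.example.test"),),),
        "notBefore": "Aug  5 12:00:00 2025 GMT",
        "notAfter": "Nov  3 12:00:00 2025 GMT",
    },
    "mail.example.test": {
        "subject": ((("commonName", "mail.example.test"),),),
        "notBefore": "Oct  7 12:00:00 2025 GMT",
        "notAfter": "Jan  5 12:00:00 2026 GMT",
    },
}


def days_until_expiry(cert, now=None):
    """Days left on a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    now = time.time() if now is None else now
    return (not_after - now) / 86400.0


def needs_renewal(cert, now=None, warn_days=WARN_DAYS):
    """True when the certificate is inside the warning window (or already expired)."""
    return days_until_expiry(cert, now) <= warn_days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate presented by host:port after a verified handshake.

    An already-expired or otherwise untrusted certificate raises
    ssl.SSLCertVerificationError here, which a monitor should treat as an alert
    rather than as "no data".
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_report(certs, now=None, warn_days=WARN_DAYS):
    """certs: {name: cert_dict}. Returns [(name, days_left, needs_renewal)] most urgent first."""
    rows = []
    for name, cert in certs.items():
        days = days_until_expiry(cert, now)
        rows.append((name, round(days, 1), days <= warn_days))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Offline run on the constructed sample, with "now" pinned for reproducibility.
    fixed_now = ssl.cert_time_to_seconds("Oct 20 12:00:00 2025 GMT")
    for name, days, alert in renewal_report(SAMPLE_CERTS, fixed_now):
        print(f"{name:25s} {days:6.1f} days left  {'RENEW' if alert else 'ok'}")
    # Live use (placeholder host): swap in your own hosts and schedule it.
    # live = {h: fetch_peer_cert(h) for h in ("opnsense.example.test",)}
    # print(renewal_report(live))
```

Run from cron on a host that can reach the firewall's web UI, the report gives the same 20-day early warning the Uptime Kuma monitor provides, and because it does a verified handshake it also catches the case where the ACME Client silently kept serving an expired chain.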

The OPNsense ACME experience is definitely not as smooth as my Proxmox servers' setup, which is so much better. Not sure what the difference is.

Been using OPNsense for years now, and I never had ACME cron renewal work. If I use the force option in the UI, it renews. I keep meaning to look into it, but because the force works, I just move on until next time .. hah.