os-acme - DNS-01 not working with Letsencrypt production environment

Started by Tubs, May 09, 2020, 04:27:53 AM

Hello,

On my OPNsense box 20.1 I changed Letsencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with the staging environment is OK. I get the certificate issued.

But when I change Letsencrypt to the production environment I get the following error:

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de


With the staging environment, I can also re-issue without waiting time. So, it is not a DNS caching or refresh issue.

Since testing with the staging environment is working, I assume there is something wrong on the OPNsense side. Or am I missing something?

I got the same issue when changing from the nsupdate method to the PowerDNS API method.
The staging environment is OK, but with the production environment I get the error above.

I observed the logs of the Letsencrypt plugin during renewal. It looks like the plugin is ignoring the waiting time defined in the settings. I used the standard setting of 120 s.

All is fine again.

There was something set up wrong on the network side, and I had only checked the logs for the failed attempts. But for some reason the trials with staging did not re-verify ("already verified") and issued the cert, while in the production environment the verification failed.
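The thread's eventual diagnosis was a network-side problem that staging masked by reusing an already verified authorization, so the DNS side was never actually exercised. The script below is an added example, not code from the original post or from the os-acme plugin or acme.sh: it writes out the RFC 2136 update that the nsupdate hook sends for a DNS-01 challenge, applies it with a TSIG key, and then queries the authoritative server directly so a misconfigured update policy or zone shows up before Let's Encrypt is involved. The server, zone, key path and token value are assumed placeholders; the NSUPDATE_SERVER, NSUPDATE_ZONE and NSUPDATE_KEY variable names mirror the ones the acme.sh nsupdate hook reads.

```shell
#!/bin/sh
# Added example (not from the original post, os-acme or acme.sh). Assumed
# values: zone example.com, authoritative server ns1.example.com, TSIG key
# file /etc/acme/acme-update.key. Override them through the environment.

# Build the nsupdate batch that publishes ("add") or removes ("del") the
# ACME challenge TXT record.  $1 = add|del, $2 = FQDN being validated,
# $3 = token value (acme.sh computes the real one; here it is constructed).
build_nsupdate_batch() {
    action="$1"; fqdn="$2"; value="$3"
    server="${NSUPDATE_SERVER:-ns1.example.com}"
    zone="${NSUPDATE_ZONE:-example.com}"
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    case "$action" in
        add) printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$fqdn" "$value" ;;
        del) printf 'update delete _acme-challenge.%s. IN TXT\n' "$fqdn" ;;
        *)   echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Send the batch signed with the TSIG key (-k), over TCP (-v).  nsupdate is
# silent on success; a REFUSED or NOTAUTH answer means the key or the
# server's update-policy is wrong, which no ACME environment can fix.
publish_challenge() {
    build_nsupdate_batch add "$1" "$2" \
        | nsupdate -v -k "${NSUPDATE_KEY:-/etc/acme/acme-update.key}"
}

# Ask the authoritative server itself, bypassing any caching resolver, whether
# the record carries the expected value.  Returns 0 when it does.
verify_challenge() {
    fqdn="$1"; expected="$2"
    server="${NSUPDATE_SERVER:-ns1.example.com}"
    dig +short @"$server" "_acme-challenge.$fqdn" TXT \
        | tr -d '"' | grep -qx -- "$expected"
}

# Usage: ./check-dns01.sh demo            (print the batch only)
#        ./check-dns01.sh www.example.com TOKEN   (publish, then verify)
case "${1:-}" in
    "")   ;;
    demo) build_nsupdate_batch add www.example.com "constructed-token-value" ;;
    *)    publish_challenge "$1" "$2" && verify_challenge "$1" "$2" \
              && echo "record visible on authoritative server" \
              || { echo "challenge record not visible" >&2; exit 1; } ;;
esac
```

Running it against the authoritative server rather than the box's resolver is the point: acme.sh's wait time only matters for propagation, and the post's "already verified" result means staging never waited for the record at all, so the update and the lookup have to be checked separately.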