Author Topic: os-acme - DNS-01 not working with Letsencrypt production environment  (Read 1581 times)

Tubs

os-acme - DNS-01 not working with Letsencrypt production environment
« on: May 09, 2020, 04:27:53 am »
Hello,

On my OPNsense 20.1 box I changed the Letsencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with the staging environment is OK; the certificate gets issued.

But when I switch Letsencrypt to the production environment I get the following error:

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de

With the staging environment I can also re-issue without any waiting time, so it is not a DNS caching or refresh issue.

Since testing with the staging environment works, I assume there is something wrong on the OPNsense side. Or am I missing something?

Tubs

Re: os-acme - DNS-01 not working with Letsencrypt production environment
« Reply #1 on: May 09, 2020, 05:47:20 am »
I got the same issue when changing from the nsupdate method to the PowerDNS API method.
The staging environment is OK, but with the production environment I get the error above.

I observed the logs of the Letsencrypt plugin during renewal. It looks like the plugin is ignoring the waiting time defined in the settings. I used the standard setting of 120 s.

Tubs

Re: os-acme - DNS-01 not working with Letsencrypt production environment
« Reply #2 on: May 10, 2020, 08:25:27 am »
All is fine again.

There was something set up wrong on the network side, and I had only checked the logs for the failed attempts. But for some reason the trials with staging did not re-verify ("already verified") and issued the cert, while in the production environment the verification failed.
