ACME fail to create key with DNS-01 and Cloudflare

[mvdheijkant]

I'm using this version
os-acme-client (installed)   3.9   664KiB   OPNsense   ACME Client

When trying to create a certificate I receive following error:

2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Sleep 10 and retry.
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Can not init api for: https://acme-staging-v02.api.letsencrypt.org/directory.
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] ret='35'
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] timeout=
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] url='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] GET
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using config home:/var/etc/acme-client/home
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using config home:/var/etc/acme-client/home
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Running cmd: registeraccount
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using server: letsencrypt_test

Further info Challenging Type DNS-01   CloudFlare API.
I don't know how far or where the registration is halting.
maybe someone had the same error and can tell me what to look for.

[mvdheijkant]

I moved a little bit forward by getting the account registered.
This was done by opening port 80 and 433 to my firewall (no port-forwarding)
But still the challenge still fails with follow system log (only changed my domain name):

2022-04-15T18:43:45   opnsense   AcmeClient: domain validation failed (dns01)
2022-04-15T18:42:04   opnsense   AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '120' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/62587aa5374710.40301959/cert.pem' --keypath '/var/etc/acme-client/keys/62587aa5374710.40301959/private.key' --capath '/var/etc/acme-client/certs/62587aa5374710.40301959/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62587aa5374710.40301959/fullchain.pem' --domain '*.mydomain.eu' --days '1' --force --ocsp --keylength '2048' --accountconf '/var/etc/acme-client/accounts/62499e810beea6.52051929_stg/account.conf'
2022-04-15T18:42:04   opnsense   AcmeClient: using challenge type: CloudFlare API
2022-04-15T18:42:04   opnsense   AcmeClient: account is registered: Let's Encrypt account
2022-04-15T18:42:04   opnsense   AcmeClient: using CA: letsencrypt_test
2022-04-15T18:42:04   opnsense   AcmeClient: issue certificate: *.mydomain.eu
2022-04-15T18:42:04   opnsense   AcmeClient: certificate must be issued/renewed: *.mydomain.eu

acme log:

2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] Can not init api for: https://acme-staging-v02.api.letsencrypt.org/directory.
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] ret='35'
        == Info: Closing connection 0
        == Info: OpenSSL SSL_connect: Connection reset by peer in connection to acme-staging-v02.api.letsencrypt.org:443
        01c0: ................................................................
        0180: ................................................................
        0140: .. ....g...i3..y,.'9!..M..0`.N..................................
        0100: .......................................+............-.....3.&.$.
        00c0: ................3t.........h2.http/1.1.........1.....0..........
        0080: <.5./.....u...).'..$acme-staging-v02.api.letsencrypt.org........
        0040: VgI^.\..>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
        0000: ......... <Y...[.K.i....u...f......:.. ...../q.Z......n.U&...q..
        => Send SSL data, 512 bytes (0x200)
        == Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
        0000: .....
        => Send SSL data, 5 bytes (0x5)
        == Info: CApath: none
        == Info: CAfile: /usr/local/etc/ssl/cert.pem
        == Info: ALPN, offering http/1.1
        == Info: ALPN, offering h2
        == Info: Connected to acme-staging-v02.api.letsencrypt.org (2606:4700:60:0:f41b:d4fe:4325:6026) port 443 (#0)
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] == Info: Trying 2606:4700:60:0:f41b:d4fe:4325:6026:443...
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] Here is the curl dump log:
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.0V5CZz4y '
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] timeout=
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] url='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-15T18:43:35   acme.sh   [Fri Apr 15 18:43:35 CEST 2022] GET
2022-04-15T18:43:25   acme.sh   [Fri Apr 15 18:43:25 CEST 2022] Sleep 10 and retry.

[mvdheijkant]

After reinstalling the error was gone.
But a new one came up.
follow at https://forum.opnsense.org/index.php?topic=28146.0