<solved> ACME - after 24.1.4 update >> Cloudflare - validation failed

Started by opnsenseuser, March 26, 2024, 04:48:22 PM

I'm using Cloudflare too.
After the latest update to OPNsense 24.1.4 I get a validation failed error.
Before the update it worked without any problems.
I tried to uninstall acme and reinstall it - revoke it - reset it - nothing helps.

system log:
/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '120' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/5c59d476abb1e9.86147455' --certpath '/var/etc/ac
AcmeClient: domain validation failed (dns01)
AcmeClient: validation for certificate failed

acme log:
Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 2

issue >> https://github.com/opnsense/plugins/issues/3871
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

OK, I figured out what the problem was. I had to manually create a TXT entry on Cloudflare for _acme-challenge.subdomain.
Now it works as before.
Supermicro A2SDi-4C-HLN4F
Team Rebellion Member (sidebar / themes: tukan, cicada & vicuna)

I'm encountering the same situation. Surely this isn't the desired behavior, right? I mean, what's the point of putting in the Cloudflare API key if you have to manually create the TXT record?

I'm on:

OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13

I'm also getting the issue, even after I updated to the latest 24.1.8.

Been working fine for years, but now has issues. I've tried giving the token more permissions and rotating the token too.
Adventuring through internet pipes
My Blog


Encountering this exit code 1 error with GoDaddy. So first tried manually adding the subdomain TXT record suggested here. No go.

Then discovered GoDaddy recently killed the API: https://www.reddit.com/r/PFSENSE/comments/1cwuwdo/psa_godaddy_has_changed_its_api_access_affects/

Not OK. Deal breaker. Demanding GoDaddy restore the API. See where that goes...
Did not receive any notification from GoDaddy about this and API keys still in place...

As a temp workaround I attempted to manually create the TXT record, but it appears the script just aborts upon failure to add the TXT record and then won't proceed to validate whether the TXT record exists.

I was hoping that by setting the DNS delay to 0 or 600 I could reference the acme log for the TXT data value it wanted to create / validate, create the TXT record manually, and the script would proceed.

Seems it must be done via a custom CLI run of the /usr/local/sbin/acme.sh script?

You should rather transfer your domains to a different provider. Why stay with GoDaddy if they pull stunts like that? When they lose their customers they learn.
Hardware:
DEC740

Quote from: FingerlessGloves on June 01, 2024, 08:50:23 PM
I'm also getting the issue, even after I updated to the latest 24.1.8.

Been working fine for years, but now has issues. I've tried giving the token more permissions and rotating the token too.

It was the SANs: I removed the common name from the SAN, and that fixed it. Can now issue my certs again.
Adventuring through internet pipes
My Blog

But today the CN must also be in a SAN attribute or browsers won't accept the certificate. So what's going on here?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech on June 02, 2024, 07:33:16 AM
You should rather transfer your domains to a different provider. Why stay with GoDaddy if they pull stunts like that? When they lose their customers they learn.

Yes, 100% will soon be transferring 2 separate GoDaddy accounts. They will lose 4 .com domains.

But I need a temp solution for now, as I've got several certificates expiring on the 6th and haven't had time to refresh my memory of the certbot / ZeroSSL tools to manually get certs and import the .p12 into OPNsense + a separate Nginx Proxy Manager.

I googled around briefly yesterday to find whether there is a syntax with acme.sh to manually do dns01 validation, but I'm not seeing anything where the script will generate the TXT for you to manually create and then proceed to check for the TXT record. The script fails and stops the moment it cannot create the TXT.

I remember I've done the manual DNS validation before, but it was years ago.
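The earlier Cloudflare workaround (a hand-made TXT record at _acme-challenge.subdomain) and the question above about what value acme.sh would have written both come down to how the DNS-01 challenge is defined in RFC 8555 section 8.4: the TXT value is the base64url SHA-256 of the key authorization (challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key), so a manually created record has to carry exactly that value under exactly that name or the CA reports "domain validation failed (dns01)". The following is an added example (not code from this thread, OPNsense or acme.sh) that derives the record and checks a resolver answer the way the CA's validator would; the JWK, token and resolver answer are constructed sample values.

```python
"""DNS-01 challenge record derivation (RFC 8555 section 8.4).
Added example, not from the thread, OPNsense or acme.sh.
The account key, token and DNS answer below are constructed samples."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the
    canonical JSON of the required members (sorted keys, no whitespace)."""
    if jwk["kty"] == "EC":
        members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    elif jwk["kty"] == "RSA":
        members = {k: jwk[k] for k in ("e", "kty", "n")}
    else:
        raise ValueError(f"unsupported key type {jwk['kty']!r}")
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple:
    """Return (record name, TXT value) that the CA will query.
    Key authorization = token + '.' + thumbprint; the TXT value is the
    base64url SHA-256 of that string. A wildcard identifier is validated
    under the same _acme-challenge name as its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authz = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def txt_record_present(expected_value: str, txt_answers: list) -> bool:
    """What the CA's validator checks after the --dnssleep wait: the TXT
    RRset for the name must contain the exact expected value. Extra stale
    records from earlier runs are tolerated; a missing or wrong value is
    what shows up as 'domain validation failed (dns01)'."""
    return expected_value in txt_answers


# Constructed sample account key (not a real key) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> dict:
    """Derive the record for a sample hostname and validate it against a
    constructed resolver answer containing one stale and one correct TXT."""
    thumb = account_thumbprint(SAMPLE_JWK)
    name, value = dns01_record("subdomain.example.com", SAMPLE_TOKEN, thumb)
    zone = {name: ["old-value-from-a-previous-run", value]}  # constructed
    return {"thumbprint": thumb, "name": name, "value": value,
            "valid": txt_record_present(value, zone.get(name, []))}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two practical consequences follow from the derivation: the value cannot be guessed from the order alone, because it changes with every challenge token, so the client that holds the token has to tell you what to publish; and the 120-second `--dnssleep` in the log is only a propagation wait, not a retry, so if the record is absent or wrong when the CA queries it the attempt fails. acme.sh does have a manual DNS mode for exactly this case (`--dns` with no provider name plus `--yes-I-know-dns-manual-mode-enough-go-ahead-please`, then `--renew` with the same flag once the record is published), which prints the name and value computed as above instead of calling a provider API.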

Why not use the TLS-ALPN-01 or HTTP-01 challenge instead? On OPNsense, os-acme-client and os-caddy can do those for you just fine, with IPv4 and IPv6, so CGNAT is not an issue if you have IPv6 too.
Hardware:
DEC740

Quote from: Monviech on June 02, 2024, 09:03:13 PM
Why not use the TLS-ALPN-01 or HTTP-01 challenge instead? On OPNsense, os-acme-client and os-caddy can do those for you just fine, with IPv4 and IPv6, so CGNAT is not an issue if you have IPv6 too.

Well, I've yet to learn about the newer TLS-ALPN-01 method since DNS01 has been working.
HTTP-01 I know needs port 80. None of my NGINX reverse proxy sites are currently public or HTTP enabled. Just rules set to allow specific known WAN IPs. Yes - I suppose I could temporarily open up port 80 to all or identify Let's Encrypt IPs to allow inbound. Just thought manually creating the TXT would be the simplest, but it seems not, as acme.sh insists on using the API and doing it itself.

Same issue here with GoDaddy ... discovered today that they modified their API indeed...

I will definitely spend some time on figuring out a plan to get rid of them and move to a proper name registrar service.

In the meantime, I am using certbot in manual mode to manually generate my certificates using the DNS challenge: https://eff-certbot.readthedocs.io/en/latest/using.html#manual @ThyOnlySandman