Issues with ACME and Caddy; cannot delete certs - endpoint not found.

Started by cribbageSTARSHIP, August 16, 2024, 05:28:50 PM

Good day everyone,

I have self-hosted things in the past with nginx proxy manager and a few other containers on one Debian server. I stopped the WAN access side a while back, but the need has risen again. I've been trying to get ACME and Caddy (the OS plugins, not external containers) to work and am having a hell of a time. At some point I remembered that prod certs have a rate limit and that I used to use staging to get around that.

Last night I got an ACME cert to work for the OPNsense web UI using a subdomain of a .ca that I own (although I had to block WAN access with a rule that blocks WAN traffic to the web UI port on the OPNsense machine). I then created another subdomain to test hosting another Docker service, and ACME kept throwing authentication issues. I tried redoing the Cloudflare API setup, which did not work. I noticed that TXT records were showing up in my Cloudflare DNS section with a TTL of 2 min. I had read that sometimes Cloudflare needs more time, so I deleted all the TXTs and tried to register the cert via ACME. As soon as the TXT showed up in Cloudflare I changed it to 5 min, and ACME was able to register it!

The test site will not load (connection timeout), and the subdomain for the web UI now throws a 502 error. :-\

After trying to diagnose, I came upon some posts that say having unused SANs can cause issues. I know I had used production certs earlier by mistake, so I tried to delete them, but it doesn't work. Looking in the Trust section -> Authorities, I have 4 items: Staging and prod R11 & R10. Certificates show that both my subdomains are using Staging R10. The Revocation area has 5:

1. This row is completely blank
2. R10
3. R11
4. R11 Staging
5. R10 Staging

When I try to revoke a cert it states "Danger - Endpoint not found".

Any ideas?

Thought I should add: I have Unbound enabled with DNS over TLS connected to Cloudflare. There are no DNS entries in settings, and my DNS cannot be set by my ISP.

Probably related:

https://github.com/opnsense/plugins/issues/4178

When using DNS over TLS this option is needed. I have to add it sometime when there's time.

Also, you do not need to use the ACME plugin; Caddy gets its own certificates.
Hardware:
DEC740

Thank you for taking the time to respond.

I thought I needed ACME to get self-signed certs for all my self-hosted items so that I could have HTTPS names on the LAN vice having to use IP addresses, while also not having to "accept the risk" each time.

Are you saying that I can delete ACME from OPNsense, and use the os-caddy plugin to manage my certs? I remember this process being way easier two years ago lol.

How do I make it so that when clients on my LAN use the subdomains it connects right to the server via the LAN?

EDIT: Are you the author of this? https://www.youtube.com/watch?v=1IykZemclVA Is this what I should be doing?

Yes I am the author.

Just use the documentation I wrote to set up the plugin. Reading through it will help you.

Also enabling the help in the plugin reveals lots of useful help texts.

https://docs.opnsense.org/manual/how-tos/caddy.html

And yes, you do not need the ACME plugin for Caddy.

And no, you do not use the Layer4 mode in the video; that's for very special use cases. You want to follow the normal docs.
Hardware:
DEC740

I think my frustration goggles stopped me from reading:

Quote:
ACME clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts /.well-known/acme-challenge. This can be solved by using the HTTP-01 Challenge Redirection option in the advanced mode of domains. Please check the tutorial section for an example.

Thank you so much for the nudge in the right direction.