pfSense, Cloudflare and ACME - upstream time out error

I have watched Lawrence's three YTs about this and also Raid Owles and a few others.
So I managed to set it up once a few months back. During the Christmas break I wanted to start from scratch, so I removed the ACME package and the certificates.

After this I am not able to create a valid certificate; I get a “broken” button and this message in the log:

2023/01/03 21:03:35 [error] 60761#100105: *4857 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 10.1.1.241, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "10.1.1.1:8181", referrer: "https://10.1.1.1:8181/acme/acme_certificates.php"

I have tried everything now, it feels like, and no matter what I do, I get this error.
Please help me, I want to know what I have fxxked up to make this happen over and over.

Are you using a DNS API key? That would be the recommended way.

When I create the certificate I add CF's Account ID, Zone ID, Global API and CF Mail, and the Token which I have created for the domain as Edit. Should I add the Global API key there too?

I am using Digital Ocean and they have an API key creation process.

Yeah, that I know; so does Cloudflare. I have created an API key for this which I am using, but this seems not to be the problem. When digging into the ACME logs at /tmp/acme, I found that it complains about me missing a _acme-challenge TXT record.

TXT for _acme-challenge.domain.io - check that a DNS record exists for this domain

And this error:

server: nginx
date: Wed, 04 Jan 2023 19:09:49 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 898486957
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: Ytp0p-Wk6HsJ_B-nN6jeV-vQ
^M'
[Wed Jan  4 20:09:49 CET 2023] code='400'
[Wed Jan  4 20:09:49 CET 2023] original='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
[Wed Jan  4 20:09:49 CET 2023] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",

As the error says, it expects a TXT record to exist, which is needed if you are doing DNS verification.

That I spotted myself and tried to add one, as in the image below.

I still get a time-out error after adding this.

2023/01/05 14:08:06 [error] 61002#100196: *4924 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 10.1.1.241, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "10.1.1.1:8081", referrer: "https://10.1.1.1:8081/acme/acme_certificates.php" 

And in the acme issuecert log I found this:

[Thu Jan  5 14:08:24 CET 2023] domain.io:Verify error:Incorrect TXT record

So the question is now: how do I add a correct TXT record?

Are you trying to use the DNS alias mode? If so, I’m not sure how it is supposed to work, because I never used it. But maybe you can read here: DNS alias mode · acmesh-official/acme.sh Wiki · GitHub and try to adapt it for pfSense.

You probably don’t have to, if you choose the correct method for your DNS provider from the dropdown menu in pfSense. Because if you do so, the acme client can log in to your DNS provider via API, and create the record automatically…

Another possibility would be to issue or renew the certificate manually. You can do so by switching to the “DNS manual” method in pfSense and then clicking on the “Issue” button. After that the content for the TXT record will be displayed in the WebUI. It will be a randomly generated key which is only valid once. It looks something like this: “kldjasu89dsf9w83ruhjiwi8UHHHJkjéIo8i”

Btw. I would recommend switching the “Acme Account” to “staging” while you are playing around. Otherwise you will hit the rate limit of Let’s Encrypt sooner or later…

I studied the issuecert log some more and I saw that it succeeds with the certificate, but on another of my Cloudflare domains. I had a certificate for this domain months ago, but I removed them from pfSense altogether before I began with this.

So how do I go forward from this?

@bb77 Good catch with the staging part!

I would say all you have to do is choose one of the three methods here https://github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option, and then fill out the corresponding fields here:

If this doesn’t work, I’m afraid I can’t help you any further. Maybe the pfSense forums, Google or someone else here still has a few ideas…

As I wrote above, it gets a certificate for a domain that is not configured under the ACME add-on. I had configured it months ago, and I removed it from the ACME add-on and the Cert Manager. Still, the config files are present in /tmp/acme/.
I have posted in the Netgate forums asking if I can safely remove all files for those I know I don’t have in the Acme add-on.

Second, I thought all those values had to be populated, so I did.

So I removed the zone ID, account ID and Token, thus only using the email and Global API Key.
The GUI says it fails, but in the log I find this:

[Thu Jan  5 16:31:07 CET 2023] original='{
  "status": "valid",
  "expires": "2023-01-12T15:27:49Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.io"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/1928367"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/898957/15708087",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/03f21f21767972ea44bbc"
}'
[Thu Jan  5 16:31:07 CET 2023] _json_decode
[Thu Jan  5 16:31:07 CET 2023] _j_str='{
  "status": "valid",
  "expires": "2023-01-12T15:27:49Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.io"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/1928367"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/89957/1570087",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/03f262d70b8d1767972ea44bbc"
}'

That has to say that it succeeded, right?
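The two acme.sh log excerpts quoted in this thread (the 400 "authorization must be pending" error, the "Incorrect TXT record" verify failure, and the later order object with "status": "valid") are the three things worth pulling out of an issuecert log when the pfSense GUI only shows a timeout. Below is an added triage helper, not part of the thread or of acme.sh or pfSense; the log text it runs on is constructed here in the shape of the excerpts above, and the certificate URL is a placeholder.

```python
import json
import re

# Constructed sample in the shape of the acme.sh issuecert log quoted in the
# thread (not copied from a real system; the cert URL is a placeholder).
SAMPLE_LOG = """[Wed Jan  4 20:09:49 CET 2023] code='400'
[Wed Jan  4 20:09:49 CET 2023] original='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
[Thu Jan  5 14:08:24 CET 2023] domain.io:Verify error:Incorrect TXT record
[Thu Jan  5 16:31:07 CET 2023] original='{
  "status": "valid",
  "expires": "2023-01-12T15:27:49Z",
  "identifiers": [{"type": "dns", "value": "domain.io"}],
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/EXAMPLE"
}'
"""

# acme.sh writes the raw server body as original='{...}'; non-greedy up to the
# closing }' so nested braces inside the JSON do not end the match early.
ORIGINAL_RE = re.compile(r"original='(\{.*?\})'", re.DOTALL)
# "<domain>:Verify error:<reason>" is how a failed DNS-01 challenge is reported.
VERIFY_RE = re.compile(r"\] (\S+):Verify error:(.*)")

def parse_acme_log(text):
    """Return (acme_errors, orders, verify_failures) found in an acme.sh log."""
    errors, orders = [], []
    for raw in ORIGINAL_RE.findall(text):
        obj = json.loads(raw)
        if str(obj.get("type", "")).startswith("urn:ietf:params:acme:error:"):
            errors.append(obj)               # RFC 8555 problem document
        elif "status" in obj and "identifiers" in obj:
            orders.append(obj)               # ACME order object
    verify_failures = [(d, msg.strip()) for d, msg in VERIFY_RE.findall(text)]
    return errors, orders, verify_failures

def summarize(text):
    """One human-readable line per finding, in log order by category."""
    errors, orders, verify_failures = parse_acme_log(text)
    lines = []
    for e in errors:
        lines.append(f"ACME error {e['status']} {e['type'].rsplit(':', 1)[1]}: {e['detail']}")
    for d, msg in verify_failures:
        lines.append(f"DNS-01 verify failed for {d}: {msg}")
    for o in orders:
        doms = ",".join(i["value"] for i in o["identifiers"])
        lines.append(f"order for {doms}: status={o['status']} has_cert={'certificate' in o}")
    return lines
```

A "status": "valid" order that carries a "certificate" URL means the order completed, which the GUI timeout alone does not tell you.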

What exactly does it say?

Hmm, not sure, but this doesn’t look like a new certificate. If it were newly issued by Let’s Encrypt, it would expire on 2023-04-05…

There is a GUI glitch as you say; a reload of that page said all is swell!