Correct. From looking around, it's what pfSense runs. Tried it in FreeBSD on a VM, same error I am getting.
Regards
Just an update. We ended up going with a DNS provider in the end. Although Certbot works fine with the config I attached, it doesn't seem to work with acme.sh, so the easiest way is to use another DNS provider with an API.
Regards.
If this is truly a LetsEncrypt problem, you should be able to follow those same steps with any other ACME CA [with success].
Please test that theory.
If you encounter the same problem with other ACME CAs, then it can't be the CAs.
It has to be on the client side.
To that end...
acme.sh version?
Problem appears to be an issue with BIND complaining about the TSIG key; whenever I implement it, BIND just crashes. I am out of ideas with this.
Regards
I've made some progress: nsupdate on Linux now allows me to create TXT records in BIND9, but the problem is still there with acme.sh.
If anyone has any ideas please let me know; the error I am seeing is:
TSIG error with server: tsig verify failure
update failed: NOTIMP
Yet nsupdate works fine with the key and so does Certbot.
Regards
Isn't that TSIG error from previous attempts? Why would calling nsupdate
(which is also simply using RFC 2136 as far as I know) result in a TSIG error? Assuming it's called with the same options of course.
I've redone the whole config, even did a fresh install of pfSense in a VM, and the same problem; even asked ChatGPT and it's given me the same configuration and no dice.
I have no idea why this won't work; everything I try, all I get is:
TSIG error with server: tsig verify failure
update failed: NOTIMP
Yet I know the TSIG key is perfectly fine though.
Regards
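A "tsig verify failure" means the server could not verify the update's TSIG signature against the key it holds, and the three things that must agree between the server's named.conf key block and the client's key file are the key name, the algorithm and the secret. The following is a constructed diagnostic added here; it is not code from the thread, from acme.sh or from BIND. It assumes both copies are written in BIND's key-block syntax (the format nsupdate -k reads), uses a hypothetical key name and a constructed secret, and reports which of the three fields differ between the two copies.

```python
"""Constructed diagnostic for RFC 2136 / TSIG key mismatches (not from the thread)."""
import base64
import binascii
import re

# Hypothetical key name and a constructed 32-byte secret (bytes 0..31, base64-encoded).
KEY_NAME = "acme-update."
SECRET_B64 = base64.b64encode(bytes(range(32))).decode()

# Constructed server-side key block, in the syntax BIND uses in named.conf.
SERVER_KEY_BLOCK = f'''
key "{KEY_NAME}" {{
    algorithm hmac-sha256;
    secret "{SECRET_B64}";
}};
'''

# Constructed client-side key file that matches the server exactly.
CLIENT_KEY_FILE_OK = SERVER_KEY_BLOCK

# Constructed client-side key file where the algorithm was entered differently.
CLIENT_KEY_FILE_BAD_ALG = f'''
key "{KEY_NAME}" {{
    algorithm hmac-sha512;
    secret "{SECRET_B64}";
}};
'''

# TSIG algorithm names BIND accepts; hmac-md5 variants are kept only so they can be flagged.
TSIG_ALGORITHMS = {"hmac-md5", "hmac-md5.sig-alg.reg.int", "hmac-sha1", "hmac-sha224",
                   "hmac-sha256", "hmac-sha384", "hmac-sha512"}


def parse_key_block(text):
    """Parse a BIND 'key "name" { algorithm ...; secret "..."; };' block.

    Returns the normalised key name, the lower-cased algorithm and the decoded
    secret bytes. Raises ValueError when the block is malformed or the secret is
    not valid base64 (a corrupted secret is itself a cause of verify failures).
    """
    block = re.search(r'key\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', text, re.DOTALL)
    if not block:
        raise ValueError("no key block found")
    name, body = block.group(1), block.group(2)
    alg = re.search(r'algorithm\s+"?([\w.-]+)"?\s*;', body, re.IGNORECASE)
    sec = re.search(r'secret\s+"([^"]*)"\s*;', body, re.IGNORECASE)
    if not alg or not sec:
        raise ValueError("key block is missing algorithm or secret")
    try:
        secret = base64.b64decode(sec.group(1), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from None
    # TSIG key names are DNS names: case-insensitive, and the trailing dot is not significant.
    return {"name": name.lower().rstrip("."),
            "algorithm": alg.group(1).lower(),
            "secret": secret}


def diagnose(server_text, client_text):
    """Compare the server's key block with the client's key file.

    Returns a list of findings; an empty list means the two copies agree on
    name, algorithm and secret, and the algorithm is a current one.
    """
    server = parse_key_block(server_text)
    client = parse_key_block(client_text)
    findings = []
    if server["name"] != client["name"]:
        findings.append(f"key name differs: server={server['name']!r} client={client['name']!r}")
    if server["algorithm"] != client["algorithm"]:
        findings.append(f"algorithm differs: server={server['algorithm']} client={client['algorithm']}")
    if server["algorithm"] not in TSIG_ALGORITHMS:
        findings.append(f"unknown TSIG algorithm on server: {server['algorithm']}")
    elif server["algorithm"].startswith("hmac-md5"):
        findings.append("hmac-md5 is deprecated for TSIG; prefer hmac-sha256")
    if server["secret"] != client["secret"]:
        findings.append("secret differs (the two files do not hold the same key material)")
    return findings


if __name__ == "__main__":
    print("matching copies:", diagnose(SERVER_KEY_BLOCK, CLIENT_KEY_FILE_OK) or "no findings")
    for finding in diagnose(SERVER_KEY_BLOCK, CLIENT_KEY_FILE_BAD_ALG):
        print("mismatch:", finding)
```

Run it against the real named.conf key block and the key file the client is pointed at; any finding is a concrete reason for the server to reject the signature, whereas an empty result with the failure persisting points at something other than the key material (clock skew between client and server, for example, or the update being sent without the key at all).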
That's generally a waste of time.
I am beginning to wonder if I am better off running the load balancers in virtual machines, then using Certbot to serve all the SSL certificates instead of using ACME on pfSense, you know.
Not only will this be a lot of work, but if I ever have to redo the firewall I won't need to generate the SSL certificates for all domains. What do you think?
Regards
If you have a load-balancer that can terminate [encrypt/decrypt] HTTPS quickly and it is secure within the same local network as your server(s), then that sounds like a very good thing to do.
I've got a 3-node cluster, so I guess it's the best way to go, tbh.
I've put in an issue on the acme.sh GitHub but not heard anything back yet.
Regards
Update: this can be marked as solved. I ended up going with an Nginx reverse proxy and Certbot RFC 2136 with BIND9 in the end.
Going to move away from acme.sh on pfSense.
Regards