Change validation method on pfsense

This is using pfsense acme plugin. All on latest version.

I tried search but can’t find any answer. I also posted on pfsense forum but seems no answer/comments yet.

The initial configuration was done when port 80 was blocked. I managed to get it working with ‘tls-alpn-01’.

Yesterday the port 80 was open. I update the config to use ‘Standalone HTTP Server’. Added the rule to allow port 80.

However I got the error message “Error, can not get domain token entry …”
“The supported validation types are: tls-alpn-01 , but you specified: http-01”.

Still new to this. Are there anything I can do to switch the new validation method? Assuming waiting for the expiration of the cert is not the option.

Thank you very much.

Is there a reason you want to change?

Yes, since port 80 is available now. Port 443 has been designed for other purpose

Is it a feature/constraint from LE? Can anyone confirm it?

Thanks,

Is what a feature or constraint?

Let’s Encrypt doesn’t mind if you change validation methods, but ACME clients can have bugs or be difficult to configure.

Change validation method before the cert expires. It seems once it is expired than everything works.

Also the client does not know the previous validation method, or does it? I thought only LES server knows that.

From Let’s Encrypt’s perspective, a certificate expiring has no relationship with or effect on anything like that.

Well, the client can choose to remember it.


Let’s Encrypt normally caches authorizations for 30 days. If a client validates a name, and tries to validate it again within that time period, Let’s Encrypt will return the prior authorization, which includes which validation method was used. What, if anything, a client might do with that information is up to it.

Some clients have had bugs where they react badly when the user says “I want to use validation method X” and Let’s Encrypt says “here, you already have an authorization which used method Y”.

“What validation method to use next time” is just some information in your local client’s software or configuration files.

3 Likes

Thank you very much.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.