DNS challenge OK even when I haven't got a TXT record

You need to find a DDNS provider for which acme.sh has support, assuming acme.sh is the ACME client available on opnsense (according to the PR you mentioned earlier it should be available).


When you say a DDNS provider that supports acme.sh, you mean one that does the API handshake?

Just reading

I could get a TXT record for my DDNS provider instead of using the ACME method, but they say it's not really the best method for the DNS challenge.

Although it is technically possible to issue and renew certificates by manually updating TXT records every 60-90 days, it is not a recommended way to use Let's Encrypt DNS validation.

No, an ACME client such as acme.sh that supports a certain DDNS provider. The other way around.

I think you don't really grasp what's involved here. Everything is "an ACME method", as the ACME protocol is the only method for acquiring a Let's Encrypt certificate. When using the dns-01 challenge, it involves using a certain TXT record indeed. However, there are other ACME challenges available, such as the http-01 challenge, which doesn't involve changing DNS resource records.


So even the HTTP challenge is an ACME method, as well as the DNS challenge?

But for the DNS challenge method, aren't there two approaches for getting the Let's Encrypt cert using the DNS challenge? One is via a TXT record if your DDNS provider supports it, and another one is the API method, also if your DDNS provider supports it.

No, it's the same. The "API method" sets the TXT record automatically instead of asking you to do it.


Currently, the ACME protocol and extensions of it allow three challenge types. See Challenge Types - Let's Encrypt for more info.

I'm not sure what you mean by "the API method"? Could you elaborate?

Adding and removing the TXT automatically usually requires an API at the DDNS provider. Otherwise you'd have to do it manually.


Ahhh, that's great, so I can add a TXT record manually for it, as my DDNS provider doesn't do the automatic API.

If your DDNS provider even offers manual adding and deleting of TXT records for subdomains.

Although automation really is the best thing to go for.


I understand completely that if your DDNS offers automation, i.e. an API to update your TXT record, that's preferred over manually updating your TXT record.

Maybe that can be interesting for you:


Long story why I was trying to do this, but I was trying to do away with installing my self-signed CA on another client to connect to my IPsec server on my OPNsense firewall.

Basically a standard user can't install a CA, so I was trying to get round this using a public CA already installed on the client, and Let's Encrypt came to mind.

Success!

Installed/configured the ACME client on my OPNsense; it got the certs (using the DNS challenge with Dynu).

I then changed the cert on my IPsec server to the ACME client one instead of my self-signed one.

At a different location (at work) I did a test: I spun up a VM, created a standard user, and logged in as the standard user.

Created the IKEv2 VPN, and I could connect straight away without installing any cert!

