Error using DNS Challenge with Staging and HAProxy on OPNsense

Hello all,

I am trying to set up HAProxy on my OPNsense firewall, so I can have consolidated issuance of certs to multiple web servers/websites. I have a tutorial on setting up the ACME client but am receiving an error back from staging. I have added the CNAME to my Cloudflare DNS as it asked but am still receiving the error.

My domain is: opcotest1.regulatoryintelligence.com

I ran this command:

It produced this output:

2024-06-08T11:15:41-04:00 acme.sh [Sat Jun 8 11:15:41 EDT 2024] Error add txt for domain:_acme-challenge.opcotest1.regulatoryintelligence.com
2024-06-08T11:15:41-04:00 acme.sh [Sat Jun 8 11:15:41 EDT 2024] invalid domain
2024-06-08T11:15:40-04:00 acme.sh [Sat Jun 8 11:15:40 EDT 2024] Adding txt value: wsGbNDMyvogumrYfRcM7zwMWru9twVbcZJl0pGgfoA8 for domain: _acme-challenge.opcotest1.regulatoryintelligence.com
2024-06-08T11:15:40-04:00 acme.sh [Sat Jun 8 11:15:40 EDT 2024] Getting webroot for domain='opcotest1.regulatoryintelligence.com'
2024-06-08T11:15:39-04:00 acme.sh [Sat Jun 8 11:15:39 EDT 2024] Getting domain auth token for each domain
2024-06-08T11:15:39-04:00 acme.sh [Sat Jun 8 11:15:39 EDT 2024] Single domain='opcotest1.regulatoryintelligence.com'
2024-06-08T11:15:39-04:00 acme.sh [Sat Jun 8 11:15:39 EDT 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is: TierPoint

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 18.0.61 update 5

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): version 4.3 of the ACME plugin

What asked you to add the CNAME? Usually you just use a TXT record.

A CNAME is allowed but then acme.sh must be told to add the TXT record value at the CNAME destination. That may be with its alias option but I don't recall exactly off-hand.

Can you show what instructions you are following to do this?


I had read another post where the user talked about adding the CNAME. I changed it to a TXT record with the following:
Name: _acme-challenge.opcotest1
Content: 0qlbozjknoc0qmt63bfnasfocc9q2cczvi_t0nqz6j0

The tutorial I am using is this: Tutorial 2024/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

FYI - here is the DNS-01 challenge section of Challenge Types - Let's Encrypt.

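As an added illustration of the DNS-01 mechanics raised in the two replies above (the CNAME-versus-TXT question and the linked challenge-type description), here is a small checker that does what the CA does on its side: it derives the expected TXT value from the challenge token and the account key thumbprint (RFC 8555, section 8.4), follows any CNAME from `_acme-challenge.<domain>` to the name that actually has to hold the record, and reports whether the value is there. This is example code written for this page, not code from the original thread, from acme.sh, or from the linked HAProxy tutorial. The token, the thumbprint, and the alias zone `acme-alias.example` are constructed for illustration; only the `opcotest1.regulatoryintelligence.com` name comes from the thread.

```python
"""DNS-01 checker: compute the expected TXT value and find where it must be published.

Added example, not code from the thread, acme.sh, or the linked tutorial.
The zone data below is constructed; the alias zone 'acme-alias.example', the
token, and the JWK thumbprint are assumptions for illustration only.
"""
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires for challenge values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_txt_value(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint}".encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def challenge_target(domain: str, records: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain> to the name that must hold the TXT.

    A CA resolves the TXT through any CNAME, so if _acme-challenge.<domain> is a
    CNAME, the client has to write the TXT at the CNAME target, not at the original
    name (the point made about acme.sh's alias mode).
    """
    name = f"_acme-challenge.{domain}".lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        target = records.get(name, {}).get("CNAME")
        if target is None:
            return name
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = target.lower().rstrip(".")
    raise ValueError("too many CNAME hops")


def validate_dns01(domain: str, expected: str, records: dict) -> tuple[bool, str]:
    """Return (valid, name_checked): whether the expected TXT exists at the final name."""
    target = challenge_target(domain, records)
    txts = records.get(target, {}).get("TXT", [])
    return expected in txts, target


# Constructed token and thumbprint (not real ACME data).
TOKEN = "constructed-challenge-token"
THUMBPRINT = "constructed-jwk-thumbprint-for-illustration"
EXPECTED = dns01_txt_value(TOKEN, THUMBPRINT)

DOMAIN = "opcotest1.regulatoryintelligence.com"
ALIAS = "_acme-challenge.opcotest1.acme-alias.example"  # assumed alias zone

# Case 1: no CNAME, TXT published directly under the domain (the plain TXT setup).
DIRECT_ZONE = {f"_acme-challenge.{DOMAIN}": {"TXT": [EXPECTED]}}

# Case 2: CNAME alias, and the client wrote the TXT into the alias zone.
ALIAS_ZONE_OK = {
    f"_acme-challenge.{DOMAIN}": {"CNAME": ALIAS},
    ALIAS: {"TXT": [EXPECTED]},
}

# Case 3: CNAME alias exists, but the client was never told about it, so the
# alias name only holds an unrelated (constructed) value.
ALIAS_ZONE_WRONG = {
    f"_acme-challenge.{DOMAIN}": {"CNAME": ALIAS},
    ALIAS: {"TXT": ["constructed-stale-value"]},
}

if __name__ == "__main__":
    cases = [("direct", DIRECT_ZONE), ("alias ok", ALIAS_ZONE_OK), ("alias wrong", ALIAS_ZONE_WRONG)]
    for label, zone in cases:
        ok, name = validate_dns01(DOMAIN, EXPECTED, zone)
        print(f"{label:12} checked {name}: {'valid' if ok else 'INVALID'}")
```

The third case is the failure mode described above: the CNAME is in place, but the TXT never reaches the alias name, so the CA finds nothing it recognises there. Separately, the `invalid domain` error in the log is returned by the DNS provider API before any record is written, which is why checking the API token's permissions comes before checking record placement.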

That's really interesting... thanks Bruce.

I am using Cloudflare as DNS and I have set up an API token for the API gateway of CF. Maybe that is my issue. I could use the global key, to see if that works.


Using the Global Key is not recommended. A restricted API key is best practice.

I don't know if that is your issue. Just wanted to point this out.


Yes Mike, I definitely want to use a restricted key, but the global key failed also... weird.

Try, try, try... and you will succeed... or kill yourself trying!

I went back to the API token I created and I had created it with DNS read, not edit... duh! Works perfectly now! Thanks everyone!
