Error while creating TXT Record on pfSense ACME

Hello everyone, first of all here is my crt.sh list:

My domain is: *.safh.de, safh.de

I ran this command: ACME Challenge Issue / Renew

It produced this output:

safhde
Renewing certificate 
account: ACMEAcc 
server: letsencrypt-production-2 

/usr/local/pkg/acme/acme.sh  --issue  --domain '*.safh.de' --dns 'dns_inwx'  --domain 'safh.de' --dns 'dns_inwx'  --home '/tmp/acme/safhde/' --accountconf '/tmp/acme/safhde/accountconf.conf' --force --always-force-new-domain-key --reloadCmd '/tmp/acme/safhde/reloadcmd.sh' --log-level 3 --log '/tmp/acme/safhde/acme_issuecert.log'
Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [INWX_User] => MYUSER
    [INWX_Password] => ***
    [INWX_Shared_Secret] => 
)
[Fri Oct  6 17:57:35 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Oct  6 17:57:35 CEST 2023] Using pre generated key: /tmp/acme/safhde/*.safh.de/*.safh.de.key.next
[Fri Oct  6 17:57:35 CEST 2023] Generate next pre-generate key.
[Fri Oct  6 17:57:35 CEST 2023] Multi domain='DNS:*.safh.de,DNS:safh.de'
[Fri Oct  6 17:57:35 CEST 2023] Getting domain auth token for each domain
[Fri Oct  6 17:57:38 CEST 2023] Getting webroot for domain='*.safh.de'
[Fri Oct  6 17:57:38 CEST 2023] Getting webroot for domain='safh.de'
[Fri Oct  6 17:57:38 CEST 2023] Adding txt value: xkktHxgkJBiUmDWjBmEhFB-OngXVhYGG9phth03iw4M for domain:  _acme-challenge.safh.de
[Fri Oct  6 17:57:38 CEST 2023] Adding record
[Fri Oct  6 17:57:38 CEST 2023] Error
[Fri Oct  6 17:57:38 CEST 2023] Error add txt for domain:_acme-challenge.safh.de
[Fri Oct  6 17:57:38 CEST 2023] Please check log file for more details: /tmp/acme/safhde/acme_issuecert.log

In the log I found this additionally:

[Fri Oct  6 17:53:14 CEST 2023] _postContentType
[Fri Oct  6 17:53:14 CEST 2023] Http already initialized.
[Fri Oct  6 17:53:14 CEST 2023] _CURL='curl --silent --dump-header /tmp/acme/safhde/http.header  -L  -g '
[Fri Oct  6 17:53:14 CEST 2023] _ret='0'
[Fri Oct  6 17:53:14 CEST 2023] Error
[Fri Oct  6 17:53:14 CEST 2023] Error add txt for domain:_acme-challenge.safh.de
[Fri Oct  6 17:53:14 CEST 2023] _on_issue_err
[Fri Oct  6 17:53:14 CEST 2023] Please check log file for more details: /tmp/acme/safhde/acme_issuecert.log

The latest try with the results: https://acme-v02.api.letsencrypt.org/acme/chall-v3/271316493996/4Hn3Bg

I tried creating an A or AAAA or CNAME record for _acme-challenge.safh.de but it won't change a thing. If I, on the other hand, create a TXT record, the error is "404 wrong TXT Record" (or something like this). In the past the ACME created the right TXT record and I didn't need to create one. The _acme-challenge is now empty (not existing) but still it's the same result.

My web server is (include version): None used, used DNS Validation

The operating system my web server runs on is (include version): pfSense 23.05.1 (latest, today) ACME Version: 0.7.5 (History for security/pfSense-pkg-acme - pfsense/FreeBSD-ports · GitHub)

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don't know): For sure, it's my firewall

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): The ACME Service options under Services.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I assume 0.7.5 but can't tell

It stopped working a long time ago, so after my holidays I tried to "fix it" for good and created a new ACME and deleted the old one, but no luck. I use INWX as a DNS Provider and the submitted Username and password are mine and working.
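A small triage helper for the situation in this post, added here as an example and not code from the original thread, acme.sh, or the pfSense package: it parses acme.sh output in the shape quoted above to find which _acme-challenge names acme.sh tried to publish a TXT record for and whether that add failed, distinguishes a curl transport failure from the provider API rejecting the record (the quoted log shows `_ret='0'` directly before the Error, i.e. the HTTP call completed), and compares the expected token against whatever DNS actually serves. The log excerpt and the DNS answers in the block are constructed from the values in the post; the `dig +short TXT` invocation named in the comments is the intended real-world source of the observed values.

```python
"""Triage acme.sh DNS-01 output: which _acme-challenge names got their TXT
record, and does the published record match what acme.sh tried to add?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the shape acme.sh prints at --log-level 3; the token and
# name are the ones from the post, the line sequence is assembled for this example.
SAMPLE_LOG = """\
[Fri Oct  6 17:57:38 CEST 2023] Adding txt value: xkktHxgkJBiUmDWjBmEhFB-OngXVhYGG9phth03iw4M for domain:  _acme-challenge.safh.de
[Fri Oct  6 17:57:38 CEST 2023] Adding record
[Fri Oct  6 17:57:38 CEST 2023] _ret='0'
[Fri Oct  6 17:57:38 CEST 2023] Error
[Fri Oct  6 17:57:38 CEST 2023] Error add txt for domain:_acme-challenge.safh.de
"""

TS_RE = re.compile(r"^\[[^\]]*\]\s*")  # leading "[Fri Oct  6 ...]" timestamp
ADD_RE = re.compile(r"Adding txt value:\s*(?P<token>\S+)\s+for domain:\s*(?P<fqdn>\S+)")
RET_RE = re.compile(r"_ret='(?P<ret>\d+)'")  # curl exit status logged by acme.sh
ERR_RE = re.compile(r"Error add txt for domain:\s*(?P<fqdn>\S+)")


@dataclass
class Attempt:
    fqdn: str
    token: str
    error: bool = False
    # curl exit codes seen while this attempt was the active one
    curl_rets: List[str] = field(default_factory=list)


def parse_dns01_attempts(log_text: str) -> Dict[str, Attempt]:
    """Map each _acme-challenge FQDN to the TXT value acme.sh tried to add and the outcome."""
    attempts: Dict[str, Attempt] = {}
    current: Optional[Attempt] = None
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()
        m = ADD_RE.search(line)
        if m:
            current = Attempt(fqdn=m.group("fqdn").rstrip("."), token=m.group("token"))
            attempts[current.fqdn] = current
            continue
        m = RET_RE.search(line)
        if m and current is not None:
            current.curl_rets.append(m.group("ret"))
            continue
        m = ERR_RE.search(line)
        if m:
            fqdn = m.group("fqdn").rstrip(".")
            attempts.setdefault(fqdn, Attempt(fqdn=fqdn, token="")).error = True
    return attempts


def classify(attempt: Attempt) -> str:
    """Coarse diagnosis of a failed add: did curl fail, or did the DNS provider's API say no?"""
    if not attempt.error:
        return "added"
    if any(r != "0" for r in attempt.curl_rets):
        return "transport-error"  # curl never got a usable answer from the provider API
    # HTTP call completed (_ret='0') but acme.sh still reported Error: the API rejected the record
    return "api-rejected"


def check_published_txt(expected_token: str, observed_txt: List[str]) -> str:
    """Compare the token acme.sh tried to publish with what DNS actually serves.

    observed_txt: strings as printed by `dig +short TXT _acme-challenge.<zone>`
    (surrounding double quotes are tolerated)."""
    values = [v.strip().strip('"') for v in observed_txt]
    if expected_token in values:
        return "match"
    return "missing" if not values else "wrong-value"


if __name__ == "__main__":
    for fqdn, a in parse_dns01_attempts(SAMPLE_LOG).items():
        print(f"{fqdn}: token={a.token} result={classify(a)}")
        # Constructed answers standing in for `dig +short TXT <fqdn>` output:
        print("  no record  ->", check_published_txt(a.token, []))
        print("  stale one  ->", check_published_txt(a.token, ['"an-older-token"']))
        print("  correct    ->", check_published_txt(a.token, [f'"{a.token}"']))
```

Run it against the real `acme_issuecert.log` and the live `dig` answer for the challenge name: "api-rejected" plus "missing" points at the provider-side add (the dns_inwx hook or the account's API permissions), while "transport-error" points at connectivity from the firewall to the provider's API.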

Yes, the inwx script for acme.sh is failing to add the correct TXT record

I have no experience with inwx so not sure why that would fail. But, I found below item at github for acme.sh. Could this be related to your problem?

If that doesn't help, you might get better response by posting a new issue on the acme.sh github. It's not directly a Let's Encrypt problem. It is some fault with the API method used by acme.sh to update your DNS.

This link includes an answer by an inwx developer so posting there should help or contact inwx support directly.


Thank you very much, the fix provided in the first link works directly. As written there, it is fixed in the next upcoming version for pfSense.
THANK YOU! <3

