Help with wildcard setup

thank you.

i been looking for something about acme.
but nothing much has shown

the configuration is different from the config i provided.

  1. Say “Hello World”
    docker run --rm neilpang/
  2. Use as an executable:
    docker run --rm -it
    -v “$(pwd)/out”:/
    neilpang/ --issue -d --standalone
    You can use any commands that supports here, other examples:

#revoke a cert
docker run --rm -it
-v “(pwd)/out":/ \ --net=host \ neilpang/ --revoke -d #use dns mode docker run --rm -it \ -v "(pwd)/out”:/
neilpang/ --issue --dns -d
#run cron job
docker run --rm -it
-v “$(pwd)/out”:/
neilpang/ --cron

I would cerate a new dedicated docker container.
Then try installing it as one would normally (while inside that container):
curl | sh

i setup the acme in pfsense.
but still getting the error

I’m not familiar with pfSense+LetsEncrypt.
I do see that
nslookup -q=txt
returns two records.
You might need to increase the DNS Sleep time.

is the information correct though ?
the sleep is default at 120 seconds.
what should i put it as ?

Two TXT records were created: text =

    "Gzre2aQLTX4CidlRFvWsilb1jK6G9splF26foY-Vq2Q" text =



Could you please double check if you've binded to a correct IP / server?

Since the hostname is not available from public, we are not sure what's going on in your server....

And do you mind to share us output of the following command?
openssl s_client -connect -showcerts

Thank you

where do i check. sorry?

Try DNS Sleep 300 (5 minutes)
Use nslookup (from any other computer) to confirm when it updates:
nslookup -q=txt
nslookup -q=txt

Although it’s not working properly, a good news is that the error message is different (from mismatch to CA not valid)

@rg305 did he get the certificate issued? (He actually should check nslookup -q=txt right?)

where do i enter that command ?

I don’t think he has been able to get a (good) cert yet.
He needs multiple wildcard entries on one cert.

You need to enter that to your CMD (command line prompt) or shell in the device that you see the error.

From a device that has access to
And that also has openssl (most Linux based system have it)

depth=1 CN = Fake LE Intermediate X1
verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:/CN=*
i:/CN=Fake LE Intermediate X1


1 s:/CN=Fake LE Intermediate X1
i:/CN=Fake LE Root X1



Server certificate
issuer=/CN=Fake LE Intermediate X1

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3092 bytes and written 433 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 0EC86BA0E6D24129A2B89C9F94491A56456CD6BB41E618FAC8573261DDE9BF8B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1544161061
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)


Does this need to change into Production to work ?


Two things:

  1. The certificate you binded to[the domain] is a "Staging" certificate.
    You need to issue a real certificate....


  1. Please share us the certificate file that you omitted when executing the above commands... (Since a common name does not show much and since it's staging certificate, i don't know where to find the logs to see if that certificate includes the correct SAN)

P.S. Please do not expose your Lets Encrypt Account Key. IT'S EXTREMELY DANGEROUS!

Thank you