Ownership validation: Which Method for static IP@pfsense?

Hello *

I have a pfsense configured with a static public IP.
Acme Certificates is installed, the account keys (letsencrypt-production-2) are set.
My current DNS provider (world4you) does not support dns challenge.

The goal is to provide a certificate for

  1. I wonder if using ‘DNS-Manual’ is the correct way to issue/renew the certificate.
  2. There is no obvious error (see output below), but where do I add the TXT record @pfsense?

My domain is: 12bfree.com

I ran this command:
/usr/local/pkg/acme/acme.sh --issue -d '12bfree.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns -d '*.12bfree.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --home '/tmp/acme/12bfree.com/' --accountconf '/tmp/acme/12bfree.com/accountconf.conf' --force --reloadCmd '/tmp/acme/12bfree.com/reloadcmd.sh' --log-level 3 --log '/tmp/acme/12bfree.com/acme_issuecert.log'

It produced this output:
12bfree.com
Renewing certificate
account: 12bfree.com
server: letsencrypt-production-2

/usr/local/pkg/acme/acme.sh --issue -d '12bfree.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns -d '*.12bfree.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please --dns --home '/tmp/acme/12bfree.com/' --accountconf '/tmp/acme/12bfree.com/accountconf.conf' --force --reloadCmd '/tmp/acme/12bfree.com/reloadcmd.sh' --log-level 3 --log '/tmp/acme/12bfree.com/acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
)
[Mon Oct 28 14:06:12 CET 2019] Multi domain='DNS:12bfree.com,DNS:*.12bfree.com'
[Mon Oct 28 14:06:12 CET 2019] Getting domain auth token for each domain
[Mon Oct 28 14:06:15 CET 2019] Getting webroot for domain='12bfree.com'
[Mon Oct 28 14:06:16 CET 2019] Getting webroot for domain='*.12bfree.com'
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: '_acme-challenge.12bfree.com'
[Mon Oct 28 14:06:16 CET 2019] TXT value: 'xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx'
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Add the following TXT record:
[Mon Oct 28 14:06:16 CET 2019] Domain: '_acme-challenge.12bfree.com'
[Mon Oct 28 14:06:16 CET 2019] TXT value: 'xmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmx'
[Mon Oct 28 14:06:16 CET 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Oct 28 14:06:16 CET 2019] so the resulting subdomain will be: _acme-challenge.12bfree.com
[Mon Oct 28 14:06:16 CET 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon Oct 28 14:06:16 CET 2019] Please check log file for more details: /tmp/acme/12bfree.com/acme_issuecert.log

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:
self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
pfsense
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @karlre1

You must be able to create TXT entries. Then --manual is hard - but should always work.

Now, you don’t have any TXT entry - https://check-your-website.server-daten.de/?q=12bfree.com#txt

You need two entries with the same domain name and different TXT Entries.

Compare it with my main domain - there are two rows required.

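Why the two rows share one record name but must carry different values, as an added example that is not part of this thread and not acme.sh's own code: it derives the DNS-01 TXT values of RFC 8555 for both identifiers from a constructed account JWK and constructed challenge tokens (none of them real), and reports which of the required rows are still absent from a constructed set of published TXT strings.

```python
from __future__ import annotations
import base64
import hashlib
import json
from dataclasses import dataclass

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses (RFC 8555, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members in sorted, compact JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

@dataclass(frozen=True)
class TxtRecord:
    name: str
    value: str

def dns01_record(identifier: str, token: str, thumbprint: str) -> TxtRecord:
    """TXT record for one identifier (RFC 8555, section 8.4). The '*.' of a wildcard
    is dropped from the record name, so 12bfree.com and *.12bfree.com are both proven
    at _acme-challenge.12bfree.com, each with its own digest of token.thumbprint."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authz = f"{token}.{thumbprint}".encode("ascii")
    return TxtRecord(f"_acme-challenge.{base}", b64url(hashlib.sha256(key_authz).digest()))

def missing_txt_values(required: list[TxtRecord], published: dict[str, set[str]]) -> set[TxtRecord]:
    """Records the client asked for that are not yet among the published TXT strings (name -> values)."""
    return {r for r in required if r.value not in published.get(r.name, set())}

# Constructed account key (not a real key) and constructed challenge tokens.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "CONSTRUCTED_X", "y": "CONSTRUCTED_Y"}
TOKENS = {"12bfree.com": "CONSTRUCTED_TOKEN_APEX", "*.12bfree.com": "CONSTRUCTED_TOKEN_WILDCARD"}

if __name__ == "__main__":
    tp = jwk_thumbprint(ACCOUNT_JWK)
    needed = [dns01_record(ident, tok, tp) for ident, tok in TOKENS.items()]
    for rec in needed:
        print(f"{rec.name} TXT {rec.value}")  # two rows, one name, two different values
    # Simulated zone where only the first row was added: the wildcard row is reported as missing.
    published = {needed[0].name: {needed[0].value}}
    print("still missing:", [r.value for r in missing_txt_values(needed, published)])
```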

Sorry for the delay and thank you for your response. I appreciate it.
I’ve been in contact with my registrar about DNS challenge.
They won’t allow it.
Therefore I’m thinking of transferring the domain to another provider.
I’m sitting in Austria. Can you possibly recommend a decent one?

BTW: I’ll be revisiting your website. It’s definitely helpful.


These are basic requirements, so change your domain provider.

I use Inwx. They support a lot of TLDs (I don’t use). More relevant: They have an API, and TXT, CAA and DNSSEC are supported.

And clients like acme.sh have API support.


Thanks for the suggestion. I’ll be looking into this.
