pfSense ACME Cloudflare

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Problem: I am trying to issue a cert on pfSense using ACME. This is so I can host Nextcloud using Cloudflare. The actual subdomain I am trying to get the cert created for is nextcloud.geeknetit.com. I found a past post with a solution; however, I have already tried that solution and it did not work. See the solution URL below:

My domain is: nextcloud.geeknetit.com

I ran this command: cat /tmp/acme/nextcloud/acme_issuecert.log

It produced this output:
[Mon Sep 2 16:38:20 PDT 2024] readlink exists=0
[Mon Sep 2 16:38:20 PDT 2024] dirname exists=0
[Mon Sep 2 16:38:20 PDT 2024] Lets find script dir.
[Mon Sep 2 16:38:20 PDT 2024] SCRIPT='/usr/local/pkg/acme/acme.sh'
[Mon Sep 2 16:38:20 PDT 2024] _script='/usr/local/pkg/acme/acme.sh'
[Mon Sep 2 16:38:20 PDT 2024] _script_home='/usr/local/pkg/acme'
[Mon Sep 2 16:38:20 PDT 2024] Using config home:/tmp/acme/nextcloud
[Mon Sep 2 16:38:20 PDT 2024] ACCOUNT_CONF_PATH='/tmp/acme/nextcloud/accountconf.conf'
[Mon Sep 2 16:38:20 PDT 2024] APP
[Mon Sep 2 16:38:20 PDT 2024] 3:LOG_FILE='/tmp/acme/nextcloud/acme_issuecert.log'
[Mon Sep 2 16:38:20 PDT 2024] APP
[Mon Sep 2 16:38:20 PDT 2024] 4:LOG_LEVEL='3'
[Mon Sep 2 16:38:20 PDT 2024] LE_WORKING_DIR='/tmp/acme/nextcloud'
[Mon Sep 2 16:38:20 PDT 2024] Running cmd: issue
[Mon Sep 2 16:38:20 PDT 2024] _main_domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:20 PDT 2024] _alt_domains='no'
[Mon Sep 2 16:38:20 PDT 2024] Using config home:/tmp/acme/nextcloud
[Mon Sep 2 16:38:20 PDT 2024] ACCOUNT_CONF_PATH='/tmp/acme/nextcloud/accountconf.conf'
[Mon Sep 2 16:38:20 PDT 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Sep 2 16:38:21 PDT 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mon Sep 2 16:38:21 PDT 2024] _ACME_SERVER_PATH='directory'
[Mon Sep 2 16:38:21 PDT 2024] CA_CONF='/tmp/acme/nextcloud/ca/acme-v02.api.letsencrypt.org/directory/ca.conf'
[Mon Sep 2 16:38:21 PDT 2024] DOMAIN_PATH='/tmp/acme/nextcloud/nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] 'dns_cf' does not contain 'dns'
[Mon Sep 2 16:38:21 PDT 2024] Le_NextRenewTime
[Mon Sep 2 16:38:21 PDT 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Mon Sep 2 16:38:21 PDT 2024] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Mon Sep 2 16:38:21 PDT 2024] GET
[Mon Sep 2 16:38:21 PDT 2024] url='https://acme-v02.api.letsencrypt.org/directory'
[Mon Sep 2 16:38:21 PDT 2024] timeout=
[Mon Sep 2 16:38:21 PDT 2024] curl exists=0
[Mon Sep 2 16:38:21 PDT 2024] wget exists=127
[Mon Sep 2 16:38:21 PDT 2024] _CURL='curl --silent --dump-header /tmp/acme/nextcloud/http.header -L -g '
[Mon Sep 2 16:38:21 PDT 2024] ret='0'
[Mon Sep 2 16:38:21 PDT 2024] _json_decode
[Mon Sep 2 16:38:21 PDT 2024] _j_str='{
"5JGt4f7wgKw": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Mon Sep 2 16:38:21 PDT 2024] response='{
"5JGt4f7wgKw": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Mon Sep 2 16:38:21 PDT 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Mon Sep 2 16:38:21 PDT 2024] ACME_NEW_AUTHZ
[Mon Sep 2 16:38:21 PDT 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mon Sep 2 16:38:21 PDT 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mon Sep 2 16:38:21 PDT 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Mon Sep 2 16:38:21 PDT 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
[Mon Sep 2 16:38:21 PDT 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 2:Le_Domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 3:Le_Alt='no'
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 4:Le_Webroot='dns_cf'
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 5:Le_PreHook=''
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 6:Le_PostHook=''
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 7:Le_RenewHook=''
[Mon Sep 2 16:38:21 PDT 2024] OK
[Mon Sep 2 16:38:21 PDT 2024] 8:Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Mon Sep 2 16:38:21 PDT 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Sep 2 16:38:21 PDT 2024] _on_before_issue
[Mon Sep 2 16:38:21 PDT 2024] _chk_main_domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] _chk_alt_domains
[Mon Sep 2 16:38:21 PDT 2024] 'dns_cf' does not contain 'no'
[Mon Sep 2 16:38:21 PDT 2024] Le_LocalAddress
[Mon Sep 2 16:38:21 PDT 2024] d='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] Check for domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] _currentRoot='dns_cf'

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pfSense 2.7.2 (latest build)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): command not found for either one.

Have you configured the Cloudflare API token for acme.sh? It seems odd that your log would stop where it does as it hasn't gotten to the point of outputting an error.

3 Likes
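The reply above notes that the quoted log stops before acme.sh reports any error. As an added example (not from the thread or the acme.sh project), this Python helper parses an acme.sh issue log like the one quoted, pulls out the domain, CA and validation method, and reports the last stage the run reached; the sample log is a constructed excerpt and the later stage markers are assumed from typical acme.sh output, not taken from this page.

```python
import re

# Constructed excerpt modelled on the acme_issuecert.log lines quoted in the thread.
SAMPLE_LOG = """\
[Mon Sep 2 16:38:21 PDT 2024] 2:Le_Domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] 4:Le_Webroot='dns_cf'
[Mon Sep 2 16:38:21 PDT 2024] 8:Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Mon Sep 2 16:38:21 PDT 2024] _on_before_issue
[Mon Sep 2 16:38:21 PDT 2024] Check for domain='nextcloud.geeknetit.com'
[Mon Sep 2 16:38:21 PDT 2024] _currentRoot='dns_cf'
"""

# Ordered progress markers. The first three appear in the quoted log; the rest
# are an assumption based on typical acme.sh debug output.
STAGES = [
    ("config_loaded", "Le_Webroot="),
    ("pre_issue_checks", "_on_before_issue"),
    ("method_selected", "_currentRoot="),
    ("challenge_requested", "Getting domain auth token"),
    ("dns_record_added", "Adding txt value"),
    ("verifying", "Verifying:"),
    ("issued", "Cert success"),
]

# "[timestamp] 4:Le_Webroot='dns_cf'" -> key Le_Webroot, value dns_cf
KV_RE = re.compile(r"^\[[^\]]+\]\s+(?:\d+:)?([A-Za-z_]\w*)='([^']*)'\s*$")


def diagnose(log_text):
    """Extract key settings and the furthest stage reached from an acme.sh issue log."""
    settings, furthest = {}, -1
    for line in log_text.splitlines():
        m = KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
        for i, (_, marker) in enumerate(STAGES):
            if marker in line and i > furthest:
                furthest = i
    method = settings.get("Le_Webroot", "")
    notes = []
    if method.startswith("dns_"):
        notes.append(f"{method} is a DNS API hook; its credentials live on the client, not at the CA")
    if 0 <= furthest <= 2:
        notes.append("run ended before any challenge was requested, so no CA error exists; check the client config and re-run")
    return {"domain": settings.get("Le_Domain"), "ca": settings.get("Le_API"),
            "method": method, "last_stage": STAGES[furthest][0] if furthest >= 0 else None,
            "notes": notes}
```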

The Cloudflare API token is not configured for acme.sh; it's just a token that you create and then add to the pfSense / ACME config. I have tested the token to make sure it's valid and active.

But you are going to love this: I just clicked on Issue to issue the cert and now it works. LOL. Thank you for taking the time to help.

2 Likes