Also the same domain provider. So I already did what the solution in the above topic says.
My problem is: when I hit Issue in the pfSense ACME package, it generates a TXT value. When I put this in my domain's DNS (supsolit.nl), wait a while and hit Renew, ACME generates a new TXT value.
When I hit Renew AFTER Issue, it tells me:
[Sat Mar 25 13:41:30 CET 2023] Renew: 'unifi.supsolit.nl'
[Sat Mar 25 13:41:30 CET 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 25 13:41:31 CET 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Mar 25 13:41:31 CET 2023] Single domain='unifi.supsolit.nl'
[Sat Mar 25 13:41:31 CET 2023] Getting domain auth token for each domain
[Sat Mar 25 13:41:33 CET 2023] Getting webroot for domain='unifi.supsolit.nl'
[Sat Mar 25 13:41:33 CET 2023] Add the following TXT record:
[Sat Mar 25 13:41:33 CET 2023] Domain: '_acme-challenge.unifi.supsolit.nl'
[Sat Mar 25 13:41:33 CET 2023] TXT value: 'ErXlGjiZ-HATqKOiLLmfIlcFt0ZjcUD2JMWfnjefkcU'
[Sat Mar 25 13:41:33 CET 2023] Please be aware that you prepend _acme-challenge. before your domain
[Sat Mar 25 13:41:33 CET 2023] so the resulting subdomain will be: _acme-challenge.unifi.supsolit.nl
[Sat Mar 25 13:41:33 CET 2023] Please add the TXT records to the domains, and re-run with --renew.
[Sat Mar 25 13:41:33 CET 2023] Please check log file for more details:
Log output is far easier to read when you use the </> Preformatted text option, available in the extended menu.
Your log output suggests that you have selected a manual DNS-01 challenge. The DNS-01 challenge, like all acme challenges, is far better when automated. My pfSense ACME clients are all set to update the required DNS records via API. Did you have a DNS provider configured previously?
My provider does have an API for DNS... but this API is outdated and advice is not to use it anymore. Plus my provider is not stated in the available list.
So yes, I am using DNS-Manual. But isn't this also automatic? (When it works)
Plus, even if the API is the better option, which I don't disagree with, the DNS-manual should also work, right?
I apologize, but what do you mean with this question?
I'm not sure how it could be both manual and automatic. Those sound mutually exclusive to me.
You wrote:
That made me curious if what you had changed might have been a setting that previously updated your DNS records programmatically. Based on your detailed answer, it seems that you did not have a DNS provider configured for automatic update.
I would consider moving to another DNS provider, at least for your DNS-01 challenges. This is supported in the pfSense ACME package.
I get what you are saying, but why does ACME keep generating new TXT values? From what I read, it should not do that. It should generate one when you hit ISSUE, not when hitting RENEW. Or am I wrong?
I can add as many TXT records as I want, so why would this problem be with my DNS provider?
Ah, so I picked the wrong one? I am trying to follow a HAPROXY + ACME howto from Lawrence on YT and he spoke about DNS-manual. And according to him it should work this way.
But to be honest I don't get how this works then.
I cannot add the TXT value before I see it, and when I see it, it has failed; but when I try to redo it I end up in the same circle.
The way I added it to my DNS might be wrong; I hit RENEW again:
unifi.supsolit.nl:Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.unifi.supsolit.nl - check that a DNS record exists for this domain
I don't feel like moving my domain at the moment. I would like to get this manual way working for now. There is a manual way, so this should work, right? So I am doing something wrong.
You are to use the <TOKEN> supplied by each challenge run for that run; thus the _acme-challenge.<YOUR_DOMAIN> TXT record needs updating with the <TOKEN> between receiving it and the actual challenge, and DNS must propagate before the challenge happens.
With this issue being specific, not only to a particular client, but also an explicit procedure, the Lawrence Systems forum may be better suited to provide insight.
I suspect that if he mentions the manual method, he has some amount of familiarity.
I still recommend that you explore using CNAMEs to point to a challenge domain with DNS hosted at a compatible DNS host. There are free options such as dns.he.net if cost is a concern.
No, it is not the cost. I live in The Netherlands, so I have a Dutch provider (the largest here), which makes it easier timezone-wise when I need something.
But in the end, if I really cannot get it to work in any other way than moving the domain, I still probably will do it.
YES! I figured it out a couple of minutes ago.
So I issued a new one, and this worked!
My error was:
In the other topic I mentioned, they said (same DNS provider):
For the NAME, when you use:
_acme-challenge.unifi.supsolit.nl
it doesn't work.
So I tried:
_acme-challenge.
This didn't work either. The solution was:
_acme-challenge.unifi
as the NAME.
Thanks everyone, and I do get that using an API is better. But for now I am just following the HowTo and I will see in the end if I will really use this.
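The two points the thread settled on are that each Issue/Renew run hands out a fresh token that must be in DNS and propagated before the challenge runs, and that the provider's panel wants the record NAME relative to the zone (`_acme-challenge.unifi`, not the full `_acme-challenge.unifi.supsolit.nl`). The following Python is an added example, not part of the thread and not code from the pfSense ACME package: it computes both forms of the record name and polls public DNS for the current token so that Renew is only pressed once the record is actually visible. The function names, the `zone` argument, the injectable `lookup`/`sleep` callbacks and the `dig`-based default resolver are assumptions made for this example.

```python
"""Helpers for the manual DNS-01 flow discussed in the thread (added example,
not the pfSense ACME package's own code). Assumptions: the record-name helper
takes the zone explicitly, and DNS lookups go through an injectable callback
whose default shells out to dig."""
import subprocess
import time
from typing import Callable, List

ACME_LABEL = "_acme-challenge"


def challenge_fqdn(hostname: str) -> str:
    """Fully qualified name of the challenge record, i.e. the name the ACME
    log prints, e.g. _acme-challenge.unifi.supsolit.nl."""
    return f"{ACME_LABEL}.{hostname.rstrip('.')}"


def relative_record_name(hostname: str, zone: str) -> str:
    """NAME to type into a provider panel that appends the zone by itself.
    For unifi.supsolit.nl in zone supsolit.nl this is '_acme-challenge.unifi',
    the form that finally worked in the thread."""
    fqdn = challenge_fqdn(hostname)
    suffix = "." + zone.rstrip(".")
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def dig_txt(name: str) -> List[str]:
    """Default lookup: query the system resolver with dig and return the TXT
    strings without their surrounding quotes (requires dig on PATH).
    ACME tokens are short enough to come back as a single quoted string."""
    result = subprocess.run(
        ["dig", "+short", "TXT", name],
        capture_output=True, text=True, check=False,
    )
    values = []
    for line in result.stdout.splitlines():
        line = line.strip()
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]
        values.append(line)
    return values


def txt_is_published(hostname: str, expected_token: str,
                     lookup: Callable[[str], List[str]] = dig_txt) -> bool:
    """True only when the token from the *current* run is visible. A stale
    token left over from an earlier Issue/Renew does not count, which is
    exactly the loop the thread got stuck in."""
    return expected_token in lookup(challenge_fqdn(hostname))


def wait_for_txt(hostname: str, expected_token: str,
                 lookup: Callable[[str], List[str]] = dig_txt,
                 attempts: int = 10, delay: float = 30,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until the token is visible or the attempts run out. Pressing
    Renew only after this returns True avoids the NXDOMAIN verify error
    quoted in the thread."""
    for attempt in range(attempts):
        if txt_is_published(hostname, expected_token, lookup):
            return True
        if attempt < attempts - 1:
            sleep(delay)
    return False


if __name__ == "__main__":
    host, zone = "unifi.supsolit.nl", "supsolit.nl"
    token = "ErXlGjiZ-HATqKOiLLmfIlcFt0ZjcUD2JMWfnjefkcU"  # value from the thread's log
    print("record NAME (relative):", relative_record_name(host, zone))
    print("record NAME (FQDN):    ", challenge_fqdn(host))
    print("token visible:", wait_for_txt(host, token, attempts=3, delay=10))
```

Run it after pasting the TXT value from the latest Issue into the provider's panel; `wait_for_txt` returns only once a public resolver actually serves that token, which is the moment Renew can safely be pressed. Because the resolver is a parameter, the same functions can be driven from a fake lookup in a test without touching the network.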