Pfsense ACME invalid domain
Hi, I am trying to issue a newly created certificate using the ACME package on pfSense. When I click "Issue" I am getting the error "invalid domain nextcloud.geeknetit.com". I have double-checked that I am using the correct API, Account ID, Zone ID, as well as Key and Token. The domain nextcloud.geeknetit.com is listed in my DNS on the Cloudflare portal. Any help would be appreciated.
Also, I can ping nextcloud.geeknetit.com.
[Mon Sep 2 12:12:38 PDT 2024] invalid domain
[Mon Sep 2 12:12:38 PDT 2024] Error add txt for domain:_acme-challenge.nextcloud.geeknetit.com
You'd have to get more info from it; that error, "Invalid domain", is from that package. It might be looking for the root domain where you put nextcloud.geeknetit.com. Other common mistakes with the API are mixing up the headers.
It doesn't make any sense for it to be asking for a "Key" and a "Token". You can create API Tokens within your account and give them specific permissions (make sure to give it what it asks); that is used with the Authorization header, like Authorization: Bearer <api-token>, and then you wouldn't have an API Key or API Email Address. Or you use your global API Key, in which case it would ask for your Account Email Address (X-Auth-Email header) and your Global API Key (X-Auth-Key header).
I do have the entire log.
It can't be looking for the root domain; the reason is that the subdomain is used to host Nextcloud. The root and subdomain are resolvable by nslookup. Also, I am using the global API account key and email, as you will see below in more recent replies.
I also found an article where the same issue was resolved by selecting all domains vs. a specific domain when creating the token, but that did not work for me. The token has the Edit permission.
This is the URL where another user had the same issue and resolved it: https://community.letsencrypt.org/t/error-adding-txt-solved/200285/2
Is that the entire line? If so, that's missing the FQDN.
Here is the acme log:
Here is the config screenshot from the ACME service in pfSense.
I was using this guy's YouTube video to set this up: https://www.youtube.com/watch?v=cB6oKJjr4Ls
When you create the API key I do not see any sort of permissions, except for Edit or Read Only, and it's configured for all zones in Edit mode.
I did find this using curl from my pfSense router CLI: "This API Token can not be used before 2026-09-02 00:00:00+00"
Seems I have some sort of access issue.
So I fixed that issue by selecting the correct start and end dates. However, when I try to issue the cert in pfSense it still fails with the same error. Also, for fun I tried just geeknetit; here is the tail end of the errors:
[Mon Sep 2 19:05:21 PDT 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Sep 2 19:05:21 PDT 2024] Using pre generated key: /tmp/acme/nextcloud/geeknetit.com/geeknetit.com.key.next
[Mon Sep 2 19:05:21 PDT 2024] Generate next pre-generate key.
[Mon Sep 2 19:05:23 PDT 2024] Single domain='geeknetit.com'
[Mon Sep 2 19:05:26 PDT 2024] Getting webroot for domain='geeknetit.com'
[Mon Sep 2 19:05:26 PDT 2024] Adding txt value: L2aGsK8BGehcoNSTLDiePYXEXly1cCdslUViebqrq8g for domain: _acme-challenge.geeknetit.com
[Mon Sep 2 19:05:27 PDT 2024] invalid domain
[Mon Sep 2 19:05:27 PDT 2024] Error add txt for domain:_acme-challenge.geeknetit.com
[Mon Sep 2 19:05:27 PDT 2024] Please check log file for more details: /tmp/acme/nextcloud/acme_issuecert.log
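A pre-flight check for the two things the replies above turn on, the Cloudflare auth-header style and whether the credentials can see a zone that contains the challenge name before any TXT record is added; this is an added example, not code from the pfSense ACME package, acme.sh or Cloudflare. The zone map and zone IDs are constructed placeholders standing in for what the API's zone listing would return.

```python
# Added example: Cloudflare DNS-01 pre-flight for an ACME challenge name.
# The zone map below is a constructed stand-in for the API's zone listing
# (zone name -> zone ID); the IDs are placeholders, not real Cloudflare IDs.
from typing import Optional

# Zones the credentials can see. A token scoped to a different zone, or a
# zone held in another Cloudflare account, simply does not appear here.
SAMPLE_ZONES = {
    "geeknetit.com": "ZONEID-PLACEHOLDER-1",
    "example.net": "ZONEID-PLACEHOLDER-2",
}

def cf_headers(api_token: Optional[str] = None, email: Optional[str] = None,
               global_key: Optional[str] = None) -> dict:
    """Auth headers for exactly one credential style: a scoped API token
    (Authorization: Bearer ...) or email + global API key (X-Auth-Email /
    X-Auth-Key). Mixing the two is the mistake the reply above warns about."""
    if api_token and not (email or global_key):
        return {"Authorization": f"Bearer {api_token}"}
    if email and global_key and not api_token:
        return {"X-Auth-Email": email, "X-Auth-Key": global_key}
    raise ValueError("supply either an API token or email + global API key")

def find_zone(challenge_fqdn: str, zones: dict) -> Optional[tuple]:
    """Find the zone that must hold the TXT record by walking up the name:
    _acme-challenge.nextcloud.geeknetit.com -> nextcloud.geeknetit.com ->
    geeknetit.com. Returns (zone_name, zone_id, record_name), or None when
    no visible zone matches, the situation a DNS hook typically reports as
    "invalid domain" before it ever tries to add the TXT record."""
    record = challenge_fqdn.rstrip(".")
    labels = record.split(".")
    for i in range(len(labels) - 1):  # never try the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate], record
    return None

def preflight(challenge_fqdn: str, zones: dict, **creds) -> dict:
    """Run both checks so a failure names the misconfigured piece."""
    headers = cf_headers(**creds)
    hit = find_zone(challenge_fqdn, zones)
    if hit is None:
        return {"ok": False, "reason": f"invalid domain: no zone for {challenge_fqdn}"}
    zone, zone_id, record = hit
    return {"ok": True, "headers": headers, "zone": zone,
            "zone_id": zone_id, "record": record}

if __name__ == "__main__":
    print(preflight("_acme-challenge.nextcloud.geeknetit.com", SAMPLE_ZONES,
                    api_token="TOKEN-PLACEHOLDER"))
```

Replace SAMPLE_ZONES with the names actually returned by the zone listing under the credentials pfSense is using; an empty match with the record name shown in the log points at token scope or account, not at the DNS record itself.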
Well, for some reason it just started working. I didn't do anything different. Thanks for the help.