Bug #10411
ACME only uses DoH, Broken renewal
Status: Closed
Description
The issue is described on the forum here:
https://forum.netgate.com/topic/150984/doh-verification-method
DoH appears to have been added mid-February 2020, and there doesn't appear to be a way to fall back to non-DoH verification. Can ACME fall back (as an opt-in option) to using system DNS settings instead of DoH directly?
Currently, ACME renewal is broken when DoH is blocked.
Updated by Jim Pingle over 4 years ago
- Status changed from New to Needs Patch
That will need to be raised as an issue directly with acme.sh not here.
Updated by theodore adams over 4 years ago
Thank you for reviewing, Jim.
I have been researching further and found closed issues on the acme.sh GitHub:
https://github.com/acmesh-official/acme.sh/issues/2576
https://github.com/acmesh-official/acme.sh/issues/2587
Using public DoH is just because that letsencrypt CA is using public DNS servers to validate.
To disable ns lookup, you can use --dnssleep 180
I have tested dnssleep of 180 in the pfSense ACME GUI, and the certificate successfully generates when one manually runs Issue/Renew. However, the GUI reports that the issuance was unsuccessful (the broken icon appears, and there is no success message at the top). After a little while, a refresh of the page does show the successful issuance of the certificate, and the system log does show the appropriate shell commands run.
Might an update be made to the package that accounts for added dnssleep time?
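The --dnssleep 180 workaround discussed above replaces acme.sh's DoH-based propagation check with a fixed wait. The script below is an added example, not acme.sh or pfSense package code, of performing that check through the system resolver instead: it asks each authoritative nameserver of the zone for the _acme-challenge TXT record via dig (assumed installed, e.g. dns/bind-tools on FreeBSD) and returns as soon as all of them serve the expected token, or fails after a timeout. The zone is assumed to be the record name with the _acme-challenge label stripped; hostnames and token values in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not acme.sh code): check _acme-challenge TXT propagation via
# the system resolver instead of a public DoH endpoint or a blind sleep.

# query_txt NAME SERVER -> TXT values served by SERVER for NAME, one per line,
# with the surrounding quotes that dig +short prints removed.
# Assumes a single-string TXT value, as ACME dns-01 tokens are.
query_txt() {
    dig +short @"$2" TXT "$1" 2>/dev/null | sed 's/^"//; s/"$//'
}

# authoritative_ns ZONE -> hostnames of the zone's NS records, trailing dot removed.
authoritative_ns() {
    dig +short NS "$1" 2>/dev/null | sed 's/\.$//'
}

# txt_present NAME SERVER TOKEN -> exit 0 if TOKEN is exactly one of the TXT values.
txt_present() {
    query_txt "$1" "$2" | grep -qxF "$3"
}

# wait_for_txt NAME TOKEN [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls every authoritative server of the parent zone until all of them return
# TOKEN (exit 0) or TIMEOUT_SECONDS has elapsed (exit 1). The zone is assumed to
# be NAME without its leading "_acme-challenge." label.
wait_for_txt() {
    name=$1; token=$2; timeout=${3:-180}; interval=${4:-10}
    zone=${name#_acme-challenge.}
    elapsed=0
    while :; do
        missing=0
        ns_list=$(authoritative_ns "$zone")
        if [ -z "$ns_list" ]; then
            # No NS answer at all: treat as not yet propagated, never as success.
            missing=1
        else
            for ns in $ns_list; do
                txt_present "$name" "$ns" "$token" || missing=$((missing + 1))
            done
        fi
        [ "$missing" -eq 0 ] && return 0
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Usage (placeholder name and token):
#   wait_for_txt _acme-challenge.example.com 'tokenFromAcmeChallenge' 180 10 \
#       && echo "record visible on all authoritative servers"
```

Run it between the DNS-API update step and the `--issue` call, or use it as a pre-flight before `acme.sh --renew`; because it queries the authoritative servers directly, it is unaffected by DoH being blocked at the edge.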
Updated by Jim Pingle over 4 years ago
Still seems like acme.sh should handle that more gracefully without relying on such a long timeout, or have an option to disable DoH.
Updated by theodore adams over 4 years ago
Jim Pingle wrote:
Still seems like acme.sh should handle that more gracefully without relying on such a long timeout, or have an option to disable DoH.
I certainly agree, I'm glad to have found a workaround, but this is a pain. Unfortunately it doesn't seem that acme.sh agrees since they have closed at least two issues raising this.