Bug #10642

ACME certificate renewal with DNS-Gandi method fails when using multiple Gandi keys

Added by Oriane Tury 8 months ago. Updated 8 months ago.


With the ACME service, when trying to issue/renew a certificate for two or more domain names using the DNS-Gandi LiveDNS validation method, with each domain name using a distinct Gandi LiveDNS API key, pfSense only uses the API key registered for the last domain in the certificate's Domain SAN list. Thus the validation for the first domain fails unexpectedly.

(The whole setup is intended for a HTTPS reverse proxy in front of multiple webservers whose domain names pertain to different people.)

Here is the report printed after trying to issue/renew a certificate with and (in this order) in the Domain SAN list. The validation method for both is DNS-Gandi LiveDNS, but the API keys are distinct.

Renewing certificate 
account: TEST 
server: letsencrypt-staging-2 

/usr/local/pkg/acme/  --issue  -d '' --dns 'dns_gandi_livedns'  -d '' --dns 'dns_gandi_livedns'  --home '/tmp/acme/certificat_bug_reproductible/' --accountconf '/tmp/acme/certificat_bug_reproductible/accountconf.conf' --force --reloadCmd '/tmp/acme/certificat_bug_reproductible/' --log-level 3 --log '/tmp/acme/certificat_bug_reproductible/acme_issuecert.log'
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[Mon Jun  8 21:46:41 CEST 2020] Multi domain=','
[Mon Jun  8 21:46:41 CEST 2020] Getting domain auth token for each domain
[Mon Jun  8 21:46:45 CEST 2020] Getting webroot for domain=''
[Mon Jun  8 21:46:45 CEST 2020] Getting webroot for domain=''
[Mon Jun  8 21:46:45 CEST 2020] Adding txt value: 6fwWiw6znabab0nuzw4MUHPOo1l8_qftNOZvWXXXXXX for domain:
[Mon Jun  8 21:46:46 CEST 2020] Error add txt for
[Mon Jun  8 21:46:46 CEST 2020] Please check log file for more details: /tmp/acme/certificat_bug_reproductible/acme_issuecert.log


#1 Updated by Jim Pingle 8 months ago

  • Project changed from pfSense to pfSense Packages
  • Category set to ACME
  • Affected Version deleted (2.4.5)

Have you tried doing this with on its own (not through pfSense)? It may be a problem in the Gandi script, it may not support multiple domains like that.

You should probably be using separate cert files for each domain anyhow. That wouldn't be a problem for haproxy; it should let you use a different certificate for each hostname it covers.
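
Splitting the issuance into one acme.sh run per domain, each with its own key and its own --home directory, is the shape of the workaround suggested above, and it also keeps one tenant's Gandi key out of the account conf that another tenant's run reads. The shell function below is an added example, not pfSense or acme.sh code. It assumes acme.sh is reachable as "acme.sh" (or via the ACME_SH variable) and that its dns_gandi_livedns hook takes the key from the GANDI_LIVEDNS_KEY environment variable, which is how acme.sh's DNS hooks are normally fed credentials; the domain names and keys in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not pfSense or acme.sh code.  Issues one certificate per
# domain, each acme.sh run carrying its own Gandi LiveDNS key and writing
# to its own --home, instead of a single run listing every domain (where
# only one key can be in force for the whole run).
#
# Assumptions: acme.sh is on PATH as "acme.sh" unless ACME_SH overrides it,
# and the dns_gandi_livedns hook reads its key from GANDI_LIVEDNS_KEY.

ACME_SH="${ACME_SH:-acme.sh}"

# issue_per_domain BASEDIR [extra acme.sh args...]
# Reads "domain key" pairs from stdin, one pair per line, and for each runs
#   GANDI_LIVEDNS_KEY=<key> acme.sh --issue -d <domain> \
#       --dns dns_gandi_livedns --home BASEDIR/<domain> [extra args]
# Keeps going after a failure so one tenant's bad key does not block the
# other tenants; returns non-zero if any run failed.
issue_per_domain() {
    base=$1
    shift
    rc=0
    while read -r domain key; do
        if [ -z "$domain" ] || [ -z "$key" ]; then
            echo "skipping malformed line" >&2
            continue
        fi
        home="$base/$domain"
        mkdir -p "$home"
        # The key is set for this one command only, so the account conf that
        # acme.sh persists under $home never holds another domain's key.
        # stdin is redirected so acme.sh cannot consume the remaining pairs.
        if ! GANDI_LIVEDNS_KEY="$key" "$ACME_SH" --issue \
                -d "$domain" --dns dns_gandi_livedns \
                --home "$home" "$@" </dev/null; then
            echo "issue failed for $domain" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage against the staging endpoint with a constructed tenant list
# (one "domain key" per line, readable only by the account running this):
#   printf 'alpha.example key-A\nbeta.example key-B\n' \
#       | issue_per_domain /tmp/acme/per-domain --staging
```

Each domain then ends up with its own certificate file, which is what the SNI-based per-hostname selection in haproxy expects.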

#2 Updated by Oriane Tury 8 months ago

I don't have SSH access to the router, so unfortunately I cannot run outside pfSense. I suppose the answer lies in the accountconf.conf generated through pfSense, which might rely on the Gandi script.

Anyway I went with your suggestion to use separate certs for each domain. I'd forgotten that you could do that these days, thanks to the SNI extension for TLS. It's properly implemented in the HAProxy module and worked as expected. Thanks for the advice!
