pfSense » pfSense Packages

I am using ACME with INWX in Germany and automatic renewal has worked up to (at least) 11 July 2023. The latest renewal, however, did no longer work despite no changes to the pfSense System. I got in contact with the INWX support and they said that their API now also supports HTTPS/2 while previosly they only offered HTTP/1 and 1.1. Their explanation for the issue was as follows:

HTTP/1 and 1.1 both support uppercase parameters, whilst HTTP/2 automatically converts those to lowercase, which results in ACME being unable to store the cookie, thus loosing access to the system.

Their initial suggestion was to update to the latest version of ACME - which I did (in one go for both pfSense to 2.7 CE and ACME to 0.7.5). Unfortunately, the problem persisted after the update, but they then provided me with a quick solution as follows:

In the dns_inwx.sh script there is one line, line 197, which slightly needs to be changed as follows:
OLD LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
NEW LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")

In other words: the grep in the sequence '| grep "^Set-Cookie:" |' needs to be made case-insensitive and thus read '| grep -i "^Set-Cookie:" |'

After this small change, the renewal of certificates again works as before and the problem appears to be solved.

BTW, the (original) source code on github under https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_inwx.sh also contains the "grep -i" command on line 197 - though I have not checked whether there are other changes in that file.