Bug #15944
openACME Script Places _acme-challenge TXT Records in the Wrong Zone
Description
Since the latest update to pfSense 24.11 and ACME 0.9_1, it seems there is an issue with the challenge response. When attempting to issue a certificate using the ACME integration on pfSense with Cloudflare as the DNS provider, the script fails to properly handle the DNS zones for domain.de and domain.com.
Misplaced TXT Records: _acme-challenge TXT records for domain.de are incorrectly created in the domain.com DNS zone. These records appear as:
_acme-challenge.domain.de.domain.com. 120 IN TXT "example_value_1"
_acme-challenge.domain.de.domain.com. 120 IN TXT "example_value_2"
No _acme-challenge records are created in the correct domain.de zone.
Validation Issues:
Let's Encrypt cannot validate the challenges for domain.de because the TXT records are not placed in the correct zone.
The domain.com validation works as expected.
Configure ACME in pfSense to issue a certificate for:
domain.de
*.domain.de
domain.com
*.domain.com
The ACME script uses the following command:
/usr/local/pkg/acme/acme.sh --issue \
--domain 'domain.de' --dns 'dns_cf' \
--domain '*.domain.de' --dns 'dns_cf' \
--domain 'domain.com' --dns 'dns_cf' \
--domain '*.domain.com' --dns 'dns_cf' \
--home '/tmp/acme/domain/' \
--accountconf '/tmp/acme/domain/accountconf.conf' \
--force --always-force-new-domain-key \
--reloadCmd '/tmp/acme/domain/reloadcmd.sh' \
--log-level 3 --log '/tmp/acme/domain/acme_issuecert.log'
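The misplacement described above can be detected from the DNS side. The following Python script is an added check, not code from the report, pfSense or acme.sh: given the zones the DNS account controls and the TXT owner names actually created, it resolves each _acme-challenge name to its zone by longest suffix match (the lookup a DNS hook must perform before writing a record) and flags a challenge that was appended to another zone, the pattern seen in the records quoted above. The function names, the sample record lines and the domain list are constructed for illustration.

```python
"""Zone audit for ACME DNS-01 TXT records (hypothetical checker, not pfSense
or acme.sh code): resolve each _acme-challenge name to its zone by longest
suffix match and flag challenges glued onto another zone, e.g. _acme-challenge.domain.de.domain.com."""

def normalize(name: str) -> str:
    return name.rstrip(".").lower()

def parse_txt_owner(line: str) -> str:
    """Owner name from a zone-file style line '<name> <ttl> IN TXT "<value>"'."""
    name, _ttl, _cls, _rtype, _rdata = line.split(None, 4)
    return normalize(name)

def expected_zone(fqdn: str, zones: list[str]):
    """Longest zone that is a suffix of fqdn, or None: the lookup a DNS hook
    must do before creating a record, so domain.de names never land in domain.com."""
    fqdn = normalize(fqdn)
    hits = [z for z in map(normalize, zones) if fqdn == z or fqdn.endswith("." + z)]
    return max(hits, key=len) if hits else None

def challenge_name(domain: str) -> str:
    """DNS-01 owner name; a wildcard is validated at its base name."""
    return "_acme-challenge." + normalize(domain).removeprefix("*.")

def audit(domains: list[str], zones: list[str], owners: set[str]) -> dict[str, str]:
    """Map each required challenge name to 'ok', 'misplaced:<zone>' or 'missing'."""
    verdict = {}
    for wanted in {challenge_name(d) for d in domains}:
        if wanted in owners:
            verdict[wanted] = "ok"
            continue
        # <challenge>.<zone> present means the full challenge name was
        # appended to a zone it does not belong to.
        wrong = [z for z in map(normalize, zones) if f"{wanted}.{z}" in owners]
        verdict[wanted] = f"misplaced:{wrong[0]}" if wrong else "missing"
    return verdict

# Constructed sample: the two misplaced records quoted in the report plus a
# correctly placed domain.com record (the report says domain.com validates).
SAMPLE_LINES = [
    '_acme-challenge.domain.de.domain.com. 120 IN TXT "example_value_1"',
    '_acme-challenge.domain.de.domain.com. 120 IN TXT "example_value_2"',
    '_acme-challenge.domain.com. 120 IN TXT "example_value_3"',
]
ZONES = ["domain.de", "domain.com"]
DOMAINS = ["domain.de", "*.domain.de", "domain.com", "*.domain.com"]

if __name__ == "__main__":
    owners = {parse_txt_owner(line) for line in SAMPLE_LINES}
    for name, state in sorted(audit(DOMAINS, ZONES, owners).items()):
        print(f"{name}: {state}")
```

Run against the constructed sample it reports `_acme-challenge.domain.de: misplaced:domain.com` and `_acme-challenge.domain.com: ok`; pointing `SAMPLE_LINES` at the real TXT records exported from the provider gives the same verdicts for a live account.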