Project

General

Profile

Actions
Copy link

Bug #16461

closed

ACME fails to renew 2nd to N certificates that expire the same day

Added by Stuart Wyatt about 10 hours ago. Updated about 9 hours ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
ACME
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.8.0
Affected Plus Version:
Affected Architecture:
All

Description

When you have multiple certificates renewing on the same day, only the first one succeeds. The rest will fail.

If left alone, the 2nd one will succeed the next day, and so on.

This is with ACME 1.0, but this has been a problem with previous releases also.

Actions
Copy link
 #1

Updated by Jim Pingle about 10 hours ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Certificates to ACME
  • Status changed from New to Rejected
  • Release Notes deleted (Default)

I can't reproduce this here, I have one system with five ACME certs and two sets of them renew on the same days, and they always succeed automatically.

On another system I have three that go on the same date and all succeed. All of those have been in place for years across many different ACME package versions.

There must be some other contributing factor in your case, but this site is not for support or diagnostic discussion.

For assistance in solving problems, please post on the Netgate Forum .

See Reporting Issues with pfSense Software for more information.

Actions
Copy link
 #2

Updated by Stuart Wyatt about 9 hours ago

I have nearly 50 certificates, most of which are used with HAProxy. Have you tried that combination? Maybe that's the difference?

Actions
Copy link
 #3

Updated by Jim Pingle about 9 hours ago

Some of the certificates I have are used with HAProxy.

Actions
Copy link
 #4

Updated by Stuart Wyatt about 9 hours ago

How can I get more logging?

I only see this email message:
03:20:46 ACME, Failed to renew certificate for zzz.com ACME, Failed to renew certificate for yyy.dom ACME, Failed to renew certificate for xxx.dom

Actions
Copy link
 #5

Updated by Stuart Wyatt about 9 hours ago

I dug deeper into this example:

8 succeeded before the 3 failed.

Sun, 24 Aug 2025 03:16:26 -0700
Sun, 24 Aug 2025 03:16:52 -0700
Sun, 24 Aug 2025 03:17:17 -0700
Sun, 24 Aug 2025 03:17:44 -0700
Sun, 24 Aug 2025 03:18:35 -0700
Sun, 24 Aug 2025 03:19:00 -0700
Sun, 24 Aug 2025 03:19:53 -0700
Sun, 24 Aug 2025 03:20:45 -0700

The 3 that failed all succeeded the next day.

Mon, 25 Aug 2025 03:16:25 -0700
Mon, 25 Aug 2025 03:16:52 -0700
Mon, 25 Aug 2025 03:17:17 -0700

These are all used with HAProxy. None of them have "actions"

Actions
Copy link

Also available in: Atom PDF