ACME Client - ACME DNS API not using the configured challenge type

[DutchForeigner]

When issuing a (new) cert, the configured settings of the 'ACME DNS API' challenge type are not being used. Instead, it always is using the endpoint 'https://auth.acme-dns.io/update'

I'm using a local ACME-DNS client which is running as a stack in Docker, running with DNS on port 10053(TCP+UDP), update on port 10043.

• Port forward is in place in OPNsense (Port 53/both -> IP of docker host, port 10053)
• CNAME record is in place on the external DNS provider

I have acme.sh fully working (v3.0.4) as a standalone install on a separate raspberry pi, and wanted to migrate to the ACME client plugin on OPNsense, but I keep getting this error.

The System log shows:

• AcmeClient: domain validation failed (dns01)
• AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_acmedns' --dnssleep '5' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/62365975691499.27456646/cert.pem' --keypath '/var/etc/acme-client/keys/62365975691499.27456646/private.key' --capath '/var/etc/acme-client/certs/62365975691499.27456646/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62365975691499.27456646/fullchain.pem' --domain 'nexusnet.me' --domain '*.nexusnet.me' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/62365903948097.29588209_stg/account.conf'

The Acme log shows this entry:

• _post_url='https://auth.acme-dns.io/update'

OPNsense/ACME Client Settings:

• Enabled Plugin: ticked
• Auto Renewal: ticked Accounts: 1 entry for:
• Let's encrypt Test CA
• Name: Lets Encrypt STAGING Challenge Types: 1 entry with:
• Name: ACME DNS client on docker
• Challenge Type: DNS-01
• DNS Service: ACME DNS API
• Sleep Time: 5
• User: user account created on the acme-dns client
• Password: password for the user account created on the acme-dns client
• Update URL: https://auth.nexusnet.me:10443/update Certificates: Common name: nexusnet.me Alt Names: *.nexusnet.me ACME Account: Lets Encrypt STAGING Challenge Type: ACME DNS client on docker Key Lenght: 4096

[Neilpang]

please upgrade to the latest version first and try again and show me the full log.

[DutchForeigner]

Hi,

I've upgraded to the latest version of acme.sh (its now v3.0.3 , not v3.0.4 as I mistakenly mentioned in previous post) I've also tried rebooting the system, unfortunately the issue is still there, each time I try to renew the cert from the UI. My wild guess is that the 4 DNSAPI variables (below) are not coming over, but that's just a wild guess...

• ACMEDNS_BASE_URL
• ACMEDNS_USERNAME
• ACMEDNS_PASSWORD
• ACMEDNS_SUBDOMAIN

Latest acme client log is also attached: latest.log

Upgraded acme.sh using below steps: logged in as root: acme.sh --upgrade This installed the latest version into /root/.acme.sh chmod a+w /usr/local/sbin/acme.sh cp /root/.acme.sh/acme.sh /usr/local/sbin/ chmod a-w /usr/local/sbin/acme.sh cp -f /root/.acme.sh/dnsapi/ /usr/local/share/examples/acme.sh/dnsapi/ cp -f /root/.acme.sh/deploy/ /usr/local/share/examples/acme.sh/deploy/ cp -f /root/.acme.sh/notify/* /usr/local/share/examples/acme.sh/notify/ acme.sh --version -> now shows v3.0.3

[DutchForeigner]

Note: I'm now looking at no longer using this plugin in OPNsense and migrate to running acme.sh on a docker image, as I also need the oauthtools package due to 2FA on my Synology NAS boxes.