os-acme-client + DNS-01 - error:DNS problem: SERVFAIL looking up TXT for ... but TXT record was updated!

[AlexIT-FT]

Important notices

• [ x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• [ x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• [ x] The title contains the plugin to which this issue belongs

Describe the bug It's my first OPNsense so, never tested with previous version I have a BIND9 server, working with nsupdate to update records When I send a widlcard certificate request from acme-client plugin, the order request is sent to letsencrypt, the DNS-01 challange starts, then nsupdate asks for record TXT to be updated, in the server th bind9 execute and update the _acme-challenge record ...

till now it's ok

I see the request in BIND9 log, it's accepted and executed

from an external windows client I can verify the changes with nslookup -type=TXT _acme-challenge.fibertelecom.com ns1.fibetelecom.com nslookup -type=TXT _acme-challenge.fibertelecom.com ns2.fibetelecom.com nslookup -type=TXT _acme-challenge.fibertelecom.com ns3.fibetelecom.com nslookup -type=TXT _acme-challenge.fibertelecom.com and all of them show the new value correctly like this

Server:  ns1.fibertelecom.it
Address:  93.94.88.50
_acme-challenge.fibertelecom.com        text = "mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U"
fibertelecom.com        nameserver = ns1.fibertelecom.it
fibertelecom.com        nameserver = ns2.fibertelecom.it
fibertelecom.com        nameserver = ns3.fibertelecom.it
ns1.fibertelecom.it     internet address = 93.94.88.50
ns2.fibertelecom.it     internet address = 93.94.88.51
ns3.fibertelecom.it     internet address = 185.157.229.254
ns1.fibertelecom.it     AAAA IPv6 address = 2a03:b020:0:404::50
ns2.fibertelecom.it     AAAA IPv6 address = 2a03:b020:0:404::51
ns3.fibertelecom.it     AAAA IPv6 address = 2a03:b020:0:403::254

but after the sleep period (60sec or so) in the log I can see the error domain validation failed (dns01) validation for certificate failed: *.fibertelecom.com

To Reproduce Steps to reproduce the behavior:

go to Services->ACMEclient->Certificate click on "Issue or renew Certificate" icon ⟳

wait for about 1 min

go to Services->ACMEclient->LogFiles see error in SystemLog and ACMElog

Expected behavior request new order to letsencrypt OK ask for dns challenge OK dnsupdate to create/update TXT record (request to my bind9) OK bind9 to create/update TXT record in the correct ZONE (reply from my bind9) OK wait a while for master/slave propagation OK dns check/lookup from letsencrypt FAIL certificate signed SKIPPED dnsupdate to delete TXT record (request to my bind9) OK bind9 to delete TXT record in the correct ZONE (reply from my bind9) OK

Screenshots settings

account

challenge type

certificate

Relevant log files

/var/log/named/bind.log FROM BIND9 SERVER

queries: info: client @0x7f89dc10df70 5.61.4.11#26085 (dit.whatsapp.net): query: dit.whatsapp.net IN A + (93.94.88.50)
queries: info: client @0x7f89dc10df70 31.185.97.23#52223 (jenson.api.swiftkey.com): query: jenson.api.swiftkey.com IN A + (93.94.88.50)
queries: info: client @0x7f89e4890150 10.0.29.120#57921 (cloud.mikrotik.com): query: cloud.mikrotik.com IN A + (93.94.88.50)
update-security: info: client @0x7f89e4890150 185.157.229.244#53963/key letsencrypt: signer "letsencrypt" approved
update: info: client @0x7f89e4890150 185.157.229.244#53963/key letsencrypt: updating zone 'fibertelecom.com/IN': adding an RR at '_acme-challenge.fibertelecom.com' TXT "mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U"
queries: info: client @0x7f89d426ae10 5.61.3.40#11574 (cdn.samsungcloudsolution.com): query: cdn.samsungcloudsolution.com IN A + (93.94.88.50)
queries: info: client @0x7f89dc1cdae0 5.61.4.103#51014 (www.msndvr.com): query: www.msndvr.com IN A + (93.94.88.50)
queries: info: client @0x7f89d426ae10 172.17.210.152#52190 (voip.eutelia.it): query: voip.eutelia.it IN A + (93.94.88.50)
notify: info: zone fibertelecom.com/IN: sending notifies (serial 2022082783)

System Log FROM Services: ACME Client: Log Files (reverse order)

**2022-08-31T05:54:50   opnsense    AcmeClient: validation for certificate failed: *.fibertelecom.com**
**2022-08-31T05:54:50   opnsense    AcmeClient: domain validation failed (dns01)**
2022-08-31T05:54:06 opnsense    AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_nsupdate' --dnssleep '30' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/630e16fd428678.73410954/cert.pem' --keypath '/var/etc/acme-client/keys/630e16fd428678.73410954/private.key' --capath '/var/etc/acme-client/certs/630e16fd428678.73410954/chain.pem' --fullchainpath '/var/etc/acme-client/certs/630e16fd428678.73410954/fullchain.pem' --domain '*.fibertelecom.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/630e22238d0e13.59919420_stg/account.conf'
2022-08-31T05:54:06 opnsense    AcmeClient: using challenge type: Dns Challange fibertelecom.com
2022-08-31T05:54:06 opnsense    AcmeClient: account is registered: *.fibertelecom.com TEST
2022-08-31T05:54:06 opnsense    AcmeClient: using CA: letsencrypt_test
2022-08-31T05:54:06 opnsense    AcmeClient: issue certificate: *.fibertelecom.com
2022-08-31T05:54:06 opnsense    AcmeClient: certificate must be issued/renewed: *.fibertelecom.com

ACME log FROM Services: ACME Client: Log Files

        running on FreeBSD version FreeBSD 13.1-RELEASE-p1 sta
        socat version 1.7.4.3 on Aug 16 2022 04:11:15
        socat by Gerhard Rieger and contributors - see www.dest-unreach.org
        socat:
        configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --without-pcre2 --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-9aec15e --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-d6d7eba --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.3/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.7.6/nginx
        TLS SNI support enabled
        built with OpenSSL 1.1.1q 5 Jul 2022
        nginx version: nginx/1.22.0
        nginx:
        apache doesn't exist.
        apache:
        OpenSSL 1.1.1o-freebsd 3 May 2022
        openssl:openssl
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] Diagnosis versions:
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] code='400'
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] _ret='0'
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] POST
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] payload='{}'
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:50 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:50 acme.sh [Wed Aug 31 05:54:49 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] Please add '--debug' or '--log' to check more details.
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] _on_issue_err
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] Removed: Success
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] removing _acme-challenge.fibertelecom.com. txt
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] Removing txt: mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U for domain: _acme-challenge.fibertelecom.com
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] txt='mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] _currentRoot='dns_nsupdate'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] aliasDomain='_acme-challenge.fibertelecom.com'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] txtdomain='_acme-challenge.fibertelecom.com'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] d='fibertelecom.com'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] Removing DNS records.
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] dns_entries='fibertelecom.com,_acme-challenge.fibertelecom.com,,dns_nsupdate,mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U,/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] _clearupdns
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] No need to restore nginx, skip.
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] pid
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] Skip for removelevel:
**2022-08-31T05:54:49   acme.sh [Wed Aug 31 05:54:49 UTC 2022] *.fibertelecom.com:Verify error:DNS problem: SERVFAIL looking up TXT for _acme-challenge.fibertelecom.com - the domain's nameservers may be malfunctioning**
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] code='200'
2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] _ret='0'
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] POST
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] payload
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:48 acme.sh [Wed Aug 31 05:54:48 UTC 2022] checking
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] sleep 2 secs to verify again
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] Pending, The CA is processing your order, please just wait. (2/30)
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] code='200'
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] _ret='0'
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:46 acme.sh [Wed Aug 31 05:54:46 UTC 2022] POST
2022-08-31T05:54:45 acme.sh [Wed Aug 31 05:54:45 UTC 2022] payload
2022-08-31T05:54:45 acme.sh [Wed Aug 31 05:54:45 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:45 acme.sh [Wed Aug 31 05:54:45 UTC 2022] checking
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] sleep 2 secs to verify again
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] Pending, The CA is processing your order, please just wait. (1/30)
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] trigger validation code: 200
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] code='200'
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] _ret='0'
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:43 acme.sh [Wed Aug 31 05:54:43 UTC 2022] POST
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] payload='{}'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] _currentRoot='dns_nsupdate'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] keyauthorization='DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] d='*.fibertelecom.com'
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] Verifying: *.fibertelecom.com
2022-08-31T05:54:42 acme.sh [Wed Aug 31 05:54:42 UTC 2022] ok, let's start to verify
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] Sleep 30 seconds for the txt records to take effect
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] The txt record is added: Success.
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] adding _acme-challenge.fibertelecom.com. 60 in txt "mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U"
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] Adding txt value: mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U for domain: _acme-challenge.fibertelecom.com
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] txt='mm60284zRClciD0WBywWDb9mFQRpvAOuQ5_jyixmL_U'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] txtdomain='_acme-challenge.fibertelecom.com'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] _d_alias
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] d='*.fibertelecom.com'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] vlist='*.fibertelecom.com#DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w#dns-01#dns_nsupdate,'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] d
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] dvlist='*.fibertelecom.com#DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w#dns-01#dns_nsupdate'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] keyauthorization='DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] token='DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3490184753/cRhv6w","token":"DB-ngPui2lHjhC8LiDKkXYCw7sprVJX_JxEtuI8d_nI"'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] _currentRoot='dns_nsupdate'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] _w='dns_nsupdate'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] Getting webroot for domain='*.fibertelecom.com'
2022-08-31T05:54:12 acme.sh [Wed Aug 31 05:54:12 UTC 2022] d='*.fibertelecom.com'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] code='200'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] _ret='0'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3490184753'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] POST
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] payload
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3490184753'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/66518223/3864148853'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/66518223/3864148853'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] code='201'
2022-08-31T05:54:11 acme.sh [Wed Aug 31 05:54:11 UTC 2022] _ret='0'
2022-08-31T05:54:10 acme.sh [Wed Aug 31 05:54:10 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo '
2022-08-31T05:54:10 acme.sh [Wed Aug 31 05:54:10 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2022-08-31T05:54:10 acme.sh [Wed Aug 31 05:54:10 UTC 2022] POST
2022-08-31T05:54:10 acme.sh [Wed Aug 31 05:54:10 UTC 2022] _ret='0'
2022-08-31T05:54:09 acme.sh [Wed Aug 31 05:54:09 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.DNesoFbo -I '
2022-08-31T05:54:09 acme.sh [Wed Aug 31 05:54:09 UTC 2022] _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
2022-08-31T05:54:09 acme.sh [Wed Aug 31 05:54:09 UTC 2022] HEAD
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] RSA key
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] payload='{"identifiers": [{"type":"dns","value":"*.fibertelecom.com"}]}'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] d
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Getting domain auth token for each domain
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Single domain='*.fibertelecom.com'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _createcsr
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Read key length:4096
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _saved_account_key_hash is not changed, skip register account.
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] d
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _currentRoot='dns_nsupdate'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Check for domain='*.fibertelecom.com'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] d='*.fibertelecom.com'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Le_LocalAddress
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _chk_alt_domains
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _chk_main_domain='*.fibertelecom.com'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] _on_before_issue
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_NEW_AUTHZ
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change'
2022-08-31T05:54:07 acme.sh [Wed Aug 31 05:54:07 UTC 2022] ret='0'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.bSaqbk2x '
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] timeout=
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] url='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] GET
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] Le_NextRenewTime
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] DOMAIN_PATH='/var/etc/acme-client/home/*.fibertelecom.com'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] Using config home:/var/etc/acme-client/home
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] _alt_domains='no'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] _main_domain='*.fibertelecom.com'
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] Running cmd: issue
2022-08-31T05:54:06 acme.sh [Wed Aug 31 05:54:06 UTC 2022] Using server: letsencrypt_test

Additional context The namsserver must be configured to accept dns dynamyc update RFC2136 (nsupdate)

In BIND9 server, just use

dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST letsencrypt

and to allow nsupdate create a letsencrypt.key file like this

key "letsencrypt" {
        algorithm hmac-sha512;
        secret [**base64key**];
};

then allow update in named.conf

...
include "/etc/bind/letsencrypt.key";
zone "fibertelecom.com" {
    file "/etc/bind/zones/fibertelecom.com.signed";
    type master; allow-transfer { ...; }; also-notify { ...; }; allow-update { key letsencrypt; ...};
};
...

Environment on OPNsense appliance OPNsense 22.7.2-amd64 FreeBSD 13.1-RELEASE-p1 OpenSSL 1.1.1q 5 Jul 2022 plugin os-acme-client v3.13

Intel(R) Xeon(R) CPU E5-2670 v3 @ 2.30GHz

on DNS server BIND9.11.5 (working well for years) Intel(R) Xeon(R) CPU E5-2670 v3 @ 2.30GHz

(same issue as #3104, re-written using template ... please remove or merge)

[fraenki]

2022-08-31T05:54:49 acme.sh [Wed Aug 31 05:54:49 UTC 2022] *.fibertelecom.com:Verify error:DNS problem: SERVFAIL looking up TXT for _acme-challenge.fibertelecom.com - the domain's nameservers may be malfunctioning

As reported by acme.sh, a SERVFAIL DNS error has occured. This most likely hints at an issue with the nameservers of your domain.

[AlexIT-FT]

Just upgraded to OPNsense v22.7.3_2 , but acme version is still v3.13 ... nothing touched in configuration or nameserver

But ... now it's working ! :O

These are the logs using "Let's Encrypt Test CA"

SYSTEM LOG

php AcmeClient: running automation (configd): Restart Nginx php AcmeClient: running automation (configd): Restart HaProxy php AcmeClient: running automations for certificate: .fibertelecom.com opnsense AcmeClient: imported ACME X.509 certificate: .fibertelecom.com opnsense AcmeClient: importing ACME CA: (STAGING) Artificial Apricot R3 opnsense AcmeClient: successfully issued/renewed certificate: .fibertelecom.com opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_nsupdate' --dnssleep '30' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/630e16fd428678.73410954/cert.pem' --keypath '/var/etc/acme-client/keys/630e16fd428678.73410954/private.key' --capath '/var/etc/acme-client/certs/630e16fd428678.73410954/chain.pem' --fullchainpath '/var/etc/acme-client/certs/630e16fd428678.73410954/fullchain.pem' --domain '.fibertelecom.com' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/630e22238d0e13.59919420_stg/account.conf' opnsense AcmeClient: using challenge type: Dns Challange fibertelecom.com opnsense AcmeClient: account is registered: .fibertelecom.com TEST opnsense AcmeClient: using CA: letsencrypt_test opnsense AcmeClient: issue certificate: .fibertelecom.com opnsense AcmeClient: certificate must be issued/renewed: .fibertelecom.com php AcmeClient: running automation (configd): Restart Nginx php AcmeClient: running automation (configd): Restart HaProxy php AcmeClient: running automations for certificate: .fibertelecom.com opnsense AcmeClient: imported ACME X.509 certificate: .fibertelecom.com opnsense AcmeClient: importing ACME CA: (STAGING) Artificial Apricot R3 opnsense AcmeClient: successfully issued/renewed certificate: .fibertelecom.com opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug 3 --server 'letsencrypt_test' --dns 'dns_nsupdate' --dnssleep '30' --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/630e16fd428678.73410954/cert.pem' --keypath '/var/etc/acme-client/keys/630e16fd428678.73410954/private.key' --capath '/var/etc/acme-client/certs/630e16fd428678.73410954/chain.pem' --fullchainpath '/var/etc/acme-client/certs/630e16fd428678.73410954/fullchain.pem' --domain '.fibertelecom.com' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/630e22238d0e13.59919420_stg/account.conf' opnsense AcmeClient: using challenge type: Dns Challange fibertelecom.com opnsense AcmeClient: account is registered: .fibertelecom.com TEST opnsense AcmeClient: using CA: letsencrypt_test opnsense AcmeClient: issue certificate: .fibertelecom.com opnsense AcmeClient: certificate must be issued/renewed: .fibertelecom.com

ACME LOG

acme.sh _on_issue_success acme.sh Installing full chain to: /var/etc/acme-client/certs/630e16fd428678.73410954/fullchain.pem acme.sh Installing key to: /var/etc/acme-client/keys/630e16fd428678.73410954/private.key acme.sh Installing CA to: /var/etc/acme-client/certs/630e16fd428678.73410954/chain.pem acme.sh Installing cert to: /var/etc/acme-client/certs/630e16fd428678.73410954/cert.pem acme.sh And the full chain certs is there: /var/etc/acme-client/home/.fibertelecom.com/fullchain.cer acme.sh The intermediate CA cert is in: /var/etc/acme-client/home/.fibertelecom.com/ca.cer acme.sh Your cert key is in: /var/etc/acme-client/home/.fibertelecom.com/.fibertelecom.com.key acme.sh Your cert is in: /var/etc/acme-client/home/.fibertelecom.com/.fibertelecom.com.cer acme.sh Cert success. acme.sh Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2dc7c4334e1c3f069d46b029c726d5cfe' acme.sh _end_n='36' acme.sh Found cert chain acme.sh code='200' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2dc7c4334e1c3f069d46b029c726d5cfe' acme.sh POST acme.sh payload acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2dc7c4334e1c3f069d46b029c726d5cfe' acme.sh Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2dc7c4334e1c3f069d46b029c726d5cfe' acme.sh Downloading cert. acme.sh Le_LinkCert='https://acme-staging-v02.api.letsencrypt.org/acme/cert/fae2dc7c4334e1c3f069d46b029c726d5cfe' acme.sh Order status is valid. acme.sh code='200' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/66518223/3947136873' acme.sh POST acme.sh payload='{"csr": "MIIEkjCCAnoCA.......BfZxTntnLprDkCcka0JCKW67A"}' acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/66518223/3947136873' acme.sh Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/66518223/3947136873' acme.sh Lets finalize the order. acme.sh j='26' acme.sh i='2' acme.sh Verify finished, start to sign. acme.sh Removed: Success acme.sh removing _acme-challenge.fibertelecom.com. txt acme.sh Removing txt: HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo for domain: _acme-challenge.fibertelecom.com acme.sh d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh' acme.sh txt='HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo' acme.sh _currentRoot='dns_nsupdate' acme.sh aliasDomain='_acme-challenge.fibertelecom.com' acme.sh txtdomain='_acme-challenge.fibertelecom.com' acme.sh d='fibertelecom.com' acme.sh Removing DNS records. acme.sh dns_entries='fibertelecom.com,_acme-challenge.fibertelecom.com,,dns_nsupdate,HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo,/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh acme.sh _clearupdns acme.sh No need to restore nginx, skip. acme.sh pid acme.sh Skip for removelevel: acme.sh pid acme.sh Success acme.sh code='200' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh POST acme.sh payload acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh checking acme.sh sleep 2 secs to verify again acme.sh Pending, The CA is processing your order, please just wait. (1/30) acme.sh trigger validation code: 200 acme.sh code='200' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh POST acme.sh payload='{}' acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh _currentRoot='dns_nsupdate' acme.sh uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh keyauthorization='Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4' acme.sh d='.fibertelecom.com' acme.sh Verifying: .fibertelecom.com acme.sh ok, let's start to verify acme.sh Sleep 30 seconds for the txt records to take effect acme.sh The txt record is added: Success. acme.sh adding _acme-challenge.fibertelecom.com. 60 in txt "HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo" acme.sh Adding txt value: HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo for domain: _acme-challenge.fibertelecom.com acme.sh Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh acme.sh d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_nsupdate.sh' acme.sh txt='HwaP0kkv51jUwHrz0t6ASaRcmod4bhIMEIIJ0B_lXWo' acme.sh txtdomain='_acme-challenge.fibertelecom.com' acme.sh _d_alias acme.sh d='.fibertelecom.com' acme.sh vlist='.fibertelecom.com#Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug#dns-01#dns_nsupdate,' acme.sh d acme.sh dvlist='.fibertelecom.com#Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4#https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug#dns-01#dns_nsupdate' acme.sh keyauthorization='Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM.Sgc2Szv5GT1AiCkTjGqRWbgXtQGunnjIqj81lAolIl4' acme.sh uri='https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug' acme.sh token='Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM' acme.sh entry='"type":"dns-01","status":"pending","url":"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3550832853/UL8Qug","token":"Sd0i6ZCZa_PppAz8_GBPOfH-stqX-uAkptWnkm1JzyM"' acme.sh _currentRoot='dns_nsupdate' acme.sh _w='dns_nsupdate' acme.sh Getting webroot for domain='.fibertelecom.com' acme.sh d='.fibertelecom.com' acme.sh code='200' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3550832853' acme.sh POST acme.sh payload acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3550832853' acme.sh Le_OrderFinalize='https://acme-staging-v02.api.letsencrypt.org/acme/finalize/66518223/3947136873' acme.sh Le_LinkOrder='https://acme-staging-v02.api.letsencrypt.org/acme/order/66518223/3947136873' acme.sh code='201' acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order' acme.sh POST acme.sh _ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.W9CdftaD -I ' acme.sh _post_url='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce' acme.sh HEAD acme.sh RSA key acme.sh payload='{"identifiers": [{"type":"dns","value":".fibertelecom.com"}]}' acme.sh url='https://acme-staging-v02.api.letsencrypt.org/acme/new-order' acme.sh d acme.sh Getting domain auth token for each domain acme.sh Single domain='.fibertelecom.com' acme.sh _createcsr acme.sh Read key length:4096 acme.sh _saved_account_key_hash is not changed, skip register account. acme.sh d acme.sh _currentRoot='dns_nsupdate' acme.sh Check for domain='.fibertelecom.com' acme.sh d='.fibertelecom.com' acme.sh Le_LocalAddress acme.sh _chk_alt_domains acme.sh _chk_main_domain='.fibertelecom.com' acme.sh _on_before_issue acme.sh Using CA: https://acme-staging-v02.api.letsencrypt.org/directory acme.sh ACME_NEW_NONCE='https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce' acme.sh ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf' acme.sh ACME_REVOKE_CERT='https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert' acme.sh ACME_NEW_ACCOUNT='https://acme-staging-v02.api.letsencrypt.org/acme/new-acct' acme.sh ACME_NEW_ORDER='https://acme-staging-v02.api.letsencrypt.org/acme/new-order' acme.sh ACME_NEW_AUTHZ acme.sh ACME_KEY_CHANGE='https://acme-staging-v02.api.letsencrypt.org/acme/key-change' acme.sh ret='0' acme.sh _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.9hlYu3Av ' acme.sh timeout= acme.sh url='https://acme-staging-v02.api.letsencrypt.org/directory' acme.sh GET acme.sh _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory acme.sh Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory acme.sh Le_NextRenewTime acme.sh DOMAIN_PATH='/var/etc/acme-client/home/.fibertelecom.com' acme.sh ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory' acme.sh Using config home:/var/etc/acme-client/home acme.sh _alt_domains='no' acme.sh _main_domain='.fibertelecom.com' acme.sh Running cmd: issue acme.sh Using server: letsencrypt_test

And it seems to work also with "Let's Encrypt CA".

I had tried just before the upgrade and it had failed. After upgrade it's working.

I'm closing ... for me with OPNsense v22.7.3_2 is now working. Thanks.