Every year I have to reset my ACME client to make cert renewal work again
I have had this issue for years now. Cert renewal works for a couple of months and then suddenly stops due to "invalid token".
My Setup:
- I use Cloudflare
- The API token has no end date, so it should be valid unless I remove it.
- For challenge types I use DNS-01
- I have this plugin running on my OPNsense, which is installed on bare metal
Certification renewal works for a couple of months and then suddenly stops working.
I had the same issue last year:
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] Error add txt for domain:_acme-challenge.mydomain.com
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] invalid domain
2024-10-07T14:25:41 acme.sh [Mon Oct 7 14:25:41 CEST 2024] response='{"success":false,"errors":[{"code":9109,"message":"Invalid access token"}],"messages":[],"result":null}'
And this again today:
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] _chk_vlist='*.mydomain.com#kYT41WueR2-AgPYd4lCwncWwimvdFIlWqZlyzfpnLXw.mFCMVl_e0EgPLj1iQ81zm_GNlnNjEVHgL_yLQDXju70#https://acme-v02.api.letsencrypt.org/acme/chall/2289211146/627301307846/2SrAmg#dns-01#dns_cf#https://acme-v02.api.letsencrypt.org/acme/authz/2289211146/627301307846,'
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] Please add '--debug' or '--log' to see more information.
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] _on_issue_err
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] Error adding TXT record to domain: _acme-challenge.mydomain.com
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] invalid domain
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] response='{"success":false,"errors":[{"code":9109,"message":"Invalid access token"}],"messages":[],"result":null}'
2025-12-14T10:21:37 acme.sh [Sun Dec 14 10:21:37 CET 2025] ret='0'
2025-12-14T10:21:36 acme.sh [Sun Dec 14 10:21:36 CET 2025] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.LryNXMTRFz -g '
2025-12-14T10:21:36 acme.sh [Sun Dec 14 10:21:36 CET 2025] Http already initialized.
2025-12-14T10:21:36 acme.sh [Sun Dec 14 10:21:36 CET 2025] timeout=
My workaround for this is --> Reset Acme Client. It removes existing certs and recreates them, and then it works again. But I shouldn't need to reset the ACME client, right?
I haven't changed the settings or other values for months inside ACME, but it becomes invalid after some time nevertheless...
Expected behavior: Infinite cert renewals on valid tokens
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.