ACME clients
There's an acme.sh package for pfSense, which looks like a zero-maintenance option for keeping certs in place by using the Porkbun DNS API.
I've used acme.sh with Porkbun before, so I'm confident in that respect. However, when trying to test it out against the Let's Encrypt staging platform, it's bombing out.
Let's have a look at the logs:
[Mon Jan 20 21:08:03 UTC 2025] POST
[Mon Jan 20 21:08:03 UTC 2025] _post_url='https://porkbun.com/api/json/v3/dns/retrieve/_acme-challenge.pfsense.blip.zip'
[Mon Jan 20 21:08:03 UTC 2025] body='{"apikey":"...","secretapikey":"..."}'
[Mon Jan 20 21:08:03 UTC 2025] _postContentType
[Mon Jan 20 21:08:03 UTC 2025] Http already initialized.
[Mon Jan 20 21:08:03 UTC 2025] _CURL='curl --silent --dump-header /tmp/acme/pfsense-blip-zip-prod/http.header -L -g '
[Mon Jan 20 21:08:04 UTC 2025] _ret='0'
[Mon Jan 20 21:08:07 UTC 2025] response='<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>'
The API hostname was updated to api.porkbun.com some time ago, and maintenance of the old one was only kept in place until 2024-12-01.
The Porkbun DNS script in acme.sh was updated to use the correct domain back in October, but the upstream changes haven't made their way into the pfSense package yet.
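A quick way to tell whether an installed copy of the hook still points at the retired host, as an added example that is neither from this post nor from acme.sh. It assumes the hook keeps its base URL in a line of the form `PORKBUN_Api="https://.../api/json/v3"`, as upstream `dnsapi/dns_porkbun.sh` does; pass the path of the installed hook as the first argument to check it alongside two constructed samples.

```shell
#!/bin/sh
# Added example (not from the post or from acme.sh): report which Porkbun API host
# an acme.sh DNS hook targets. Assumption: the hook stores its base URL in a line
# of the form  PORKBUN_Api="https://.../api/json/v3"  like upstream dns_porkbun.sh.

OLD_API="https://porkbun.com/api/json/v3"      # retired host, now answers 403
NEW_API="https://api.porkbun.com/api/json/v3"  # current host

# porkbun_hook_status FILE -> prints "current", "stale" or "unknown"
porkbun_hook_status() {
  hook="$1"
  if [ ! -r "$hook" ]; then
    echo "unknown"
    return 0
  fi
  # take the first PORKBUN_Api assignment, strip the name and any quotes
  url=$(grep -E '^[[:space:]]*PORKBUN_Api=' "$hook" | head -n 1 | cut -d= -f2- | tr -d "\"'")
  # the new URL contains the old one as a substring, so the scheme prefix
  # in the patterns is what keeps the two cases apart
  case "$url" in
    "$NEW_API"*) echo "current" ;;
    "$OLD_API"*) echo "stale" ;;
    *)           echo "unknown" ;;
  esac
}

# Demo: two constructed hook fragments, plus any real hook paths given as arguments.
demo() {
  tmp=$(mktemp -d)
  printf 'PORKBUN_Api="%s"\n' "$OLD_API" > "$tmp/dns_porkbun.old.sh"
  printf 'PORKBUN_Api="%s"\n' "$NEW_API" > "$tmp/dns_porkbun.new.sh"
  for f in "$tmp/dns_porkbun.old.sh" "$tmp/dns_porkbun.new.sh" "$@"; do
    printf '%s: %s\n' "$f" "$(porkbun_hook_status "$f")"
  done
  rm -rf "$tmp"
}

demo "$@"
```

A "stale" result means the package will still POST to the old host and get the 403 seen in the log above, regardless of whether the API credentials are correct.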
If I find time tomorrow, I'll have a look for the source and see if there are plans to merge it in.