diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index a8898c9c7..743c52491 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= acme-client
-PLUGIN_VERSION= 1.11
+PLUGIN_VERSION= 1.12
PLUGIN_COMMENT= Let's Encrypt client
PLUGIN_MAINTAINER= opnsense@moov.de
PLUGIN_DEPENDS= acme.sh bind911
diff --git a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
index 0dc25a115..a210c2f85 100644
--- a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
+++ b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
@@ -40,7 +40,6 @@ function acmeclient_firewall($fw)
return;
}
- // TODO
$fw->registerAnchor('acme-client/*', 'nat');
$fw->registerAnchor('acme-client/*', 'rdr');
$fw->registerAnchor('acme-client/*', 'fw');
@@ -73,18 +72,7 @@ function acmeclient_services()
}
/**
- * sync configuration via xmlrpc
- * @return array
- */
-
-/**
-XXX: needs investigation, auto-renewal must be disabled on secondary node(s)
-function acmeclient_xmlrpc_sync()
-{
- $result = array();
- $result['id'] = 'acmeclient';
- $result['section'] = 'OPNsense.acmeclient';
- $result['description'] = gettext('Let\'s Encrypt client');
- return array($result);
-}
+ * NOTE: Does NOT support configuration sync (xmlrpc). The required acme.sh
+ * state files are missing on the secondary node and thus all attempts
+ * to renew a certificate on the secondary node would fail.
*/
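Review bot: The docblock left at the end of the hunk (`/** * NOTE: Does NOT support configuration sync ... */`) no longer belongs to any declaration: the commented-out `acmeclient_xmlrpc_sync()` it introduced is gone, so PHPDoc tooling will attach it to whatever declaration follows `*/`, which is outside the hunk and not visible here. A plain block comment, `/* NOTE: Does NOT support configuration sync (xmlrpc). ... */`, or a move of the sentence into the file header keeps the explanation without presenting it as API documentation. The content itself is worth keeping, since it records why the sync hook was deliberately dropped rather than forgotten.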
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index bdf55143c..3a7fdf7e1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -200,11 +200,13 @@ class SettingsController extends ApiMutableModelControllerBase
$this->getLogger()->error("LE check: HAProxy integration is complete");
} else {
$integration_changes = true;
- // Check if we need to remove relics of incomplete HAProxy integration.
- // NOTE: We try to automatically repair a broken HAProxy integration,
- // although the user may have deleted some items intentionally.
- // As long as the HAProxy integration is enabled we assume that
- // this is an error that should *automatically* be fixed.
+ /**
+ * Check if we need to remove relics of incomplete HAProxy integration.
+ * NOTE: We try to automatically repair a broken HAProxy integration,
+ * although the user may have deleted some items intentionally.
+ * As long as the HAProxy integration is enabled we assume that
+ * this is an error that should *automatically* be fixed.
+ */
if ($integration_found and !$integration_complete) {
// NOTE: We ignore the return value of the del() calls
// too keep this as simple as possible.
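Review bot: The replacement comment uses `/** ... */`, which PHP tooling treats as a docblock, but it sits inside a method body with no declaration to attach to; the original `//` lines or a plain `/* ... */` block are the conventional form for an inline explanation. If the intent was only to make the multi-line note easier to read, `/* Check if we need to remove relics of incomplete HAProxy integration. ... */` does that without looking like API documentation. While touching this comment, the context line just below it has a typo, `too keep` should read `to keep`. The enclosing method starts and ends outside the hunk.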
@@ -250,11 +252,10 @@ class SettingsController extends ApiMutableModelControllerBase
$acl_uuid = $mdlHAProxy->newAcl(
"find_acme_challenge",
"Added by Let's Encrypt plugin",
- "path_starts_with",
+ "path_beg",
"0",
- "/.well-known/acme-challenge/"
+ array("path_beg" => "/.well-known/acme-challenge/")
);
- //$this->getLogger()->error("LE acl: ${acl_uuid}");
// Add a new HAProxy backend
$backend_uuid = $mdlHAProxy->newBackend(
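Review bot: `$acl_uuid` is assigned from `newAcl()` and the code proceeds to create the backend without checking the result; the same applies to the reshaped `newAction()` call in the hunk at `@@ -277,13 +277,9 @@`. Both calls now pass an option array (`path_beg`, `use_backend`) instead of positional strings, which looks like a newer HAProxy model signature, yet the Makefile hunk still lists only `acme.sh bind911` in PLUGIN_DEPENDS, so nothing pins the HAProxy plugin version this call shape needs; I cannot see `newAcl()` here, so whether an older model rejects the array or returns an empty value is an inference. Either way an empty reference would later be stored in `haproxyAclRef` and handed to `linkAclToAction()` in the later hunks, marking the integration complete with a missing ACL. A guard such as `if (empty($acl_uuid)) { $this->getLogger()->error("LE check: failed to create HAProxy ACL"); }` followed by leaving the repair path would make the failure visible in the log instead of ending as a half-configured challenge route. The enclosing method starts and ends outside the hunk.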
@@ -266,7 +267,6 @@ class SettingsController extends ApiMutableModelControllerBase
"",
""
);
- //$this->getLogger()->error("LE backend: ${backend_uuid}");
// Add a new HAProxy action
$action_uuid = $mdlHAProxy->newAction(
@@ -277,13 +277,9 @@ class SettingsController extends ApiMutableModelControllerBase
"and",
"use_backend",
// Use the new backend uuid in field "useBackend"
- $backend_uuid,
- "",
- "",
- "",
- ""
+ array("use_backend" => $backend_uuid)
);
- //$this->getLogger()->error("LE action: ${action_uuid}");
+
// NOTE: This action is linked to frontends.
$action_ref = $action_uuid;
@@ -298,7 +294,6 @@ class SettingsController extends ApiMutableModelControllerBase
"0",
""
);
- //$this->getLogger()->error("LE server: ${server_uuid}");
// Update hidden fields to signal that HAProxy integration is complete.
$mdlAcme->settings->haproxyAclRef = $acl_uuid;
@@ -308,11 +303,9 @@ class SettingsController extends ApiMutableModelControllerBase
// Link new ACL to HAProxy action
$link_acl_result = $mdlHAProxy->linkAclToAction($acl_uuid, $action_uuid);
- //$this->getLogger()->error("LE link acl result: ${link_acl_result}");
// Link new server to HAProxy backend
$link_server_result = $mdlHAProxy->linkServerToBackend($server_uuid, $backend_uuid);
- //$this->getLogger()->error("LE link server result: ${link_server_result}");
}
// Ensure HAProxy frontend additions have been applied.
@@ -321,7 +314,6 @@ class SettingsController extends ApiMutableModelControllerBase
if ((string)$validation->enabled == "1" and
(string)$validation->method == "http01" and
(string)$validation->http_service == "haproxy") {
- //$this->getLogger()->error("LE HAProxy DEBUG: checking validation method: " . (string)$validation->name);
// Check if HAProxy frontends were specified.
if (empty((string)$validation->http_haproxyFrontends)) {
// Skip item, no HAProxy frontends were specified.
@@ -330,7 +322,6 @@ class SettingsController extends ApiMutableModelControllerBase
$_frontends = explode(',', $validation->http_haproxyFrontends);
// Walk through all linked frontends.
foreach ($_frontends as $_frontend) {
- //$this->getLogger()->error("LE HAProxy DEBUG: checking frontend: ${_frontend}");
$frontend = $mdlHAProxy->getByFrontendID($_frontend);
// Make sure the frontend was found in config.
if (!is_null($frontend) && !empty((string)$frontend->id)) {
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index d6f30156f..ca475bb1f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -27,7 +27,7 @@
acmeclient.settings.challengePorttext
-
+ true
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0052522c2..d78dfcabd 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,7 +1,7 @@
//OPNsense/AcmeClient
- 1.1.0
+ 1.2.0
a secure Let's Encrypt plugin
@@ -430,6 +430,12 @@
N
+
+ N
+
+
+ N
+ N