Installing Let’s Encrypt SSL Certificate with pfSense

4 minute read


LetsEncrypt certs are 90 days, and must be renewed. Secondly, you have to be able to prove you control the name that the certificate is for. This makes things more complicated.

There are several ways to verify ownership of a domain. Firstly is create a TXT-record _acme-challenge of your DNS-name. It requires manual actions if your DNS provider doesn’t provide an API to create dns records. This method is only way to get wildcard certificates. But if we want to use not many domains in the HTTP-server, we should prefer to use option named as Standalone HTTP server.

Before to continue create DNS-records type A with domains that would be accessible with SSL.

I advice use a staging ACME-servers of LetsEncrypt for test use cases because it will only let you do 5 calls per hour.


In this article I’ll be showing you how to do this with next version of components:

  1. pfSense 2.4.4
  2. acme 0.6.3


So here’s a little guide on the process to enable signed Let’s Encrypt certs on your pfSense Web interface.

acme package

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.


account key

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.


Click Create new account key to generate a key and insert it into the Account key box. Finally click the Register ACME account key, wait to get successful response, then click Save.

create certificate

The next step is to create your certificate. Under Certificates click the Add button. Enter the details such as the name and description. Set to Active, select your acme account, key size 2048 is currently standard.

Set your domain SAN, for example,, Each domain should be written in a separate row in the table.

The method will be how the Let’s Encrypt server will validate that you control the domain before issuing the cert.

I selected Standalone HTTP server and in the options set the listen port to 8080.


We will accomplish this with a port forward rule in the next step. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80.

forward rule

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to port 8080 in your pfSense IP address which is by default.

This allows the ACME server to communicate with your device to verify ownership.


In this picture 8080 port is bound with Standalone HTTP server in the ACME certificates page. The IP is my pfSense local IP. Don’t forget to set Add associated filter rule in the option Filter rule association.

Open the Firewall / Rules / WAN page and check that the rule was automatically created.


issue certificate

We are ready to request a first certificate. Click an Issue/Renew button under Services / Acme / Certificates on required certificate.


The gear will turn, and after a bit you’ll see a lot of green text. If there is block that looks like:


The successful message will include this text in the end:

[Wed Feb 19 10:36:34 MSK 2020] Cert success.
< ... >
[Wed Feb 19 10:36:34 MSK 2020] Your cert is in  /tmp/acme/staging//
[Wed Feb 19 10:36:34 MSK 2020] Your cert key is in  /tmp/acme/staging//
[Wed Feb 19 10:36:34 MSK 2020] The intermediate CA cert is in  /tmp/acme/staging//
[Wed Feb 19 10:36:34 MSK 2020] And the full chain certs is there:  /tmp/acme/staging//
[Wed Feb 19 10:36:34 MSK 2020] Run reload cmd: /tmp/acme/staging/

IMPORT CERT cobrain-staging, ... update cert!
[Wed Feb 19 10:36:35 MSK 2020] Reload success

Be sure to read it carefully! Even though it’s green and the top may say success, there could be errors listed that you’ll want to resolve.

disable firewall rules

When have done disable the NAT and Firewall Rules for security reasons. Don’t remove it, it requires for renew certificates.

auto renew (optional)

LetsEncrypt certificate as said before lives only 90 days. After that you should renew certificates. You can do it manually (just a click Issue/Renew button) or set up auto update process. For auto renew enable Acme client renewal job under Services / Acme / Settings.


I prefer to manually renew because errors is occurred frequently.

use certificates

Setup certificates to desired hosted or proxy site or webGUI for an access to them by HTTPS SSL.

In next post I will show you how to use LetsEncrypt certificates with HAproxy Package.

Some notes

If you have any issues or questions, you can reach out to me and I’d be happy to help.

Additional information