LetsEncrypt certs are 90 days, and must be renewed. Secondly, you have to be able to prove you control the name that the certificate is for. This makes things more complicated.
There are several ways to verify ownership of a domain.
Firstly is create a
_acme-challenge of your DNS-name.
It requires manual actions if your DNS provider doesn’t provide an API to create dns records.
This method is only way to get wildcard certificates.
But if we want to use not many domains in the HTTP-server, we should prefer to
use option named as
Standalone HTTP server.
Before to continue create DNS-records type
A with domains that would be accessible with SSL.
I advice use a staging ACME-servers of LetsEncrypt for test use cases because it will only let you do 5 calls per hour.
In this article I’ll be showing you how to do this with next version of components:
- pfSense 2.4.4
- acme 0.6.3
So here’s a little guide on the process to enable signed Let’s Encrypt certs on your pfSense Web interface.
Under System / Package Manager / Available Packages you should find a package called
Click the install button and allow it to complete.
Once installed you should find Acme Certificates under the Services menu.
The first step is to create your account keys. Enter a name, select the production server if you want this to be live.
Create new account key to generate a key and insert it into the
Account key box.
Finally click the
Register ACME account key, wait to get successful response, then click
The next step is to create your certificate.
Under Certificates click the
Enter the details such as the name and description. Set to Active, select your acme account, key size 2048 is currently standard.
Set your domain SAN, for example
Each domain should be written in a separate row in the table.
The method will be how the Let’s Encrypt server will validate that you control the domain before issuing the cert.
Standalone HTTP server and in the options set the listen port to
We will accomplish this with a port forward rule in the next step. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80.
Under Firewall / NAT / Port Forward create a new rule that forwards port
80 HTTP to port
8080 in your pfSense IP address which is
192.168.100.1 by default.
This allows the ACME server to communicate with your device to verify ownership.
In this picture
8080 port is bound with Standalone HTTP server in the ACME certificates page.
192.168.100.1 is my pfSense local IP. Don’t forget to set Add associated filter rule in the option Filter rule association.
Open the Firewall / Rules / WAN page and check that the rule was automatically created.
We are ready to request a first certificate. Click an Issue/Renew button under Services / Acme / Certificates on required certificate.
The gear will turn, and after a bit you’ll see a lot of green text. If there is block that looks like:
The successful message will include this text in the end:
[Wed Feb 19 10:36:34 MSK 2020] Cert success. -----BEGIN CERTIFICATE----- < ... > -----END CERTIFICATE----- [Wed Feb 19 10:36:34 MSK 2020] Your cert is in /tmp/acme/staging//nginx.example.com/nginx.example.com.cer [Wed Feb 19 10:36:34 MSK 2020] Your cert key is in /tmp/acme/staging//nginx.example.com/nginx.example.com.key [Wed Feb 19 10:36:34 MSK 2020] The intermediate CA cert is in /tmp/acme/staging//nginx.example.com/ca.cer [Wed Feb 19 10:36:34 MSK 2020] And the full chain certs is there: /tmp/acme/staging//nginx.example.com/fullchain.cer [Wed Feb 19 10:36:34 MSK 2020] Run reload cmd: /tmp/acme/staging/reloadcmd.sh IMPORT CERT cobrain-staging, ... update cert! [Wed Feb 19 10:36:35 MSK 2020] Reload success
Be sure to read it carefully! Even though it’s green and the top may say success, there could be errors listed that you’ll want to resolve.
disable firewall rules
When have done disable the NAT and Firewall Rules for security reasons. Don’t remove it, it requires for renew certificates.
auto renew (optional)
LetsEncrypt certificate as said before lives only 90 days. After that you should renew certificates. You can do it manually (just a click Issue/Renew button) or set up auto update process. For auto renew enable Acme client renewal job under Services / Acme / Settings.
I prefer to manually renew because errors is occurred frequently.
Setup certificates to desired hosted or proxy site or webGUI for an access to them by HTTPS SSL.
In next post I will show you how to use LetsEncrypt certificates with HAproxy Package.
If you have any issues or questions, you can reach out to me and I’d be happy to help.
- Wildcard Certificates on pfSense - Creating Wildcard Certificates on pfSense with Let’s Encrypt.
- LetsEncrypt SSL Certificate with pfSense - LetsEncrypt SSL Certificate with pfSense on Internal Linux Server.
- ACME package - pfSense - Official documentation of ACME on pfSense site.
- Acme plugin on pfSense - Acme plugin on pfSense, add Let’s Encrypt Cert to your firewall.