Ruslan Gainanov

Ruslan Gainanov

System & Software engineer

Installing Let’s Encrypt SSL Certificate with pfSense

4 minute read

Introduction

LetsEncrypt certs are 90 days, and must be renewed. Secondly, you have to be able to prove you control the name that the certificate is for. This makes things more complicated.

There are several ways to verify ownership of a domain. Firstly is create a TXT-record _acme-challenge of your DNS-name. It requires manual actions if your DNS provider doesn’t provide an API to create dns records. This method is only way to get wildcard certificates. But if we want to use not many domains in the HTTP-server, we should prefer to use option named as Standalone HTTP server.

Before to continue create DNS-records type A with domains that would be accessible with SSL.

I advice use a staging ACME-servers of LetsEncrypt for test use cases because it will only let you do 5 calls per hour.

Environment

In this article I’ll be showing you how to do this with next version of components:

  1. pfSense 2.4.4
  2. acme 0.6.3

Installation

So here’s a little guide on the process to enable signed Let’s Encrypt certs on your pfSense Web interface.

acme package

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

acme_package_install

account key

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.

new_account_key_creation

Click Create new account key to generate a key and insert it into the Account key box. Finally click the Register ACME account key, wait to get successful response, then click Save.

create certificate

The next step is to create your certificate. Under Certificates click the Add button. Enter the details such as the name and description. Set to Active, select your acme account, key size 2048 is currently standard.

Set your domain SAN, for example web.example.com, db.example.com, nginx.example.com. Each domain should be written in a separate row in the table.

The method will be how the Let’s Encrypt server will validate that you control the domain before issuing the cert.

I selected Standalone HTTP server and in the options set the listen port to 8080.

create_certificates

We will accomplish this with a port forward rule in the next step. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80.

forward rule

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to port 8080 in your pfSense IP address which is 192.168.100.1 by default.

This allows the ACME server to communicate with your device to verify ownership.

create_nat_rule

In this picture 8080 port is bound with Standalone HTTP server in the ACME certificates page. The IP 192.168.100.1 is my pfSense local IP. Don’t forget to set Add associated filter rule in the option Filter rule association.

Open the Firewall / Rules / WAN page and check that the rule was automatically created.

firewall_rule

issue certificate

We are ready to request a first certificate. Click an Issue/Renew button under Services / Acme / Certificates on required certificate.

issue_certificate

The gear will turn, and after a bit you’ll see a lot of green text. If there is block that looks like:

issue_certificate

The successful message will include this text in the end:

[Wed Feb 19 10:36:34 MSK 2020] Cert success.
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
[Wed Feb 19 10:36:34 MSK 2020] Your cert is in  /tmp/acme/staging//nginx.example.com/nginx.example.com.cer
[Wed Feb 19 10:36:34 MSK 2020] Your cert key is in  /tmp/acme/staging//nginx.example.com/nginx.example.com.key
[Wed Feb 19 10:36:34 MSK 2020] The intermediate CA cert is in  /tmp/acme/staging//nginx.example.com/ca.cer
[Wed Feb 19 10:36:34 MSK 2020] And the full chain certs is there:  /tmp/acme/staging//nginx.example.com/fullchain.cer
[Wed Feb 19 10:36:34 MSK 2020] Run reload cmd: /tmp/acme/staging/reloadcmd.sh

IMPORT CERT cobrain-staging, ... update cert!
[Wed Feb 19 10:36:35 MSK 2020] Reload success

Be sure to read it carefully! Even though it’s green and the top may say success, there could be errors listed that you’ll want to resolve.

disable firewall rules

When have done disable the NAT and Firewall Rules for security reasons. Don’t remove it, it requires for renew certificates.

auto renew (optional)

LetsEncrypt certificate as said before lives only 90 days. After that you should renew certificates. You can do it manually (just a click Issue/Renew button) or set up auto update process. For auto renew enable Acme client renewal job under Services / Acme / Settings.

auto_renew_certificates

I prefer to manually renew because errors is occurred frequently.

use certificates

Setup certificates to desired hosted or proxy site or webGUI for an access to them by HTTPS SSL.

In next post I will show you how to use LetsEncrypt certificates with HAproxy Package.

Some notes

If you have any issues or questions, you can reach out to me and I’d be happy to help.

Additional information

You May Also Enjoy

DELL. Disabling SupportAssist on switch

3 minute read

SupportAssist is a daemon for sending technical reports to Dell servers. It enables by default. Here we disable this unwanted feature (and may be unsecured).