Installing Let’s Encrypt SSL Certificate with pfSense

Introduction

Let's Encrypt certificates are valid for only 90 days and must be renewed. Secondly, before a certificate is issued you have to prove that you control the name it will be issued for. Both points make the setup a bit more involved.

There are several ways to prove control of a domain. The first is the DNS challenge: you create a TXT record named _acme-challenge under the DNS name in question. This requires manual steps unless your DNS provider offers an API for creating records, and it is the only method that can issue wildcard certificates. If you only need certificates for a handful of individual hostnames, the simpler choice is the HTTP challenge, which the acme package calls Standalone HTTP server.

Before continuing, create DNS A records for every hostname that will be served over TLS, pointing at the public IP of your pfSense WAN interface.

I advise using Let's Encrypt's staging ACME server for testing: the production server enforces rate limits (among them 5 failed validations per account, per hostname, per hour), and a misconfigured setup can quickly lock you out for a while.

Environment

In this article I will be using the following component versions:

  1. pfSense 2.4.4
  2. acme 0.6.3

Installation

So here is a short guide to the process of enabling signed Let's Encrypt certificates on your pfSense web interface.

acme package

Under System / Package Manager / Available Packages you should find a package called acme. Click the Install button and wait for it to complete.

acme_package_install

account key

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account key. Enter a name and choose the ACME server: the staging server for testing, or the production server if this is to be live. An account key is registered with the server you pick, so you will need a separate account entry for each server you use.

new_account_key_creation

Click Create new account key to generate a key and insert it into the Account key box. Then click Register ACME account key, wait for a successful response, and click Save.

create certificate

The next step is to create your certificate. Under Certificates click the Add button and enter the details such as the name and description. Set the status to Active, select your ACME account, and choose the key size; 2048-bit RSA is currently standard.

Set the domain SANs, for example web.example.com, db.example.com and nginx.example.com. Each domain goes in a separate row of the table.

The method determines how the Let's Encrypt server validates that you control each domain before issuing the certificate.

I selected Standalone HTTP server and, in the options, set the listen port to 8080.

create_certificates

We will make that port reachable with a port forward rule in the next step. This matters because the Let's Encrypt validation server connects to port 80 on the public IP that each hostname resolves to, and must reach the standalone HTTP server there.
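To make concrete what the two validation methods from the introduction actually exchange, and what the Standalone HTTP server on port 8080 has to answer, here is an added example of my own; it is not code from the page or from the pfSense acme package (which uses acme.sh). The account key, the challenge token and the modulus are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholder account key (public part only). A real ACME account
# key is a 2048-bit or larger RSA key or a P-256 key; this modulus is fake.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "wJ1fakeModulusForIllustrationOnly_NotARealKey_0123456789abcdef",
    "alg": "RS256",       # extra members like these are NOT part of the thumbprint
    "kid": "acct-example",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised in lexicographic order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint (RFC 8555 section 8.1). Binding the token to the
    account key means someone who merely answers on port 80 cannot get a
    certificate issued to a different account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Contents of the _acme-challenge TXT record (RFC 8555 section 8.4):
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def http01_response(path: str, pending: set, jwk: dict):
    """What the standalone listener answers to one GET (RFC 8555 section 8.3).
    `pending` holds the tokens the CA handed out for the current order;
    every other path is a 404, so the exposed listener serves nothing else."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b""
    token = path[len(CHALLENGE_PREFIX):]
    if token not in pending:
        return 404, b""
    return 200, key_authorization(token, jwk).encode("ascii")


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP-01 responder. Bind it to the port entered as the
    Standalone HTTP server listen port (8080 above); the port forward
    makes it reachable on port 80 of the WAN address."""
    jwk = SAMPLE_JWK
    pending = set()

    def do_GET(self):
        status, body = http01_response(self.path, self.pending, self.jwk)
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 8080) -> None:
    HTTPServer(("0.0.0.0", port), ChallengeHandler).serve_forever()


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    ChallengeHandler.pending.add(token)
    print("HTTP-01 body at", CHALLENGE_PREFIX + token, "->", key_authorization(token, SAMPLE_JWK))
    print("DNS-01 TXT _acme-challenge.<name> ->", dns01_txt_value(token, SAMPLE_JWK))
    # serve()  # uncomment to actually listen on port 8080
```

The point to notice is that the HTTP-01 listener only ever serves the key authorization for tokens it is expecting, on one well-known path, and nothing else; that is also why the port forward in the next step is safe to leave enabled only while validation runs.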

forward rule

Under Firewall / NAT / Port Forward create a new rule on the WAN interface that forwards TCP port 80 (HTTP) to port 8080 on pfSense's own LAN address; in my setup that is 192.168.100.1 (the pfSense default is 192.168.1.1).

This lets the ACME server reach your device to verify ownership.

create_nat_rule

In this screenshot port 8080 is the port bound to the Standalone HTTP server on the ACME certificates page, and 192.168.100.1 is my pfSense LAN IP. Don't forget to set Filter rule association to Add associated filter rule, so that a matching WAN rule is created.

Open the Firewall / Rules / WAN page and check that the rule was created automatically.

firewall_rule

issue certificate

We are ready to request a first certificate. Under Services / Acme / Certificates click the Issue/Renew button next to the certificate.

issue_certificate

The gear icon will spin, and after a while you will see a lot of green text. Look for a block like this:

issue_certificate

The successful message will include this text at the end:

```
[Wed Feb 19 10:36:34 MSK 2020] Cert success.
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
[Wed Feb 19 10:36:34 MSK 2020] Your cert is in /tmp/acme/staging//nginx.example.com/nginx.example.com.cer
[Wed Feb 19 10:36:34 MSK 2020] Your cert key is in /tmp/acme/staging//nginx.example.com/nginx.example.com.key
[Wed Feb 19 10:36:34 MSK 2020] The intermediate CA cert is in /tmp/acme/staging//nginx.example.com/ca.cer
[Wed Feb 19 10:36:34 MSK 2020] And the full chain certs is there: /tmp/acme/staging//nginx.example.com/fullchain.cer
[Wed Feb 19 10:36:34 MSK 2020] Run reload cmd: /tmp/acme/staging/reloadcmd.sh
IMPORT CERT cobrain-staging, ... update cert!
[Wed Feb 19 10:36:35 MSK 2020] Reload success
```

Read it carefully! Even though the text is green and the top may say success, there may be errors listed further down that you will want to resolve.
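Checking the output for error lines rather than trusting the green colour is easy to automate. The following is an added example of mine, not code from the page or from the acme package: it parses the success excerpt shown above (copied from the page, certificate body elided there as well) plus a constructed failure excerpt whose wording I have modelled on acme.sh and which is an assumption, extracts the file paths, and refuses to call the run a success if anything error-like appears.

```python
import re

# Log excerpt as printed by the pfSense acme package (acme.sh output) on a
# successful issue, copied from the page above; the certificate body is
# elided there too.
SUCCESS_LOG = """\
[Wed Feb 19 10:36:34 MSK 2020] Cert success.
-----BEGIN CERTIFICATE-----
< ... >
-----END CERTIFICATE-----
[Wed Feb 19 10:36:34 MSK 2020] Your cert is in /tmp/acme/staging//nginx.example.com/nginx.example.com.cer
[Wed Feb 19 10:36:34 MSK 2020] Your cert key is in /tmp/acme/staging//nginx.example.com/nginx.example.com.key
[Wed Feb 19 10:36:34 MSK 2020] The intermediate CA cert is in /tmp/acme/staging//nginx.example.com/ca.cer
[Wed Feb 19 10:36:34 MSK 2020] And the full chain certs is there: /tmp/acme/staging//nginx.example.com/fullchain.cer
[Wed Feb 19 10:36:34 MSK 2020] Run reload cmd: /tmp/acme/staging/reloadcmd.sh
IMPORT CERT cobrain-staging, ... update cert!
[Wed Feb 19 10:36:35 MSK 2020] Reload success
"""

# Constructed failure excerpt modelled on acme.sh's wording for a failed
# HTTP-01 validation (not taken from the page; details are assumed).
FAILURE_LOG = """\
[Wed Feb 19 11:02:10 MSK 2020] Verifying: nginx.example.com
[Wed Feb 19 11:02:14 MSK 2020] nginx.example.com:Verify error:Fetching http://nginx.example.com/.well-known/acme-challenge/abc: Connection refused
[Wed Feb 19 11:02:14 MSK 2020] Please check log file for more details: /tmp/acme/staging/acme_issuecert.log
"""

# acme.sh prefixes most lines with a bracketed timestamp.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")

# Labels acme.sh prints in front of the files it wrote, mapped to short keys.
PATH_LABELS = {
    "Your cert is in": "cert",
    "Your cert key is in": "key",
    "The intermediate CA cert is in": "ca",
    "And the full chain certs is there:": "fullchain",
    "Run reload cmd:": "reload_cmd",
}
PATH_RE = re.compile(
    "(?P<label>" + "|".join(re.escape(lbl) for lbl in PATH_LABELS) + r") (?P<path>\S+)"
)

# Phrases that indicate a problem even when the output is otherwise green.
# Assumed markers; extend them as you meet new ones.
ERROR_RE = re.compile(
    r"\b(verify error|error|rate ?limit|too many|please check log file)", re.I
)


def parse_acme_log(text: str) -> dict:
    """Scan acme.sh output line by line and collect what matters: whether
    issuance and the reload hook succeeded, which files were written, and
    any lines that look like errors."""
    result = {"success": False, "reload_ok": False, "paths": {}, "errors": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        msg = m.group("msg") if m else line
        if msg.startswith("Cert success"):
            result["success"] = True
        elif msg.startswith("Reload success"):
            result["reload_ok"] = True
        pm = PATH_RE.search(msg)
        if pm:
            result["paths"][PATH_LABELS[pm.group("label")]] = pm.group("path")
        if ERROR_RE.search(msg):
            result["errors"].append(line)
    return result


def issuance_ok(text: str) -> bool:
    """True only if the cert was issued, the reload hook ran, and no
    error-looking line was seen anywhere in the output."""
    r = parse_acme_log(text)
    return r["success"] and r["reload_ok"] and not r["errors"]


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failure", FAILURE_LOG)):
        r = parse_acme_log(log)
        print(f"{name}: ok={issuance_ok(log)} paths={r['paths']} errors={len(r['errors'])}")
```

Paste the green text from the pfSense page into a file and feed it to parse_acme_log; the `paths` entry also tells you where the key and full chain landed if you want to copy them elsewhere.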

disable firewall rules

When you are done, disable the NAT and firewall rules for security reasons: while they are enabled, anyone on the internet can reach the listener on port 80, and it only needs to be reachable during validation. Don't delete the rules, though; you will need to re-enable them to renew the certificate.

auto renew (optional)

As mentioned above, a Let's Encrypt certificate lives for only 90 days, after which it must be renewed. You can do that manually (just click the Issue/Renew button) or set up an automatic renewal job: enable Acme client renewal job under Services / Acme / Settings. Keep in mind that with the Standalone HTTP server method the renewal job can only succeed while the NAT and firewall rules from the previous step are enabled; if you disabled them, either re-enable them before the renewal is due or switch to DNS validation.

auto_renew_certificates

I prefer to renew manually because errors occur frequently.

use certificates

Assign the certificate to whatever should be reached over HTTPS: a hosted or proxied site, or the pfSense webGUI itself (the SSL Certificate setting under System / Advanced / Admin Access).

In the next post I will show how to use Let's Encrypt certificates with the HAProxy package.
