• Acme (Let's Encrypt) w/ High Availability - disable cert sync?

    Moved
    0 Votes
    9 Posts
    4k Views

    Setting up acme service on fw1 only, and having HA sync the certs to fw2 is working fine now.

    A few other hints:

    When adding the TXT records to your DNS, first check that each TXT record is live with these two tools:

    https://toolbox.googleapps.com/apps/dig/#TXT/
        $ dig -t txt _acme-challenge.fw.yourdomain.something

    Note: it's safest to wait at least as long as the DNS timeout (TTL) set on the TXT records. For example, if you set the timeout to 7200, this means 2 hours. Any less than that and the old data may still be cached and cause an Acme verification failure.

    Once all the TXT records are live, go ahead and hit the Renew button on the acme cert.

    If the records are not properly set or not live yet you will get an error like this:
        Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.fw.yourdomain.something

    If you get this error, you'll have to hit Issue on the cert, delete and then re-add the TXT records with the new values given by the acme service, and wait long enough for the old TXT records to be removed from DNS and the new ones to be added. It will not work to hit Renew once you get the verification error. Hitting Renew will just keep generating the error below, and eventually you'll be rate limited by the acme web service and have to wait some time before Issuing a new cert.

    Unable to update challenge :: The challenge is not pending

  • ACME + HAProxy

    Moved
    0 Votes
    8 Posts
    7k Views

    Yes, that's exactly what I did.

    Port 80 on WAN NATed to 5080 on a virtual IP (10.0.0.1). WAN/443 NATed to 10.0.0.1/5443.
    Firewall rules that allow traffic from/to 10.0.0.1/508080 and 10.0.0.1/5443.

    HAProxy has listeners on 10.0.0.1/508080 and 10.0.0.1/5443.

    I think you can do it without the NAT too, but since I already had that part from earlier (once upon a time there was an issue getting Squid to bind to ports below 1024, hence a NAT to a high port), I used it.

  • Acme (Let's Encrypt) Suggestion: nicer name for the CA Cert entry

    Moved
    0 Votes
    1 Posts
    596 Views
    No one has replied
  • ACME and afraid.org

    Moved
    0 Votes
    4 Posts
    1k Views
    yuljk

    Apparently they don't support nsupdate for ACME. They do support the creation of TXT records; however, I've decided to use SFTP instead.

  • Acme: send renewal certs to other servers

    Moved
    0 Votes
    3 Posts
    774 Views

    Got it, thanks for the reply!

  • Acme: LetsEncrypt through proxy

    Moved
    0 Votes
    2 Posts
    1k Views

        $env['ALL_PROXY'] = "1.2.3.4:8888";

    Adding the above line at line 40 of acme_sh.inc worked well for me. But since I don't know how to access the global config to retrieve the system-wide proxy settings, I had to hard-code my proxy. Also, the script should support wget as well. But this shouldn't be that big a deal for somebody used to pfSense packages. Any idea how to contact the maintainer?

  • ACME nsupdate supported DNS providers

    Moved
    0 Votes
    3 Posts
    2k Views
    MikeV7896

    @jimp:

    There might be some paid DNS providers out there that do RFC2136 but I'm not aware of any specifically.

    Dyn does… but it's not the easiest thing in the world to get working. At least it wasn't when I last tried it (which was before I started using pfSense, which might have been part of the problem).

  • Using Let's Encrypt with freeradius- Successes and Failures

    Moved
    0 Votes
    12 Posts
    5k Views

    What are the prospects for a freeradius3 package? freeradius2 is already not getting fixes (only critical security patches), so at some point folks will need to decide whether to create a new package or drop it entirely.

  • Letsencrypt ACME CERTBOT

    Moved
    0 Votes
    5 Posts
    2k Views

    Dear PiBa,

    Thank you very much for communicating positively instead of just laughing out loud! It is indeed possible to upload any consistent certificate (regardless of CN and the like) to the cert manager, and the acme package will overwrite it, if set up correctly, while retaining the private key. Hence, generating certificates suitable for private key pinning is quite possible.

    There is one other issue I am trying to resolve: for some applications, I do need certificates outside pfSense, for example for STARTTLS in my e-mail gateway. Instead of generating separate certificates for those servers via Let's Encrypt, it is conceivable to reuse the certificates generated and renewed by pfSense there. While I do back up the configuration nightly via SSH, which seems to contain the certificates and keys in clear text, is there a convenient way to download (or export) individual certificates and keys via a bash script based on the content of config.xml?

    Regards,

    Michael

  • Acme / letsencrypt failing with DNSMadeEasy

    Moved
    0 Votes
    7 Posts
    3k Views
    thedaveCA

    Or, be patient, there is a pull request pending to bring pfSense up to date with the latest acme.sh.

    https://github.com/pfsense/FreeBSD-ports/pull/318

  • Acme, Haproxy and DNSMadeEasy not working

    Moved
    0 Votes
    3 Posts
    1k Views

    Not seeing the same issue as you.  My log is below.  The error seems to be that it is not finding the API Key (Dynamic DNS ID) when connecting to DNSMadeEasy.  I have verified both the ID and Password and they are valid.

    [Thu Feb 23 09:01:23 AST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
    [Thu Feb 23 09:01:23 AST 2017] dns_me_add exists=0
    [Thu Feb 23 09:01:23 AST 2017] APP
    [Thu Feb 23 09:01:23 AST 2017] 4:ME_Key='231XXXX'
    [Thu Feb 23 09:01:23 AST 2017] APP
    [Thu Feb 23 09:01:23 AST 2017] 5:ME_Secret='testforSecureXXXXX'
    [Thu Feb 23 09:01:23 AST 2017] First detect the root zone
    [Thu Feb 23 09:01:23 AST 2017] name?domainname=secure.accra.ca
    [Thu Feb 23 09:01:23 AST 2017] GET
    [Thu Feb 23 09:01:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=secure.accra.ca'
    [Thu Feb 23 09:01:23 AST 2017] timeout
    [Thu Feb 23 09:01:23 AST 2017] curl exists=0
    [Thu Feb 23 09:01:23 AST 2017] wget exists=127
    [Thu Feb 23 09:01:23 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
    [Thu Feb 23 09:01:24 AST 2017] ret='0'
    [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
    [Thu Feb 23 09:01:24 AST 2017] name?domainname=accra.ca
    [Thu Feb 23 09:01:24 AST 2017] GET
    [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
    [Thu Feb 23 09:01:24 AST 2017] timeout
    [Thu Feb 23 09:01:24 AST 2017] curl exists=0
    [Thu Feb 23 09:01:24 AST 2017] wget exists=127
    [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
    [Thu Feb 23 09:01:24 AST 2017] ret='0'
    [Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
    [Thu Feb 23 09:01:24 AST 2017] name?domainname=ca
    [Thu Feb 23 09:01:24 AST 2017] GET
    [Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ca'
    [Thu Feb 23 09:01:24 AST 2017] timeout
    [Thu Feb 23 09:01:24 AST 2017] curl exists=0
    [Thu Feb 23 09:01:24 AST 2017] wget exists=127
    [Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L --silent --dump-header /tmp/acme/accra.ca//http.header '
    [Thu Feb 23 09:01:25 AST 2017] ret='0'
    [Thu Feb 23 09:01:25 AST 2017] response='{error: ["API key not found"]}'
    [Thu Feb 23 09:01:25 AST 2017] invalid domain
    [Thu Feb 23 09:01:25 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca
    [Thu Feb 23 09:01:25 AST 2017] pid
    [Thu Feb 23 09:01:25 AST 2017] _clearupdns
    [Thu Feb 23 09:01:25 AST 2017] Dns not added, skip.
    [Thu Feb 23 09:01:25 AST 2017] _on_issue_err
    [Thu Feb 23 09:01:25 AST 2017] Please check log file for more details: /tmp/acme/accra.ca/acme_issuecert.log

  • Acme/letsencrypt error creating directory…

    Moved
    0 Votes
    12 Posts
    9k Views

    doktornotor pointed to the method for setting it up with HAProxy when there isn't a web server on port 80.

    HOWEVER: the default nginx webConfigurator will also listen on port 80 when the "WebGUI redirect" is unchecked (System -> Advanced -> Admin Access).

    Then, under Services -> ACME, select/edit/create the certificate, select the webroot local option, and use /usr/local/www/.well-known/acme-challenge/ (see attachment).

    I suspect that if I check that "WebGUI redirect" disable option, then you could use the "standalone HTTP server" option…

    ![Screenshot 2017-02-13 18.39.46.png](/public/imported_attachments/1/Screenshot 2017-02-13 18.39.46.png)

  • Acme/letsencrypt with sftp webroot

    Moved
    0 Votes
    2 Posts
    1k Views
    jimp

    There were some issues with that code path. Update the package to 0.1.7 or later when it shows up and it should work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.