• Template variables for ACME actions?

    3
    0 Votes
    3 Posts
    804 Views
    J
    @Gertjan said in Template variables for ACME actions?: On a firewall ?? at least not in my case ;-) This pfsense box works as server in my network and not as router/firewall. But fully agree that Cert/Key handling should not take place on a firewall. I use acme.sh on my servers for quite a while now. Works like charm, but I like the GUI to manage the LE stuff ;-) You could write up a feature request https://redmine.pfsense.org/projects/pfsense/issues?set_filter=1&tracker_id=2 I opened a feature request: https://redmine.pfsense.org/issues/9725
  • Acme & cPanel/WHM

    3
    0 Votes
    3 Posts
    954 Views
    V
    I've completed my small PHP script and it seems to work well. This is the result in case anyone needs it:

    ```php
    // -- CONFIG
    $certname = 'lan.domain.com'; // a registered FQDN in cPanel with acme Let's Encrypt enabled (wildcard cert)
    $pfsense_cert_id = 1;         // certificate id in pfSense to overwrite (the correct ID can be found by hovering
                                  // over an icon in the cert manager or by looking in the config file)
    $ftp_server    = 'ftp.domain.com'; // FTPS location of your domain (cPanel)
    $ftp_user_name = '';
    $ftp_user_pass = '';
    $server_file = '/.cpanel/nvdata/letsencrypt-cpanel'; // download file used by cPanel holding every certificate (JSON format)

    // -- PROGRAM
    $conn_id = ftp_ssl_connect($ftp_server);
    if (!$conn_id) die("can't connect to $ftp_server");
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
    if (!$login_result) die("can't login");
    ftp_pasv($conn_id, true);

    // fetch the remote file straight into a string instead of a local temp file
    ob_start();
    $dataLoaded = ftp_get($conn_id, "php://output", $server_file, FTP_BINARY);
    $data = ob_get_contents();
    ob_end_clean();
    ftp_close($conn_id);
    if (!$dataLoaded) die("There was a problem downloading the json data from $ftp_server");

    $jsonData = json_decode($data, true);
    $cert = $jsonData['certs'][$certname];
    if (empty($cert)) die("Certificate with name $certname not found");

    // pfSense keeps key and cert base64 encoded in config.xml
    $config['cert'][$pfsense_cert_id]['prv'] = base64_encode($cert['key']);
    $config['cert'][$pfsense_cert_id]['crt'] = base64_encode($cert['cert']);
    write_config();
    exec('/etc/rc.restart_webgui');

    //echo 'Certificate:', PHP_EOL, $cert['cert'], PHP_EOL;
    //echo 'Key:', PHP_EOL, $cert['key'], PHP_EOL;
    echo 'New certificate for ', $certname, ' is valid until ', gmdate('r', $cert['cert_expiry']), PHP_EOL;
    exit;
    ```

    I've uploaded the file (named sslupdate) to the /etc/phpshellsessions directory in pfSense and I added the following cron job (through the cron package):

    0 0 1 1/3 * : /usr/local/sbin/pfSsh.php playback sslupdate
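The poster's script overwrites the pfSense certificate entry and restarts the webGUI no matter what came back over FTPS. The following is an added example (not the poster's script and not pfSense code) of the gate a practitioner would put in front of that step. It assumes the JSON has the shape the script reads, `{"certs": {<fqdn>: {"cert": PEM, "key": PEM, "cert_expiry": <unix epoch>}}}`, and only produces the two base64 values pfSense stores (`crt` / `prv`) when both fields are PEM blocks of the right kind and the certificate is neither expired nor within `MIN_DAYS_LEFT` of expiry; the sample payload and the seven-day threshold are assumptions made for the example.

```python
"""Install gate for the cPanel -> pfSense certificate copy above (added example)."""
import base64
import json
import re
import time
from typing import Optional

MIN_DAYS_LEFT = 7   # assumption: refuse to install a cert with under a week of life left


class CertPayloadError(ValueError):
    """Raised when the downloaded data must not be written into config.xml."""


def _pem_block(blob: str, kind: str, what: str) -> str:
    """Accept only a PEM body whose BEGIN/END labels end in `kind` (e.g. 'RSA PRIVATE KEY')."""
    blob = blob.strip()
    begin = re.match(r"-----BEGIN ([A-Z ]*%s)-----" % re.escape(kind), blob)
    if not begin or not blob.endswith("-----END %s-----" % begin.group(1)):
        raise CertPayloadError(f"{what} is not a {kind} PEM block")
    return blob + "\n"


def select_cert(data: str, certname: str, now: Optional[float] = None) -> dict:
    """Return the config fields for `certname`, or raise CertPayloadError if it must not be installed."""
    now = time.time() if now is None else now
    try:
        doc = json.loads(data)
    except json.JSONDecodeError as exc:
        raise CertPayloadError(f"payload is not JSON: {exc}") from None
    entry = (doc.get("certs") or {}).get(certname)
    if not entry:
        raise CertPayloadError(f"certificate with name {certname} not found")
    # cert_expiry is a unix timestamp, as the poster's gmdate() call implies
    expiry = int(entry.get("cert_expiry") or 0)
    days_left = (expiry - now) / 86400.0
    if days_left < MIN_DAYS_LEFT:
        raise CertPayloadError(f"{certname} expires in {days_left:.1f} days, not installing")
    crt = _pem_block(entry.get("cert", ""), "CERTIFICATE", "cert")
    prv = _pem_block(entry.get("key", ""), "PRIVATE KEY", "key")
    return {
        "crt": base64.b64encode(crt.encode("ascii")).decode("ascii"),   # $config['cert'][i]['crt']
        "prv": base64.b64encode(prv.encode("ascii")).decode("ascii"),   # $config['cert'][i]['prv']
        "expires": expiry,
        "days_left": days_left,
    }


# Constructed sample payload: the PEM bodies are placeholders, not real key material.
SAMPLE_EXPIRY = 1_720_000_000
SAMPLE_JSON = json.dumps({
    "certs": {
        "lan.domain.com": {
            "cert": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
            "key": "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
            "cert_expiry": SAMPLE_EXPIRY,
        },
        "old.domain.com": {
            "cert": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
            "key": "not a key at all",
            "cert_expiry": SAMPLE_EXPIRY - 60 * 86400,
        },
    }
})

if __name__ == "__main__":
    now = SAMPLE_EXPIRY - 30 * 86400
    fields = select_cert(SAMPLE_JSON, "lan.domain.com", now=now)
    print("would install lan.domain.com, %.0f days left" % fields["days_left"])
    for name in ("old.domain.com", "missing.domain.com"):
        try:
            select_cert(SAMPLE_JSON, name, now=now)
        except CertPayloadError as exc:
            print("refused:", exc)
```

A cron job wrapping the poster's PHP in this kind of check fails loudly on a stale or truncated download instead of replacing a working certificate with it; the credentials problem (an FTP password sitting in a file on the firewall) is not addressed by the check and is the reason Gertjan's thread above argues against doing cert handling on the firewall at all.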
  • ACME problem with IDN Domains

    7
    0 Votes
    7 Posts
    2k Views
    jimpJ
    Great! It must have been solved upstream in acme.sh
  • Letsencrypt and acme development package version > 0.5.8

    10
    0 Votes
    10 Posts
    609 Views
    R
    I just reverted back from version "2.5.0.a.20190806.1707 i" to the snapshot using 2.4.4-RELEASE-p3 (amd64). I upgraded the ACME package to version 0.6_1 and tried to issue a certificate with the staging servers of Let's Encrypt. Everything works well without any problem at all!!! Then I tried a copy of some file to the tmp of pfSense, i.e. scp test1.txt root@192.168.87.1:/tmp/ ; the file and its content got copied to tmp. All good there. Now I need to upgrade to 2.5.0.a.20190806.1707 again and see if I will be able to replicate the problem with the file copy.
  • ACME update 0.6.2

    1
    1 Votes
    1 Posts
    520 Views
    No one has replied
  • 0 Votes
    11 Posts
    3k Views
    R
    I'm suffering a similar bug but I use the webroot FTP option. I manually hit the renew button and I see the certificate is renewed, BUT it isn't applied on the HTTPS side of my pfSense. 2.4.4-RELEASE-p1, acme security 0.5.8
  • FreeDNS ACME issue

    3
    0 Votes
    3 Posts
    746 Views
    P
    @kiokoman Yeah, you're right =) But anyway, I wasn't able to make some reasonable solution, so I've just created a tiny VM guest with Alpine Linux, lighttpd and nfs-client, and I'm passing my .well-known challenge through "local webroot", but I'm putting there the appropriate path for my NFS share + ballast ( </path/to/share>/.well-known/acme-challenge/ ). pfSense comes already preloaded with nfs; all I needed was just to enable it through /etc/rc.d.local. HAProxy does the rest of the job ( frontend for path match looks like that ---v ) HAProxy Frontend rules ( I've got it implemented with http->https redirect, except for .well-known =3 I was pretty surprised it came to my mind ) [image: 8KS6ZFt.png] So that's my hotfix solution, but I'm curious for any other ideas ))
  • ACME 0.5.8 Breaks Letsencrypt webroot local folder setup

    8
    0 Votes
    8 Posts
    2k Views
    jimpJ
    Let's Encrypt won't publish a list of possible sources as that would let someone game the system to obtain certs for domains they do not own from systems they have compromised in subtle ways (e.g. port forward all LE servers to fakeserver, but let other connections go through to realserver) They could reach you from anywhere in the world, there is no way to predict the source. You have to allow connections from anywhere during that timeframe. If that bugs you, then switch to a DNS-based method that does not require any inbound access whatsoever.
  • --domain-alias checkbox not working

    1
    0 Votes
    1 Posts
    293 Views
    No one has replied
  • RE error: parentheses not balanced

    2
    0 Votes
    2 Posts
    569 Views
    GertjanG
    @raigh29 said in RE error: parentheses not balanced: error: parentheses not balanced Related to https://forum.netgate.com/topic/134704/script-error-in-dns-namesilo-method ?
  • ACME and admins group: not enough permission [RESOLVED]

    3
    0 Votes
    3 Posts
    605 Views
    dragoangelD
    @jimp said in ACME and admins group: not enough permission: Did you select the "Deny Config Write" privilege for your custom group? Sounds like that's what you did.
    Thanks, your point directly answered my problem. Removing the deny permission fixed my problem. Are there plans to add a pfSense WebGUI exception to inform about not enough permissions?
  • Command line to download *.key and *.crt files

    2
    0 Votes
    2 Posts
    298 Views
    No one has replied
  • easyDNS API for DNS Method Validation

    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • ACME with bind: Invalid Signature

    14
    0 Votes
    14 Posts
    2k Views
    D
    @Gertjan thanks, very appreciated...
  • Cert update dates

    37
    0 Votes
    37 Posts
    5k Views
    GertjanG
    Hit the Renew button yourself right now. You'll see. You are allowed to renew yourself, like 5 times a week.
  • System Logs for ACME renewal

    5
    0 Votes
    5 Posts
    1k Views
    J
    @Gertjan I really did miss that!
  • Let's Encrypt & ACME

    5
    0 Votes
    5 Posts
    2k Views
    GertjanG
    @Peek said in Let's Encrypt & ACME: _acme-challenge.pfsense.domain.com
    What about asking for a wildcard cert for root "domain.com"? Using domain.com and *.domain.com (twice) as "Domainname". You can use pfsense.domain.com, another.domain.com and something-else.domain.com; they will all 'work'.
    edit: btw: _acme-challenge.pfsense.domain.com is a subdomain, so it shouldn't exist already. It's just a 'random' placeholder, so the acme check server can test for a TXT field in "_acme-challenge.pfsense.domain.com", which should contain the "VTTcvhklvFWaDrbJc" phrase. This proves that you control the domain "domain.com", thus the certificate can be handed over to you.
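Gertjan's "random phrase" in the TXT record, and jimp's point in the webroot thread above that DNS-based validation needs no inbound access at all, both come down to how the DNS-01 challenge is built. The block below is an added example (not code from this thread, from acme.sh or from the pfSense ACME package) that computes the record the CA queries, following RFC 8555 sections 8.1 and 8.4 and RFC 7638: the TXT value is `base64url(SHA-256(token "." thumbprint))`, where the thumbprint hashes only the required public members of the account key, and the record name is `_acme-challenge.` in front of the identifier with any leading `*.` removed, which is why `domain.com` and `*.domain.com` validate at the same name. The account JWK and token are constructed placeholders, not a real account.

```python
"""DNS-01 challenge record construction (added example, RFC 8555 / RFC 7638)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted, no whitespace.

    Extra members such as 'alg' or 'kid' must not influence the thumbprint.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: what HTTP-01 serves verbatim and DNS-01 hashes."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict):
    """Return (TXT record name, TXT record value) the CA will look up for `identifier`."""
    host = identifier[2:] if identifier.startswith("*.") else identifier   # wildcard: drop the "*."
    name = f"_acme-challenge.{host}"
    value = b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())
    return name, value


def challenge_is_answered(txt_records, expected_value: str) -> bool:
    """The CA-side check: any one TXT RR at the name carrying the digest satisfies it (8.4)."""
    return expected_value in txt_records


# Constructed account key (public part only). "n" is filler, not a real modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "A" * 342,
    "alg": "RS256",                                   # ignored by the thumbprint
    "kid": "https://acme.example/acme/acct/1",        # ignored by the thumbprint
}
TOKEN = "t0k3n-constructed-for-this-example"          # issued by the CA in practice

if __name__ == "__main__":
    for ident in ("pfsense.domain.com", "domain.com", "*.domain.com"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f"{ident:22} -> {name} TXT {value}")
```

Two consequences follow directly from the construction: a TXT value is only good for the token of the order it was computed for, so the record must be rewritten on every issuance (the package deletes and recreates it, which is why the zone must allow updates), and because the value is bound to the account key, a record left behind by someone else's client is useless to you.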
  • Account Keys Tab (Services - -> Acme)

    3
    0 Votes
    3 Posts
    528 Views
    jimpJ
    If you update to the latest ACME package posted today, you will see the tabs with other users who have access to that package.
  • 0 Votes
    6 Posts
    889 Views
    jimpJ
    Upgrade to the latest ACME package.
  • ACME package with EasyDNS.org

    Moved
    5
    0 Votes
    5 Posts
    2k Views
    T
    I have the same issue. Any progress on this topic?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.