Thank you all. Very helpful. I'm going to try to install x64 version (I think in the past I tried and it failed).

Great. Thanks to everyone for your help.

You are login with the user "admin" ?

That's already shown under System > Cert Manager where the certificates are held. The ACME package doesn't track renewal times. Though it's not terribly hard to calculate (last renew +90d). If you are worried about expiring certificates, add your e-mail address under the account key when making a new cert, then LE will e-mail you if anything gets close to expiring.

dns_cf is the DNS-Cloudflare selection in the ACME certificate settings. When you choose that, there is still a box for Enable DNS alias mode to do what you want.

Im all set. I was able to create wild card certs (since Sept 27)

[image: 1538850084896-screenshot_2018-10-06-bill-lab-jimp-pw-services-acme-certificate-options-edit-resized.png]

Ok, got it (0.3.2_3). Guess I gonna line up for 2.4.4 now

yes I found. Looks like this tag></tag>

Will do. Thanks

If you want to offload SSL to HAProxy on pfSense and let ACME handle the validation, you can. You do not need to import anything from your other servers, let the ACME package create and request the certificates for you. Even though they already exist, as long as the validation passes it will be OK. From the look of that last error you do not have the proper settings for DNS validation. You could instead follow the example at https://forum.netgate.com/topic/90643/let-s-encypt-support/31 and configure it so HAProxy can assist in handling the validation instead of using DNS.

ok. Installed cert-bot on the mailserver and set up that ACME-challenge-dir etc // seems to work now. Thanks so far!

The GUI does not have support for EC keys at this time.

Ok worked fine with HAProxy. I would suggest you to drop the Squid packages since many features are deprecated or not working properly :) Thank you for all your amazing stuff.

Thanks for the reply, gotcha i thought it was a bug on pfSense will update it the package edit: solved thank you @jimp

Well I don't know WTF changed, but this problem has automagically resolved itself after a reboot. My guess is some stale routing state somewhere. The GUI changes in latest ACME package work well, though!

@napsterbater Thanks for the response. I found that post before posing my question here. The issue is that this solution required the installation of a different certificate manager. What follows is not a complaint but an observation. It is now clear to me that the pfSense Certificate Manager is designed to import and export certificates needed by the router. It's a great router. We really shouldn't need it to be a CA as well. So I installed OpenSSL and used it to recreated all my certs, replacing the old ones as needed. We no longer generate certificates in the pfSense Certificate Manager.

I opened https://redmine.pfsense.org/issues/8682 to add a proper check on the AJAX response for this, and just pushed the change in the latest version of the ACME package. An update should show up shortly. It won't solve your other issue (which I can't reproduce) but it will at least hopefully indicate success or failure properly. It did in my testing, but I couldn't induce a server side failure to test a real-world failure, only a locally faked one.

In the ACME general settings, check Write Certificates, and then have your script check in /conf/acme/ and copy them wherever you want. The script doesn't need to hook on an update, it could check the file modification time or use some other method. Calling it from cron once a day some time after the ACME update would be sufficient.

That would be a matter of configuring plesk to accept updates via the nsupdate method. Using their API is going to be completely different unless it implements that somehow. nsupdate is an implementation of a specific protocol, RFC2136. This is a guide on what is required to get a bind server configured to accept updates: https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html An alternate strategy might be to set up a bind server like in that link that serves as the master of a dynamic zone with the plesk as the slave but that would preclude managing the zone in plesk which is likely undesirable. The heavy lifting for this probably needs to be done on the plesk. Instead of accepting updates via their proprietary API they should have a standard method such as RFC2136.