Apparently they don't support nsupdate for ACME.  They do support the creation of TXT records, however I've decided to use SFTP instead.

Got it, thanks for the reply!

Adding the above line to acme_sh.inc in line 40 worked well for me. But since I don't know how to access global config to retrieve the system wide proxy settings, I had to hard code my proxy. Also the script should support wget as well. But this shouldn't be that big a deal for somebody used to pfsense packages. Any idea how to contact the maintainer?

@jimp:

There might be some paid DNS providers out there that do RFC2136 but I'm not aware of any specifically.

Dyn does… but it's not the easiest thing in the world to get working. At least it wasn't when I last tried it (which was before I started using pfSense, which might have been part of the problem).

What are the prospects for a freeradius3 package?  freeradius2 is already not getting fixes- only critical security patches-  so at some point folks will need to decide whether to create a new package or drop it entirely.

Dear PiBa,

Thank you very much for communicating positively instead of just laughing out loud! It is indeed possible to upload any consistent certificate (regardless of CN and the like) to the cert manager and the acme package will overwrite it, if set up correctly, while retaining the private key. Hence, generating certificates suitable for private key pinning is well possible.

There is one other issue I am trying to resolve: For some applications, I do need certificates outside pfsense, for example for starttls in my e-mail gateway. Instead of generating separate certificates for those servers via lets encrypt, it is conceivable to reuse the certificates generated and renewed by pfsense there. While I do backup the configuration nightly via ssh which seems to contain the certificates and keys in clear text, is there a convenient way to download (or export) individual certificates and keys via a bash script based on the content of config.xml?

Regards,

Michael

Or, be patient, there is a pull request pending to bring pfSense up to date with the latest acme.sh.

https://github.com/pfsense/FreeBSD-ports/pull/318

Not seeing the same issue as you.  My log is below.  The error seems to be that it is not finding the API Key (Dynamic DNS ID) when connecting to DNSMadeEasy.  I have verified both the ID and Password and they are valid.

[Thu Feb 23 09:01:23 AST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_me.sh
[Thu Feb 23 09:01:23 AST 2017] dns_me_add exists=0
[Thu Feb 23 09:01:23 AST 2017] APP
[Thu Feb 23 09:01:23 AST 2017] 4:ME_Key='231XXXX'
[Thu Feb 23 09:01:23 AST 2017] APP
[Thu Feb 23 09:01:23 AST 2017] 5:ME_Secret='testforSecureXXXXX'
[Thu Feb 23 09:01:23 AST 2017] First detect the root zone
[Thu Feb 23 09:01:23 AST 2017] name?domainname=secure.accra.ca
[Thu Feb 23 09:01:23 AST 2017] GET
[Thu Feb 23 09:01:23 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=secure.accra.ca'
[Thu Feb 23 09:01:23 AST 2017] timeout
[Thu Feb 23 09:01:23 AST 2017] curl exists=0
[Thu Feb 23 09:01:23 AST 2017] wget exists=127
[Thu Feb 23 09:01:23 AST 2017] _CURL='curl -L –silent --dump-header /tmp/acme/accra.ca//http.header '
[Thu Feb 23 09:01:24 AST 2017] ret='0'
[Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
[Thu Feb 23 09:01:24 AST 2017] name?domainname=accra.ca
[Thu Feb 23 09:01:24 AST 2017] GET
[Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=accra.ca'
[Thu Feb 23 09:01:24 AST 2017] timeout
[Thu Feb 23 09:01:24 AST 2017] curl exists=0
[Thu Feb 23 09:01:24 AST 2017] wget exists=127
[Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L –silent --dump-header /tmp/acme/accra.ca//http.header '
[Thu Feb 23 09:01:24 AST 2017] ret='0'
[Thu Feb 23 09:01:24 AST 2017] response='{error: ["API key not found"]}'
[Thu Feb 23 09:01:24 AST 2017] name?domainname=ca
[Thu Feb 23 09:01:24 AST 2017] GET
[Thu Feb 23 09:01:24 AST 2017] url='https://api.dnsmadeeasy.com/V2.0/dns/managed/name?domainname=ca'
[Thu Feb 23 09:01:24 AST 2017] timeout
[Thu Feb 23 09:01:24 AST 2017] curl exists=0
[Thu Feb 23 09:01:24 AST 2017] wget exists=127
[Thu Feb 23 09:01:24 AST 2017] _CURL='curl -L –silent --dump-header /tmp/acme/accra.ca//http.header '
[Thu Feb 23 09:01:25 AST 2017] ret='0'
[Thu Feb 23 09:01:25 AST 2017] response='{error: ["API key not found"]}'
[Thu Feb 23 09:01:25 AST 2017] invalid domain
[Thu Feb 23 09:01:25 AST 2017] Error add txt for domain:_acme-challenge.secure.accra.ca
[Thu Feb 23 09:01:25 AST 2017] pid
[Thu Feb 23 09:01:25 AST 2017] _clearupdns
[Thu Feb 23 09:01:25 AST 2017] Dns not added, skip.
[Thu Feb 23 09:01:25 AST 2017] _on_issue_err
[Thu Feb 23 09:01:25 AST 2017] Please check log file for more details: /tmp/acme/accra.ca/acme_issuecert.log

doktornotor pointed to the method how to set it up with HAproxy whenthereisn'tawebserveronport80*

HOWEVER: The default nginx Webconfigurator, will also listen on port 80 when the "WebGUI redirect" is unchecked (System -> Advanced -> Admin Access)

Then, under the certificate under the Services -> ACME, select/edit/create the certificate, you select the webroot local, and then use /usr/local/www/.well-known/acme-challenge/
(See attachment)

I suspect when I check that WebGUI redirect disable, then you could use the "standalone HTTP server" option…


There were some issues with that code path. Update the package to 0.1.7 or later when it shows up and it should work.