Netgate Discussion Forum
    my ACME cert from letsencrypt is not a Internal CA

    General pfSense Questions
    3 Posts 2 Posters 201 Views
    • maverikh

      ... what do I need to do???

      I'm not sure what to do here. Let's Encrypt worked just fine for my pfSense FQDN and my VPN FQDN.

      When I try to create a VPN user... the ROOT-CA is not available. Literally nothing in the list.
      I thought the Let's Encrypt key was a root CA along with the cert for the FQDN.

      Did I do something wrong?

      • Gertjan @maverikh

        @maverikh

        Internal?
        A Let's Encrypt certificate isn't internally generated; it comes from Let's Encrypt.
        Here's mine:

        [screenshot]

        This "R10" intermediate certificate is listed on the CA page:

        [screenshot]

        I have them there because I imported them myself ;) (not really needed, I guess)
        From where? From Let's Encrypt, of course; do your chopping here:
        https://letsencrypt.org/certificates/

        Btw: an ACME question belongs to the ACME forum. Go check over there for more info.

        Even if you haven't listed these R10, R11, ISRG Root X1 and ISRG Root X2 on the System > Certificate > Authorities page, you still have them in the pfSense FreeBSD certificate store; go have a look here: /etc/ssl/certs/
        Like your PC, phone, tablet etc., these certs are known as the trusted ones.

        Also: you use the Let's Encrypt certificates for VPN?
        Isn't that a PITA?
        I generated a 10-year 'self-signed' CA first:

        [screenshot]

        then a server certificate:

        [screenshot]

        and based my VPN client certificates on this server certificate.

        Maybe Let's Encrypt certs work fine, but doesn't that mean you have to re-export the client config every 60-90 days?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        • maverikh @Gertjan

          @Gertjan Thank you, this helps!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.