-
NOYB.. And in what point did I say I was an expert? And at what point did I sound like one.. Please explain to me why a FIREWALL with limited access to its webgui by only ADMINS that has its own built in CA already would need/want and automated system to install a cert that expires every 90 days if it can not phone home..
I just do not get it?? I have a cert on my web gui, took all of 2 seconds to create and trust from my different machines I admin pfsense from..
I mentioned already that it might be a good idea for something like captive portal as well.
-
The project is now in public beta.
It seems to be supported on freebsd :
https://letsencrypt.readthedocs.org/en/latest/contributing.html#freebsd
https://letsencrypt.readthedocs.org/en/latest/using.html#installation-and-usage
-
gonzopancho mentioned on reddit that there will be a let's encrypt package in 2.4 ;D
-
Package is there in the nightly, but i don't know how to use it … lol
-
Package is there in the nightly, but i don't know how to use it … lol
It depends on what you want to do with it. For the GUI:
Visit keys tab, make a new entry, click the button to generate a new account key, then click the button to register the key, then save.
Visit the certs tab, make a new cert, enter a hostname and setup a challenge/response method in the SAN list (pick a method, click +, enter the details), then save, then click issue/renew.
What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could setup keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do).
I would advise against attempting the webroot method directly on the firewall. You could port forward port 80 on the firewall's WAN address to a local web server and then use the webroot FTP option perhaps if you don't have any other choice.
Once you have managed to get a cert issued, go to System > Advanced, pick it for the GUI cert. Edit the cert entry in the ACME package and setup a new action for a shell command to run /etc/rc.restart_webgui, save again. Visit the general settings tab and check the box, then save.
If you want to use it for something other than the GUI, repeat the process but pick it wherever you need to use it instead (e.g. haproxy), though your update method may vary for that.
I'll write up a more thorough doc on it eventually.
-
@KOM:
90 days?? Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.
The let's encrypt script can be put on cron, and automate every 90 days with a new cert.
It's done regularly on linux webservers.
-
@KOM:
90 days?? Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.
One reason may be that the newest version of Google Chrome is no longer trusting StartSSL, due to their parent company doing some shady things.
-
Package is there in the nightly, but i don't know how to use it … lol
It depends on what you want to do with it. For the GUI:
Visit keys tab, make a new entry, click the button to generate a new account key, then click the button to register the key, then save.
Visit the certs tab, make a new cert, enter a hostname and setup a challenge/response method in the SAN list (pick a method, click +, enter the details), then save, then click issue/renew.
What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could setup keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do).
I would advise against attempting the webroot method directly on the firewall. You could port forward port 80 on the firewall's WAN address to a local web server and then use the webroot FTP option perhaps if you don't have any other choice.
Once you have managed to get a cert issued, go to System > Advanced, pick it for the GUI cert. Edit the cert entry in the ACME package and setup a new action for a shell command to run /etc/rc.restart_webgui, save again. Visit the general settings tab and check the box, then save.
If you want to use it for something other than the GUI, repeat the process but pick it wherever you need to use it instead (e.g. haproxy), though your update method may vary for that.
I'll write up a more thorough doc on it eventually.
awesome.. i had my dns with namecheap & wasnt able to figure out how to do NSUpdate with them. so moved it to cloudflare & it worked.
If you use cloudflare make sure the dns uses cloudflare DNS only & has a grey cloud. Grey Cloud: Records that display a grey cloud icon will bypass Cloudflare, using only Cloudflare DNS
if you have an orange cloud the auth fails. you can re-enable it after the cert is issued
-
If someone really insists on using a local webroot.
1/ Install HAproxy package.
2/ Put this to HAProxy > Files (Type - Lua script, Name: acme-http01-webroot.lua)(or download from here)
-- ACME http-01 domain validation plugin for Haproxy 1.6+ -- copyright (C) 2015 Jan Broer -- acme = {} acme.version = "0.1.1" -- -- Configuration -- -- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass -- that as 'webroot-path' to the letsencrypt client acme.conf = { ["non_chroot_webroot"] = "" } -- -- Startup -- acme.startup = function() core.Info("[acme] http-01 plugin v" .. acme.version); end -- -- ACME http-01 validation endpoint -- acme.http01 = function(applet) local response = "" local reqPath = applet.path local src = applet.sf:src() local token = reqPath:match( ".+/(.*)$" ) if token then token = sanitizeToken(token) end if (token == nil or token == '') then response = "bad request\n" applet:set_status(400) core.Warning("[acme] malformed request (client-ip: " .. tostring(src) .. ")") else auth = getKeyAuth(token) if (auth:len() >= 1) then response = auth .. "\n" applet:set_status(200) core.Info("[acme] served http-01 token: " .. token .. " (client-ip: " .. tostring(src) .. ")") else response = "resource not found\n" applet:set_status(404) core.Warning("[acme] http-01 token not found: " .. token .. " (client-ip: " .. tostring(src) .. ")") end end applet:add_header("Server", "haproxy/acme-http01-authenticator") applet:add_header("Content-Length", string.len(response)) applet:add_header("Content-Type", "text/plain") applet:start_response() applet:send(response) end -- -- strip chars that are not in the URL-safe Base64 alphabet -- see https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md -- function sanitizeToken(token) _strip="[^%a%d%+%-%_=]" token = token:gsub(_strip,'') return token end -- -- get key auth from token file -- function getKeyAuth(token) local keyAuth = "" local path = acme.conf.non_chroot_webroot .. "/.well-known/acme-challenge/" .. token local f = io.open(path, "rb") if f ~= nil then keyAuth = f:read("*all") f:close() end return keyAuth end core.register_init(acme.startup) core.register_service("acme-http01", "http", acme.http01)3/ Create a very simple http frontend on WAN address, port 80.
4/ Use this for your certificate(s) in ACME package:
[EDIT: The image host originally used in this post is dead. Fixed using cached copies of the images on another host -jimp]
-
Is there any chance that this will work with Google Domain's DNS? It doesn't look Google provides a way to create txt records using their Dynamic DNS API.
-
What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could setup keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do)..
I've been trying to get the manual method to work with he.net, but can't figure out how to generate the TXT key - While I know I need to add it manually to my DNS, is the generation of the key included in your package or is there a manual step required here?
/SJ
-
What you can use for the challenge depends on what you have available. If your DNS provider for your domain is listed you can probably use one of the DNS update methods, or if your server supports RFC2136 you could setup keys for the TXT records it wants to make and use the nsupdate option (this is what I prefer to do)..
I've been trying to get the manual method to work with he.net, but can't figure out how to generate the TXT key - While I know I need to add it manually to my DNS, is the generation of the key included in your package or is there a manual step required here?
/SJ
That was the first method I tested. Define the domain name entry and then click issue/renew. In the green output it tells you what the content of the record should be. Add it to DNS and then wait 2-3 minutes to be sure the record is available, then click issue/renew again.
-
Hello,
new user here. Fresh pfsense install update to 2.3.2_1
I've installed the acme package but i have some problems with Route 53 Dns validation
The output say that:[Mon Feb 6 17:24:12 CET 2017] Registering account [Mon Feb 6 17:24:13 CET 2017] Already registered [Mon Feb 6 17:24:14 CET 2017] Update success. [Mon Feb 6 17:24:14 CET 2017] Single domain='test.sanitazedomain.it' [Mon Feb 6 17:24:14 CET 2017] Getting domain auth token for each domain [Mon Feb 6 17:24:14 CET 2017] Getting webroot for domain='test.sanitazedomain.it' [Mon Feb 6 17:24:14 CET 2017] _w='dns_aws' [Mon Feb 6 17:24:14 CET 2017] Getting new-authz for domain='test.sanitazedomain.it' [Mon Feb 6 17:24:15 CET 2017] The new-authz request is ok. [Mon Feb 6 17:24:16 CET 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_aws.sh [color][Mon Feb 6 17:24:18 CET 2017] Error add txt for domain:_acme-challenge.test.sanitazedomain.it[/color] [Mon Feb 6 17:24:18 CET 2017] Please check log file for more details: /tmp/acme/test/acme_issuecert.logi checked the log and seem to fail at curl command to retriete http.header.
If i open HTTP.HEADER file in the acme domain folder (test in this case) i get:HTTP/1.1 505 HTTP Version not supported Date: Mon, 06 Feb 17 16:24:18 GMT Connection: close x-amz-id-2: 1rjTvEvOKQpJ5zruKVbddXvS15q4+I1y/+r2qirC9S8MYXm1esOQYwkOscLruZW8zzvK0+WY8BOQiy8GvYMu0rx0Uwq8WqlH x-amz-request-id: 8B82C340F9CA158D Content-Length: 0any hint? Aws access ID and secret key seems ok. I've tried also to get full access to this IAM user to Route53
-
Route53 made some change to their service in the last few days that might have broken this client. We've had at least one other report of Route53 dyndns not working in general (not related to acme). Odds are the route53 script needs updated to match their new API/methods.
-
Thank you.
Just my luck. Every time i try something new, something is broken since hours or days ::) -
Hello, cert BFU here, so sorry if I won't make much sense…
Is it somehow possible to continue with certs from previous "issuing"? I have used "acme.sh" script in Ubuntu two months ago, sucefully got some acme-challenge TXT values for my (sub)domains, which I have added manually to my DNS configuration and on the second run of "acme.sh" couple files were generated (.cer, .key, ...).I have sucesfully added generated .cer to HAproxy on my pfSense and it is now serving me my https websites through HAproxy and it was my undestanding that when the time comes I would just have to do "acme.sh --renew -d mydomain.com" to regenerate certs and manually replace cert on HAproxy.
I wanted to automate this using this pfSense package. Is it possible to continue with started process, or do I have to generate new set of TXT values and replace them at my DNS config again?
I have tried to put content of my .key file into "Account keys" tab and define same domainname on Certificates tab with Method: DNS-manual, but attempt to "Renew" ends with green "mydomain.com is not a issued domain, skip" message.
Am I doing it all wrong?
-
The TXT records are only valid for a few days and then they expire – you'd have to remake them when it's time to renew anyhow.
If you use the exact same list of SANs from your original cert, LE will allow it can will consider it a reissue. If you change the the list of SANs, it's treated as a new certificate. (Not too important unless you're close to their rate limits...)
-
That was the first method I tested. Define the domain name entry and then click issue/renew. In the green output it tells you what the content of the record should be. Add it to DNS and then wait 2-3 minutes to be sure the record is available, then click issue/renew again.
Thanks for the response! Oddly, when I configure the manual method I get both an issue and a renew button, rather than the joined button I get if it was set to webroot, but I think that's a minor detail.
My output, however, holds no TXT entry, which is why I was getting confused
xxx.net Renewing certificateaccount: xxx-key server: letsencrypt-production /usr/local/pkg/acme/acme.sh --issue -d 'host.xxx.net' --home '/tmp/acme/xxx.net/' --accountconf '/tmp/acme/xxx.net/accountconf.conf' --force --reloadCmd '/tmp/acme/xxx.net/reloadcmd.sh' --dns '' --log-level 3 --log '/tmp/acme/xxx.net/acme_issuecert.log' Array ( [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/ ) [Mon Feb 6 21:03:55 UTC 2017] Single domain='host.xxx.net' [Mon Feb 6 21:03:55 UTC 2017] Getting domain auth token for each domain [Mon Feb 6 21:03:55 UTC 2017] Getting webroot for domain='host.xxx.net' [Mon Feb 6 21:03:55 UTC 2017] _w [Mon Feb 6 21:03:55 UTC 2017] Getting new-authz for domain='host.xxx.net' [Mon Feb 6 21:03:59 UTC 2017] The new-authz request is ok. [Mon Feb 6 21:03:59 UTC 2017] Verifying:host.xxx.net [Mon Feb 6 21:04:02 UTC 2017] Pending [Mon Feb 6 21:04:05 UTC 2017] host.xxx.net:Verify error:Could not connect to host.xxx.net [Mon Feb 6 21:04:05 UTC 2017] Please check log file for more details: /tmp/acme/xxx.net/acme_issuecert.log -
I found a problem with it and pushed a fix a couple hours ago. Update the package to 0.1.8 when you see it. I put in fixes for SFTP Webroot and DNS-Manual today.
https://github.com/pfsense/FreeBSD-ports/commit/a8952d9a67c674e521f75f5c3e61d879f89d43a4
https://github.com/pfsense/FreeBSD-ports/commit/9bda224f04c361836ebd7ebf1992de20d504487bThe new package won't show up for 2.3.3 or 2.4 until new snapshots are built.
-
I found a problem with it and pushed a fix a couple hours ago. Update the package to 0.1.8 when you see it. I put in fixes for SFTP Webroot and DNS-Manual today.
https://github.com/pfsense/FreeBSD-ports/commit/a8952d9a67c674e521f75f5c3e61d879f89d43a4
https://github.com/pfsense/FreeBSD-ports/commit/9bda224f04c361836ebd7ebf1992de20d504487bThe new package won't show up for 2.3.3 or 2.4 until new snapshots are built.
I see the update and giving it a shot now! Shall report back in a jiffy.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.