Netgate Discussion Forum

    Let's Encrypt w Acme package working, but not ideal

    ACME: 10 Posts, 5 Posters, 2.7k Views
    mervincm

      pfSense 2.4.2R-p1
      acme package installed (v0.1.34)
      dynamic DNS configured and functional in pfSense
      I use Namecheap for my domain name registration and to host DNS.
      I only own one domain name, and I want to use it externally to VPN home, as well as internally on a few devices so I can use https.
      acme configured and working, certificate issued, installed, working, and I have since renewed it. Standalone HTTP Server is the authentication option configured.

      I would like to move to another authentication option because:
      • this option requires that I have an entry in my external Namecheap DNS, and this entry is the internal name for my router. I do not want that to ever resolve to my external IP address; I want it to fail, or to resolve to my internal IP via my pfSense internal DNS resolver. So right now, I have to manually make the A record in my external DNS, renew, then manually delete it.
      • I have to manually enable a firewall rule and port forward rule to redirect the port to allow Let's Encrypt to reach the temp HTTP server.

      These steps prevent me from scheduling the renewal.

      Any suggestions?

      https://doc.pfsense.org/index.php/ACME_package

      suggests, in order:
      • nsupdate - can't see how to make this work with Namecheap DNS
      • DNS-Manual - seems to only work to create certs, not renew them
      • FTP webroot - seems to need a fixed IP address
      • webroot local folder - seems easy to make an error that would compromise security

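The DNS-01 validation the thread is steering toward works off a TXT record at _acme-challenge.<name>, so the internal hostname needs no A record and no inbound HTTP rule. The following is an added example (not from the thread or the pfSense ACME package) that computes the TXT value an ACME CA expects, per RFC 8555 §8.4 and RFC 7638, and checks a resolver's TXT answers for it; the JWK, token and answer strings are constructed sample values.

```python
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value the CA looks up: base64url(SHA-256("<token>.<thumbprint>")), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(hostname: str) -> str:
    """Name the CA queries; the hostname itself needs no A record for validation to succeed."""
    return "_acme-challenge." + hostname.rstrip(".")


def dns01_satisfied(token: str, account_jwk: dict, txt_answers: Iterable[str]) -> bool:
    """True when any TXT string served for the challenge name equals the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return any(answer.strip('"') == expected for answer in txt_answers)


# Constructed sample values (not real key material): an EC P-256 account key and a CA token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-base64url", "y": "constructed-y-coordinate-base64url"}
SAMPLE_TOKEN = "constructed-challenge-token"

if __name__ == "__main__":
    name = challenge_name("pfsense.mydomain.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
    # Constructed resolver answers; the first is the record a DNS API integration would have published.
    print(dns01_satisfied(SAMPLE_TOKEN, SAMPLE_JWK, [f'"{value}"', '"unrelated-txt"']))
```

Querying the live record before renewal (for example `dig TXT _acme-challenge.pfsense.mydomain.com`) confirms the DNS provider published it without touching the hostname's A record.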
      jimp (Rebel Alliance Developer, Netgate)

        The namecheap API is not feasible to use, partially because it's closed/paid access so the folks at acme.sh can't implement it easily. Additionally, last I looked, the API was not very good. You had to read all records, change one thing and then push the entire zone back. Lots of room for error.

        Your best bet is moving your DNS to an alternate provider that is supported by the ACME package.

        I love Namecheap, all of my domains are registered there, but they have not been very good for API/dynamic updates for anything other than A records.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        mervincm

          It's only been 3 months, but I have not made any real headway.

          I just manually renewed once more :)

          • Add A record in Namecheap DNS for pfsense.mydomain.com
          • Add firewall NAT PF rule to allow inbound HTTP to pfSense firewall
          • run renew in ACME package
          • shell command /etc/rc.restart_webgui
          • disable firewall NAT PF rule to allow inbound HTTP to pfSense firewall
          • remove A record in Namecheap DNS for pfsense.mydomain.com

          Would be great to have this fully automated.
          ClouDNS has a free tier that would seem to do, and it's listed by name in the ACME Domain SAN list.

          Napsterbater

            @jimp:

            I love Namecheap, all of my domains are registered there, but they have not been very good for API/dynamic updates for anything other than A records.

            I use Namecheap as my registrar, but Cloudflare as my DNS service, free for 1 domain, and don't even use the cache/reverse proxy anymore, and it works great with ACME.

            mervincm

              Thanks, I will give that a try!

              Gertjan

                Strange.
                With :
                @MervinCM:

                pfSense 2.4.2R-p1

                This one
                @MervinCM:

                acme package installed (v0.1.34)

                has been replaced ages ago with

                acme package installed (v0.2.2)

                Packages like acme should be kept on the latest version - no exceptions.
                You probably have upgrade and update problems; handle them asap.

                edit: oops, the first post dates from 24/11/2017 ….
                Anyway, update, a new one came out ;)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit: and where are the logs??

                Making_sense_of_pfSense

                  https://github.com/Neilpang/acme.sh/tree/master/dnsapi#53-use-namecheap says that acme.sh supports namecheap.com's API to issue and renew certs automatically.
                  Yet, namecheap is not in the dropdown list (see picture below).
                  How come? Thank you.
                  [image: the dropdown list referred to above]

                  Running pfSense Community Edition 2.7.2 on a Qotom Mini PC.

                  jimp (Rebel Alliance Developer, Netgate)

                    It was recently added to acme.sh, we have not synced up to their code yet to pull that in. It will be added eventually.

                    jimp (Rebel Alliance Developer, Netgate)

                      Also: The limitation I listed above is still true. It is supported, but the API sucks.

                      https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_namecheap.sh#L7

                      Making_sense_of_pfSense

                        Thank you Jim! I know the limitations still hold true but luckily they don't affect me!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.