-
Dear All,
First, I would like to thank the creators of the acme package very much. It is super supreme that one can now automate Let's Encrypt certificate generation together with the haproxy package!
There is one thing which might increase security even further - please correct me if I do not understand this in the right way: with acme, one cannot control generation of the private key. Alternatively, there is certbot (including a FreeBSD port, if I am not mistaken), where one can specify a private key.
Could someone please consider publishing a certbot package as well?
Specifying a private key would (a) raise the comfort level of security minded users and (b) enable implementation of public key pinning in a meaningful manner.
Regards,
Michael Schefczyk
-
Could someone please consider publishing a certbot package as well?
LOL. Good luck with getting people redoing tons of duplicate work for no good reason.
-
I've used certbot and, while it's nice for what it is, it has fewer features than the GUI package does for what we use it for.
There's a checkbox on the first tab of the acme package to set up a cron job to automate renewal. There is a section in each certificate's settings for post-renewal commands. There is even an example there for restarting haproxy.
As for having more control over the certificate's private key, that may be possible but I'm not sure what options we have there with the current acme script base. Reusing a private key sounds less secure to me, not more secure, but to each their own…
-
Technically it is possible to manually 'add' a wanted private key (might need to have the cert, but could self-sign that..) to the pfSense certificate manager, and then let the acme package use that same certificate. It will 'overwrite' the certificate part with the LE-signed version but keep the key in place. Make sure to 'match' the type of key in the certificate configuration.. Maybe not 100% user-friendly, but certainly doable ;).
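The approach PiBa describes, as an added example written for this thread (it is not part of the acme package and not code from any poster): a key generated outside pfSense is wrapped in a self-signed placeholder certificate so it can be imported into the certificate manager, and the SPKI pin of that key is computed. A throwaway local CA stands in for Let's Encrypt to show that the pin taken from the placeholder equals the pin of the re-signed certificate, because only the certificate part changes. Assumptions: openssl is on PATH, P-256 (prime256v1) is the key type, which then has to match the key type selected in the acme package's certificate settings, and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not pfSense or acme package code.
# Assumes: openssl on PATH; key type prime256v1 (must match the key type
# chosen in the acme package); hostnames below are placeholders.
set -eu

# Generate an EC P-256 key and a self-signed placeholder certificate around it,
# ready for import into the pfSense certificate manager.
# $1 = output basename, $2 = placeholder CN (LE sets the real subject/SANs later)
make_pinned_placeholder() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -x509 -key "$1.key" -subj "/CN=$2" -days 30 -out "$1.crt" 2>/dev/null
}

# SPKI pin as used by HPKP (RFC 7469): base64(SHA-256(DER SubjectPublicKeyInfo)).
# $1 = certificate file (PEM)
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Same pin, computed from the private key alone (useful before any cert exists).
# $1 = private key file (PEM)
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Throwaway CA that stands in for Let's Encrypt in the demo.
# $1 = CA basename
make_test_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -x509 -key "$1.key" -subj "/CN=Stand-in test CA" -days 365 -out "$1.crt" 2>/dev/null
}

# What a renewal does: the CA issues a fresh certificate for the SAME key.
# $1 = basename of key/placeholder, $2 = hostname, $3 = CA basename
resign_with_ca() {
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 90 -out "$1-signed.crt" 2>/dev/null
}

# Demo: the pin before and after "renewal" must be identical. Returns 0 if so.
demo_pin_survives_renewal() {
    work=$(mktemp -d)
    make_test_ca "$work/ca"
    make_pinned_placeholder "$work/haproxy" haproxy.example.com
    resign_with_ca "$work/haproxy" haproxy.example.com "$work/ca"
    before=$(spki_pin "$work/haproxy.crt")
    after=$(spki_pin "$work/haproxy-signed.crt")
    fromkey=$(spki_pin_from_key "$work/haproxy.key")
    echo "pin of placeholder:     $before"
    echo "pin of re-signed cert:  $after"
    echo "pin from key alone:     $fromkey"
    rm -rf "$work"
    [ "$before" = "$after" ] && [ "$before" = "$fromkey" ]
}

demo_pin_survives_renewal
```

Pin the SPKI hash rather than the certificate fingerprint: the fingerprint changes at every renewal, the SPKI hash does not as long as the key is kept. Before publishing any pin, generate a second key you also control and keep its pin as a backup, otherwise a lost key locks clients out.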
-
Dear PiBa,
Thank you very much for communicating positively instead of just laughing out loud! It is indeed possible to upload any consistent certificate (regardless of CN and the like) to the cert manager, and the acme package will overwrite it, if set up correctly, while retaining the private key. Hence, generating certificates suitable for private key pinning is quite possible.
There is one other issue I am trying to resolve: for some applications, I do need certificates outside pfSense, for example for STARTTLS on my e-mail gateway. Instead of generating separate certificates for those servers via Let's Encrypt, it is conceivable to reuse the certificates generated and renewed by pfSense there. While I do back up the configuration nightly via SSH, which seems to contain the certificates and keys in clear text, is there a convenient way to download (or export) individual certificates and keys via a bash script based on the content of config.xml?
Regards,
Michael
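One way to script the export asked about above, written for this thread and not a pfSense tool. It assumes the config.xml layout of pfSense's certificate manager: each <cert> element has <descr> (possibly CDATA-wrapped), <crt> and <prv> children, one tag per line, with <crt> and <prv> holding the PEM encoded once more in base64. It uses openssl for decoding and for checking that key and certificate belong together. The demo builds a constructed config.xml from a throwaway key pair, so it runs without a real backup; check the assumed layout against your own config.xml before relying on it.

```shell
#!/bin/sh
# Added example for this thread, not a pfSense tool.
# Assumed config.xml layout (verify against your own backup):
#   <cert>
#     <descr><![CDATA[name]]></descr>
#     <crt>base64(PEM certificate)</crt>
#     <prv>base64(PEM private key)</prv>
#   </cert>
# with one tag per line. openssl must be on PATH.
set -eu

# Print the base64 payload of <crt> or <prv> ($3) for the entry whose <descr>
# equals $2, reading the config file $1. Returns 1 if no such entry exists.
# Usage: cfg_field config.xml "mail-gateway" crt
cfg_field() {
    awk -v want="$2" -v field="$3" '
        /<cert>/ { incert = 1; descr = ""; val = ""; next }
        incert && /<descr>/ {
            d = $0
            sub(/.*<descr>/, "", d); sub(/<\/descr>.*/, "", d)
            sub(/^<!\[CDATA\[/, "", d); sub(/\]\]>$/, "", d)
            descr = d
        }
        incert && $0 ~ ("<" field ">") {
            v = $0
            sub("^.*<" field ">", "", v); sub("</" field ">.*$", "", v)
            val = v
        }
        /<\/cert>/ {
            if (incert && descr == want && val != "") { print val; found = 1 }
            incert = 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write $3/$2.crt and $3/$2.key (key mode 0600) for the entry named $2 in config $1,
# then verify that the key really matches the certificate. Returns 1 on any failure.
export_cert() {
    crt_b64=$(cfg_field "$1" "$2" crt) || return 1
    prv_b64=$(cfg_field "$1" "$2" prv) || return 1
    # -A: pfSense stores the base64 on a single long line, which plain -d rejects
    printf '%s' "$crt_b64" | openssl base64 -d -A > "$3/$2.crt"
    ( umask 077; printf '%s' "$prv_b64" | openssl base64 -d -A > "$3/$2.key" )
    crt_pub=$(openssl x509 -in "$3/$2.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$3/$2.key" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Demo on a CONSTRUCTED config.xml (not a real backup): a throwaway key/cert pair is
# generated, embedded the way pfSense stores it, exported again and compared.
demo_export() {
    work=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/orig.key"
    openssl req -new -x509 -key "$work/orig.key" -subj "/CN=mail.example.com" \
        -days 30 -out "$work/orig.crt" 2>/dev/null
    crt_b64=$(openssl base64 -A < "$work/orig.crt")
    prv_b64=$(openssl base64 -A < "$work/orig.key")
    cat > "$work/config.xml" <<EOF
<?xml version="1.0"?>
<pfsense>
  <cert>
    <refid>placeholder-refid-1</refid>
    <descr><![CDATA[unrelated-cert]]></descr>
    <type>server</type>
    <crt>QkFEQkFE</crt>
    <prv>QkFEQkFE</prv>
  </cert>
  <cert>
    <refid>placeholder-refid-2</refid>
    <descr><![CDATA[mail-gateway]]></descr>
    <type>server</type>
    <crt>$crt_b64</crt>
    <prv>$prv_b64</prv>
  </cert>
</pfsense>
EOF
    rc=1
    if export_cert "$work/config.xml" mail-gateway "$work" \
        && cmp -s "$work/orig.crt" "$work/mail-gateway.crt" \
        && cmp -s "$work/orig.key" "$work/mail-gateway.key"; then
        rc=0
        echo "exported mail-gateway.crt and mail-gateway.key, round trip identical"
    fi
    rm -rf "$work"
    return $rc
}

demo_export
```

Run it against a copied backup, e.g. `export_cert config.xml mail-gateway /tmp/out`, then move the two files to the gateway over SSH and run the post-renewal hook there. Since the backup already contains every private key in clear text, treat the nightly copy with the same care as the keys themselves.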