Netgate Discussion Forum

Using Let's Encrypt Certs with Web GUI

  • J
    johntconklin
    last edited by Mar 5, 2017, 9:56 PM

    My repeated efforts to get the 2.3.2-RELEASE WebGUI to use Let's Encrypt certs have resulted in locking myself out of the GUI (which I recover via the console by restoring an earlier configuration and restarting the GUI).

    I've obtained certs for pfsense by using "certbot certonly --manual --preferred-challenges dns-01 -d pfsense.example.com".  When this is done, I take the cert.pem and privkey.pem files from /etc/letsencrypt/live/pfsense.example.com/ and cut-and-paste their contents in the "Import Certificate" dialog in the Certificate Manager.

    This results in a new record for the pfsense.example.com cert (CA: No, Server: No), with an "external" issuer.  I've also tried importing the Let's Encrypt Authority X3 cert as a new CA.  This changed the new pfsense cert's issuer from "external" to "Let's Encrypt Authority X3".  But even then my browser cannot reconnect after changing the WebGUI cert.

    I'd appreciate if you could point me where I might be going wrong.  Thanks.

    • D
      doktornotor Banned
      last edited by Mar 5, 2017, 9:58 PM

      How about upgrading your pfSense to 2.3.3 and using the ACME package?

      • J
        johntconklin
        last edited by Mar 5, 2017, 10:23 PM

        It turns out I gave up too easily – not only did I have to add the "Let's Encrypt Authority X3" cert to the CAs, I had to add its parent cert, "DST Root CA X3".  With this, my pfsense.example.com cert had a chain all the way to the root, and WebGUI now works fine.  It might be useful if pfSense refused to allow certificates missing a full certificate chain to be selected.

        It's funny how you can battle a problem for hours, and the solution comes together right after you ask for help.

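The missing-root situation described in the post above, as an added example that is not part of the original thread: a shell check of whether a leaf certificate chains all the way to a self-signed root, given only a chosen set of CA certificates. The three-level chain is constructed throwaway test data, the function names `make_demo_chain` and `chain_status` are made up for this example, and it assumes the OpenSSL 1.1.0 or later command-line tool.

```shell
#!/bin/sh
# Added example: all certificates below are throwaway, constructed test data.

# make_demo_chain DIR: create root CA -> intermediate CA -> leaf in DIR.
make_demo_chain() {
    d=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=pfsense.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
}

# chain_status LEAF CA_PEM...: print "complete" if LEAF verifies up to a
# self-signed root among the listed CA certificates, else "incomplete".
chain_status() {
    [ "$#" -ge 2 ] || { echo "usage: chain_status LEAF CA_PEM..." >&2; return 2; }
    leaf=$1; shift
    bundle=$(mktemp)
    cat "$@" > "$bundle"
    # Without -partial_chain, openssl verify insists on reaching a root.
    # -no-CApath keeps the system trust directory out of the decision.
    if openssl verify -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        echo complete
    else
        echo incomplete
    fi
    rm -f "$bundle"
}

demo=$(mktemp -d)
make_demo_chain "$demo"
echo "intermediate only:   $(chain_status "$demo/cert.pem" "$demo/int.pem")"
echo "intermediate + root: $(chain_status "$demo/cert.pem" "$demo/int.pem" "$demo/root.pem")"
rm -rf "$demo"
```

Against real files, pass the server certificate first and then each CA certificate you have imported.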
        • J
          johntconklin
          last edited by Mar 5, 2017, 10:24 PM

          @doktornotor:

          How about upgrading your pfSense to 2.3.3 and using the ACME package?

          Thanks for the suggestion.  As I just mentioned, I was able to get it working.  But as my current certbot workflow is somewhat clunky, I should see if 2.3.3 w/ACME can file off some of those rough edges.  A project for next weekend…
