Using Let's Encrypt Certs with Web GUI
-
My repeated efforts to get the 2.3.2-RELEASE WebGUI to use Let's Encrypt certs have resulted in locking myself out of the GUI (which I recover via the console by restoring an earlier configuration and restarting the GUI).
I've obtained certs for pfsense by using "certbot certonly --manual --preferred-challenges dns-01 -d pfsense.example.com". When this is done, I have to take the cert.pem and privkey.pem files from /etc/letsencrypt/live/pfsense.example.com/ and cut-and-paste their contents into the "Import Certificate" dialog in the Certificate Manager.
This results in a new record for the pfsense.example.com cert (CA: No, Server: No), with an "external" issuer. I've also tried importing the Let's Encrypt Authority X3 cert as a new CA. This changed the new pfsense cert's issuer from "external" to "Let's Encrypt Authority X3". But even then my browser cannot reconnect after changing the WebGUI cert.
I'd appreciate it if you could point out where I might be going wrong. Thanks.
-
How about upgrading your pfSense to 2.3.3 and using the ACME package?
-
It turns out I gave up too easily. Not only did I have to add the "Let's Encrypt Authority X3" cert to the CAs, I had to add its parent cert, "DST Root CA X3". With this, my pfsense.example.com cert had a chain all the way to the root, and the WebGUI now works fine. It might be useful if pfSense refused to allow certificates missing a full certificate chain to be selected.
It's funny how you can battle a problem for hours, and the solution comes together right after you ask for help.
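The chain problem described above can be reproduced and checked with openssl before anything is pasted into the Certificate Manager. The script below is an added example, not code from the thread or from pfSense or certbot: it builds a throwaway root -> intermediate -> leaf chain (the names are constructed; only the hostname mirrors the thread), then shows that the leaf fails to verify when only the intermediate is trusted and passes once the root is trusted and the intermediate is present, which is exactly the difference between the two import attempts. It also checks that privkey.pem matches cert.pem. In a real certbot live directory the intermediate is the content of chain.pem, and fullchain.pem is cert.pem followed by chain.pem.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a throwaway root -> intermediate -> leaf
# chain with openssl and show why a leaf imported without its issuers does not verify.
# All names are constructed; the hostname mirrors the one used in the thread.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="pfsense.example.com"

# Extension files so the result does not depend on the system openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"

# Self-signed root CA: stands in for the root the poster had to add as a second CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

# Intermediate CA signed by the root: stands in for the issuing authority.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

# Leaf (WebGUI server) certificate signed by the intermediate: plays the role of cert.pem.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" >/dev/null 2>&1

# Second attempt in the thread: only the intermediate is trusted. openssl (like a browser)
# still needs a self-signed anchor, so this returns non-zero.
verify_with_intermediate_only() {
    openssl verify -CAfile "$WORK/int.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# What finally worked: the root is trusted and the intermediate is available to build the chain.
verify_with_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Pre-import sanity check: the pasted private key must belong to the pasted certificate.
key_matches_cert() {
    cert_pub="$(openssl x509 -noout -pubkey -in "$WORK/cert.pem")"
    key_pub="$(openssl pkey -pubout -in "$WORK/privkey.pem")"
    [ "$cert_pub" = "$key_pub" ]
}

# Print subject/issuer of each link so the chain can be read top to bottom before importing.
show_chain() {
    for f in cert.pem int.pem root.pem; do
        openssl x509 -noout -subject -issuer -in "$WORK/$f"
    done
}

show_chain
if verify_with_intermediate_only; then echo "intermediate only: OK"; else echo "intermediate only: FAIL (no trusted root)"; fi
if verify_with_full_chain; then echo "full chain: OK"; else echo "full chain: FAIL"; fi
if key_matches_cert; then echo "key matches cert: yes"; else echo "key matches cert: NO"; fi
```

Running the same three checks against the real files in /etc/letsencrypt/live/<host>/ (cert.pem, chain.pem, privkey.pem, with the root taken from the system trust store) tells you before the GUI listener restarts whether the certificate you are about to select has a complete chain.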
-
How about upgrading your pfSense to 2.3.3 and using the ACME package?
Thanks for the suggestion. As I just mentioned, I was able to get it working. But as my current certbot workflow is somewhat clunky, I should see if 2.3.3 w/ACME can file off some of those rough edges. A project for next weekend…