Netgate Discussion Forum

    Using Let's Encrypt Certs with Web GUI

    johntconklin

      My repeated efforts to get the 2.3.2-RELEASE WebGUI to use Let's Encrypt certs have resulted in locking myself out of the GUI (which I recover via the console by restoring an earlier configuration and restarting the GUI).

      I've obtained certs for pfsense by using "certbot certonly --manual --preferred-challenges dns-01 -d pfsense.example.com". When this is done, I have to take the cert.pem and privkey.pem files from /etc/letsencrypt/live/pfsense.example.com/ and cut-and-paste their contents in the "Import Certificate" dialog in the Certificate Manager.

      This results in a new record for the pfsense.example.com cert (CA: No, Server: No), with an "external" issuer.  I've also tried importing the Let's Encrypt Authority X3 cert as a new CA.  This changed the new pfsense cert's issuer from "external" to "Let's Encrypt Authority X3".  But even then my browser cannot reconnect after changing the WebGUI cert.

      I'd appreciate if you could point me where I might be going wrong.  Thanks.

      doktornotor

        How about upgrading your pfSense to 2.3.3 and using the ACME package?

        johntconklin

          It turns out I gave up too easily. Not only did I have to add the "Let's Encrypt Authority X3" cert to the CAs, I had to add its parent cert, "DST Root CA X3". With this, my pfsense.example.com cert had a chain all the way to the root, and WebGUI now works fine. It might be useful if pfSense refused to allow certificates missing a full certificate chain to be selected.

          It's funny how you can battle a problem for hours, and the solution comes together right after you ask for help.

          johntconklin
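The check the post above wishes pfSense would enforce can be run by hand before importing anything: verify that the leaf certificate chains, through only the CA certs you are about to import, up to a self-signed root. This is an added example, not code from the thread or from pfSense; it assumes openssl is on PATH, and it builds a constructed toy root/intermediate/leaf chain (stand-ins for DST Root CA X3, Let's Encrypt Authority X3 and pfsense.example.com) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: before importing a certificate into the
# pfSense Certificate Manager, confirm that the CA certs you plan to import
# carry the leaf all the way to a self-signed root. Assumes openssl on PATH;
# every file name and subject below is this example's own choice.
set -eu

# chain_status LEAF CAFILE: prints "complete" if LEAF verifies up to a
# self-signed root found in CAFILE, otherwise "incomplete". openssl verify
# will not stop at a non-self-signed CA unless -partial_chain is given, so a
# CAFILE holding only the intermediate is reported as incomplete, which is
# the state the WebGUI was left in after the thread's first attempt.
chain_status() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

# make_toy_pki DIR: build a constructed root -> intermediate -> leaf chain in
# DIR so the check runs offline (stand-ins for DST Root CA X3 -> Let's
# Encrypt Authority X3 -> pfsense.example.com; nothing here is a real cert).
make_toy_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Root' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Toy Intermediate' \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=pfsense.example.com' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$dir/leaf.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
  # The two CA stores the thread tried: intermediate only, then with the root.
  cp "$dir/inter.pem" "$dir/cas_intermediate_only.pem"
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/cas_full.pem"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_toy_pki "$work"
echo "intermediate only:   $(chain_status "$work/leaf.pem" "$work/cas_intermediate_only.pem")"
echo "intermediate + root: $(chain_status "$work/leaf.pem" "$work/cas_full.pem")"
```

For a real Let's Encrypt cert, run chain_status with cert.pem from /etc/letsencrypt/live/<name>/ as LEAF and a file holding exactly the CA certs you have imported into pfSense as CAFILE.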

            @doktornotor:

            How about upgrading your pfSense to 2.3.3 and using the ACME package?

            Thanks for the suggestion.  As I just mentioned, I was able to get it working.  But as my current certbot workflow is somewhat clunky, I should see if 2.3.3 w/ACME can file off some of those rough edges.  A project for next weekend…

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.