Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ACME Pkg Questions

    Scheduled Pinned Locked Moved
    ACME
    2
    3
    796
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AndroBourne
      last edited by

      Hi guys,

      I have a few questions about the ACME package usage. I'd like to create a Let's Encrypt cert for the Web UI because it is open for WAN management. (on a non standard port and forced https connection)

      1. I already have a Let's Encrypt certificate running on a web server behind the firewall. If I apply the cert to the pfsense box, will it in any way clash with my existing cert on the webhost? (both will be using the same domain name).

      2. What authorization method should I use? I was following this post. https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/ and leaning toward "standard" however. It stated 80 and 443 need to be forwarded to the PFSense box during the time of authorization to properly take place. If I have a webhost running on those ports, couldn't that create an issue with my websites? Should I try doing the DNS-Manual instead? Will DNS-Manual work for auto renewals?

      3. If I already have the webhost with the certificate, is there anyway I can just simply import the cert for the PFSense? (I'm guessing issue here is that it would be a manual process to have to renew it on the PFSense box once it auto renews on the webhost?)

      Any ideas here on a good method to deploy this? I really just need to to help secure my https traffic to PFSense Web UI.

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        1: They wouldn't conflict, but you'd have to somehow account for both the GUI and the server behind it using the same name. If it always resolves to your WAN address and you run them on different ports, that is OK.

        2: If you can, use a DNS-based method. Manual can be a pain but ultimately it's up to you and what your DNS host provides.

        3: You could import the certificate again each time it is renewed, but that could get annoying.

        If you must use a web-based validation method, you could use haproxy on pfSense to handle connections to your web server, and haproxy could handle the ACME part itself. Search around the forum a bit and you'll find it.

        Or if your DNS servers support one of the automated update methods, just use a different hostname for the firewall and the web server and they can coexist without any interaction.

        Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • A
          AndroBourne
          last edited by

          Awesome, thanks! i'll give that a shot and see how that goes.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post