ACME Pkg Questions



  • Hi guys,

    I have a few questions about the ACME package usage. I'd like to create a Let's Encrypt cert for the Web UI because it is open for WAN management. (on a non standard port and forced https connection)

    1. I already have a Let's Encrypt certificate running on a web server behind the firewall. If I apply the cert to the pfsense box, will it in any way clash with my existing cert on the webhost? (both will be using the same domain name).

    2. What authorization method should I use? I was following this post. https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/ and leaning toward "standard" however. It stated 80 and 443 need to be forwarded to the PFSense box during the time of authorization to properly take place. If I have a webhost running on those ports, couldn't that create an issue with my websites? Should I try doing the DNS-Manual instead? Will DNS-Manual work for auto renewals?

    3. If I already have the webhost with the certificate, is there anyway I can just simply import the cert for the PFSense? (I'm guessing issue here is that it would be a manual process to have to renew it on the PFSense box once it auto renews on the webhost?)

    Any ideas here on a good method to deploy this? I really just need to to help secure my https traffic to PFSense Web UI.


  • Rebel Alliance Developer Netgate

    1: They wouldn't conflict, but you'd have to somehow account for both the GUI and the server behind it using the same name. If it always resolves to your WAN address and you run them on different ports, that is OK.

    2: If you can, use a DNS-based method. Manual can be a pain but ultimately it's up to you and what your DNS host provides.

    3: You could import the certificate again each time it is renewed, but that could get annoying.

    If you must use a web-based validation method, you could use haproxy on pfSense to handle connections to your web server, and haproxy could handle the ACME part itself. Search around the forum a bit and you'll find it.

    Or if your DNS servers support one of the automated update methods, just use a different hostname for the firewall and the web server and they can coexist without any interaction.



  • Awesome, thanks! i'll give that a shot and see how that goes.


Log in to reply