Let's Encrypt w Acme package working, but not ideal



  • pfSense 2.4.2R-p1
    acme package installed (v0.1.34)
    dynamic DNS configured and functional in pfSense
    I use Namecheap for my domain name registration and to host DNS
    I only own one domain name, and I want to use it externally to VPN home, as well as internally on a few devices so I can use https.
    acme configured and working, certificate issued, installed, working, and I have since renewed it. Standalone HTTP Server is the authentication option configured.

    I would like to move to another authentication option because:
    - this option requires that I have an entry in my external Namecheap DNS, and this entry is the internal name for my router. I do not want that to ever resolve to my external IP address; I want it to fail, or to resolve to my internal IP via my pfSense internal DNS resolver. So right now, I have to manually make the A record in my external DNS, renew, then manually delete it.
    - I have to manually enable a firewall rule and port forward rule to redirect the port to allow Let's Encrypt to reach the temp HTTP server.

    These steps prevent me from scheduling the renewal.

    Any suggestions?

    https://doc.pfsense.org/index.php/ACME_package

    suggests, in order:
    - nsupdate - can't see how to make this work with Namecheap DNS
    - DNS-Manual - seems to only work to create certs, not renew them
    - FTP webroot - seems to need a fixed IP address
    - webroot local folder - seems easy to make an error that would compromise security


  • Rebel Alliance Developer Netgate

    The namecheap API is not feasible to use, partially because it's closed/paid access so the folks at acme.sh can't implement it easily. Additionally, last I looked, the API was not very good. You had to read all records, change one thing and then push the entire zone back. Lots of room for error.

    Your best bet is moving your DNS to an alternate provider that is supported by the ACME package.

    I love Namecheap, all of my domains are registered there, but they have not been very good for API/dynamic updates for anything other than A records.
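    The risk jimp describes (fetch every record, change one, push the whole zone back) is one a renewal hook can guard against by diffing the proposed zone against the snapshot it was built from before pushing anything. This is an added illustration, not code from the thread or from acme.sh; the record model, sample zone, token and host names are constructed, and it deliberately makes no provider API call.

```python
# Added example (not from the thread or from acme.sh): a guard for the
# "fetch the whole zone, change one record, push it all back" pattern.
# Record model and sample zone are constructed; no provider API is called.
from dataclasses import dataclass
from typing import Iterable, List, Set

@dataclass(frozen=True)
class HostRecord:
    name: str      # relative host name: "@", "www", "_acme-challenge.vpn"
    rtype: str     # "A", "CNAME", "TXT", ...
    address: str
    ttl: int = 1800

# Constructed sample zone using an RFC 5737 documentation address.
SAMPLE_ZONE: List[HostRecord] = [
    HostRecord("@", "A", "203.0.113.10"),
    HostRecord("www", "CNAME", "mydomain.com."),
    HostRecord("vpn", "A", "203.0.113.10"),
]

def acme_txt(label: str, token: str) -> HostRecord:
    """DNS-01 challenge record for <label>.mydomain.com, with a short TTL."""
    return HostRecord(f"_acme-challenge.{label}", "TXT", token, 60)

def collateral_changes(before: Iterable[HostRecord], after: Iterable[HostRecord],
                       allow_add: Set[HostRecord], allow_rm: Set[HostRecord]) -> List[str]:
    """List every difference between two full-zone snapshots that was not
    intended. An empty list means the push touches only the challenge record;
    anything else means an unrelated record would be clobbered."""
    b, a = set(before), set(after)
    bad = [f"added {r.name} {r.rtype} {r.address}" for r in (a - b) - allow_add]
    bad += [f"removed {r.name} {r.rtype} {r.address}" for r in (b - a) - allow_rm]
    return sorted(bad)

def _guarded(zone: List[HostRecord], proposed: List[HostRecord],
             allow_add: Set[HostRecord], allow_rm: Set[HostRecord]) -> List[HostRecord]:
    problems = collateral_changes(zone, proposed, allow_add, allow_rm)
    if problems:  # e.g. a record lost between the read and the write
        raise ValueError("refusing full-zone push: " + "; ".join(problems))
    return proposed

def add_challenge(zone: List[HostRecord], label: str, token: str) -> List[HostRecord]:
    """Zone to push before validation: the fetched records plus the TXT."""
    rec = acme_txt(label, token)
    return _guarded(zone, list(zone) + [rec], {rec}, set())

def remove_challenge(zone: List[HostRecord], label: str, token: str) -> List[HostRecord]:
    """Zone to push after validation: the fetched records minus the TXT."""
    rec = acme_txt(label, token)
    return _guarded(zone, [r for r in zone if r != rec], set(), {rec})
```

    Running `add_challenge` on a snapshot that lost a record between read and write raises instead of silently pushing the truncated zone.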



  • It's only been 3 months, but I have not made any real headway.

    I just manually renewed once more :)

    • Add A record in Namecheap DNS for pfsense.mydomain.com
    • Add firewall NAT PF rule to allow inbound HTTP to pfSense firewall
    • run renew in ACME package
    • shell command /etc/rc.restart_webgui
    • disable firewall NAT PF rule to allow inbound HTTP to pfSense firewall
    • remove A record in Namecheap DNS for pfsense.mydomain.com

    Would be great to have this fully automated.
    ClouDNS has a free tier that would seem to do, and it's listed by name in the ACME Domain SAN list.



  • @jimp:

    I love Namecheap, all of my domains are registered there, but they have not been very good for API/dynamic updates for anything other than A records.

    I use namecheap as my registrar, but Cloudflare as my DNS service, free for 1 domain, and don't even use the cache/reverse proxy anymore, and it works great with ACME.



  • thanks, I will give that a try!



  • Strange.
    With:
    @MervinCM:

    pfSense 2.4.2R-p1

    This one
    @MervinCM:

    acme package installed (v0.1.34)

    has been replaced ages ago with

    acme package installed (v0.2.2)

    Packages like acme should be kept on the latest version - no exceptions.
    You probably have upgrade and update problems; handle them asap.

    edit: oops, first post dates from 24/11/2017 ...
    Anyway, update, a new one came out ;)



  • https://github.com/Neilpang/acme.sh/tree/master/dnsapi#53-use-namecheap says that acme.sh supports namecheap.com's API to issue and renew certs automatically.
    Yet, namecheap is not in the dropdown list (see picture below).
    How come? Thank you.


  • Rebel Alliance Developer Netgate

    It was recently added to acme.sh, we have not synced up to their code yet to pull that in. It will be added eventually.


  • Rebel Alliance Developer Netgate

    Also: The limitation I listed above is still true. It is supported, but the API sucks.

    https://github.com/Neilpang/acme.sh/blob/master/dnsapi/dns_namecheap.sh#L7



  • Thank you Jim! I know the limitations still hold true but luckily they don't affect me!