Automatic LetsEncrypt for proxy with ACME plugin

  • Hi,
    I just wanted to share my settings for those having problems. All of my HTTPS is applied at my v-host server.  I was having issues making this fully automatic from pfSense but I got it figured out today.

    This is to assist you in setting up webroot over the top of an existing server.

    Here's what we will accomplish

    • pfSense ACME will automatically update

    Here's how we will accomplish this

    • Set up a webroot in pfSense ACME
    • Set up a way to automatically SCP the key and cer files at the end of ACME update
    • Set up a reverse proxy to send the authentication requests back to pfsense
    • Set up the certificates to be applied with a single "include" statement on any new host.

    Here's my setup
    This is for reference, in case you are wondering what a proxy is/does.  It stands between the server and the outside world. It's also a great place to apply all of your https.
    Internet - Firewall - Apache proxy/v-host server - actual host

    Note: If you're trying to copy the code below, please note you must replace the entirety of <any specific information>, including the angle brackets.

    pfSense setup
    Account Keys
    I set up a key and registered it with Let's Encrypt Production

    For Certificates,
    See attached picture.

    Mode: Enabled
    Domainname: <my domain>
    Method: webroot local folder
    Root Folder: /usr/local/www/.well-known/acme-challenge/

    Actions List:
    You need to set up certificates to automatically log in and perform actions.  There is a problem here though.  For SSH, the connection won't automate commands for me.  So I'm plain-texting my password to the v-host server.
    Action list 1:

    scp /tmp/acme/<location from dry run of acme>/fullchain.cer <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/
    scp /tmp/acme/<location from dry run of acme>/<my site>.key <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/

    There is a critical problem with simply running this.  Because it is a live website, reloading the apache server requires me to pass in a password.  Maybe you have a better option?  Mention it below
    Action list 2:

    ssh <myusername>@<my.ser.ver.ip> "echo '<mypassword>' | sudo -kS service apache2 reload"

    Apache Server Configuration
    You need to create a username for pfSense to log in if you don't already have a service account.

    Create a folder for your certs

    sudo mkdir /etc/apache2/certs

    create /etc/apache2/certs/certs.conf.

    sudo nano /etc/apache2/certs/certs.conf

    add the following content to it:

    SSLCertificateFile  /etc/apache2/certs/fullchain.cer
    SSLCertificateKeyFile  /etc/apache2/certs/<my key from acme output>.key
    ProxyPass /.well-known/acme-challenge http://<ip to pfsense>/.well-known/acme-challenge
    ProxyPassReverse /.well-known/acme-challenge http://<ip to pfsense>/.well-known/acme-challenge

    now set the permissions of the certs so pfSense can access it and enable proxying.

    sudo chown root:www-data /etc/apache2/certs/*;
    sudo chmod 640 /etc/apache2/certs/*;
    sudo a2enmod proxy

    Now, for each of your new v-hosts, applying permanent HTTPS access is as easy as adding an entry to pfSense ACME and adding this line to your .conf file:

    Include /etc/apache2/certs/certs.conf

    Now pfSense ACME should be able to automatically generate and update your certificates.  This works because we are proxying the /.well-known/acme-challenge directory back to the firewall, where the webroot takes over and handles your certificates.  After the authentication, pfSense should take your ACME certs and SCP the files to your server, then reload the Apache server.

    If you are missing any values, run ACME once, and read the log it provides.  All the certificate files are within the logs.  All the Addresses and account names/passwords you should have.

    Please note, this is only intended to be an example for a single site.  Your configuration will be different if you must modify multiple sites or if you have anything special.

    I'm interested in feedback on this.  If you have any concerns/pictures to add please mention them and I'll modify the guide above.


  • Rebel Alliance Developer Netgate

    Why on Earth would you do it that way vs just handling ACME on the server? If the certificate has nothing to do with pfSense, and the proxy or web server is capable of handling the request, just handle it there with a local ACME client (certbot, dehydrated, etc).

    Exposing the firewall web server, adding users to scp keys around… Lots of things here are using insecure practices, or at least less-than-ideal ones.
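The reload action in the first post pipes the account password into sudo over SSH. As an added example that is not from either poster, here is a server-side deploy script (hypothetical name /usr/local/sbin/deploy-cert, assumed staging directory /var/lib/acme-stage, openssl and apachectl assumed present) that pfSense could invoke through a single passwordless sudoers entry after scp'ing the files; it refuses to install a key that does not match the certificate or an expired certificate, and reloads Apache only if the configuration parses.

```shell
#!/bin/sh
# Added example (not from the thread): server-side deploy script, assumed to be
# installed as /usr/local/sbin/deploy-cert and allowed by a sudoers rule such as
#   <myusername> ALL=(root) NOPASSWD: /usr/local/sbin/deploy-cert
# so the pfSense action becomes: ssh <myusername>@<my.ser.ver.ip> sudo deploy-cert --run
# pfSense is assumed to scp fullchain.cer and the key into STAGE beforehand.
set -eu

STAGE="${STAGE:-/var/lib/acme-stage}"       # assumed staging directory for scp
CERT_DIR="${CERT_DIR:-/etc/apache2/certs}"   # directory used in the guide
KEY_NAME="${KEY_NAME:-site.key}"             # <my key from acme output>.key

# Succeeds only when the private key's public half equals the certificate's
# public key. Comparing derived public keys works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid for at least one more day.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

deploy() {
    cert="$STAGE/fullchain.cer"; key="$STAGE/$KEY_NAME"
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    cert_not_expiring "$cert"       || { echo "certificate expired or expiring" >&2; return 1; }
    # Same ownership and mode as the guide (root:www-data, 0640); swap in atomically.
    install -o root -g www-data -m 0640 "$cert" "$CERT_DIR/fullchain.cer.new"
    install -o root -g www-data -m 0640 "$key"  "$CERT_DIR/$KEY_NAME.new"
    mv -f "$CERT_DIR/fullchain.cer.new" "$CERT_DIR/fullchain.cer"
    mv -f "$CERT_DIR/$KEY_NAME.new"     "$CERT_DIR/$KEY_NAME"
    # Reload only if the whole configuration parses; a failed reload affects every v-host.
    apachectl configtest && service apache2 reload
}

if [ "${1:-}" = "--run" ]; then deploy; fi
```

With this in place the SSH account needs no shell password at all, and key-based SSH authentication restricted to that one command covers both action list entries.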
