Netgate Discussion Forum

    Automatic LetsEncrypt for proxy with ACME plugin

    2 Posts 2 Posters 4.9k Views

    adamoutler

      Hi,
      I just wanted to share my settings for those having problems. All of my HTTPS is applied at my v-host server. I was having issues making this fully automatic from pfSense, but I got it figured out today.

      Intro
      This is to assist you in setting up webroot over the top of an existing server.

      Here's what we will accomplish

      • pfSense ACME will automatically update

      Here's how we will accomplish this

      • Set up a webroot in pfSense ACME
      • Set up a way to automatically SCP the key and cer files at the end of ACME update
      • Set up a reverse proxy to send the authentication requests back to pfsense
      • Set up the certificates to be applied with a single "include" statement on any new host.

      Here's my setup
      This is for reference, in case you are wondering what a proxy is/does. It stands between the server and the outside world. It's also a great place to apply all of your HTTPS.
      Internet - Firewall - Apache proxy/v-host server - actual host

      Note: If you're trying to copy the code below, please note you must replace the entirety of <any specific information>, including the angle brackets.

      pfSense setup
      Account Keys
      I set up a key and registered it with Let's Encrypt Production

      For Certificates,
      See attached picture.

      Mode: Enabled
      Domainname: <my-server.com>
      Method: webroot local folder
      Root Folder: /usr/local/www/.well-known/acme-challenge/

      Actions List:
      You need to set up certificates to automatically log in and perform actions. There is a problem here, though. For SSH, the connection won't automate commands for me. So I'm plain-texting my password to the v-host server.
      Action list 1:

      scp /tmp/acme/<location from dry run of acme>/fullchain.cer <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/
      scp /tmp/acme/<location from dry run of acme>/<my site>.key <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/
      

      There is a critical problem with simply running this. Because it is a live website, reloading the Apache server requires me to pass in a password. Maybe you have a better option? Mention it below.
      Action list 2:

      ssh <myusername>@<my.ser.ver.ip> "echo '<mypassword>' | sudo -kS service apache2 reload"
      

      Apache Server Configuration
      You need to create a username for pfSense to log in with if you don't already have a service account.

      Create a folder for your certs

      sudo mkdir /etc/apache2/certs
      

      Create /etc/apache2/certs/certs.conf:

      sudo nano /etc/apache2/certs/certs.conf
      

      Add the following content to it:

      # SSLEngine on is required for the two certificate directives below to take effect in a *:443 vhost
      SSLEngine on
      SSLCertificateFile /etc/apache2/certs/fullchain.cer
      SSLCertificateKeyFile /etc/apache2/certs/<my key from acme output>.key
      # trailing slashes so only paths under the challenge directory are forwarded to pfSense
      ProxyPass /.well-known/acme-challenge/ http://<ip to pfsense>/.well-known/acme-challenge/
      ProxyPassReverse /.well-known/acme-challenge/ http://<ip to pfsense>/.well-known/acme-challenge/
      

      Now set the permissions of the certs so pfSense can access them, and enable proxying.

      # the scp user (<myusername>) must own the directory and files, or the next renewal cannot overwrite them
      sudo chown <myusername>:www-data /etc/apache2/certs /etc/apache2/certs/*
      sudo chmod 750 /etc/apache2/certs
      sudo chmod 640 /etc/apache2/certs/*
      # ProxyPass to an http:// backend needs proxy_http as well as proxy; new modules need a restart
      sudo a2enmod proxy proxy_http
      sudo service apache2 restart
      
      

      Now, for each of your new v-hosts, applying permanent HTTPS access is as easy as adding an entry to pfSense ACME and adding this line to your .conf file:

      Include /etc/apache2/certs/certs.conf
      

      Conclusion
      Now pfSense ACME should be able to automatically generate and update your certificates. This works because we are proxying the /.well-known/acme-challenge directory back to the firewall, where the webroot takes over and handles your certificates. After the authentication, pfSense should take your ACME certs and SCP the files to your server, then reload the Apache server.

      If you are missing any values, run ACME once and read the log it provides. All the certificate files are within the logs. All the addresses and account names/passwords you should have.

      Please note, this is only intended to be an example for a single site.  Your configuration will be different if you must modify multiple sites or if you have anything special.

      I'm interested in feedback on this.  If you have any concerns/pictures to add please mention them and I'll modify the guide above.
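    The action lists above send a plaintext sudo password over SSH and give pfSense an unrestricted shell login on the web host. The script below is an added example (not from the original post, and not part of pfSense or the ACME package) of a narrower deployment step: pfSense streams the chain and key over one SSH connection using a dedicated key that is locked to this forced command, and the host side verifies that the private key actually matches the leaf certificate, installs both atomically, and reloads Apache only after a successful configtest, rolling back otherwise. The user name "deploy", the paths under /usr/local/sbin and /etc/apache2/certs, the file name site.key and the sudoers/authorized_keys lines in the comments are all assumptions for the example.

```shell
#!/bin/sh
# install-cert.sh -- forced command for a restricted SSH deploy key on the Apache host.
# Reads ONE PEM stream on stdin (full chain first, then the private key), checks that
# the key matches the leaf certificate, installs both atomically, and reloads Apache
# only if the configuration still passes configtest. Nothing is installed on failure.
#
# Hypothetical authorized_keys entry for a dedicated "deploy" user (assumed name):
#   command="/usr/local/sbin/install-cert.sh",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAA... pfsense-acme
# Hypothetical sudoers entry (via visudo) so only these two commands run without a password:
#   deploy ALL=(root) NOPASSWD: /usr/sbin/apachectl configtest, /usr/sbin/apachectl graceful
# Assumed pfSense ACME action replacing the two scp lines and the ssh/sudo line:
#   cat /tmp/acme/<site>/fullchain.cer /tmp/acme/<site>/<site>.key | ssh -i /root/.ssh/acme_deploy deploy@<ip>
# certs.conf on the Apache side then points at $CERT_DIR/fullchain.cer and $CERT_DIR/site.key.
set -u

CERT_DIR="${CERT_DIR:-/etc/apache2/certs}"          # must be owned by the deploy user
CONFIGTEST_CMD="${CONFIGTEST_CMD:-sudo /usr/sbin/apachectl configtest}"
RELOAD_CMD="${RELOAD_CMD:-sudo /usr/sbin/apachectl graceful}"

# split_pem IN CHAIN KEY: copy CERTIFICATE blocks from IN to CHAIN and the PRIVATE KEY block to KEY.
split_pem() {
    awk -v chain="$2" -v key="$3" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
        /^-----BEGIN CERTIFICATE-----$/   { out = chain }
        out != ""                         { print > out }
        /^-----END /                      { out = "" }
    ' "$1"
}

# key_matches_cert CHAIN KEY: succeed only if KEY's public key equals the leaf certificate's.
# openssl x509 reads just the first certificate in the file, i.e. the leaf of a fullchain.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_file NEW FINAL: keep FINAL.bak for rollback, then swap NEW in with an atomic rename.
install_file() {
    if [ -f "$2" ]; then cp -p "$2" "$2.bak" || return 1; fi
    mv "$1" "$2.new" && mv "$2.new" "$2"
}

# rollback: put the previous chain and key back if a .bak copy exists.
rollback() {
    for f in fullchain.cer site.key; do
        [ -f "$CERT_DIR/$f.bak" ] && mv "$CERT_DIR/$f.bak" "$CERT_DIR/$f"
    done
}

# deploy_from_stdin: entry point run by sshd as the forced command.
# Return codes: 2 malformed upload, 3 key/cert mismatch, 4 configtest failed (rolled back), 5 reload failed.
deploy_from_stdin() {
    tmp=$(mktemp -d) || return 1
    umask 077                                   # key material is never created world-readable
    cat > "$tmp/upload.pem"
    split_pem "$tmp/upload.pem" "$tmp/fullchain.cer" "$tmp/site.key"
    if ! [ -s "$tmp/fullchain.cer" ] || ! [ -s "$tmp/site.key" ]; then rm -rf "$tmp"; return 2; fi
    if ! key_matches_cert "$tmp/fullchain.cer" "$tmp/site.key"; then rm -rf "$tmp"; return 3; fi
    chmod 640 "$tmp/fullchain.cer" "$tmp/site.key"
    install_file "$tmp/fullchain.cer" "$CERT_DIR/fullchain.cer" || { rm -rf "$tmp"; return 1; }
    install_file "$tmp/site.key" "$CERT_DIR/site.key" || { rollback; rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then rollback; return 4; fi
    rm -f "$CERT_DIR/fullchain.cer.bak" "$CERT_DIR/site.key.bak"
    $RELOAD_CMD >/dev/null 2>&1 || return 5
}

# Act as the forced command only when executed directly (so the functions can also be sourced).
case "${0##*/}" in install-cert.sh) deploy_from_stdin ;; esac
```

    Because the key is bound to this one command with no pty or forwarding, a compromised pfSense box can at most push a certificate that already matches its own private key; it cannot run arbitrary commands on the web host, and the only sudo rights the deploy user needs are the two Apache control commands. The key/cert comparison also catches the common renewal mistake of copying a chain and key from different ACME runs.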
    jimp (Netgate Developer)
        Why on Earth would you do it that way vs just handling ACME on the server? If the certificate has nothing to do with pfSense, and the proxy or web server is capable of handling the request, just handle it there with a local ACME client (certbot, acme.sh, dehydrated, etc)

        Exposing the firewall web server, adding users to scp keys around… Lots of things here are using insecure practices, or at least less-than-ideal ones.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.