Automatic LetsEncrypt for proxy with ACME plugin
adamoutler
I just wanted to share my settings for those having problems. All of my HTTPS is applied at my v-host server. I was having issues making this fully automatic from pfSense, but I got it figured out today.
This is to assist you in setting up webroot over the top of an existing server.
Here's what we will accomplish
- pfSense ACME will automatically update
Here's how we will accomplish this
- Set up a webroot in pfSense ACME
- Set up a way to automatically SCP the key and cer files at the end of ACME update
- Set up a reverse proxy to send the authentication requests back to pfsense
- Set up the certificates to be applied with a single "include" statement on any new host.
Here's my setup
This is for reference, in case you are wondering what a proxy is/does. It stands between the server and the outside world. It's also a great place to apply all of your https.
Internet - Firewall - Apache proxy/v-host server - actual host
Note: If you're trying to copy the code below, please note you must replace the entirety of <any specific information>, including the angle brackets.
I set up a key and registered it with Let's Encrypt Production
See attached picture.
Domain name: <my server.com>
Method: webroot local folder
Root Folder: /usr/local/www/.well-known/acme-challenge/
You need to set up certificates to automatically log in and perform actions. There is a problem here though. For SSH, the connection won't automate commands for me. So I'm plain-texting my password to the v-host server.
Action list 1:
scp /tmp/acme/<location from dry run of acme>/fullchain.cer <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/
scp /tmp/acme/<location from dry run of acme>/<my site>.key <myusername>@<my.ser.ver.ip>:/etc/apache2/certs/
There is a critical problem with simply running this. Because it is a live website, reloading the apache server requires me to pass in a password. Maybe you have a better option? Mention it below
Action list 2:
ssh <myusername>@<my.ser.ver.ip> "echo '<mypassword>' | sudo -kS service apache2 reload"
Apache Server Configuration
You need to create a username for pfSense to log in if you don't already have a service account.
Create a folder for your certs
sudo mkdir /etc/apache2/certs
sudo nano /etc/apache2/certs/certs.conf
add the following content to it:
SSLCertificateFile /etc/apache2/certs/fullchain.cer
SSLCertificateKeyFile /etc/apache2/certs/<my key from acme output>.key
ProxyPass /.well-known/acme-challenge http://<ip to pfsense>/.well-known/acme-challenge
ProxyPassReverse /.well-known/acme-challenge http://<ip to pfsense>/.well-known/acme-challenge
Now set the permissions of the certs so pfSense can access them, and enable proxying.
sudo chown root:www-data /etc/apache2/certs/*; sudo chmod 640 /etc/apache2/certs/*; sudo a2enmod proxy
Now, for each of your new v-hosts, applying permanent HTTPS access is as easy as adding an entry in pfSense ACME and adding this line to your .conf file.
Now pfSense ACME should be able to automatically generate and update your certificates. This works because we are proxying the /.well-known/acme-challenge directory back to the firewall, where the webroot takes over and handles your certificates. After the authentication, pfSense should take your ACME certs, SCP the files to your server, then reload the Apache server.
If you are missing any values, run ACME once, and read the log it provides. All the certificate files are within the logs. All the Addresses and account names/passwords you should have.
Please note, this is only intended to be an example for a single site. Your configuration will be different if you must modify multiple sites or if you have anything special.
I'm interested in feedback on this. If you have any concerns/pictures to add please mention them and I'll modify the guide above.
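The post's action lists copy the files with scp and then pipe a plaintext password into sudo to reload Apache. Below is an added example, not from the post or from the pfSense ACME package, of what the same two actions look like with a dedicated SSH key and a sudoers rule scoped to the one reload command, so no password is stored in the ACME action list or sent over the wire. Everything named here is an assumption for illustration: the service account `acme-deploy` owning /etc/apache2/certs, the key /root/.ssh/acme_deploy on pfSense, the host name, and the `DEPLOY_*` variables. The script also refuses to reload when fullchain.cer was not issued for the copied key, and copies to temporary names first so a reload can never load a half-written file. One caveat on the proxy side: http-01 validation begins on port 80, so the ProxyPass for /.well-known/acme-challenge has to be reachable from the plain-HTTP vhost as well (directly, or through a redirect to HTTPS), not only from the vhost that includes certs.conf.

```shell
#!/bin/sh
# deploy-cert.sh  (added example; not part of the original post)
# Run from the pfSense ACME "action list" as:
#   /root/deploy-cert.sh /tmp/acme/<acme dir> <my site>
# in place of the two scp lines and the "echo '<mypassword>' | sudo -kS" reload.
#
# Assumed, none of it taken from the post:
#   DEPLOY_USER  service account on the Apache host that owns CERT_DIR
#   DEPLOY_KEY   SSH key on pfSense; its public half is installed for
#                DEPLOY_USER with the authorized_keys line from authorized_key_line()
#   /etc/sudoers.d/acme-deploy on the host contains the line from sudoers_line()
set -eu

DEPLOY_USER=${DEPLOY_USER:-acme-deploy}
DEPLOY_HOST=${DEPLOY_HOST:-vhost.example.internal}
DEPLOY_KEY=${DEPLOY_KEY:-/root/.ssh/acme_deploy}
CERT_DIR=${CERT_DIR:-/etc/apache2/certs}
RELOAD_CMD='sudo /usr/sbin/service apache2 reload'

# Same options for every connection: key auth only, never prompt, never TOFU a new host key.
ssh_() { ssh -i "$DEPLOY_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$@"; }
scp_() { scp -i "$DEPLOY_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$@"; }

# cert_matches_key CER KEY: succeed only if the certificate was issued for this
# private key. Compares the SubjectPublicKeyInfo, so it works for RSA and
# ECDSA keys alike (a modulus comparison would only cover RSA).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# sudoers_line USER: the single line for /etc/sudoers.d/acme-deploy on the host.
# Scoped to one absolute command, so the key cannot run anything else as root.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload\n' "$1"
}

# authorized_key_line FROM PUBKEY: the authorized_keys entry for the pfSense key.
# "restrict" disables pty, agent, port and X11 forwarding; from= pins the key to
# the firewall's address so it is useless from anywhere else.
authorized_key_line() {
    printf 'restrict,from="%s" %s\n' "$1" "$2"
}

# deploy ACME_DIR SITE: copy fullchain.cer and SITE.key, then reload Apache once.
deploy() {
    acme_dir=$1; site=$2
    cer="$acme_dir/fullchain.cer"; key="$acme_dir/$site.key"
    [ -s "$cer" ] && [ -s "$key" ] || { echo "missing cert or key in $acme_dir" >&2; return 1; }
    cert_matches_key "$cer" "$key" || { echo "fullchain.cer does not match $site.key" >&2; return 1; }

    # Copy under temporary names: the live file names change only in the rename below.
    scp_ "$cer" "$DEPLOY_USER@$DEPLOY_HOST:$CERT_DIR/fullchain.cer.new"
    scp_ "$key" "$DEPLOY_USER@$DEPLOY_HOST:$CERT_DIR/$site.key.new"
    # Rename atomically, then reload. sudoers permits exactly RELOAD_CMD for
    # DEPLOY_USER, so no password is needed or sent.
    ssh_ "$DEPLOY_USER@$DEPLOY_HOST" \
        "chmod 600 '$CERT_DIR/$site.key.new' && \
         mv '$CERT_DIR/fullchain.cer.new' '$CERT_DIR/fullchain.cer' && \
         mv '$CERT_DIR/$site.key.new' '$CERT_DIR/$site.key' && \
         $RELOAD_CMD"
}

# Deploy only when called with arguments; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    deploy "$1" "$2"
fi
```

Install the output of `sudoers_line acme-deploy` with `visudo -f /etc/sudoers.d/acme-deploy` and the output of `authorized_key_line <pfSense LAN address> "$(cat acme_deploy.pub)"` in the service account's ~/.ssh/authorized_keys. If the files in /etc/apache2/certs are owned by root, as the post's chown does, the service account cannot overwrite them; the example assumes the account owns that directory instead. The reply below takes the other route, running the ACME client on the Apache host itself, which removes the copy step entirely.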
Why on Earth would you do it that way vs just handling ACME on the server? If the certificate has nothing to do with pfSense, and the proxy or web server is capable of handling the request, just handle it there with a local ACME client (certbot, acme.sh, dehydrated, etc)
Exposing the firewall web server, adding users to scp keys around… Lots of things here are using insecure practices, or at least less-than-ideal ones.