How to automate pulling certs to DMZ?

  • At a site we plan to migrate a mailserver to LE-cert(s).
    This means switching over apache/dovecot/postfix to the LE-cert I already generate on pfsense with the ACME-package.

    I run webservices with SSL-offloading at other sites already, sure, but in this case we want to just change the cert and not fiddle with the services ... so it would be great to be able to automate pulling the cert/key from pfsense via cron. How to do that? Plain scp/rsync job? Or is there a clever mechanism somewhere already?

    I prefer managing the cert-stuff on the pfsense and not letting the mailserver do certbot-jobs or so.

  • Rebel Alliance Developer Netgate

    In most cases it is best to have the servers handle their own LE verification rather than relying on a central server.

    That said, in pfSense you could activate the ACME package option to write the certificates to the filesystem, and then write your own script to run from cron or after renew that copies the certificates from /conf/acme/ over to the other servers.

    Or you could have a script on the server periodically pull the cert from the firewall via scp.
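    A pull script of the kind described in the second option, added here as an example rather than code from the thread or from the pfSense ACME package; the file names under /conf/acme/, the dedicated read-only SSH user and the service names are assumptions, and the script reloads nothing unless the fetched certificate differs from the installed one and matches its key.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread or from the pfSense ACME package.
    # Pulls the cert/key the ACME package wrote under /conf/acme/ and reloads the
    # mail services only when the certificate actually changed. The file names,
    # the read-only SSH user "certpull" and the service names are assumptions.
    set -eu
    PFSENSE="${PFSENSE:-certpull@pfsense.example.internal}"
    REMOTE_DIR="${REMOTE_DIR:-/conf/acme}"
    DOMAIN="${DOMAIN:-mail.example.com}"   # certificate name used in the ACME package
    DEST="${DEST:-/etc/ssl/mail}"

    # Copy fullchain + key into a private (0700) temp dir; print its path.
    fetch_certs() {
        tmp=$(mktemp -d)
        scp -q "$PFSENSE:$REMOTE_DIR/$DOMAIN.fullchain" "$tmp/fullchain.pem"
        scp -q "$PFSENSE:$REMOTE_DIR/$DOMAIN.key" "$tmp/privkey.pem"
        echo "$tmp"
    }

    # Reject a fetched pair whose key does not belong to the cert, or an expired cert.
    key_matches_cert() {
        openssl x509 -noout -checkend 0 -in "$1/fullchain.pem" >/dev/null || return 1
        certpub=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem")
        keypub=$(openssl pkey -pubout -in "$1/privkey.pem")
        [ "$certpub" = "$keypub" ]
    }

    # Install from $1 into $2 only when the cert differs from the installed one.
    # Returns 0 when files were installed, 1 when nothing changed.
    install_if_changed() {
        src="$1"; dest="$2"
        if [ -f "$dest/fullchain.pem" ] && cmp -s "$src/fullchain.pem" "$dest/fullchain.pem"; then
            return 1
        fi
        mkdir -p "$dest"
        cp "$src/privkey.pem" "$dest/privkey.pem.new";     chmod 600 "$dest/privkey.pem.new"
        cp "$src/fullchain.pem" "$dest/fullchain.pem.new"; chmod 644 "$dest/fullchain.pem.new"
        # Swap only after both copies succeeded, so a reload never sees a mismatched pair.
        mv "$dest/privkey.pem.new" "$dest/privkey.pem"
        mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    }

    main() {
        tmp=$(fetch_certs); trap 'rm -rf "$tmp"' EXIT
        key_matches_cert "$tmp" || { echo "fetched cert/key rejected, not installing" >&2; exit 1; }
        if install_if_changed "$tmp" "$DEST"; then
            for svc in apache2 dovecot postfix; do systemctl reload "$svc"; done
        fi
    }
    if [ "${1:-}" = pull ]; then main; fi   # cron: certpull.sh pull
    ```

    The SSH key used by the pull job should be limited on the firewall side to reading those two files, since the private key travels with the cert.
    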

  • OK. Installed cert-bot on the mailserver and set up that ACME-challenge-dir etc // seems to work now. Thanks so far!