Netgate Discussion Forum

    How to automate pulling certs to DMZ?

      sgw

      At a site we plan to migrate a mailserver to LE-cert(s).
      This means switching over apache/dovecot/postfix to the LE-cert I already generate on pfsense with the ACME-package.

      I run webservices with SSL-offloading at other sites already, sure, but in this case we want to just change the cert and not fiddle with the services ... so it would be great to be able to automate pulling the cert/key from pfsense via cron. How to do that? plain scp/rsync job? Or is there a clever mechanism somewhere already?

      I prefer managing the cert-stuff on the pfsense and not letting the mailserver do certbot-jobs or so.

        jimp Rebel Alliance Developer Netgate

        In most cases it is best to have the servers handle their own LE verification rather than relying on a central server.

        That said, in pfSense you could activate the ACME package option to write the certificates to the filesystem, and then write your own script to run from cron or after renew that copies the certificates from /conf/acme/ over to the other servers.

        Or you could have a script on the server periodically pull the cert from the firewall via scp.

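A push script of the kind jimp describes above, added here as an example (it is not from the thread and not part of the pfSense ACME package): it runs on pfSense from cron or from whatever hook you attach to a successful renewal, refuses to ship a private key that does not match the certificate (a half-written renewal would otherwise break the mail services), skips the copy and reload when the certificate has not changed, and reloads the services on the mail server over SSH. Everything concrete in it is an assumption: the `/conf/acme/<name>.crt`, `.key` and `.fullchain` file names, the certificate name `mail.example.com`, the `certpush` account, the SSH key path, the remote directory and the service names. It is POSIX sh because that is what pfSense (FreeBSD) ships.

```shell
#!/bin/sh
# acme-push.sh: copy a renewed ACME cert from pfSense to a mail server.
# Added example, not the ACME package's own code. Assumed (adjust to taste):
# the package's "write certificates to the filesystem" option is on and
# produces /conf/acme/<name>.crt, <name>.key and <name>.fullchain; the mail
# server has a low-privilege 'certpush' account that may only receive the
# files and reload the three services.
set -eu

ACME_DIR="${ACME_DIR:-/conf/acme}"
CERT_NAME="${CERT_NAME:-mail.example.com}"      # assumed cert name in the ACME package
STATE_DIR="${STATE_DIR:-/var/db/acme-push}"
REMOTE="${REMOTE:-certpush@mail.example.com}"   # assumed dedicated account on the mail server
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/mail}"       # assumed directory the services read from
SSH_KEY="${SSH_KEY:-/root/.ssh/acme-push}"      # assumed key used only for this job

# Returns 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {   # key_matches_cert CERT KEY
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if CERT's checksum differs from the one recorded in STAMP (or no stamp yet).
cert_changed() {       # cert_changed CERT STAMP
  new=$(cksum < "$1" | cut -d' ' -f1)
  old=$(cat "$2" 2>/dev/null || echo none)
  [ "$new" != "$old" ]
}

# Records CERT's checksum in STAMP; called only after a successful push.
record_push() {        # record_push CERT STAMP
  cksum < "$1" | cut -d' ' -f1 > "$2"
}

# Copies cert, chain and key into STAGE with tight modes. Refuses to stage when a
# file is missing or the key does not belong to the cert (half-written renewal).
stage_cert() {         # stage_cert SRC_DIR NAME STAGE
  src=$1; name=$2; dst=$3
  for f in "$name.crt" "$name.key" "$name.fullchain"; do
    [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
  done
  key_matches_cert "$src/$name.crt" "$src/$name.key" \
    || { echo "$name: key does not match cert, not pushing" >&2; return 1; }
  mkdir -p "$dst" && chmod 700 "$dst"
  cp "$src/$name.crt" "$dst/cert.pem"
  cp "$src/$name.fullchain" "$dst/fullchain.pem"
  cp "$src/$name.key" "$dst/privkey.pem"
  chmod 644 "$dst/cert.pem" "$dst/fullchain.pem"
  chmod 600 "$dst/privkey.pem"
}

main() {
  stage="$STATE_DIR/stage"
  stamp="$STATE_DIR/$CERT_NAME.last"
  mkdir -p "$STATE_DIR"
  if ! cert_changed "$ACME_DIR/$CERT_NAME.crt" "$stamp"; then
    echo "$CERT_NAME: unchanged since last push"; return 0
  fi
  stage_cert "$ACME_DIR" "$CERT_NAME" "$stage"
  scp -q -i "$SSH_KEY" "$stage/cert.pem" "$stage/fullchain.pem" "$stage/privkey.pem" \
    "$REMOTE:$REMOTE_DIR/"
  # Reload only; the remote account is assumed to be limited to exactly this via sudoers.
  ssh -i "$SSH_KEY" "$REMOTE" \
    'sudo service postfix reload && sudo service dovecot reload && sudo service apache2 reload'
  record_push "$ACME_DIR/$CERT_NAME.crt" "$stamp"
}

# Run the push only when asked, so the functions can be sourced or tested on their own.
if [ "${1:-}" = "push" ]; then main; fi
```

Run it as `sh acme-push.sh push` from cron on pfSense (for example once a day, shortly after the ACME package's own renewal run). On the mail server, create the `certpush` account, put the pfSense public key in its `authorized_keys` with a `command=` restriction so the key cannot open a shell, and grant it sudo for the three reload commands only. Pushing from the firewall in this direction is preferable to the scp-pull variant from the second paragraph of the reply: with a pull, the DMZ host has to hold credentials that log in to the firewall, which is exactly the host you least want able to do that.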
          sgw

          ok. Installed certbot on the mailserver and set up that ACME-challenge-dir etc // seems to work now. Thanks so far!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.