Automated cert renewal



  • Hi,

    what's the recommended way to automatically update renewed certificates for
    the pfsense GUI?

    What needs to be done:

    1. Add new certificate to
      System → Certificate Manager → Certificates
    2. Select this certificate in
      System → Advanced → Admin Access → SSL Certificate
    3. Possibly reload web server config

    Certs have been updated manually in the past. But since the move to
    Let's Encrypt, cert renewal should be automated. Certs are generated on another
    server, not on the pfsense box.

    According to a forum search there doesn't seem to be an API that could be
    utilised.


  • Rebel Alliance Developer Netgate

    You only need steps 1 and 2. Step 3 happens automatically when you save on step 2.

    So just import the new cert, switch the GUI to the new cert, done. You can remove the old cert once you are sure the new cert is working as expected.

    Let's Encrypt/ACME only renews its own certs (from the ACME package) in-place, that does not apply to certificates generated any other way.



  • @zjgn said in Automated cert renewal:

    Certs are generated on another
    server, not on the pfsense box.

    Have this box generate its certs except the one for pfSense, and let pfSense handle its cert using the package acme.

    True, there is no API. But you have the full shell script (several flavors), PHP (and thus indirect access to the config).

    Try Googling "pfsense import cert script" and you will find, as always, a lot of info on the very first link.
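
A sketch of steps 1 and 2 as a PHP script run on the pfSense box, added here as an example and not taken from the thread or from Netgate. It assumes the pfSense helpers `cert_import()`, `write_config()` and `send_event()` and a directly accessible `$config` array with certificates under `cert` and the GUI binding under `system/webgui/ssl-certref`; the file paths and description text are placeholders.

```php
<?php
// Added example. Usage (paths are placeholders):
//   php -f import_gui_cert.php /tmp/fullchain.pem /tmp/privkey.pem
require_once("config.inc");
require_once("certs.inc");
require_once("functions.inc");

if ($argc !== 3) {
    fwrite(STDERR, "usage: import_gui_cert.php <cert.pem> <key.pem>\n");
    exit(2);
}
$crt = file_get_contents($argv[1]);
$key = file_get_contents($argv[2]);
if ($crt === false || $key === false) {
    fwrite(STDERR, "cannot read certificate or key file\n");
    exit(1);
}

// Validate before touching the config: binding the GUI to a mismatched
// or expired certificate would break HTTPS access to the admin interface.
if (!openssl_x509_check_private_key($crt, $key)) {
    fwrite(STDERR, "private key does not match certificate\n");
    exit(1);
}
$info = openssl_x509_parse($crt);
if ($info === false || $info['validTo_time_t'] <= time()) {
    fwrite(STDERR, "certificate is unparsable or already expired\n");
    exit(1);
}

// Assumption: $config is the global populated by config.inc.
if (!isset($config['cert']) || !is_array($config['cert'])) {
    $config['cert'] = array();
}
foreach ($config['cert'] as $existing) {
    if (base64_decode($existing['crt']) === $crt) {
        echo "certificate already imported, nothing to do\n";
        exit(0);
    }
}

// Step 1: add the certificate to the Certificate Manager list.
$cert = array('refid' => uniqid(), 'descr' => 'GUI cert imported ' . date('Y-m-d'));
cert_import($cert, $crt, $key);
$config['cert'][] = $cert;

// Step 2: point the GUI at the new certificate and persist the change.
$config['system']['webgui']['ssl-certref'] = $cert['refid'];
write_config("Imported renewed GUI certificate via script");

// Saving in the GUI reloads the web server; a script has to request it.
send_event("service restart webgui");
```

The old certificate entry is left in place, so the GUI can be switched back by hand if the new one misbehaves.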



  • Using the acme package might be a solution. I haven't tried that.

    That link helped to get me started. Using the correct search terms massively helps getting more relevant search results. Thanks a lot for the quick response and the nudge in the right direction.

