Netgate Discussion Forum
    Certs not written to /conf/config.xml if "write certificates" selected in general settings

    ACME
    2 Posts 2 Posters 466 Views
    • yobyot

      If I select "Write certificates" in Acme's general settings, the LE certs output by the automatic renewal are written to the filesystem at /conf/acme but NOT to /conf/config.xml. If I do NOT select "Write certificates," then the renewed certs are written to /conf/config.xml but NOT to the filesystem at /conf/acme. That sounds to me like, "After we renew the certs for pfSense's use, we will also store them on the filesystem in case you need them for something else." But that, apparently, isn't the way the Acme package works.

      But I do need both: renewed certs in /conf/config.xml and on the filesystem at /conf/acme.

      I "get" that this package may want to offer users a way NOT to write the certs to /conf/config.xml, though it seems odd to me that someone would use Acme on pfSense NOT to write the certs to /conf/config.xml.

      But the way it works today completely misses a use case like mine where several devices on the LAN could make use of an LE cert but cannot since each of them requires port 80 to be open to Acme verification requests. Since LE allows multiple low-level names in each request (dev1.example.com, dev2.example.com, etc.), it's very convenient to use pfSense as the central renewal and distribution point.

      How could I get Acme renewed certs into both the filesystem and the Certificate Manager?

      • Gertjan

        Before posting:

        [screenshot]

        Right after manual cert renewal:

        [screenshot]

        You saw the date/time change?

        The relevant

        <cert>
              ....
              <crt> ........</crt>
             .....
        </cert>

        block in the config.xml showed me the cert was changed, thus saved to config.xml.

        How could pfSense otherwise use the new certificate after a reboot?
        Because it's in the config.xml .... (and nowhere else).

        Btw:

        [screenshot]

        edit: I tend to say: read the log from /tmp/acme/<your domain>/acme_issuecert.log and you have your answer why it was not renewed, and thus why it wasn't written to config.xml and why it doesn't show in System > Certificate Manager > Certificates

        Edit : See the official video : https://www.netgate.com/resources/videos/lets-encrypt-on-pfsense.html => 49 minutes and 30 seconds ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??
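A check for exactly the question in this thread, added here as an example (it is not code from either post, nor from the pfSense ACME package): it decodes the <crt>/<prv> entries from /conf/config.xml, compares the config.xml copy against the PEM the package wrote under /conf/acme by SHA-256 of the DER bytes, and can export the config.xml copy to PEM files so the certificate can be handed to LAN devices without depending on the "Write certificates" option. It assumes pfSense stores each certificate as a <cert> element whose <crt> and <prv> children are base64-encoded PEM (that is how a current pfSense config.xml looks, but verify against your own), that a python3 interpreter is available on the box, and that the paths, descr value, refid and DER bytes in the sample are constructed placeholders rather than a real certificate.

```python
"""Compare the certificate pfSense keeps in /conf/config.xml with the PEM file
the ACME package writes under /conf/acme, and export the config.xml copy.

Added example; not code from the forum thread or the pfSense ACME package.
Assumption: each certificate is a <cert> element in config.xml whose <crt>
and <prv> children hold base64-encoded PEM. Paths and names are placeholders.
"""
import base64
import hashlib
import os
import re
import sys
import xml.etree.ElementTree as ET

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first CERTIFICATE block in `pem`."""
    m = PEM_CERT.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def certs_from_config(config_xml: str) -> dict:
    """Map descr -> {'crt': PEM, 'prv': PEM or None} for every <cert> in config.xml."""
    certs = {}
    for cert in ET.fromstring(config_xml).iter("cert"):
        descr = (cert.findtext("descr") or "").strip()
        crt = cert.findtext("crt")
        if not descr or not crt:
            continue  # <ca> entries and incomplete records are skipped
        prv = cert.findtext("prv")
        certs[descr] = {
            "crt": base64.b64decode(crt).decode(),
            "prv": base64.b64decode(prv).decode() if prv else None,
        }
    return certs


def compare(config_xml: str, descr: str, disk_pem: str) -> dict:
    """Is the Certificate Manager entry `descr` the same certificate (same DER
    bytes) as the on-disk PEM? That is what decides whether a renewal reached
    both places."""
    certs = certs_from_config(config_xml)
    if descr not in certs:
        return {"in_config": False, "match": False}
    fp_cfg = pem_fingerprint(certs[descr]["crt"])
    fp_disk = pem_fingerprint(disk_pem)
    return {"in_config": True, "match": fp_cfg == fp_disk,
            "config_fp": fp_cfg, "disk_fp": fp_disk}


def export_from_config(config_xml: str, descr: str, out_dir: str) -> list:
    """Write <descr>.crt and <descr>.key from config.xml into out_dir.
    The key file is created 0600: config.xml already holds the private key,
    so the exported copy must not be more readable than that file is."""
    entry = certs_from_config(config_xml)[descr]
    os.makedirs(out_dir, exist_ok=True)
    crt_path = os.path.join(out_dir, descr + ".crt")
    with open(crt_path, "w") as fh:
        fh.write(entry["crt"])
    written = [crt_path]
    if entry["prv"]:
        key_path = os.path.join(out_dir, descr + ".key")
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(entry["prv"])
        written.append(key_path)
    return written


# --- constructed sample data: placeholder bytes, not a real certificate ---
def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


RENEWED_PEM = _pem(b"constructed DER placeholder: renewed certificate")
STALE_PEM = _pem(b"constructed DER placeholder: previous certificate")
SAMPLE_CONFIG = (
    '<?xml version="1.0"?>\n<pfsense>\n  <cert>\n'
    "    <refid>0000000000000</refid>\n"  # placeholder refid
    "    <descr><![CDATA[dev1.example.com]]></descr>\n"
    "    <type>server</type>\n"
    "    <crt>" + base64.b64encode(RENEWED_PEM.encode()).decode() + "</crt>\n"
    "    <prv>" + base64.b64encode(
        b"-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
    ).decode() + "</prv>\n"
    "  </cert>\n</pfsense>\n"
)

if __name__ == "__main__":
    # usage: check_acme_cert.py /conf/config.xml <descr> /conf/acme/<file>.crt
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as cfg, open(sys.argv[3]) as disk:
            print(compare(cfg.read(), sys.argv[2], disk.read()))
    else:
        print(compare(SAMPLE_CONFIG, "dev1.example.com", RENEWED_PEM))
        print(compare(SAMPLE_CONFIG, "dev1.example.com", STALE_PEM))
```

Run it after a renewal with the real config.xml, the descr shown in System > Certificate Manager and the PEM path the package wrote; a `match` of False with `in_config` True is the symptom described in the first post (two different certificates in the two places), and `in_config` False means the renewal never reached config.xml, which is where the acme_issuecert.log hint above applies. Comparing DER fingerprints rather than file timestamps matters because the package can rewrite an unchanged certificate; only the bytes tell you which copy is current.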

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.