Certs not written to /conf/config.xml if "write certificates" selected in general settings



  • If I select "Write certificates" in Acme's general settings, the automatic renewal output LE certs are written to the filesystem at /conf/acme but NOT to /conf/config.xml. If I do NOT select "Write certificates," then the renewed certs are written to /conf/config.xml but NOT to the filesystem at /conf/acme. That sounds to me like, "After we renew the certs for pfSense's use, we will also store them on the filesystem in case you need them for something else." But that, apparently, isn't the way the Acme package works.

    But I do need both: renewed certs in /conf/config.xml and on the filesystem at /conf/acme.

    I "get" that this package may want to offer users a way NOT to write the certs to /conf/config.xml, though it seems odd to me that someone would use Acme on pfSense NOT to write the certs to /conf/config.xml.

    But the way it works today completely misses a use case like mine where several devices on the LAN could make use of an LE cert but cannot since each of them requires port 80 to be open to Acme verification requests. Since LE allows multiple low-level names in each request (dev1.example.com, dev2.example.com, etc.), it's very convenient to use pfSense as the central renewal and distribution point.

    How could I get Acme renewed certs into both the filesystem and the Certificate Manager?



  • Before posting:

    [image: 7f2dd95b-5c4d-4013-820c-42ca9263efa6-image.png]

    Right after manual cert renewal:

    [image: 86f8b0a5-1058-43d1-844a-2c70ee1ac91c-image.png]

    You saw the date/time change?

    The concerned

    <cert>
          ....
          <crt> ........</crt>
         .....
    </cert>
    

    in the config.xml showed me the cert was changed, thus saved to config.xml.

    How could pfSense otherwise use the new certificate after a reboot?
    Because it's in the config.xml .... (and nowhere else).

    Btw:

    [image: a397d082-d42c-478b-b7fc-0eae9ab12b7b-image.png]

    Edit: I tend to say: read the log from /tmp/acme/<your domain>/acme_issuecert.log and you have your answer why it was not renewed, and thus why it wasn't written to config.xml and why it doesn't show in System > Certificate Manager > Certificates.

    Edit: See the official video: https://www.netgate.com/resources/videos/lets-encrypt-on-pfsense.html => 49 minutes and 30 seconds ;)
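The first post wants the renewed certificate in both config.xml and on the filesystem, and the reply's check is whether the `<cert>` block in config.xml actually changed. The script below is an added example (not pfSense or ACME package code): it reads `<cert>` entries out of a config.xml, writes each one to a directory as `<descr>.crt` / `<descr>.key` with restrictive permissions, and reports entries whose on-disk copy is missing or no longer matches config.xml by comparing SHA-256 fingerprints of the DER bytes. It assumes the layout shown in the reply (`<cert>` with `<refid>`, `<descr>`, `<crt>`, `<prv>`) and that `<crt>`/`<prv>` hold base64 of the PEM text; the sample config and PEM bodies are constructed placeholders, not real certificates or keys.

```python
"""Sync pfSense <cert> entries from config.xml to a directory and verify them.

Added example, not part of pfSense or the ACME package. Assumes <cert> entries
with <refid>, <descr>, <crt> and <prv>, where <crt>/<prv> are base64 of PEM.
"""
import base64
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample data: the "DER" bytes and key are placeholders.
_FAKE_DER = b"constructed-der-bytes-not-a-real-certificate"
_OLD_DER = b"constructed-der-bytes-from-an-earlier-renewal"


def _pem(der: bytes) -> str:
    """Wrap raw bytes in PEM certificate armor (for constructed samples)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


FAKE_CERT_PEM = _pem(_FAKE_DER)
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
EXPECTED_FINGERPRINT = hashlib.sha256(_FAKE_DER).hexdigest()


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed config.xml excerpt in the layout quoted in the thread.
SAMPLE_CONFIG_XML = (
    '<?xml version="1.0"?>\n<pfsense>\n  <cert>\n'
    "    <refid>5a1b2c3d4e5f6</refid>\n"
    "    <descr>dev1.example.com</descr>\n"
    f"    <crt>{_b64(FAKE_CERT_PEM)}</crt>\n"
    f"    <prv>{_b64(FAKE_KEY_PEM)}</prv>\n"
    "  </cert>\n</pfsense>\n"
)


def load_certs(xml_text: str) -> list[dict]:
    """Return every <cert> entry as a dict with the PEM text decoded."""
    certs = []
    for node in ET.fromstring(xml_text).findall("cert"):
        crt = node.findtext("crt")
        if not crt:
            continue  # entry without a certificate body (e.g. a pending CSR)
        prv = node.findtext("prv")
        certs.append({
            "refid": node.findtext("refid", ""),
            "descr": node.findtext("descr", ""),
            "crt_pem": base64.b64decode(crt).decode(),
            "prv_pem": base64.b64decode(prv).decode() if prv else None,
        })
    return certs


def pem_fingerprint(pem: str) -> str:
    """SHA-256 (hex) over the DER bytes inside the first PEM block."""
    body, inside = [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside:
            body.append(line.strip())
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()


def _safe_name(descr: str) -> str:
    """Turn the free-text <descr> into a safe file name."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", descr) or "unnamed"


def write_cert_files(certs: list[dict], outdir: str) -> list[str]:
    """Write <descr>.crt (0644) and <descr>.key (0600) into outdir."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    written = []
    for c in certs:
        base = os.path.join(outdir, _safe_name(c["descr"]))
        with open(base + ".crt", "w") as fh:
            fh.write(c["crt_pem"])
        os.chmod(base + ".crt", 0o644)
        written.append(base + ".crt")
        if c["prv_pem"]:
            # create the key file owner-only from the start, then enforce the mode
            fd = os.open(base + ".key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(c["prv_pem"])
            os.chmod(base + ".key", 0o600)
            written.append(base + ".key")
    return written


def find_stale(certs: list[dict], outdir: str) -> list[str]:
    """Descriptions whose on-disk .crt is missing or differs from config.xml."""
    stale = []
    for c in certs:
        path = os.path.join(outdir, _safe_name(c["descr"]) + ".crt")
        if not os.path.exists(path):
            stale.append(c["descr"])
            continue
        with open(path) as fh:
            if pem_fingerprint(fh.read()) != pem_fingerprint(c["crt_pem"]):
                stale.append(c["descr"])
    return stale


def run_demo() -> dict:
    """Round-trip the constructed sample through a temporary directory."""
    certs = load_certs(SAMPLE_CONFIG_XML)
    with tempfile.TemporaryDirectory() as outdir:
        before = find_stale(certs, outdir)        # nothing on disk yet
        write_cert_files(certs, outdir)
        after_write = find_stale(certs, outdir)   # filesystem matches config.xml
        # simulate a leftover copy from an earlier renewal
        with open(os.path.join(outdir, "dev1.example.com.crt"), "w") as fh:
            fh.write(_pem(_OLD_DER))
        after_tamper = find_stale(certs, outdir)
    return {"before": before, "after_write": after_write, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(run_demo())
```

On a real box you would point `load_certs` at the contents of /conf/config.xml and `write_cert_files` at the export directory, and run `find_stale` after each renewal to confirm the filesystem copies track what the Certificate Manager holds; the fingerprint comparison is the same "did the `<cert>` block change" check the reply describes, done over the decoded DER rather than by eyeballing the XML.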

