Is using TFTP a safe way to distribute newly obtained certs internally?

  • Acme Gurus -

    I am able to obtain Let's Encrypt certs just fine, but I need to distribute the new cert to several other internal (only) services.

    I do this by:

    In the Acme "General settings" I have "Write Certificates" to /conf/acme checked.

    Since it appears we cannot use any of the deploy hook arguments through the pfSense WebUI, I run the following "Actions list" command (among others) after each cert renewal:

    /bin/cp -p /conf/acme/newcert.pem /tftpboot/

    I run the pfSense TFTP server and bind it only to the internal LAN IP address.

    Then, from any internal service that needs the newly updated cert, I run the following from cron and dump it in whichever directory it's needed:

    echo "get newcert.pem" | tftp firewall.internal

    Then I restart the internal service. I do this with just the certs, no keys; the keys remain in pfSense.

    My questions are:

    Is this a "safe" way of doing this?
    Is there a better way to distribute renewed certs internally?


  • Rebel Alliance Developer Netgate

    I would not consider TFTP safe by any means. It's unencrypted and unauthenticated, so you can't verify that the client is pulling the certificate from the proper source or ensure that it has not been interfered with along the way. On a local network that may not seem like a huge concern, but it's best not to get complacent or make assumptions when dealing with security.

    If you are only transferring the certificate and not private key data, then the unencrypted part isn't as large a concern.

    Some people write the certs to a central location and copy them around with scp, which is better.

    Though it sounds like you're using the ACME package for a role it really was not intended to fill. You might be better suited using a dedicated ACME setup on a local system (small VM, Pi, etc) which can securely deploy the certificates in a manner better suited for your needs.
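
    Below is an added example of what the original poster's pull-and-restart cron job looks like once it follows the advice in this reply: the TFTP `get` is replaced by scp against a pinned host key, and the certificate is checked before it is installed, since an unauthenticated fetch gives you neither a verified source nor integrity. This is not code from either post or from the pfSense ACME package; the `certpull` deploy user, the hostnames, the paths, the `CERT_DEPLOY_RUN` guard and the `service ... reload` command are all assumptions, and `firewall.internal`'s SSH host key is assumed to already be in the service's `known_hosts` so that `StrictHostKeyChecking=yes` can refuse an impostor. Only the certificate moves, as in the original setup; the private key stays on pfSense.

```shell
#!/bin/sh
# Added example (not from the thread): pull a renewed cert over SSH, verify it,
# install it atomically, and reload the service only when it actually changed.
set -eu

# All of these are assumptions for illustration; override them per service.
CERT_SRC="${CERT_SRC:-certpull@firewall.internal:/conf/acme/newcert.pem}"
CERT_DST="${CERT_DST:-/usr/local/etc/ssl/newcert.pem}"
EXPECTED_NAME="${EXPECTED_NAME:-svc.example.internal}"
MIN_DAYS_LEFT="${MIN_DAYS_LEFT:-7}"
SERVICE_NAME="${SERVICE_NAME:-nginx}"

# 1. Transport. scp is encrypted and, with StrictHostKeyChecking=yes, the firewall
#    must present the host key already pinned in known_hosts. TFTP gives neither.
fetch_cert() {  # fetch_cert <staging-file>
    scp -q -o StrictHostKeyChecking=yes -o BatchMode=yes "$CERT_SRC" "$1"
}

# 2. Content. Whatever arrived must parse as an X.509 certificate, be valid for
#    at least <min-days> more days, and carry the name this service expects,
#    either in the SAN list or as the subject CN. Returns 0 on pass, 1 on fail.
validate_cert() {  # validate_cert <pem-file> <expected-name> <min-days>
    f=$1; name=$2; days=$3
    openssl x509 -in "$f" -noout >/dev/null 2>&1 \
        || { echo "validate: $f is not an X.509 certificate" >&2; return 1; }
    openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo "validate: certificate expires within $days days" >&2; return 1; }
    # SAN entries come back comma-separated; split them and match the whole token
    # (-F -x) so svc.example.internal does not match svc.example.internal.evil.
    if openssl x509 -in "$f" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$name"; then
        return 0
    fi
    openssl x509 -in "$f" -noout -subject 2>/dev/null | grep -q "CN *= *$name" \
        || { echo "validate: $name is not in the certificate" >&2; return 1; }
}

# 3. Install. Compare with what is live so an unchanged cert does not trigger a
#    restart; rename is atomic when both files are on the same filesystem.
#    Prints "updated" or "unchanged".
install_cert() {  # install_cert <staging-file> <live-file>
    new=$1; live=$2
    if [ -f "$live" ] && cmp -s "$new" "$live"; then
        echo unchanged
        return 0
    fi
    chmod 0644 "$new"
    mv -f "$new" "$live"
    echo updated
}

main() {
    # Stage next to the destination so the final mv is a same-filesystem rename.
    tmp=$(mktemp "$(dirname "$CERT_DST")/.newcert.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    fetch_cert "$tmp"
    validate_cert "$tmp" "$EXPECTED_NAME" "$MIN_DAYS_LEFT"
    if [ "$(install_cert "$tmp" "$CERT_DST")" = updated ]; then
        service "$SERVICE_NAME" reload   # assumed reload command; adjust per service
    fi
}

# Only run the full pipeline when explicitly asked, e.g. from cron:
#   CERT_DEPLOY_RUN=1 /usr/local/sbin/pull-cert.sh
if [ "${CERT_DEPLOY_RUN:-0}" = 1 ]; then
    main
fi
```

    The checks in `validate_cert` are what the TFTP version silently skips: a truncated or substituted file fails the parse step, a stale copy fails `-checkend`, and a certificate for some other host fails the name match, so a bad fetch never reaches the service and never causes a restart. If the firewall's SSH host key ever changes, the scp step fails closed until `known_hosts` is updated deliberately, which is the behaviour you want from a certificate channel.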
