    Is using tftp a safe way to distribute newly obtained certs internally?

    tazmo

      ACME Gurus,

      I am able to obtain Let's Encrypt certs just fine, but I need to distribute the new cert to several other internal (only) services.

      I do this by:

      In the Acme "General settings" I have "Write Certificates" to /conf/acme checked.

      Since it appears we cannot use any of acme.sh's deploy hook arguments through the pfSense WebUI, I run the following "Actions list" command (among others) after each cert renewal:

      /bin/cp -p /conf/acme/newcert.pem /tftpboot/

      I run the pfSense TFTP Server and bind to only the internal LAN IP address.

      Then from any internal service that needs the newly updated cert I run the following out of cron and dump it to whichever directory it's needed in:

      echo "get newcert.pem" | tftp firewall.internal

      Then I restart the internal service. I do this with just the certs, no keys - keys remain in pfSense.

      My Qs are:

      Is this a "safe" way of doing this?
      Is there a better way to distribute renewed certs internally?

      BobC

      jimp (Rebel Alliance Developer, Netgate)

        I would not consider TFTP safe by any means. It's unencrypted and unauthenticated. So you can't verify that the client is pulling the certificate from the proper source or ensure that it has not been interfered with along the way. On a local network that may not appear like a huge concern, but it's best not to get complacent or make assumptions when dealing with security.

        If you are only transferring the certificate and not private key data then the unencrypted part isn't as large of a concern.

        Some people write the certs to a central location and copy them around with scp, which is better.

        Though it sounds like you're using the ACME package for a role it really was not intended to fill. You might be better suited using a dedicated ACME setup on a local system (small VM, Pi, etc) which can securely deploy the certificates in a manner better suited for your needs.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
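The cron-side fetch from the question, reworked along the lines of this answer: scp with a pinned host key instead of an unauthenticated TFTP get, and the certificate validated before it is installed and the service restarted. This is an added example, not code from the thread or from pfSense; firewall.internal and /conf/acme/newcert.pem come from the question, while the certfetch account, the key path, the destination, the expected CN and the service name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull the renewed cert over scp with a
# pinned host key and validate it before installing and restarting.
set -eu

SRC_HOST="firewall.internal"                   # hostname from the question
SRC_PATH="/conf/acme/newcert.pem"              # path from the question
DEST="${DEST:-/etc/ssl/certs/newcert.pem}"     # assumption: where the service reads it
EXPECTED_CN="${EXPECTED_CN:-svc.internal}"     # assumption: CN the cert must carry
SERVICE="${SERVICE:-my-service}"               # assumption: dependent service

# BatchMode refuses interactive prompts; StrictHostKeyChecking=yes refuses
# unknown or changed host keys instead of trusting on first use.
# Assumes a dedicated "certfetch" account and key exist (not in the thread).
fetch_cert() {  # $1 = temp file to write
    scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -i "$HOME/.ssh/cert-fetch" "certfetch@${SRC_HOST}:${SRC_PATH}" "$1"
}

# 0 if the file parses as X.509, carries the expected CN and is valid for
# at least another 24h; 1 otherwise.
validate_cert() {  # $1 = candidate file, $2 = expected CN
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$" || return 1
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null || return 1
}

# Atomic install. Returns 0 = new cert installed, 2 = unchanged, 1 = rejected.
install_cert() {  # $1 = candidate file, $2 = destination
    validate_cert "$1" "$EXPECTED_CN" || return 1
    if [ -f "$2" ] && cmp -s "$1" "$2"; then return 2; fi
    install -m 0644 "$1" "$2.tmp" && mv -f "$2.tmp" "$2"
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_cert "$tmp"
    if install_cert "$tmp" "$DEST"; then
        service "$SERVICE" restart     # restart only when the cert changed
    fi
}

# Run from cron as "fetch-cert.sh run"; guarded so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```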

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.