Netgate Discussion Forum

Upload SSL certificate for webconfigurator via ssh/scp

  • M
    marl_scot
    last edited by Sep 27, 2020, 9:17 PM

    I use a separate server that handles all my LetsEncrypt certificate renewals. This gives me a central secure location to create and renew certificates (all renewals are done via DNS-01, so the renewal server is not accessible from outside). These are then uploaded via ssh to various servers, and then apache/nginx/postfix etc. is restarted on the remote systems.
    I cannot find where pfsense stores the certificate used for the web frontend 😦

    My normal way of renewing a certificate is:
    SSL Management server:

    certbot renew
    # scp takes the local source first, then user@host:destination
    scp /etc/letsencrypt/live/remote.server.one/fullchain.pem manager@remote.server.one:/etc/ssl/
    scp /etc/letsencrypt/live/remote.server.one/private.pem manager@remote.server.one:/etc/ssl/
    ssh manager@remote.server.one /usr/sbin/service nginx reload
    

    I know nginx uses /var/etc/cert.crt/key and that some form of the certificate is stored in /cf/conf/config.xml, but I can't work out how to push a new certificate in the correct format (and where that certificate should be pushed to so it is loaded after a restart of webconfig or a full system restart).

    Can anyone point me in the right direction? Also how can you reload the web frontend from the command prompt (non interactively)?

    As I already have my ssl management server set up, I don’t want to use the letsencrypt acme package on pfsense itself, and I want to use the same system to push certificates to multiple pfsense servers.

    Any tips/suggestions would be welcome.

    • G
      Gertjan
      last edited by Sep 28, 2020, 8:55 AM

      Hi,

      The acme package uses this command (shell script) to reload the NGINX web servers after a new cert was imported.

      The acme package also contains the scripts that can show you how to import the certs into pfSense config.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??
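
Added example, not part of either post and not code from the acme package: a sketch of the config.xml side of the question, assuming the layout in which `<system><webgui><ssl-certref>` names a top-level `<cert>` entry by `<refid>` and that entry's `<crt>`/`<prv>` fields hold base64-encoded PEM. The function name `replace_webgui_cert` and the sample config are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample; assumes the layout pfSense uses in /cf/conf/config.xml:
# <system><webgui><ssl-certref> names a top-level <cert> by <refid>, and
# <crt>/<prv> hold the base64-encoded PEM text.
SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>https</protocol><ssl-certref>5f70a1b2c3d4e</ssl-certref></webgui></system>
  <cert><refid>0000000000001</refid><descr>other</descr><crt>b2xk</crt><prv>b2xk</prv></cert>
  <cert><refid>5f70a1b2c3d4e</refid><descr>webConfigurator</descr><crt>b2xk</crt><prv>b2xk</prv></cert>
</pfsense>"""

def _check_pem(text, labels):
    """Reject input that is not a PEM block of one of the expected types."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if first not in {f"-----BEGIN {l}-----" for l in labels}:
        raise ValueError(f"expected PEM {labels}, got {first!r}")

def replace_webgui_cert(config_xml, cert_pem, key_pem):
    """Return config XML with the webGUI's certificate entry replaced."""
    # Catch swapped or truncated files before a key lands in the wrong field.
    _check_pem(cert_pem, ["CERTIFICATE"])
    _check_pem(key_pem, ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"])
    root = ET.fromstring(config_xml)
    refid = root.findtext("system/webgui/ssl-certref")
    if not refid:
        raise LookupError("no ssl-certref under system/webgui")
    # Only touch the entry the webGUI points at; other certs stay as they are.
    matches = [c for c in root.findall("cert") if c.findtext("refid") == refid]
    if len(matches) != 1:
        raise LookupError(f"expected one <cert> with refid {refid}, found {len(matches)}")
    entry = matches[0]
    for tag, pem in (("crt", cert_pem), ("prv", key_pem)):
        node = entry.find(tag)
        if node is None:
            node = ET.SubElement(entry, tag)
        node.text = base64.b64encode(pem.encode()).decode()
    return ET.tostring(root, encoding="unicode")
```

The returned XML carries the private key, so it needs the same file permissions and transport protection as the key itself.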
