Upload SSL certificate for webconfigurator via ssh/scp


  • I use a separate server that handles all my LetsEncrypt certificate renewals. This gives me a central secure location to create and renew certificates (all renewals are done via DNS-01, so the renewal server is not accessible from outside); these are then uploaded via ssh to various servers and then apache/nginx/postfix etc. is restarted on the remote systems.
    I can not find where pfSense stores the certificate used for the web frontend 😦

    My normal way of renewing a certificate is :
    SSL Management server :-

    # on the SSL management server: renew, then copy cert + key to the remote host
    certbot renew
    # scp takes source first, then user@host:destination
    scp /etc/letsencrypt/live/remote.server.one/fullchain.pem manager@remote.server.one:/etc/ssl/
    # certbot names the key file privkey.pem in the live/ directory
    scp /etc/letsencrypt/live/remote.server.one/privkey.pem manager@remote.server.one:/etc/ssl/
    ssh manager@remote.server.one /usr/sbin/service nginx reload

    I know nginx uses /var/etc/cert.crt/key and that some form of the certificate is stored in /cf/conf/config.xml, but I can't work out how to push a new certificate in the correct format (and where that certificate should be pushed to so it is loaded after a restart of webconfig or a full system restart).

    Can anyone point me in the right direction? Also how can you reload the web frontend from the command prompt (non interactively)?

    As I already have my SSL management server set up, I don’t want to use the letsencrypt acme package on pfSense itself, and I want to use the same system to push certificates to multiple pfSense servers.

    Any tips/suggestions would be welcome.


  • Hi,

    The acme package uses this command (shell script) to reload the NGINX web servers after a new cert was imported.

    The acme package also contains the scripts that can show you how to import the certs into pfSense config.
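Worked example covering both the question (what format config.xml wants) and the reply (importing a cert into the pfSense config). This is an added example, not code from the acme package or from either poster. It assumes the config.xml layout that pfSense uses for certificates: top-level `<cert>` entries with `<refid>`, `<crt>` and `<prv>` children, where `<crt>` and `<prv>` hold the PEM text base64-encoded, and `<system><webgui><ssl-certref>` naming the refid of the cert the webConfigurator serves. The sample config and PEM blobs below are constructed placeholders, not real key material.

```python
"""Swap the webConfigurator certificate inside a pfSense config.xml.

Added example (not pfSense or acme-package code). Assumptions, as far as
this script is concerned:
  * <system><webgui><ssl-certref> holds the refid of the GUI certificate
  * the matching <cert> entry stores PEM as base64 in <crt> and <prv>
On a live box, after writing config.xml you must also remove
/tmp/config.cache and run /etc/rc.restart_webgui so the new cert is
picked up; the supported route is pfSense's own PHP cert_import()/
write_config(), which is what the acme package uses.
"""
import base64
import sys
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0"?>\n'

# Constructed sample config: one cert referenced by the GUI, one unrelated cert.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>5a1b2c3d4e5f6</ssl-certref>
    </webgui>
  </system>
  <cert>
    <refid>5a1b2c3d4e5f6</refid>
    <descr>webConfigurator</descr>
    <crt>T0xEQ0VSVA==</crt>
    <prv>T0xES0VZ</prv>
  </cert>
  <cert>
    <refid>0000000000000</refid>
    <descr>OpenVPN server</descr>
    <crt>T1RIRVI=</crt>
    <prv>T1RIRVI=</prv>
  </cert>
</pfsense>
"""

# Constructed, non-functional PEM blobs used only to exercise the code path.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def _find_webgui_cert(root: ET.Element) -> tuple[ET.Element, str]:
    """Return the <cert> element the webConfigurator points at, plus its refid."""
    webgui = root.find("./system/webgui")
    if webgui is None:
        raise ValueError("config has no <system><webgui> block")
    ref = (webgui.findtext("ssl-certref") or "").strip()
    if not ref:
        raise ValueError("webgui has no ssl-certref; nothing to replace")
    for cert in root.findall("cert"):
        if (cert.findtext("refid") or "").strip() == ref:
            return cert, ref
    raise ValueError(f"ssl-certref {ref} matches no <cert> entry")


def update_webgui_cert(config_xml: str, cert_pem: str, key_pem: str) -> tuple[str, str]:
    """Replace the GUI cert/key with base64(PEM); return (new_xml, refid)."""
    root = ET.fromstring(config_xml)
    target, ref = _find_webgui_cert(root)
    for tag, pem in (("crt", cert_pem), ("prv", key_pem)):
        if not pem.lstrip().startswith("-----BEGIN"):
            raise ValueError(f"<{tag}>: input does not look like PEM")
        el = target.find(tag)
        if el is None:
            el = ET.SubElement(target, tag)
        el.text = base64.b64encode(pem.encode()).decode()
    return XML_DECL + ET.tostring(root, encoding="unicode"), ref


def extract_webgui_cert(config_xml: str) -> str:
    """Decode the currently installed GUI certificate back to PEM (for checking)."""
    target, _ = _find_webgui_cert(ET.fromstring(config_xml))
    return base64.b64decode(target.findtext("crt") or "").decode()


if __name__ == "__main__":
    # usage: update_webgui_cert.py config.xml fullchain.pem privkey.pem > new-config.xml
    cfg_path, crt_path, key_path = sys.argv[1:4]
    with open(cfg_path) as f, open(crt_path) as c, open(key_path) as k:
        new_xml, ref = update_webgui_cert(f.read(), c.read(), k.read())
    sys.stdout.write(new_xml)
    print(f"replaced cert refid {ref}; now: rm /tmp/config.cache && /etc/rc.restart_webgui",
          file=sys.stderr)
```

Run it on the renewal server against a copy of `/cf/conf/config.xml` fetched with scp, push the result back, then reload the GUI non-interactively with `/etc/rc.restart_webgui` (the script the acme package calls). Because the refid is looked up from `ssl-certref` rather than hard-coded, the same script works unchanged against several pfSense boxes.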