Certificates: Pickup my own from a directory?
-
How do you configure pfSense to pick up certificate(s) from a local directory? E.g. from a mounted SMB share.
/tl;dr
pfSense LetsEncrypt integration is excellent. Been using it for a while. I am familiar with how that works and how pfSense renews and updates it.
However... I am setting up a new lab with dozens of VMs and they all need to share the same sets of certs, including pfSense's web GUI, OpenVPN, and so on.
I've configured most other software to pick up their certs on docker startup or on VM boot (by looking in a folder mounted from the host). This way, all of the services and tools can pick up the certs on boot/startup.
This is important because I have a separate process managing LetsEncrypt for lots of testing - and I'd rather not have pfSense manage them.
So, I am trying to figure out how to tell pfSense to pick up certs from a local folder on each reboot. E.g., reboot the pfSense box once a week to capture any updated certs.
In Linux, I can tweak the cert manager on boot to bring in the latest cert. Perhaps I should do the same within FreeBSD (e.g. pfSense CLI)?
Or, is there a way to configure this via the GUI?
-
@eduncan911 said in Certificates: Pickup my own from a directory?:
How do you configure pfSense to pick up certificate(s) from a local directory? E.g. from a mounted SMB share.
but you also said :
@eduncan911 said in Certificates: Pickup my own from a directory?:
pfSense LetsEncrypt integration is excellent
Well, look again.
This shell script: /usr/local/pkg/acme/acme_command.sh
See at the bottom how to use it - or modify the script.
-
@gertjan said in Certificates: Pickup my own from a directory?:
but you also said :
@eduncan911 said in Certificates: Pickup my own from a directory?:
pfSense LetsEncrypt integration is excellent
As I asked above, how does one configure pfSense via the GUI to pick up certificates from a local directory? Nothing to do with LetsEncrypt. I was just mentioning that I know of its process, but I am not going to use it.
Well, look again.
This shell script: /usr/local/pkg/acme/acme_command.sh
Again, I do not want to use pfSense to manage any LetsEncrypt certs. I'm looking for a way just to import/refresh a cert on boot or alike.
Essentially, this post has nothing to do with LetsEncrypt. It's asking how to auto-load a cert from a local directory say on boot.
See at the bottom how to use it - or modify the script.
And any changes get overwritten on pfSense upgrades. Don't think that's a solution.
Doing it via CLI seems to be the only way. Seems to be pretty simple to just specify what certs OpenVPN and the WebGUI would pick up from what directory on startup. But the GUI seems to be locked into some datastore/dropdown list, forcing you to choose from what's "imported." It's that "what's imported" that needs to be refreshed every 60 days.
I'll look at the script to see how things are being imported. That's a good start to set up in a cron.
-
@eduncan911 said in Certificates: Pickup my own from a directory?:
Again, I do not want to use pfSense to manage any LetsEncrypt certs. I'm looking for a way just to import/refresh a cert on boot or alike.
Essentially, this post has nothing to do with LetsEncrypt. It's asking how to auto-load a cert from a local directory say on boot.
It's that package (acme LetsEncrypt) that contains a script file that shows how you can incorporate cert files - wherever they are - into pfSense (== the pfSense config). See it as an example.
@eduncan911 said in Certificates: Pickup my own from a directory?:
And any changes get overwritten on pfSense upgrades. Don't think that's a solution.
Doing it via CLI seems to be the only way.
The mentioned file was an example. Base your own script (won't get overwritten) on it.
Place it in your own /root/ directory - and keep a backup.
I've my own scripts living in /root/ for a decade or more, as from pfSense 1.0.
@eduncan911 said in Certificates: Pickup my own from a directory?:
I'll look at the script to see how things are being imported. That's a good start to set up in a cron.
Exactly.
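The approach gertjan describes (your own script in /root/, run from cron or at boot, importing cert files from wherever they are into the pfSense config), as an added example that is neither the thread's nor the acme package's code. CERT_DIR, CERT_NAME, the state-file path, running the PHP part through /usr/local/bin/php and the use of pfSense's cert_import(), init_config_arr() and write_config() helpers are assumptions to check against your pfSense version.

```shell
#!/bin/sh
# Added example (not the acme package's script): refresh a shared cert in pfSense
# from a mounted directory, meant to live in /root/ and run from cron or at boot.
set -eu
CERT_DIR="${CERT_DIR:-/mnt/certs}"          # assumed: where the share is mounted
CERT_NAME="${CERT_NAME:-lab-shared-cert}"   # assumed: descr of the entry in Cert Manager
STATE="${STATE:-/root/.lab-cert.sha256}"    # fingerprint of the last imported cert
# 0 only if the private key really belongs to the certificate (any key type).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
# 0 only if the certificate is still valid for at least another day.
cert_not_expiring() { openssl x509 -in "$1" -noout -checkend 86400 >/dev/null; }
# SHA-256 fingerprint, used to skip the import when nothing changed.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Update the existing entry in place (keeps its refid, so the webGUI/OpenVPN
# references stay valid) or create it. Assumes pfSense's certs.inc helpers
# cert_import(), init_config_arr() and write_config(); check them on your version.
import_into_pfsense() {
    CRT_FILE="$1" KEY_FILE="$2" CERT_NAME="$CERT_NAME" /usr/local/bin/php <<'EOF'
<?php
require_once("config.inc"); require_once("certs.inc");
global $config;
$name = getenv("CERT_NAME");
$crt = file_get_contents(getenv("CRT_FILE")); $key = file_get_contents(getenv("KEY_FILE"));
init_config_arr(array('cert'));
$found = false;
foreach ($config['cert'] as &$c) {
    if ($c['descr'] == $name) { cert_import($c, $crt, $key); $found = true; }
}
unset($c);
if (!$found) { $c = array('refid' => uniqid(), 'descr' => $name); cert_import($c, $crt, $key); $config['cert'][] = $c; }
write_config("Refreshed certificate {$name} from mounted directory");
EOF
}

main() {
    crt="$CERT_DIR/cert.pem"; key="$CERT_DIR/key.pem"
    cert_key_match "$crt" "$key" || { echo "key does not match cert, not importing" >&2; return 1; }
    cert_not_expiring "$crt" || { echo "cert expired or about to, not importing" >&2; return 1; }
    fp=$(cert_fingerprint "$crt")
    [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$fp" ] && { echo "unchanged"; return 0; }
    import_into_pfsense "$crt" "$key" && echo "$fp" > "$STATE"
    # services that already loaded the old cert (webGUI, OpenVPN) still need a restart
}
case "${1:-}" in run) main ;; esac
```

Invoke it as `/root/refresh-cert.sh run` from a cron entry; the state file stops it from rewriting config.xml on every run when the files on the share have not changed.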