Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ACME 60 day renewal schedule and scheduled Firewall Rule for HTTP & HTTPS allow

    Scheduled Pinned Locked Moved ACME
    5 Posts 4 Posters 807 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Josho_SAIJ Offline
      Josho_SAI
      last edited by

      Hi Team
      A month ago I successfully setup the Lets Encrypt ACME certificates for my pfSense edge appliance and some internal servers within. In creating the ACME certs, I added the 60 day auto-renewal.

      My pfSense appliance doesn't normally allow HTTP and HTTPS connections from the world so i (unsuccessfully) created a Firewall alias to allow HTTP and HTTPS connections from ACME's FQDN's Screenshot from 2023-08-31 11-29-29.png I don't think this is thorough enough for Lets Encrypt as manually renewing the certs created LOTS of inbound connections from LOTS of sources in the firewall logs.

      Option 2: Create a Firewall schedule that allows HTTP and HTTPS inbound connections from the world for the same 60 day / time period. The Firewall schedule has a 15 minute min time period. (the below s/shots are 3 separate pfSense tabs)
      pfsense acme and firewall schedule screenshots.png

      Has anyone had any success doing this -or- are there better ways to accomplish what I'm trying to do? Would I be better off to combine the 2 separate cron job commands into 1 cron job?

      keyserK 1 Reply Last reply Reply Quote 0
      • keyserK Offline
        keyser Rebel Alliance @Josho_SAI
        last edited by

        @Josho_SAI Does ACME cert renewal require inbound HTTP/HTTPS sessions??? I can’t believe that is needed as it would be impossible to handle/allow in bigger organisations.

        Love the no fuss of using the official appliances :-)

        Josho_SAIJ 1 Reply Last reply Reply Quote 0
        • Josho_SAIJ Offline
          Josho_SAI @keyser
          last edited by

          @keyser
          Big organisations wouldn't be using the Let's Encrypt Webroot certificates

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG Online
            Gertjan @Josho_SAI
            last edited by

            @Josho_SAI

            Even for small entities, or even for individuals : use RFC 2136 or something that's close to that.
            Most serious ( ? ) domain name registrars offer such a service.

            It works like this :
            It cert renewal time.
            Ask Letenscrypt for a random hash.
            Place this txt record in the domain name's DNS zone (in the registrar). That's what all these acme dns methods are al about.
            Wait for a minute or two to give DNS the time to update the zone over all the DNS slaves.
            Then tell Letsencrypt : go ahead, check.
            Undo the txt recods.
            Get the certificate.
            Done.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • D Offline
              darcey
              last edited by

              Another benefit of using the ACME DNS method is wildcard names. I'd previously been using the http method with my namecheap hosted domain. I could not use their DNS API with my account. I then realised I could switch nameservers, on my namecheap account, to cloudflare and can now use the DNS method with pfSense ACME package.

              1 Reply Last reply Reply Quote 1
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.