My ACME cert from Let's Encrypt is not an Internal CA
-
... what do I need to do???
I'm not sure what to do here. Let's Encrypt worked just fine for my pfSense FQDN and my VPN FQDN.
When I try to create a VPN user... the ROOT-CA is not available. Literally nothing in the list.
I thought the Let's Encrypt key was a root CA along with the cert for the FQDN.
Did I do something wrong?
-
Internal ?
A Let's Encrypt certificate isn't internal(ly) generated, it comes from Let's Encrypt.
Here's mine :
This "R10" intermediate certificate is listed on the CA page :
I have them there because I imported them myself ;) (not really needed I guess)
From where ? From Let's Encrypt of course, do your shopping here :
https://letsencrypt.org/certificates/
Btw : an acme question belongs in the acme forum. Go check over there for more info.
Even if you haven't listed these R10, R11, ISRG Root X1 and ISRG Root X2 on the System > Certificate > Authorities page, you still have them in the pfSense FreeBSD certificate store, go have a look here : /etc/ssl/certs/
Like your PC, phone, tablet etc, these certs are known as the trusted ones.
Also : you use the Let's Encrypt certificates for VPN ?
Isn't that a PITA ?
I've generated a 10 years 'self signed' CA first :
then a server certificate :
and based my VPN client certificates on this server certificate.
Maybe Let's Encrypt certs work fine, but doesn't that mean you have to re-export the client config every 60-90 days ?
-
@Gertjan Thank you, This helps!
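
An added example, not part of any post in this thread: a Let's Encrypt certificate is a leaf (CA:FALSE) and its issuing key stays with Let's Encrypt, so it cannot sign VPN user certificates. The script below builds the self-signed CA, server and client layout with the `openssl` CLI and shows that a client cert signed with a leaf's key is rejected. The names `demo-ca`, `vpn.example.test`, `alice` and `bob` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. demo-ca, vpn.example.test, alice and bob are constructed names.
set -eu

# is_ca CERT: succeeds only if CERT carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# issue NAME CN ISSUER: new key + leaf cert (CA:FALSE) for CN, signed with ISSUER.key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile leaf.ext -out "$1.crt" 2>/dev/null
}

# build_pki DIR: 10-year self-signed CA, then server and client certs under it,
# plus "bob", a client cert signed with the server (leaf) key instead of the CA key.
build_pki() (
  mkdir -p "$1" && cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null
  issue server vpn.example.test ca
  issue alice alice ca
  issue bob bob server
)

# verifies DIR CERT: does CERT chain to DIR/ca.crt? server.crt is offered as a
# possible intermediate, which is how a leaf-issued client cert would be presented.
verifies() {
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/server.crt" "$1/$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
for c in ca server; do is_ca "$dir/$c.crt" && echo "$c: CA" || echo "$c: not a CA"; done
for c in alice bob; do verifies "$dir" "$c.crt" && echo "$c: accepted" || echo "$c: rejected"; done
```

Running `is_ca` against a Let's Encrypt certificate file for your own FQDN gives the same "not a CA" result as `server.crt` here.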