Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Letsencrypt working in 2.3

    Scheduled Pinned Locked Moved pfSense Packages
    44 Posts 31 Posters 52.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jpns
      last edited by

      Great to see this is getting some traction. I don't get all the hate towards LE. It seems even cPanel have implemented Letsencrypt into their AutoSSL feature.

      I too am using a StartCom free DV cert to secure my pfsense webGUI, and a captive portal authentication page.

      I intend to start using HAProxy soon to serve content from local webservers to the outside world directly from pfsense, rather than from a transparent Apache proxy inside the LAN. I'm already using Letsencrypt on this but I would much prefer to have this moved to the firewall.

      I'll be watching this with great interest. Thanks for the great work guys.

      1 Reply Last reply Reply Quote 0
      • S
        stpq
        last edited by

        Hi All
        Initially thanks for the howto. I did use a different one, as it worked better for me.
        I also managed to have it automated.

        Im using acme.sh by Neilpang (i did install bash):
        https://github.com/Neilpang/acme.sh

        Im running the web if on different port, therefore i need the validation on that different port (666):
        for issue:
        /root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
        for renew:
        /root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/

        after that i modified script from here, especially the parts with write rights, and hardlinks:
        https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02e

        Now it should work automagically. (of course you still need to change webconfigurator to https)

        its not really a comprehensive guide, but it has some inspiration, i hope.

        1 Reply Last reply Reply Quote 0
        • H
          heper
          last edited by

          @stpq:

          Hi All
          Initially thanks for the howto. I did use a different one, as it worked better for me.
          I also managed to have it automated.

          Im using acme.sh by Neilpang (i did install bash):
          https://github.com/Neilpang/acme.sh

          Im running the web if on different port, therefore i need the validation on that different port (666):
          for issue:
          /root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
          for renew:
          /root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/

          after that i modified script from here, especially the parts with write rights, and hardlinks:
          https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02e

          Now it should work automagically. (of course you still need to change webconfigurator to https)

          its not really a comprehensive guide, but it has some inspiration, i hope.

          The PR above has been pulled in. 2.4 should have a working package

          1 Reply Last reply Reply Quote 0
          • S
            stpq
            last edited by

            @heper:

            @stpq:

            Hi All
            Initially thanks for the howto. I did use a different one, as it worked better for me.
            I also managed to have it automated.

            Im using acme.sh by Neilpang (i did install bash):
            https://github.com/Neilpang/acme.sh

            Im running the web if on different port, therefore i need the validation on that different port (666):
            for issue:
            /root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
            for renew:
            /root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/

            after that i modified script from here, especially the parts with write rights, and hardlinks:
            https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02e

            Now it should work automagically. (of course you still need to change webconfigurator to https)

            its not really a comprehensive guide, but it has some inspiration, i hope.

            The PR above has been pulled it. 2.4 should have a working package

            Great news!
            https://redmine.pfsense.org/projects/pfsense/roadmap

            1 Reply Last reply Reply Quote 0
            • M
              Mats
              last edited by

              Any plans for Lets Encrypt support in a 2.3 release?
              Took a look at the 2.3 snapshot but couldn't find it

              1 Reply Last reply Reply Quote 0
              • D
                doktornotor Banned
                last edited by

                Already available in 2.3.3

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  And now on 2.3.2_1

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • mudmanc4M
                    mudmanc4
                    last edited by

                    Maybe I'm clueless as far as how acme/letsencrypt can help me on a inward facing network. Where the GUI is strictly accessible over internal / VPN network to start with.

                    So I allow an external influence to sort my internal certs, counter productive much?

                    Don't get me wrong, EFF has this thing going on, and I use them and trust them, by all means.

                    What am I missing here? I've got to be missing the larger picture, right?

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      @mudmanc4:

                      So I allow an external influence to sort my internal certs, counter productive much?

                      Hardly "influence", but it provides a trust chain to ensure browsers can verify the validity of your firewall's GUI certificate.

                      @mudmanc4:

                      Don't get me wrong, EFF has this thing going on, and I use them and trust them, by all means.

                      What am I missing here? I've got to be missing the larger picture, right?

                      It eliminates the extra steps necessary for you to tell your browser to trust the otherwise invalid certificate on the firewall. If you get complacent in always clicking past certificate errors, you are more likely not to notice if something about it has changed. Especially with browsers like Chrome that make it more difficult to setup a persistent acceptance of an invalid or self-signed certificate.

                      Sure you could make your own CA and import it into your clients OS/browsers but that's a lot of extra overhead for little benefit. If the firewall has a valid certificate you don't have any of the "scary" browser warnings or concerns, and a lower barrier to entry is always better when it offers superior security.

                      Plus the certificates can be used by services such as HAproxy for adding/enhancing security to sites behind the firewall. If you only have HTTP now for hosted web sites and HTTPS certificates have been cost prohibitive, there is more incentive to go secure. Google prefers to list HTTPS sites and browsers are now displaying warnings for HTTP sites with login forms and other cases.

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • R
                        roadfox
                        last edited by

                        @jimp:

                        And now on 2.3.2_1

                        Thanks was able to install the plugin, but:

                        When trying to create a cert with the setting "webroot local folder" i get an "cannot create directory" error messageand i'm not the only one, se here: https://forum.pfsense.org/index.php?topic=125293.0

                        When trying to create a cert with setting "webroot FTP" the process also fails.

                        So far i think some of the issues are:

                        • i have no rule who allows 80 or 443 over WAN, and from what i see in the logs letsencrypt tryes to access a temp file over WAN:80
                        • my webinterfaces is set to ssl so there is no webserver listening on port 80, so also even if i open 80/443 in the fw, letsencrypt cannot acces the file

                        so maybe the issue process should ensure that the correct port are open and has a listener and tell letsencrypt to use this port? or are there settings i missed?

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Doing local webroot is not going to be viable for most people. There are posts here on the forum that show how to do it using haproxy if you must, but it won't work with the GUI unless you drastically reduce security. tl;dr: don't do it.

                          If you're on the latest version of the ACME pkg, then FTP webroot should work, at least for sftp, that's what I tested. You do need to have a port forwarded to the web server hosting the files for that, but there isn't any way for the firewall to know what you have to validate that. At some point it's up to the user to make sure their config is correct.

                          We're looking into standalone mode to see if it's viable, though we tend to not like running extra services on the firewall like that. At least it's short-lived, but it would still need a persistent firewall rule.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • M
                            mrcola
                            last edited by

                            @jimp:

                            And now on 2.3.2_1

                            Where about please

                            Thanks

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              @mrcola:

                              @jimp:

                              And now on 2.3.2_1

                              Where about please

                              Thanks

                              System > Package Manager, Available Packages tab: acme

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • F
                                fairchild
                                last edited by

                                Is there a reason all of the implementations tried are not using the dns-01 challenge?

                                I find it crazy people are exposing 80 or 443 to issue a free cert, even temporarily. The dns challenge is perfect for internal systems and acme.sh has a ton of build in api clients to automate record changes.

                                Just trying to see if this is something everyone overlooked or if there is a glaring reason no one has set it up that way yet?

                                1 Reply Last reply Reply Quote 0
                                • D
                                  doktornotor Banned
                                  last edited by

                                  @artfulhacker:

                                  Is there a reason all of the implementations tried are not using the dns-01 challenge?

                                  Eeeeeh, huh? Have you actually had a look at the package?  ::) :o

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    maverick_slo
                                    last edited by

                                    Awesome package.
                                    I use it for all my websites via dns validation.
                                    Thanks guys!

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      fairchild
                                      last edited by

                                      @doktornotor:

                                      @artfulhacker:

                                      Is there a reason all of the implementations tried are not using the dns-01 challenge?

                                      Eeeeeh, huh? Have you actually had a look at the package?  ::) :o

                                      ahh, that would have been smart  :-X

                                      I was referring to all of the forum posts of people using "standalone"

                                      1 Reply Last reply Reply Quote 0
                                      • thedaveCAT
                                        thedaveCA
                                        last edited by

                                        It's worth noting that DNS validation via DNSMadeEasy doesn't seem to work:

                                        https://forum.pfsense.org/index.php?topic=125946.0
                                        https://forum.pfsense.org/index.php?topic=126025.0

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.