Supporting Let's Encrypt certificate generation and automated renewal


  • Let's Encrypt works on FreeBSD:

    http://www.freshports.org/security/py-letsencrypt
    http://www.freshports.org/security/letsencrypt.sh
    https://github.com/Neilpang/acme.sh - This is the script I've used.

    I'm using HAProxy and Let's Encrypt certificates on pfSense 2.3 for SSL termination to my public websites.

    It would be great if Let's Encrypt certificates could be generated within the pfSense UI.

    Let's Encrypt's certificates expire within 90 days, so it would be great if we had a pfSense package that could run a renewal script to automatically renew the certificates. According to https://certbot.eff.org/#freebsd-haproxy it's recommended to run letsencrypt renew --quiet from within cron twice every day.

    An old related discussion can be found here: https://forum.pfsense.org/index.php?topic=101186.0


  • A big +1 for this



  • I'm sorry for bringing this back from the dead, but can acme be used without:

    a) a TLD, or
    b) a dyn where you can manipulate TXT records, or
    c) some 80 or 433 port access (as you probably know, vivo has none)

    I have none of that, just a plain dyn dns.

  • LAYER 8 Netgate

    Probably not if it's the free version. Need the ability to add and remove TXT records. Details are in the package. The number of supported DNS providers grows about monthly.

    ![Screen Shot 2018-01-15 at 5.53.07 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-15 at 5.53.07 PM.png)


  • I got it! Well, almost!

    From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

    I also had to install certbot, and its annoyingly long dependencies.

    After the temp ban is lifted (I think one hour) I'll let you know if I can really validate the service and install the cert.

    ----------------------

    Worked!

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem
       Your key file has been saved at:
       /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem
       Your cert will expire on 2018-04-16. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"