Netgate Discussion Forum

    Supporting Let's Encrypt certificate generation and automated renewal

    General pfSense Questions
    yonas:

      Let's Encrypt works on FreeBSD:

      http://www.freshports.org/security/py-letsencrypt
      http://www.freshports.org/security/letsencrypt.sh
      https://github.com/Neilpang/acme.sh - This is the script I've used.

      I'm using HAProxy and Let's Encrypt certificates on pfSense 2.3 for SSL termination to my public websites.

      It would be great if Let's Encrypt certificates could be generated within the pfSense UI.

      Let's Encrypt's certificates expire within 90 days, so it would be great if we had a pfSense package that could run a renewal script to automatically renew the certificates. According to https://certbot.eff.org/#freebsd-haproxy it's recommended to run `letsencrypt renew --quiet` from within cron twice every day.

      An old related discussion can be found here: https://forum.pfsense.org/index.php?topic=101186.0

    mikerj:

        A bit +1 for this

    marcelloc:

          Did you try the acme package?

          https://forum.pfsense.org/index.php?topic=129376.0

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

    psalm57:

            I'm sorry for bringing this back from the dead, but can acme be used without:

            a) a TLD, or
            b) a dyn where you can manipulate TXT records, or
            c) some port 80 or 433 access (as you probably know, Vivo has none)

            I have none of that, just a plain dyn DNS.

    Derelict (Netgate):

              Probably not if it's the free version. Need the ability to add and remove TXT records. Details are in the package. The number of supported DNS providers grows about monthly.

              ![Screen Shot 2018-01-15 at 5.53.07 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-15 at 5.53.07 PM.png)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

    psalm57:
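To make concrete why the package needs a DNS provider API that can add and remove TXT records (Derelict's point above, and what psalm57 later did by hand at desec.io), here is an added Python example; it is not code from this thread, from the pfSense acme package, or from acme.sh/certbot. It computes the value an ACME client must publish at `_acme-challenge.<domain>` for a DNS-01 challenge (key authorization and JWK thumbprint as specified in RFC 8555 section 8.4 and RFC 7638) and shows the check the CA performs against the records it observes. The token and the RSA JWK below are constructed placeholders for illustration, not a real account key.

```python
"""DNS-01 challenge values (RFC 8555 section 8.4, RFC 7638 JWK thumbprint).

Added example; the account key and token are constructed, not real.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) - identifies the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Binds the server-issued challenge token to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The TXT record content the CA expects to find in DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(domain: str) -> str:
    """Owner name of the TXT record that the DNS provider API has to create."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def validate_txt_records(token: str, jwk: dict, observed: list) -> bool:
    """CA-side check: some observed TXT record equals the expected value.

    The client later deletes the record; stale values from earlier
    attempts are simply ignored as long as one record matches.
    """
    return dns01_txt_value(token, jwk) in observed


# Constructed sample inputs (not a valid RSA modulus, not a real token).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = challenge_record_name("example.dedyn.io")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} IN TXT \"{value}\"")
    print("valid:", validate_txt_records(SAMPLE_TOKEN, SAMPLE_JWK, [value]))
```

Note that the published value is a hash of the key authorization, so the TXT record does not leak the token or the account key; what it proves is control of the zone, which is why a plain dynamic-DNS hostname without an API for TXT records is not enough. Automated renewal is then the same computation repeated with a fresh token every run.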

                I got it! Well, almost!

                From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

                I also had to install certbot, and its annoyingly long dependencies.

                After the temp ban is lifted (I think one hour) I'll let you know if I can really validate the service and install the cert.

                ----------------------

                Worked!

                IMPORTANT NOTES:
                 - Congratulations! Your certificate and chain have been saved at:
                   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem
                   Your key file has been saved at:
                   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem
                   Your cert will expire on 2018-04-16. To obtain a new or tweaked
                   version of this certificate in the future, simply run certbot
                   again. To non-interactively renew *all* of your certificates, run
                   "certbot renew"
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.