Supporting Let's Encypt certificate generation and automated renewal
-
Let's Encrypt works on FreeBSD:
http://www.freshports.org/security/py-letsencrypt
http://www.freshports.org/security/letsencrypt.sh
https://github.com/Neilpang/acme.sh - This is the script I've used.I'm using HAProxy and Let's Encrypt certificates on pfSense 2.3 for SSL termination to my public websites.
It would be great if Let's Encrypt certificates could be generated within the pfSense UI.
Let's Encrypt's certificates expire within 90 days, so it would be great if we had a pfSense package that could run a renewal script to automatically renew the certificates. According to https://certbot.eff.org/#freebsd-haproxy it's recommended to run
letsencrypt renew –quietfrom within cron twice every day.An old related discussion can be found here: https://forum.pfsense.org/index.php?topic=101186.0
-
A bit +1 for this
-
Did you tried acme package?
https://forum.pfsense.org/index.php?topic=129376.0
-
Im sorry for bringing this back from the dead, but, can acme be used without:
a TLD or
b A dyn where you can manipulate TXT records or
c Some 80 or 433 port access (as u probably know, vivo has none)I have none of that, just a plain dyn dns.
-
Probably not if it's the free version. Need the ability to add and remove TXT records. Details are in the package. The number of supported DNS providers grows about monthly.
 -
I got it! Well, almost!
From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.
I also had to install certbot, and its annoyingly long dependancies.
After the temp ban is lifted (i think one hour) I let you know if I can really validate the service and install the cert.
–---------------------
Worked!
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem Your key file has been saved at: /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem Your cert will expire on 2018-04-16\. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
