Let’s Encrypt SSL Certificate on pfSense 2.3

Just a quick tutorial on how to create and (manually) install a Let’s Encrypt SSL certificate on pfSense 2.3.

(EDIT: this quick tutorial caused a bit of a stir on /r/PFSENSE and I want to address that. First of all, regarding the piping of the curled code to shell, while true that it’s a bad thing, people do it everywhere and while I’ve modified the step below to avoid the pipe, the code that you’re downloading does some piping itself. So, yeah. Feel free to modify and improve that. Second, this guide could definitely be improved and expanded, as I’ve written below, but generally I consider that it falls into the category of It Works For Me™. Third, absolutely feel free to doubt, verify and/or comment the steps presented below and/or Let’s Encrypt itself and if you realize that something or all of it will kill your dog or burn your house down, by all means, do not use this guide. Thanks.)

For this we’ll use the acme.sh script, which speaks the ACME protocol to the Let’s Encrypt servers.

Steps:

  1. Make sure that you have a proper, public FQDN that resolves to the pfSense WAN address. Let’s Encrypt validates the name by contacting that address, so if it can’t reach your WAN address via the FQDN, it’s not going to work.
  2. Enable the option “Disable webConfigurator redirect rule” under “System » Advanced » Admin Access » WebGUI redirect”, so the webConfigurator no longer holds port 80, and make sure you already have pfSense running on HTTPS (on the self-signed certificate at this point) by selecting “HTTPS” under “System » Advanced » Admin Access » Protocol”.
  3. Temporarily create a rule under “Firewall » Rules » WAN” to allow TCP on port 80 from anywhere, so the Let’s Encrypt validation request can reach acme.sh and it can do its magic.
  4. Log in to pfSense via ssh
  5. Download the acme.sh script, read through it yourself before you run anything, and then run it:

    (Note that  contains *drama ensues yet again*)
  6. It will install under ~/.acme.sh. Let’s run it:
  7. It will create the certificate and the accompanying files in /root/.acme.sh/YOUR.FQDN.HERE
  8. Under “System » Certificate Manager » Certificates” add a new certificate (button on the bottom right), paste the contents of YOUR.FQDN.HERE.cer into “Certificate data” and the contents of YOUR.FQDN.HERE.key into “Private key data” (the whole PEM block, BEGIN and END lines included). Put a descriptive name in and you’re good.
  9. Go to “System » Advanced » Admin Access” and under “SSL Certificate” pick the newly created certificate as the active one.
  10. Disable (or delete) the temporary “allow TCP on port 80 from anywhere” rule on WAN.

Note that this quick’n’dirty method implies that you’re going to be renewing the certificate in the same, manual way: Let’s Encrypt certificates are valid for 90 days, and pfSense keeps the copy you pasted, so a renewed file under /root/.acme.sh does nothing until you paste it into the Certificate Manager again. I need to look up how to do that in a more automated fashion, but for now, this is okay.
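Before pasting anything into the Certificate Manager (step 8), and again later when deciding whether a renewal is due, a few openssl checks catch the usual mistakes: a certificate that does not cover the FQDN, a key that belongs to a different certificate, a chain that does not verify against the ca.cer acme.sh writes next to the certificate, and an expiry closer than you think. The script below is an added example, not code from the original post or from acme.sh. It assumes acme.sh’s file layout (/root/.acme.sh/FQDN/FQDN.cer, FQDN.key and ca.cer), uses the made-up hostname fw.example.com, and builds a throw-away CA and leaf so the checks can be exercised offline. It needs only POSIX sh and openssl (1.0.2 or newer, for -partial_chain), both of which the FreeBSD base under pfSense provides.

```shell
#!/bin/sh
# Added example (not from the original post or from acme.sh): sanity checks
# for the files acme.sh leaves in /root/.acme.sh/FQDN before they are pasted
# into System » Certificate Manager, plus a renewal-due check for later.
# Needs only POSIX sh and openssl. "fw.example.com" is a made-up hostname.

# Escape dots so grep matches the hostname literally.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# 0 if the certificate's subject CN or a subjectAltName DNS entry is FQDN.
cert_covers_fqdn() {
    esc=$(re_escape "$2")
    openssl x509 -noout -text -in "$1" \
        | grep -Eq "DNS:${esc}(,|\$)|CN ?= ?${esc}(,|/|\$)"
}

# 0 if the private key's public half is the one inside the certificate
# (compares the SubjectPublicKeyInfo from both files).
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate chains to the CA file. -partial_chain lets ca.cer be
# the Let's Encrypt intermediate rather than a root in the system trust store.
cert_chains_to() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid DAYS days from now. With 90-day
# Let's Encrypt certificates, a failing 30-day check means "renew now".
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Constructed demo data: a throw-away CA and a 90-day leaf for FQDN in DIR,
# so the checks above can be exercised without talking to Let's Encrypt.
make_demo_certs() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days 90 -in "$dir/$fqdn.csr" -CA "$dir/ca.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/$fqdn.cer" 2>/dev/null
}

# Run every check against an acme.sh output directory; prints one line per
# check and returns non-zero if any of them fails.
check_acme_dir() {
    fqdn="$1"; dir="$2"; rc=0
    cert_covers_fqdn "$dir/$fqdn.cer" "$fqdn" \
        && echo "name:   ok" || { echo "name:   MISMATCH"; rc=1; }
    key_matches_cert "$dir/$fqdn.cer" "$dir/$fqdn.key" \
        && echo "key:    ok" || { echo "key:    does not match certificate"; rc=1; }
    cert_chains_to "$dir/$fqdn.cer" "$dir/ca.cer" \
        && echo "chain:  ok" || { echo "chain:  does not verify against ca.cer"; rc=1; }
    cert_valid_for_days "$dir/$fqdn.cer" 30 \
        && echo "expiry: more than 30 days left" || { echo "expiry: renew now"; rc=1; }
    return $rc
}

# Stand-alone usage on the firewall:
#   sh check_cert.sh fw.example.com /root/.acme.sh/fw.example.com
if [ "$#" -eq 2 ]; then
    check_acme_dir "$1" "$2"
fi
```

The chain check is the one people skip: the browser only trusts the new certificate if the intermediate in ca.cer is served too, so verify against that file before adding it under “Certificate Authorities”. The 30-day expiry check is the same test you would put behind a reminder until renewal is automated.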

7 Comments

  1. You have to put a reminder or something.
     I created one cert with your tutorial, thanks. It only has three or four months? A little short.
     Apart from that, you have to add the ca.cer, created or downloaded along with the custom certificate, under “Certificate Authorities” or “CAs” (Add > copy ca.cer into “Certificate data”, put in some description and Save).

     Thanks Ivan. I think I will copy your tutorial, more or less, into Portuguese and put it on my new blog, which is under construction, if you allow me.

  2. Very nice document, I really appreciate your hard work.
     Please update me by email once you have the solution for auto-renewal of SSL on pfSense.

     Thanks
