Just a quick tutorial on how to create and (manually) install a Let’s Encrypt SSL certificate on pfSense 2.3.
(EDIT: this quick tutorial caused a bit of a stir on /r/PFSENSE and I want to address that. First of all, regarding the piping of curled code to a shell: while it’s true that it’s a bad thing, people do it everywhere, and while I’ve modified the step below to avoid the pipe, the code that you’re downloading does some piping itself. So, yeah. Feel free to modify and improve that. Second, this guide could definitely be improved and expanded, as I’ve written below, but generally I consider that it falls into the category of It Works For Me™. Third, absolutely feel free to doubt, verify and/or comment on the steps presented below and/or Let’s Encrypt itself, and if you realize that some or all of it will kill your dog or burn your house down, by all means, do not use this guide. Thanks.)
For this we’ll use the acme.sh script, which speaks the ACME protocol to Let’s Encrypt’s servers.
- Make sure the pfSense WAN address has a proper, public FQDN (a DNS record that resolves to it). acme.sh in standalone mode uses the HTTP-01 challenge, so if Let’s Encrypt can’t reach your WAN address by that FQDN on port 80, validation will fail.
- Enable the option “Disable webConfigurator redirect rule” under “System » Advanced » Admin Access » WebGUI redirect”, and make sure pfSense is already running on HTTPS (on its self-signed certificate at this point) by selecting “HTTPS” under “System » Advanced » Admin Access » Protocol”. The redirect rule is what makes the webConfigurator listen on port 80 as well, and acme.sh’s standalone listener needs that port to itself.
- Temporarily create a rule under “Firewall » Rules » WAN” that allows TCP to port 80 from anywhere (the WAN address as destination is enough), so the validation request from Let’s Encrypt can reach acme.sh’s standalone listener.
- Log in to pfSense via SSH.
- Download the acme.sh installer, read it yourself, then run it:
fetch https://get.acme.sh
sh get.acme.sh
(Note that get.acme.sh contains curl http://code | sh. *drama ensues yet again*)
- It will install under ~/.acme.sh. Let’s run it:
~/.acme.sh/acme.sh --issue --standalone -d YOUR.FQDN.HERE
- It will create the certificate and the accompanying files in /root/.acme.sh/YOUR.FQDN.HERE: YOUR.FQDN.HERE.cer (the certificate), YOUR.FQDN.HERE.key (the private key), ca.cer (the Let’s Encrypt intermediate) and fullchain.cer (certificate followed by the intermediate).
- Under “System » Certificate Manager » Certificates” add a new certificate (button on the bottom right, method “Import an existing Certificate”). Paste the contents of fullchain.cer into “Certificate data” and the contents of YOUR.FQDN.HERE.key into “Private key data”. Pasting only YOUR.FQDN.HERE.cer also works, but then the webConfigurator serves no intermediate and clients that don’t fetch it themselves will fail to validate the chain. Put a descriptive name in and you’re good.
- Go to “System » Advanced » Admin Access” and under “SSL Certificate” pick the newly created certificate as the active one.
- Disable (or delete) the temporary “allow TCP on port 80 from anywhere” firewall rule; it is only needed while the challenge is being answered.
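Before pasting anything into the Certificate Manager it is worth checking that the files acme.sh wrote actually belong together and cover the name you asked for; the same script tells you when the certificate is due for renewal. The following is an added example, not code from the original post or from acme.sh. It assumes acme.sh’s default output layout (~/.acme.sh/FQDN/FQDN.cer, FQDN.key, ca.cer, fullchain.cer), that openssl is available (pfSense ships it), and the script name check_le_cert.sh and the ACME_HOME override are my own inventions, not acme.sh settings.

```sh
#!/bin/sh
# check_le_cert.sh: sanity-check what acme.sh produced before it goes into
# pfSense, and flag when the 90-day certificate is due for renewal.
# Added example, not from the original post. Assumes acme.sh's default layout:
#   ~/.acme.sh/<FQDN>/<FQDN>.cer, <FQDN>.key, ca.cer, fullchain.cer
# ACME_HOME is an assumed override for the base directory, not an acme.sh knob.
set -eu

ACME_BASE="${ACME_HOME:-${HOME:-/root}/.acme.sh}"

# Directory acme.sh uses for a given domain.
cert_dir_for() {
    printf '%s/%s\n' "$ACME_BASE" "$1"
}

# Number of PEM certificate blocks in a file. fullchain.cer should contain at
# least two (leaf plus intermediate); <FQDN>.cer contains exactly one.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the private key belongs to the certificate: the public key
# embedded in the cert must equal the one derived from the key (RSA or EC).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate's subjectAltName list carries the FQDN.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text | grep -q -E "DNS:$2(,|$)"
}

# True when the certificate expires within the next N days (default 30).
# -checkend exits 0 only if the cert is still valid after that many seconds.
needs_renewal() {
    days=${2:-30}
    ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}

# Usage: sh check_le_cert.sh YOUR.FQDN.HERE
if [ "$#" -ge 1 ]; then
    fqdn=$1
    dir=$(cert_dir_for "$fqdn")
    cert="$dir/$fqdn.cer"; key="$dir/$fqdn.key"; chain="$dir/fullchain.cer"
    for f in "$cert" "$key" "$chain"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done
    echo "certificates in fullchain.cer: $(count_certs "$chain")"
    key_matches_cert "$cert" "$key" && echo "key matches certificate" \
        || { echo "KEY DOES NOT MATCH CERTIFICATE" >&2; exit 1; }
    cert_covers_name "$cert" "$fqdn" && echo "certificate covers $fqdn" \
        || { echo "certificate does not list $fqdn" >&2; exit 1; }
    if needs_renewal "$cert" 30; then
        echo "RENEW NOW: expires within 30 days"
    else
        echo "not due for renewal yet"
    fi
    openssl x509 -in "$cert" -noout -enddate
fi
```

Run it as the same user that ran acme.sh (root, in the steps above) so it finds /root/.acme.sh. A key/certificate mismatch here means you are about to paste the wrong pair into pfSense; a chain count of 1 in fullchain.cer means acme.sh did not write the intermediate and the .cer alone is all you have.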
Note that this quick’n’dirty method means you’ll be renewing the certificate in the same manual way, and Let’s Encrypt certificates are only valid for 90 days. I still need to look up how to do that in a more automated fashion, but for now, this is okay.