
Author Topic: Let's Encrypt w Acme package working, but not ideal


MervinCM
Let's Encrypt w Acme package working, but not ideal
« on: November 23, 2017, 09:13:51 pm »
pfSense 4.1.2
acme 0.123 package installed
dynamic DNS configured and functional in pfSense
I use namecheap for my domain name and to host DNS.
I only own one domain name, and I want to use it externally to VPN home, as well as internally on a few devices so I can use https.
acme configured and working, certificate issued, installed, working, and have since renewed it. Standalone HTTP Server is the authentication option configured.

I would like to move to another authentication option because:
- this option requires that I have an entry in my external namecheap DNS, and this entry is the internal name for my router. I do not want that to ever resolve to my external IP address; I want it to fail, or to resolve to my internal IP via my pfSense internal DNS resolver. So right now, I have to manually make the A record in my external DNS, renew, then manually delete it.
- I have to manually enable a firewall rule and port forward rule to redirect the port to allow Let's Encrypt to reach the temp http server.

These steps prevent me from scheduling the renewal.

any suggestions?

https://doc.pfsense.org/index.php/ACME_package

suggests, in order:
nsupdate - can't see how to make this work with namecheap DNS
DNS-Manual - seems to only work to create certs, not renew them
FTP webroot - seems to need a fixed IP address
webroot local folder - seems easy to make an error that would compromise security
jimp
Re: Let's Encrypt w Acme package working, but not ideal
« Reply #1 on: December 01, 2017, 03:27:31 pm »
The namecheap API is not feasible to use, partially because it's closed/paid access so the folks at acme.sh can't implement it easily. Additionally, last I looked, the API was not very good. You had to read all records, change one thing and then push the entire zone back. Lots of room for error.

Your best bet is moving your DNS to an alternate provider that is supported by the ACME package.

I love Namecheap, all of my domains are registered there, but they have not been very good for API/dynamic updates for anything other than A records.