
Topic: Supporting Let's Encrypt certificate generation and automated renewal


yonas
Let's Encrypt works on FreeBSD:

http://www.freshports.org/security/py-letsencrypt
http://www.freshports.org/security/letsencrypt.sh
https://github.com/Neilpang/acme.sh - This is the script I've used.

I'm using HAProxy and Let's Encrypt certificates on pfSense 2.3 for SSL termination to my public websites.

It would be great if Let's Encrypt certificates could be generated within the pfSense UI.

Let's Encrypt's certificates expire within 90 days, so it would be great if we had a pfSense package that could run a renewal script to automatically renew the certificates. According to https://certbot.eff.org/#freebsd-haproxy it's recommended to run `letsencrypt renew --quiet` from within cron twice every day.

An old related discussion can be found here: https://forum.pfsense.org/index.php?topic=101186.0
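The renewal half of the request above, as an added example in Python that is not code from this thread, from pfSense or from certbot: a certbot deploy hook that rebuilds the single PEM file HAProxy loads (certificate, chain and private key in one file) and reloads HAProxy after a successful renewal. certbot runs the program named by --deploy-hook once per lineage that was actually renewed and passes that lineage's live/ directory in RENEWED_LINEAGE, so the twice-daily cron job from the post becomes one line such as `0 0,12 * * * /usr/local/bin/certbot renew --quiet --deploy-hook /usr/local/etc/letsencrypt/haproxy-deploy.py` (both paths assumed; certbot's own instructions suggest a random sleep before the renew so every client does not hit the CA in the same minute). HAPROXY_CERT_DIR, HAPROXY_RELOAD and the lineage name are assumptions for the example, and the PEM bodies in the demo function are placeholders, not key material.

```python
#!/usr/bin/env python3
"""certbot deploy hook: republish a renewed Let's Encrypt cert for HAProxy.

Added example; not code from this thread, from pfSense or from certbot.
certbot exports RENEWED_LINEAGE (the live/<name> directory) and
RENEWED_DOMAINS when it runs a --deploy-hook. The two constants below are
assumptions for this example and must match your own HAProxy setup.
"""
import os
import stat
import subprocess
import sys
import tempfile

HAPROXY_CERT_DIR = "/usr/local/etc/haproxy/certs"   # assumed: HAProxy `crt` directory
HAPROXY_RELOAD = ["service", "haproxy", "reload"]   # assumed: reload command

CERT_MARKER = b"-----BEGIN CERTIFICATE-----"
KEY_MARKER = b"PRIVATE KEY-----"   # matches PKCS#8 and RSA/EC "BEGIN ... PRIVATE KEY"


def build_haproxy_pem(lineage_dir: str, out_dir: str = HAPROXY_CERT_DIR) -> str:
    """Write <out_dir>/<lineage name>.pem = fullchain.pem + privkey.pem.

    HAProxy wants leaf, chain and key in one file. The file is created 0600
    (it holds the private key) as a temporary file and renamed into place,
    so HAProxy never loads a half-written PEM. Returns the path written and
    raises ValueError if either input does not look like what it should be.
    """
    with open(os.path.join(lineage_dir, "fullchain.pem"), "rb") as f:
        chain = f.read()
    with open(os.path.join(lineage_dir, "privkey.pem"), "rb") as f:
        key = f.read()
    if CERT_MARKER not in chain:
        raise ValueError("fullchain.pem contains no certificate")
    if KEY_MARKER not in key:
        raise ValueError("privkey.pem contains no private key")
    if not chain.endswith(b"\n"):
        chain += b"\n"   # keep the key's BEGIN line on a line of its own

    name = os.path.basename(os.path.normpath(lineage_dir))
    target = os.path.join(out_dir, name + ".pem")
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".pem-", dir=out_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)  # 0600, explicitly
            f.write(chain)
            f.write(key)
        os.replace(tmp, target)   # atomic rename on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def demo_with_constructed_lineage() -> dict:
    """Run build_haproxy_pem on a constructed lineage in a temp directory.

    The PEM bodies are placeholders carrying only the BEGIN/END markers the
    hook checks for; they are not certificates or keys.
    """
    chain = (b"-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
             b"-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----")
    key = b"-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as root:
        lineage = os.path.join(root, "live", "www.example.net")
        os.makedirs(lineage)
        with open(os.path.join(lineage, "fullchain.pem"), "wb") as f:
            f.write(chain)
        with open(os.path.join(lineage, "privkey.pem"), "wb") as f:
            f.write(key)
        target = build_haproxy_pem(lineage, os.path.join(root, "haproxy-certs"))
        with open(target, "rb") as f:
            data = f.read()
        return {
            "name": os.path.basename(target),
            "mode": stat.S_IMODE(os.stat(target).st_mode),
            "content": data,
        }


def main() -> None:
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this via certbot --deploy-hook")
    target = build_haproxy_pem(lineage)
    subprocess.run(HAPROXY_RELOAD, check=True)
    print(f"deployed {target} for {os.environ.get('RENEWED_DOMAINS', '?')}")


if __name__ == "__main__":
    main()
```

Make the hook executable and owned by root, and keep HAPROXY_CERT_DIR itself 0700: the combined PEM is as sensitive as privkey.pem. Because certbot only runs the hook for lineages it actually renewed, a cron run that finds nothing due does not touch the file or reload HAProxy.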

mikerj
Re: Supporting Let's Encrypt certificate generation and automated renewal
« Reply #1 on: April 28, 2017, 08:03:04 am »
A bit +1 for this

psalm57
Re: Supporting Let's Encrypt certificate generation and automated renewal
« Reply #3 on: January 15, 2018, 07:29:48 pm »
I'm sorry for bringing this back from the dead, but can acme be used without:

a) a TLD, or
b) a dyn where you can manipulate TXT records, or
c) some port 80 or 443 access (as you probably know, Vivo has none)?

I have none of that, just a plain dyn DNS.

Derelict (Global Moderator)
Re: Supporting Let's Encrypt certificate generation and automated renewal
« Reply #4 on: January 15, 2018, 07:55:29 pm »
Probably not if it's the free version. Need the ability to add and remove TXT records. Details are in the package. The number of supported DNS providers grows about monthly.
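Why the ability to add and remove TXT records is the hard requirement, as an added example in Python (not code from this thread, from acme.sh, certbot or pfSense): the value the CA looks up for a dns-01 challenge is derived from the challenge token and the ACME account key, so it is different for every order and every renewal, and a provider that only lets you park a fixed record cannot serve it. The computation follows RFC 8555 section 8.4 (key authorization and TXT value) and RFC 7638 (account key thumbprint) using only the standard library. SAMPLE_JWK, the token and the "served" record values are constructed placeholders; the x/y coordinates are not a real curve point and the token is not from any real order.

```python
"""ACME dns-01: what goes into _acme-challenge and why it changes.

Added example; not code from this thread or from acme.sh, certbot or
pfSense. Implements RFC 8555 section 8.4 and RFC 7638 with the stdlib.
SAMPLE_JWK and the token in demo() are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Placeholder account key: 32 arbitrary bytes per coordinate, not a real point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "ignored-by-thumbprint",   # optional members never enter the hash
}

# RFC 7638 section 3.2: only the required public members, lexicographic order.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def canonical_jwk_json(jwk: dict) -> str:
    """Minimal JSON (sorted keys, no whitespace) over the thumbprint members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON))."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (owner name, TXT rdata) that the CA will query for dns-01.

    key authorization = token || "." || thumbprint(account key)
    TXT value         = base64url(SHA-256(key authorization))
    A wildcard is validated at its base name, so a leading "*." is dropped.
    The token is chosen by the CA per challenge, hence a new value each time.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return ("_acme-challenge." + base, value)


def stale_records(served: list, expected: str) -> list:
    """TXT values at _acme-challenge that are not the current challenge.

    The CA accepts the name if any served TXT record matches, so leftovers do
    not break validation, but they pile up on a provider where records can be
    added and not deleted; a client with delete access removes them after
    the challenge is validated.
    """
    return [v for v in served if v != expected]


def demo() -> dict:
    """Constructed walk-through for a wildcard name with one stale record."""
    token = "constructed-token-from-the-CA"   # placeholder, not a real ACME token
    name, value = dns01_record("*.example.net", token, SAMPLE_JWK)
    served = ["old-value-from-last-renewal", value]   # constructed zone contents
    return {"name": name, "value": value, "stale": stale_records(served, value)}


if __name__ == "__main__":
    r = demo()
    print(f'{r["name"]} IN TXT "{r["value"]}"')
    print("stale records to delete:", r["stale"])
```

The same thumbprint is used by http-01 (the key authorization is served verbatim at /.well-known/acme-challenge/<token>), which is why a DNS provider with a static TXT field and a host with no inbound port 80 or 443 leave no challenge type available, as the replies above describe.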

psalm57
Re: Supporting Let's Encrypt certificate generation and automated renewal
« Reply #5 on: January 15, 2018, 09:07:32 pm »
I got it! Well, almost!

From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

I also had to install certbot, and its annoyingly long dependencies.

After the temp ban is lifted (I think one hour) I'll let you know if I can really validate the service and install the cert.

-----------------------

Worked!

Code:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem
   Your cert will expire on 2018-04-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
« Last Edit: January 15, 2018, 09:18:49 pm by psalm57 »