Quick & Easy Let’s Encrypt Setup on pfSense using ACME

There is a wonderful new capability in pfSense to use Let’s Encrypt to automatically and securely generate fully recognized TLS certificates.

This is a great thing because security is important. Using self-signed certs is annoying at best. You still completely control your private key when using ACME via services such as Let’s Encrypt, so there is no security downfall to using it.

How-to use Let’s Encrypt on pfSense

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.
Click “Create new account key” to generate a key and insert it into the Account key box.
Finally click the Register button and Save.

The next step is to create your certificate. Under Certificates click the Add button.
Enter the details such as the name.

In the Table you will see I selected “standalone HTTP server” and in the options set the listen port to 8082. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80. We will accomplish this with a port forward rule in the next step.

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to your pfSense IP address which is by default.
This allows the ACME server to communicate with your device to verify ownership.

Of course you can use other methods, I just found this to be the simplest option assuming that you have something already running on port 80 like I do.

Now let’s go back to Acme Certificates, and click the Issue/Renew button. If the domain name you used has correctly configured DNS, you should have a freshly minted certificate available for use under System / Cert. Manager.

To use this new certificate from the pfSense webConfigurator like I am, go to System / Advanced / Admin Access and select your new certificate under the SSL Certificate drop down menu.

Onward to TLS everywhere!

4 Replies to “Quick & Easy Let’s Encrypt Setup on pfSense using ACME”

  1. Thank you for your write-up. For the automatic renewal the NAT rule should remain in place. Is this considered a security risk?

  2. It is a small issue. As long as nothing is listening on the port that you choose other than when the ACME task runs, I don’t believe it’s a big issue. But as the package in pfsense develops I’m sure there will be a way soon to dynamically add and remove the firewall rule.

  3. If the domain name you used has correctly configured DNS ? excuse my ignorance. But I do not understand that part. My use is in the home. You posted this in the pfsense forum

  4. By that I’m assuming that you’ve already pointed the public A record for the domain name you are trying to configure to your pfSense WAN IP.

Leave a Reply

Your email address will not be published. Required fields are marked *