Quick & Easy Let’s Encrypt Setup on pfSense using ACME


There is a wonderful new capability in pfSense to use Let’s Encrypt to automatically and securely generate fully recognized TLS certificates.

This is a great thing because security is important. Using self-signed certs is annoying at best. You still completely control your private key when using ACME via services such as Let’s Encrypt, so there is no security downfall to using it.

How-to use Let’s Encrypt on pfSense

Under System / Package Manager / Available Packages you should find a package called acme. Click the install button and allow it to complete.

Once installed you should find Acme Certificates under the Services menu.

The first step is to create your account keys. Enter a name, select the production server if you want this to be live.
Click “Create new account key” to generate a key and insert it into the Account key box.
Finally click the Register button and Save.

The next step is to create your certificate. Under Certificates click the Add button.
Enter the details such as the name.

In the Table you will see I selected “standalone HTTP server” and in the options set the listen port to 8082. This is important because the ACME server needs to be able to access this standalone HTTP server on port 80. We will accomplish this with a port forward rule in the next step.

Under Firewall / NAT / Port Forward create a new rule that forwards port 80 HTTP to your pfSense IP address which is 192.168.1.1 by default.
This allows the ACME server to communicate with your device to verify ownership.

Of course you can use other methods, I just found this to be the simplest option assuming that you have something already running on port 80 like I do.

Now let’s go back to Acme Certificates, and click the Issue/Renew button. If the domain name you used has correctly configured DNS, you should have a freshly minted certificate available for use under System / Cert. Manager.

To use this new certificate from the pfSense webConfigurator like I am, go to System / Advanced / Admin Access and select your new certificate under the SSL Certificate drop down menu.

Onward to TLS everywhere!


10 Replies to “Quick & Easy Let’s Encrypt Setup on pfSense using ACME”

  1. Thank you for your write-up. For the automatic renewal the NAT rule should remain in place. Is this considered a security risk?

  2. It is a small issue. As long as nothing is listening on the port that you choose other than when the ACME task runs, I don’t believe it’s a big issue. But as the package in pfsense develops I’m sure there will be a way soon to dynamically add and remove the firewall rule.

  3. If the domain name you used has correctly configured DNS ? excuse my ignorance. But I do not understand that part. My use is in the home. You posted this in the pfsense forum

  4. By that I’m assuming that you’ve already pointed the public A record for the domain name you are trying to configure to your pfSense WAN IP.

  5. It works, thanks. Some questions…

    a) So do I have to keep port 80 permanently redirected to 8082, which opens briefly at renewal time every 60 days, then closes again. This makes my port 80 useless for other servers, unless I have virtual host listener and reverse proxy for the certificated name? Is there another solution? Why can’t LE be told to connect back to me on a port other than 80?

    b) My pfSense has an internal domain name, like firewall.inside.company.com This (deliberately) doesn’t have a publically resolvable dns name. Is the only way to use LetsEncrypt, with a resolvable DNS name?

  6. It’d be better the use these hosts for NAT’s Source:

    outbound1.letsencrypt.org
    outbound2.letsencrypt.org

    So you can share TCP/80 with our services and keep ACME access for Let’s Encrypt secure.

  7. Thanks for the tutorial.

    After successfully issuing a certificate, I selected the certificate in the Adv. Settings and save.
    Every time, is creates a new “default certificate” and set it to be used… :/

  8. I followed the instructions to the letter (multiple times), but the “Issue/Renew” step always fails with:

    Array
    (
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [port] => 8082
    )
    [Tue Jun 6 18:24:18 CDT 2017] Standalone mode.
    [Tue Jun 6 18:24:18 CDT 2017] Single domain=’MySubdomain.MyDomain.win’
    [Tue Jun 6 18:24:18 CDT 2017] Getting domain auth token for each domain
    [Tue Jun 6 18:24:18 CDT 2017] Getting webroot for domain=’MySubdomain.MyDomain.win’
    [Tue Jun 6 18:24:18 CDT 2017] Getting new-authz for domain=’MySubdomain.MyDomain.win’
    [Tue Jun 6 18:24:25 CDT 2017] The new-authz request is ok.
    [Tue Jun 6 18:24:25 CDT 2017] Verifying:MySubdomain.MyDomain.win
    [Tue Jun 6 18:24:25 CDT 2017] Standalone mode server
    [Tue Jun 6 18:24:29 CDT 2017] Pending
    [Tue Jun 6 18:24:31 CDT 2017] Pending
    [Tue Jun 6 18:24:33 CDT 2017] MySubdomain.MyDomain.win:Verify error:Could not connect to MySubdomain.MyDomain.win
    GET / HTTP/1.1
    Host: localhost:8082
    User-Agent: acme.sh/2.6.7 (https://github.com/Neilpang/acme.sh)
    Accept: */*

    [Tue Jun 6 18:24:34 CDT 2017] Please check log file for more details: /tmp/acme/BSD/acme_issuecert.log

    Note: I have a Linux box that serves https traffic with LetsEncrypt with no problems. I have followed the steps in this guide, including setting up the port forward to 8082 on the pfSense machine.

    MyDomain.win and Subdomain.MyDomain.win are both CNAME records (via duckdns.org), because this is all running on computers in my basement. Is that the reason for the trouble? The Linux box has been set up with LetsEncrypt and everything worked on the first try.

    I just want to be able to access the webUI on my pfSense without my browser going red alert every time.

Leave a Reply

Your email address will not be published. Required fields are marked *