Using pfSense’s ACME Package to Generate Let’s Encrypt Certs (ver 2.3.4-RELEASE-p1)

Important note before proceeding: Let’s Encrypt certificates are completely free and are signed by a publicly trusted CA rather than self-signed, but they require that you own a domain name and be able to prove control of it.

As with other pfSense packages, start the installation by going to:

  • System: Package Manager: Available Packages

From there, locate the “ACME” package and select Install. Once it is installed, go to:

  • Services: ACME Certificates

We’ll now start the process by generating an account key.  Under the “Account Key” tab fill in:

  • Name:  Whatever name or domain you prefer
  • Description: Again, whatever description you like.
  • ACME Server: Unless you will temporarily be deploying a certificate to a test-only environment, you will likely want to select Let’s Encrypt Production (certificates from the staging server are not trusted by browsers).

Hit “Create new security key” to generate a new key then finalize by selecting “Register acme account key” and then “Save”.

The next step is to create a profile for our new certificate.  Now go to the “Certificates” tab and select “Add”.

For the fields here:

  • Name: As before, whatever name for the cert you prefer.
  • Description: Likewise, whatever you want.
  • Status: Active (unless you are generating the certificate for use at a later date and want it to remain unused until then)
  • ACME Account: Should match the account key you generated in the previous step.
  • Key Size:  This is up to you and might depend on what you are going to use the certificate for.  If it is just for logging into your pfSense console there isn’t much reason not to use 4096 or ec-384.  However, if you’re going to be using it extensively with VPN connections or something else more demanding you may want to lower the key size to improve performance.  For a home connection like mine there should be no discernible performance impact.
  • Domain SAN List: Here list the domain(s) you want the certificate issued for; ownership of each will be verified. There are multiple methods of verification, but I’ve picked “DNS Manual” as my method in this example as it seemed to be the most straightforward and easy to set up.
  • Actions List: If you are using the certificate with the web GUI or HAProxy, example commands are provided that restart those services upon renewal. If you’re unsure, you can leave these blank for now until you configure the cert with services later.
  • DNS Renewal & DNS-Sleep: Unless you have a specific reason to customize these settings, you can leave them blank (default values).

Click “Save”.

Now we will start the process to issue and verify our certificate profile.

Press the “Issue” button and wait for it to process the request. You’ll be presented with instructions you’ll need to complete the verification process.
How you update your host records will depend on who your domain is registered with (or who hosts its DNS), but once you have found the place to edit DNS/host records, add a new host record entry as stated in the instructions:
  • Host Name: _acme-challenge (so the effective name is _acme-challenge.domainname.com)
  • Address: The TXT/key value given in your instructions
  • Record Type: TXT
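Before pressing “Renew”, it is worth confirming that the TXT record is actually visible from outside your network, since a record that has not propagated yet is the usual reason the first attempt fails. The following script is an added example, not part of the original post or of the ACME package; it assumes `dig` (from bind-tools/dnsutils) is installed on the machine you run it from, and the domain, token and resolver values are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the _acme-challenge
# TXT record is visible from a public resolver before clicking "Renew" in pfSense.
# Assumes `dig` is available. Domain, token and resolver are placeholder values.

# dig prints TXT data quoted, and splits long records into several quoted strings
# ("abc" "def"); reduce that to the bare value so it can be compared to the token.
normalize_txt() {
    printf '%s' "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# Return 0 if any line of `dig +short TXT` output ($1) equals the expected token ($2).
# Pure function (no network) so the matching logic can be exercised on canned output.
txt_answers_contain() {
    found=1
    while IFS= read -r line; do
        [ -n "$line" ] && [ "$(normalize_txt "$line")" = "$2" ] && found=0
    done <<EOF
$1
EOF
    return $found
}

# Ask a public resolver (default 1.1.1.1) rather than the LAN resolver, which may
# still be serving a cached negative answer from before the record was created.
challenge_txt_matches() {
    domain=$1; expected=$2; resolver=${3:-1.1.1.1}
    answers=$(dig +short TXT "_acme-challenge.$domain" "@$resolver") || return 2
    txt_answers_contain "$answers" "$expected"
}

# Poll until the record is visible or the attempt budget is exhausted, so "Renew" is
# only pressed once Let's Encrypt has a realistic chance of seeing the record.
wait_for_challenge() {
    domain=$1; expected=$2; resolver=${3:-1.1.1.1}; tries=${4:-12}; delay=${5:-10}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if challenge_txt_matches "$domain" "$expected" "$resolver"; then
            echo "TXT record for _acme-challenge.$domain is live; safe to click Renew"
            return 0
        fi
        i=$((i + 1))
        echo "attempt $i/$tries: record not visible yet, sleeping ${delay}s" >&2
        sleep "$delay"
    done
    echo "gave up: _acme-challenge.$domain does not carry the expected token" >&2
    return 1
}

# Usage: sh check_acme_txt.sh example.com TOKEN-FROM-PFSENSE-ISSUE-OUTPUT [resolver]
if [ "$#" -ge 2 ]; then
    wait_for_challenge "$1" "$2" "${3:-1.1.1.1}"
fi
```

Run it with your domain and the token shown in the “Issue” output; it exits 0 as soon as a public resolver returns the matching record, and non-zero after about two minutes of retries otherwise. Querying a public resolver rather than your own is deliberate: Let’s Encrypt resolves the name from the outside, so a record that only your LAN resolver can see does not help.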

After adding the record, go back to the “Certificates” tab and hit “Renew”. It should take a moment to verify ownership of your domain via the DNS record and then give you the following response, with your certificate details below it:

[TIMESTAMP] Success
[TIMESTAMP] Verify finished, start to sign.
[TIMESTAMP] Cert success.
-----BEGIN CERTIFICATE-----

If it didn’t work the first time, don’t worry too much (it didn’t for me the first time either). Hit “Issue” again, copy the new TXT value into a new TXT record and delete your previous entry, give the record a little time to propagate, then try the renew process again.

Once successful, go to System: Cert Manager and you should now have your very own non-self-signed certificate! You can use certificates from here with the pfSense Admin WebGUI, VPN, or whatever else you want.