Let’s Encrypt Setup on pfSense using ACME

This post lists the steps to configure a Let’s Encrypt SSL certificate on a pfSense box

  • Use Cloudflare DNS and point the subdomains to their DNS servers.
  • Install the “acme” package using the “Package Manager” (System / Package Manager / Available Packages)
  • After installation, check that the “Acme Certificates” option exists under Services and click on it
  • Go to the “Account keys” option and click on the “Add” button
  • Provide values for Name, email-address and click on Create New Account key. Click on “Register ACME account key” and then “Save”.
  • Choose “Certificate” and provide the following values:
    • Name: abc.def.com
    • Description: pfSense Certificate
    • Status – Set as Active
    • Acme Account – the account name provided in the previous step
    • Private Key – 2048-bit RSA
    • OCSP Must Staple – leave unchecked
    • Domain SAN List
      • Choose Mode as Enabled
      • Domain Name – abc.def.com
      • Method – DNS-Cloudflare
      • Key – API key from the Cloudflare website
      • Email – API email address
      • Enable DNS alias mode – leave blank
      • Enable DNS domain alias – leave blank
  • Click on Save
  • Click on the “Issue / Renew” button to create a new certificate
  • Choose “General Settings”, tick “Cron Entry”, then Save

Reconfigure the WebGUI to use HTTPS

Go to System / Advanced / Admin Access and make the following changes:

  • Protocol – HTTPS
  • SSL Certificate – choose the Let’s Encrypt certificate created previously
  • Max Processes – 2
  • WebGUI redirect – blank (unchecked)
  • HSTS – blank (unchecked)
  • OCSP Must-Staple – blank (unchecked)
  • WebGUI Login Autocomplete – toggle on
  • WebGUI login messages – (unchecked)
  • Anti-lockout – (unchecked)
  • DNS Rebind Check – toggle on
  • Alternate Hostnames – provide if any
  • Browser HTTP_REFERER enforcement – toggle on
  • Browser tab text – blank
  • Secure Shell
    • Secure Shell Server – toggle on
    • SSHd Key Only – Password or Public Key
    • Allow Agent Forwarding – (unchecked)
    • SSH port – default 22
  • Login Protection
    • Threshold – default 30
    • Blocktime – 120
    • Detection Time – 1800
    • Whitelist – blank
  • Serial Comm – default values
  • Console Options
    • Console menu – (unchecked)
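Once the WebGUI is serving the ACME certificate, it is worth checking what the firewall actually presents rather than trusting the GUI status page alone. The script below is an added example, not from the original post: it assumes openssl is in PATH, uses the host name abc.def.com from the post, and treats a 30-day window as the point at which the cron-driven renewal should already have replaced the certificate (an assumption).

```shell
#!/bin/sh
# Added example, not part of the original post: after switching the WebGUI to the
# ACME certificate, fetch what the firewall serves and sanity-check it.
# Assumes openssl in PATH; the 30-day window is an assumption (typical renewal lead time).

# Print the leaf certificate presented on host:port as PEM.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM 2>/dev/null
}

# Succeed if the PEM certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed if the Subject Alternative Name list in $1 contains the DNS name $2.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# Succeed if $1 was issued by a Let's Encrypt CA (issuer O= field).
cert_issued_by_letsencrypt() {
    openssl x509 -in "$1" -noout -issuer | grep -q "Let's Encrypt"
}

# With a host name on the command line, run all checks against the live WebGUI.
# Usage: ./check_webgui_cert.sh abc.def.com [port]
if [ "$#" -ge 1 ]; then
    pem=$(mktemp)
    if ! fetch_cert "$1" "$2" > "$pem"; then
        echo "could not fetch a certificate from $1"; rm -f "$pem"; exit 2
    fi
    cert_issued_by_letsencrypt "$pem" || echo "WARN: issuer is not Let's Encrypt (still the self-signed default?)"
    cert_has_san "$pem" "$1"          || echo "WARN: SAN list does not include $1"
    cert_valid_for_days "$pem" 30     || echo "WARN: expires within 30 days; check the ACME cron entry and renewal log"
    rm -f "$pem"
fi
```

Run it from a machine that can reach the WebGUI port; a warning on the issuer usually means the Admin Access page is still pointing at the default self-signed certificate.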
