A Real pfSense HTTPS Certificate

Planted January 12, 2023

Yesterday, I learned how to get Let’s Encrypt working on our pfSense router.

First, I set SSH to only use public keys, then installed the sudo package and the acme.sh package in the GUI.

https://gaurangpatel.net/installing-nano-in-pfsense (this was very handy, as I am a nano user.)

https://jarrodstech.net/how-to-pfsense-haproxy-setup-with-acme-certificate-and-cloudflare-dns-api/

The kicker was getting /etc/resolv.conf to not use internal DNS routing. We use OpenDNS Umbrella’s free tier and we block the VPN category. acme.sh was trying to hit some DNS addresses like “cloudflare-dns.com”, which was getting blocked by OpenDNS.

So, after getting acme.sh all set up with my Cloudflare API token inside of pfSense, it would just loop and loop until I killed the process manually. It would constantly output curl error 60, which, it turns out, means that the HTTPS certificate of the request was insecure.

I believe removing the dnscheck would fix the issue, too. https://github.com/acmesh-official/acme.sh/wiki/dnscheck

Now, visiting https://my.fqdn.net actually gives no certificate errors!

Since we have two campuses at work, now I get to do it again for the second pfSense box.
