As we progress in the internet age, we put more and more emphasis on security. That has historically been harder for someone who hosts their own sites and services: dealing with self-signed certificates, or shelling out hard-earned cash for a “legit” cert, has always been a hassle. In the last few years, though, it has become much more attainable, especially for the homelabber, to create fully trusted certificates without the headache of purchasing them from a “trusted” party. Enter Let’s Encrypt, a service that lets anyone obtain certificates for free.
“Great, Let’s Encrypt, yes yes, we’ve all heard about it. The title says wildcard certs on pfSense, get to the good stuff!”, yea yea, I hear ya.
In this article I’m going to cover how to register an ACMEv2 account key and request a wildcard certificate using the ACME package in pfSense.
- A pfSense installation
- In this article I’ll be showing you how to do this on pfSense version 2.4.4-RELEASE-p3.
Step 1 – Adding the package
First thing you’ll want to do is make sure you have the ACME package installed.
From System > Package Manager, go to Available Packages, search for “acme”, and install it. Once it’s installed it will show up on your Installed Packages list.
Step 2 – Register your Account Key
Once you’ve gotten the package installed, you’ll want to register an account key with Let’s Encrypt.
Under Services, go to Acme Certificates.
Go to the Account keys tab, and click “Add”.
Fill out the form, making sure you select “Let’s Encrypt Production ACME v2” from the ACME Server drop-down. If you’re in a testing environment, or just want to try the process out, select the “Staging” server instead: the certificates it issues chain to a root that browsers don’t trust, but its rate limits are far looser, so it’s the place to debug a failing setup without burning through the limits imposed on the production servers.
Also make sure you enter a valid email address you have access to; this is where all notifications about the certificates you create with this key will go.
After you’ve filled everything out, click “Create new account key” and then “Register ACME account key”. Once that completes successfully, an account key appears in the Account Key field.
Lastly, click “Save”.
Step 3 – Add your Wildcard Certificate
Now that we have an account key, we can start creating certificates.
Go to the Certificates tab and click “Add”.
Fill out the form making sure you choose the ACME v2 Account Key you created in the previous step.
Under the Domain SAN list, add two entries for each domain you want a wildcard for: one plain, one with the wildcard. A wildcard only matches a single label below the domain, so *.myexample.com covers www.myexample.com but not myexample.com itself.
For example, if I wanted a wildcard for *.myexample.com that also works for the bare domain, I’d add both myexample.com and *.myexample.com.
This is also where setups differ. Depending on where your domain names come from and which validation method you use, you’ll follow different directions. I, for example, have my domains through GoDaddy. Note that Let’s Encrypt only issues wildcard certificates through the DNS-01 challenge, so for a wildcard you have to use one of the DNS methods anyway; they’re also easy to use and don’t require any inbound ports (e.g. port 80) to be open. The trade-off is that pfSense now holds an API key that can change your DNS records, so treat it like any other privileged credential and, where the provider allows it, scope it to just the zones it needs.
Under action list, you can specify things to happen after a cert is issued or renewed. I have mine set to run scripts which copy the certs out to my various web servers and recycle the server daemons. You can do whatever you like 😉
Fill out the required fields for your provider — remember that you’ll have to add two domain entries at a minimum — and then click “Save”.
Step 4 – Set the General Settings (Optional)
If you want to do something with your certs after they’ve been issued or renewed (the Actions under the Action List in the previous step), having them written to a location on the pfSense box is convenient. Keep in mind that the private key is written alongside the certificate, so anything you do with that directory (copying it out to web servers, for instance) should preserve restrictive permissions.
To do this, on the General tab, check the “Write Certificates” option and click “Save”.
Step 5 – Issue the Certificate
Now we’re set to get some certs!
Under the Certificates tab, you should see your newly created cert; click the “Issue/Renew” button. This starts the process of requesting a cert and validating that you control the domain. Once the process completes you’ll be presented with a big green wall of text. Read it carefully: even though it’s green and the top may say success, there can be errors listed further down that you’ll want to resolve.
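The Action List scripts mentioned in Step 3 are a good place to catch the two mistakes this procedure invites: a wildcard that was requested without the bare domain, and a deploy that quietly pushes out a certificate that is about to expire. The script below is an added example for such a hook, not code from the original post or from the pfSense ACME package. It assumes (my assumptions, not the post’s) that “Write Certificates” left the files as fullchain.pem and privkey.pem under CERT_DIR, and the web-server hosts and paths in DEPLOY_TARGETS are hypothetical. The SAN matching follows the X.509 wildcard rule that a `*` covers exactly one DNS label:

```shell
#!/bin/sh
# Added example (not from the original post): a deploy hook for the ACME
# package's Action List that checks an issued certificate before copying it.
# Assumed, not from the post: CERT_DIR and the fullchain.pem/privkey.pem
# file names; DEPLOY_TARGETS hosts and paths are hypothetical.
set -e

CERT_DIR="${CERT_DIR:-/tmp/acme/myexample.com}"   # assumed output dir of "Write Certificates"
MIN_DAYS="${MIN_DAYS:-14}"                          # refuse to deploy a cert expiring sooner
# host:path pairs (hypothetical) that receive the cert and key
DEPLOY_TARGETS="web1.myexample.com:/etc/nginx/ssl web2.myexample.com:/etc/nginx/ssl"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# san_matches SAN HOST: does one SAN entry cover HOST?
# A wildcard matches exactly one DNS label: *.myexample.com covers
# www.myexample.com, but neither myexample.com nor a.b.myexample.com.
san_matches() {
  san=$(lower "$1"); host=$(lower "$2")
  case "$san" in
    \*.*)
      suffix="${san#\*.}"
      case "$host" in
        *."$suffix")
          prefix="${host%."$suffix"}"
          case "$prefix" in
            ""|*.*) return 1 ;;   # nothing left, or more than one label
            *)      return 0 ;;
          esac ;;
        *) return 1 ;;
      esac ;;
    *) [ "$san" = "$host" ] ;;
  esac
}

# san_list_covers "SAN SAN ..." HOST: true if any SAN in the list covers HOST.
san_list_covers() {
  list="$1"; host="$2"
  for san in $list; do
    if san_matches "$san" "$host"; then return 0; fi
  done
  return 1
}

# cert_sans CERT.pem: print the DNS SANs in CERT, space separated.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | tr '\n' ' '
}

# check_cert CERT.pem NAME...: fail unless CERT covers every NAME and
# stays valid for at least MIN_DAYS (openssl -checkend takes seconds).
check_cert() {
  cert="$1"; shift
  sans=$(cert_sans "$cert")
  for name in "$@"; do
    if ! san_list_covers "$sans" "$name"; then
      echo "refusing to deploy: $cert does not cover $name (SANs: $sans)" >&2
      return 1
    fi
  done
  if ! openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null; then
    echo "refusing to deploy: $cert expires within $MIN_DAYS days" >&2
    return 1
  fi
}

# deploy: copy cert and key to each hypothetical target, lock down the key,
# and reload the daemon. Aborts before copying anything if check_cert fails.
deploy() {
  check_cert "$CERT_DIR/fullchain.pem" myexample.com www.myexample.com
  for target in $DEPLOY_TARGETS; do
    host="${target%%:*}"; dir="${target#*:}"
    scp "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "$host:$dir/"
    ssh "$host" "chmod 600 $dir/privkey.pem && service nginx reload"
  done
}

# Only deploy when invoked as "script.sh deploy"; otherwise the functions
# can be sourced and used on their own.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Because the name check runs against the certificate that was actually issued rather than against what you typed into the SAN list, it fails loudly if the apex entry was forgotten, which is exactly the case the “two entries per domain” rule exists for. Point the Action List at `sh /path/to/script.sh deploy` and it will refuse to touch the web servers unless both names are covered.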
Now that you’ve got your cert, you’ll probably want to host a bunch of stuff! I’ll cover that in my next post, Reverse Proxy with Squid.
Great post Dan! So easy to follow! Thank you! You mention in this post, “I have mine set to run scripts which copy the certs out to my various web servers and recycle the server daemons.”, can you write another blog on how you accomplished this?
Thank You! Excellent tutorial.