A Real pfSense HTTPS Certificate
Planted January 12, 2023
Yesterday, I learned how to get Let’s Encrypt working on our pfSense router. First I set ssh to only use public keys, then installed the sudo package and the acme.sh package in the GUI.
https://gaurangpatel.net/installing-nano-in-pfsense (this was very handy, as I am a nano user.)
https://jarrodstech.net/how-to-pfsense-haproxy-setup-with-acme-certificate-and-cloudflare-dns-api/
The kicker was getting /etc/resolv.conf to not use internal DNS routing. We use OpenDNS Umbrella’s free tier and we block the VPN category. acme.sh was trying to hit DNS addresses like “cloudflare-dns.com”, which OpenDNS was blocking.
So, after getting acme.sh all set up with my Cloudflare API token inside of pfSense, it would just loop and loop until I killed the process manually. It would constantly output curl error 60, which turns out to mean that curl could not verify the HTTPS certificate presented to it.
I believe removing the dnscheck would fix the issue, too. https://github.com/acmesh-official/acme.sh/wiki/dnscheck
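A small pre-flight script for the failure described above, added here as an example and not part of the post or of acme.sh. It assumes that the dnscheck request goes to https://cloudflare-dns.com (the host named above) and that curl is present on the box; the sample resolv.conf in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight check for the acme.sh
# dnscheck failure. Assumption: dnscheck reaches https://cloudflare-dns.com,
# so that host is the probe target.

# Classify one nameserver address: loopback and RFC1918 addresses mean the
# box is asking an internal resolver (pfSense's own Unbound, for instance),
# which is what the post's resolv.conf fix removed.
classify_nameserver() {
    case "$1" in
        127.*|::1)                              echo loopback ;;
        10.*|192.168.*)                         echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo private ;;
        *)                                      echo public ;;
    esac
}

# Read nameserver lines from a resolv.conf-style file, e.g. (constructed):
#   nameserver 127.0.0.1
#   nameserver 208.67.222.222
# Prints "<ip> <class>" per nameserver; returns 1 if any is not public.
check_resolv() {
    rc=0
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        class=$(classify_nameserver "$value")
        echo "$value $class"
        [ "$class" = public ] || rc=1
    done < "$1"
    return $rc
}

# Live probe: repeat the request acme.sh makes and map curl's exit status.
# Exit 60 (peer certificate verification failed) is the symptom from the
# post: a filtering resolver answered with a block page whose certificate
# does not match cloudflare-dns.com. Only runs when invoked with --probe.
probe_dnscheck_endpoint() {
    curl -sS -o /dev/null --max-time 10 https://cloudflare-dns.com/ 2>/dev/null
    status=$?
    case $status in
        0)  echo "ok: TLS to cloudflare-dns.com verified" ;;
        60) echo "curl 60: certificate not verifiable; DNS filtering likely" ;;
        *)  echo "curl exit $status" ;;
    esac
    return $status
}

if [ "$1" = --probe ]; then
    check_resolv /etc/resolv.conf
    probe_dnscheck_endpoint
fi
```

Note that a public resolver that filters (as OpenDNS did here) is only caught by the live probe, not by the resolv.conf classification.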
Now, visiting https://my.fqdn.net actually gives no certificate errors!
Since we have two campuses at work, now I get to do it again for the second pfSense box.