Certificate renewal

james.doe · March 11, 2021, 11:04am

Hi

I'm using pfSense and I have two Let's Encrypt acme certificates
Folder /etc/letsencrypt doesn't exist on this device, so I believe that both certificates were generated on another host and brought on this one via web-interface
Guess those are intermediate certificates, as soon as I have some test servers with self-signed acme certificates
Is there any way I can make sure what are those certificates for and renew both of them?

schoen · March 12, 2021, 7:08am

Hi @james.doe,

/etc/letsencrypt is used by Certbot, but there are also other ACME clients out there, so it's also possible that your certificates were obtained on the device itself, just using some other software.

The best way to find out the content of a certificate file on Unix is

openssl x509 -text -noout -in filename.pem

replacing filename.pem with the name of the certificate file you're interested in. This will give you a complete textual version of the certificate's contents.

If they were obtained via a web interface, your best option for the future would be to pick an ACME client that works well on this device, install it, and start from scratch using it to request certificates for the same set of domain names as your existing certificates. Automated renewal is handled differently by each ACME client, and most of them don't have a way to import a pre-existing certificate that was obtained with other software (nor is there typically any technical or policy benefit to doing so).

james.doe · March 16, 2021, 3:17pm

Thanks for the anwser and openssl tip

I've found some *.pem files but none of them has the same date as the one that's going to be expired

Haven't checked any files from /usr/share/certs/blacklisted and /usr/share/certs/trusted - guess those are root certs and I have no authority on their renewal

Those are files and folders I've checked:
/usr/local/etc/ssl/cert.pem
/usr/local/openssl/cert.pem
/var/unbound/unbound_server.pem
/var/unbound/unbound_control.pem
/etc/ssl/cert.pem
/var/etc/haproxy/ - there I've found one expired cert that I've acknowledged via web-interface. It has nothing common with info from there except the date though.
And some letsencrypt certs that I've succesfully renewed some days before starting this topic - not the one I'm looking for.

UPD:
A bit afterwards I found out I can export expiring certificate as .crt file

So... Am I supposed to install certbot on another host and renew my .crt using that installation or are there any other ways?

schoen · March 16, 2021, 7:31pm

I think acme.sh is supposed to work well directly on pfSense, or you could try Certbot on another host and then copy things over. You don't need to give either client your old certificate; you can just start from scratch and specify the domain names that you want to have covered in the new certificate.

The .crt file is the same as a .pem file, just under a different name to be more explicit about what kind of PEM object it is.

system · April 15, 2021, 7:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.