pfSense support for LetsEncrypt that doesn't constantly break

Is there a reliable way to integrate LetsEncrypt into pfSense without having to load files onto the web server?

I've been using "DNS-NSupdate / RFC 2136" in pfSense for a few years now, using a Bind 9 backend, and yet again the pfSense plugin is not renewing. I usually get a page of log text and have to read the last few lines to see if it failed or not, but today there's no log text, just a broken link.

In the past, sometimes it fails to renew inexplicably and I've had to recreate the configuration; other times (often) it is Bind complaining that there are already .jnl files and it can't do the update.

Unfortunately, I cannot inject http://<YOUR_DOMAIN>/.well-known/acme-challenge/ files into the webservers.

None of this seems to be a fault in LetsEncrypt, just problems dealing with Bind - I can ditch Bind and switch to another server, just wondering what my options are and what anybody else is using?

My domain is: fnd.li
I ran this command: pfSense ACME plugin
It produced this output: nothing
My web server is (include version): N/A
The operating system my web server runs on is (include version): CentOS 9
My hosting provider, if applicable, is: None
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): pfSense
The version of my client is: 3.0.3 (inside pfSense v2.6.0; with the ACME plugin v0.7.1_1)

Hi @littlejohnuk, and welcome to the LE community forum :slight_smile:

Can you add a proxy to handle those challenge requests [and proxy the rest to your web service]?

Can the pfSense, itself, be used as such a proxy?
[if so, then the internal web sites could, none the wiser, remain in HTTP]


pfSense has HAProxy built in, but that already has a pretty complicated setup - I did think about it, but decided that adding interceptors for urls could make it unmaintainable.

Having something that is API based and completely separate to HAProxy would be ideal; it's Bind that seems to be causing a lot of the issues (although today's problem is new and an Acme issue).

There's lots of DNS support for third party services, but we self host and have a lot built into our setup (scripts and tools) so I would like to keep it that way.

So, what would be great is if there is an open source (or commercial) DNS server that has an API which is supported by Acme.

You mean...?:
GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.

Since you are pro in-house DNS [so am I]...
Have you considered "outsourcing" only the ACME DNS challenges?
[you can CNAME them anywhere you like]

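The CNAME delegation suggested in the reply above, worked through end to end as an added example (this is not code from the thread, from pfSense or from the acme-dns project). It simulates two zones in memory: the in-house `fnd.li` zone, which carries only a static `_acme-challenge` CNAME and therefore never needs a dynamic update or a journal file, and a hypothetical delegated zone `auth.acme-dns.example` that the ACME client writes to. The TXT value is derived exactly as RFC 8555 §8.4 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 JWK thumbprint), and the resolver follows the CNAME the way a CA's validator does. The account key, token and record names are constructed placeholders.

```python
"""Simulated DNS-01 validation through a CNAME-delegated _acme-challenge name."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    # RFC 8555 uses base64url without '=' padding (RFC 7515 style).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the canonical JSON of the required public members,
    # keys sorted lexicographically, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.4: TXT record holds base64url(SHA-256(token "." thumbprint)).
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Constructed in-memory zones: key is (owner name, RR type), value is a list of RDATA.
# The in-house (Bind) zone holds one static CNAME and is never updated dynamically.
DELEGATED_NAME = "d420c923-constructed-id.auth.acme-dns.example."   # hypothetical acme-dns record
IN_HOUSE_ZONE = {("_acme-challenge.fnd.li.", "CNAME"): [DELEGATED_NAME]}
# The delegated zone is the only place the ACME client writes (via the acme-dns API).
ACME_DNS_ZONE = {}


def publish_txt(zone: dict, owner: str, value: str) -> None:
    """Stand-in for the acme-dns update API: add a TXT record to the delegated zone."""
    zone.setdefault((owner, "TXT"), []).append(value)


def resolve_txt(name: str, zones, max_cname: int = 8) -> list:
    """Look up TXT at name, following CNAMEs like a validating resolver would.

    Returns [] when nothing is published; raises if the CNAME chain loops or is too long.
    """
    for _ in range(max_cname + 1):
        for zone in zones:
            if (name, "TXT") in zone:
                return zone[(name, "TXT")]
            if (name, "CNAME") in zone:
                name = zone[(name, "CNAME")][0]   # follow the alias and look again
                break
        else:
            return []                             # no TXT and no CNAME anywhere
    raise RuntimeError("CNAME chain too long or looping")


def validate_dns01(domain: str, token: str, jwk: dict, zones) -> bool:
    """What the CA does: query TXT at _acme-challenge.<domain> and compare the value."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve_txt(f"_acme-challenge.{domain}.", zones)


# Constructed account key (public part only) and challenge token; not real values.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "CONSTRUCTED_X_COORDINATE_PLACEHOLDER",
               "y": "CONSTRUCTED_Y_COORDINATE_PLACEHOLDER"}
TOKEN = "constructed-challenge-token-not-from-a-real-order"


def demo() -> bool:
    """Client side publishes to the delegated zone; CA side validates via the in-house CNAME."""
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    publish_txt(ACME_DNS_ZONE, DELEGATED_NAME, txt)
    return validate_dns01("fnd.li", TOKEN, ACCOUNT_JWK, [IN_HOUSE_ZONE, ACME_DNS_ZONE])


if __name__ == "__main__":
    print("validation passed:", demo())
```

The point of the simulation is the split of responsibilities: the Bind zone for `fnd.li` changes only once, when the CNAME is added, so the RFC 2136 update path and its journal files drop out of the renewal entirely; every per-renewal write lands in the delegated zone, whose API can be restricted to TXT records under names it owns. In production the `publish_txt` call is the acme-dns HTTP update, and the check worth keeping from this script is the resolver walk: querying `_acme-challenge.fnd.li` TXT from an outside resolver before a renewal tells you whether the CNAME delegation is intact.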
