Let's Encrypt pfSense support
So there is this thing called https://letsencrypt.org and it is planned to launch in the week of November 16, 2015.
They offer free Domain Validation certificates in an automated way.
For those who are reaching the pfSense box from the internet using a domain name, it would be amazing if pfSense could take advantage of this service to provide an extra layer of security at no cost.
Did anyone dig into it?
As far as I can see, the "manual mode" looks promising.
Thanks for the hard work, pfSense rocks!
#1 Updated by Kill Bill over 5 years ago
Federico Castagnini wrote:
Did anyone dig into it?
Yeah, I did.
- the automated thing lacks lighttpd support
- depends on heaps of python stuff (on Debian, it pulls in both python 2.7 and python 3.x for good measure, plus a gcc compiler :rolleyes:)
- the FreeBSD port is WIP and pretty buggy as I understand it: https://forums.freebsd.org/threads/lets-encrypt-tool-for-generating-web-server-keys.50939/
Until someone produces something lightweight usable for manual configuration, I don't think it's worth the time to even fiddle with this.
BTW, the public beta launch has been postponed till Dec. 3 - https://letsencrypt.org//2015/11/12/public-beta-timing.html
#7 Updated by Finn Herzfeld about 5 years ago
Hi there, pfSense user here, don't really know much about the packaging and stuff. I just wanted to point out that use of their CA doesn't require all of those dependencies. That's just for the official client. There are tons of alternate clients, and it's not that hard to build your own. They speak the ACME protocol to talk to the CA server. acme-tiny seems to be a popular one. The official client seems mostly targeted at people who didn't know how to set up SSL in the first place, so while (in theory) having nice automation for automated installation in Apache, it is extremely bloated. I encourage you to read up on how their stuff works and stuff, I'd love to see this available in pfSense. I really hate clicking through SSL errors.
#8 Updated by Brian Buchanan about 5 years ago
Hi, I'm also hoping for a LetsEncrypt client package for pfSense.
It seems to me that if a dynamic DNS service matching the hostname has been set up, and webConfigurator is configured for https on port 443, LetsEncrypt could work automatically, more or less.
For reference, here's a list of LetsEncrypt clients, https://community.letsencrypt.org/t/list-of-client-implementations/2103 and some only require bash, OpenSSL and curl, and I read that https://github.com/Neilpang/le might even be 'sh' compatible and good for non-bash systems.
#12 Updated by Pi Ba almost 5 years ago
Got some basic functionality working.. Pull request sent for hopefully the first working version of the acme package on pfSense.. https://github.com/pfsense/FreeBSD-ports/pull/89
Making it actually pull a certificate might need some work on the webserver side of things, also the script to run/restart the webserver must be configured. Needs some testing though, if it can even be installed after the package is put together.. Hopefully it will be pulled in a day or two :). I've been able to configure haproxy (with a small lua script found online..) to provide the domain validation response token, haven't tried with the webgui nginx server.. Basically it can put the token into a configured folder, and then saves a certificate to the pfSense certificate store..
Comments / problems / feature requests are welcome.. Make sure to use the staging server when testing ;)
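The two moving parts described above (the ACME protocol from comment #7, and the "token into a configured folder" step from comment #12) are small enough to show end to end. The following is an added example and is not code from the pfSense acme package, from the pull request above, or from any Let's Encrypt client; it implements the HTTP-01 pieces as specified in RFC 8555 and RFC 7638. The challenge directory path, the function names and the sample JWK are constructed assumptions. The point a defender should take from it is the token check: the web server answers only under the fixed `/.well-known/acme-challenge/` prefix, and a token that is not plain base64url is refused before it ever becomes a file path, so validation requests cannot be used to read anything else out of the box.

```python
"""HTTP-01 challenge helpers (added example, not the pfSense acme package's code).

The CA fetches http://<host>/.well-known/acme-challenge/<token> and expects the
body "<token>.<thumbprint of the account key>" (RFC 8555 section 8.3). A client
writes that file into a folder the web server serves; the server must serve
nothing else from that prefix.
"""
import base64
import hashlib
import json
import os
import re

# Fixed URL prefix used by HTTP-01 validation (RFC 8555).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholder for the "configured folder" mentioned in the thread.
CHALLENGE_DIR = "/var/etc/acme/challenges"

# ACME tokens are base64url strings; a strict pattern is what keeps "..", "/"
# and friends out of the file path below.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, serialized as
    canonical JSON (sorted keys, no whitespace). Extra members such as 'alg' or
    'kid' are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at the challenge URL."""
    return token + "." + jwk_thumbprint(jwk)


def is_valid_token(token: str) -> bool:
    """True only for a syntactically valid ACME token."""
    return TOKEN_RE.fullmatch(token) is not None


def resolve_challenge_path(request_path: str, challenge_dir: str = CHALLENGE_DIR):
    """Map a request path to a file under challenge_dir, or None if it must be refused
    (wrong prefix, empty token, or any character that could escape the folder)."""
    if not request_path.startswith(CHALLENGE_PREFIX):
        return None
    token = request_path[len(CHALLENGE_PREFIX):]
    if not is_valid_token(token):
        return None
    return os.path.join(challenge_dir, token)


def write_challenge(token: str, jwk: dict, challenge_dir: str = CHALLENGE_DIR) -> str:
    """Client side: drop the key authorization into the configured folder."""
    if not is_valid_token(token):
        raise ValueError("refusing to write a challenge file for a malformed token")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def challenge_response(request_path: str, challenge_dir: str = CHALLENGE_DIR):
    """Server side (what the nginx/haproxy/lighttpd rule has to do): return the file
    content for a well-formed challenge request, None (i.e. 404) for anything else."""
    path = resolve_challenge_path(request_path, challenge_dir)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample account key: only the JWK members matter for the thumbprint.
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
    print(key_authorization("constructed-token", sample_jwk))
    print(resolve_challenge_path(CHALLENGE_PREFIX + "../secret"))  # None: refused
```

`write_challenge` is the part a client runs after the CA hands it a token; `challenge_response` is the logic the web server rule in front of the webGUI has to reproduce, whether as an nginx location, a haproxy lua hook or a lighttpd alias. Whichever server answers, the same two rules apply: only the fixed prefix, and only a well-formed token as the file name.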
#14 Updated by Ernesto Victor Villarreal over 4 years ago
Sorry, but now it's working via some simple manual steps...