Feature #5434

Let's Encrypt pfSense support

Added by Federico Castagnini over 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 11/12/2015
Due date: -
% Done: 0%
Estimated time: -

Description

So there is this thing called https://letsencrypt.org and it is planned to launch in the week of November 16, 2015.

They offer free Domain Validation certificates in an automated way.

For those who are reaching the pfSense box from the internet using a domain name, it will be amazing if pfSense can take advantage of this service to provide an extra layer of security at no cost.

Did anyone dig into it?
As far as I can see, the "manual mode" looks promising.

Thanks for the hard work, pfSense rocks!

History

#1 Updated by Kill Bill over 5 years ago

Federico Castagnini wrote:

Did anyone dig into it?

Yeah, I did.

- the automated thing lacks lighttpd support
- depends on heaps of python stuff (on Debian, it pulls in both python 2.7 and python 3.x for good measure, plus a gcc compiler :rolleyes:)
- the FreeBSD port is WIP and pretty buggy as I understand it: https://forums.freebsd.org/threads/lets-encrypt-tool-for-generating-web-server-keys.50939/

Until someone produces something lightweight usable for manual configuration, I don't think it's worth the time to even fiddle with this.

BTW, the public beta launch has been postponed till Dec. 3 - https://letsencrypt.org//2015/11/12/public-beta-timing.html

#2 Updated by Jeremy Porter over 5 years ago

  • Target version set to 24

We're in the Let's Encrypt beta, but won't be looking at this until after 2.3.

#3 Updated by Federico Castagnini over 5 years ago

Yeah, it looks like it needs to mature.

I will stay tuned and check what is going on once in a while.

Thanks a lot for the fast response guys!

#4 Updated by Jim Thompson over 5 years ago

  • Assignee set to Chris Buechler

#5 Updated by Chris Buechler over 5 years ago

  • Target version changed from 24 to 2.4.0

#6 Updated by Elias Gabrielsson about 5 years ago

+1

#7 Updated by Finn Herzfeld about 5 years ago

Hi there, pfSense user here, don't really know much about the packaging and stuff. I just wanted to point out that use of their CA doesn't require all of those dependencies. That's just for the official client. There are tons of alternate clients, and it's not that hard to build your own. They speak the ACME protocol to talk to the CA server. acme-tiny seems to be a popular one. The official client seems mostly targeted at people who didn't know how to set up SSL in the first place, so while (in theory) having nice automation for automated installation in Apache, it is extremely bloated. I encourage you to read up on how their stuff works and stuff, I'd love to see this available in pfSense. I really hate clicking through SSL errors.

#8 Updated by Brian Buchanan about 5 years ago

Hi, I'm also hoping for a LetsEncrypt client package for pfSense.

It seems to me that if a dynamic DNS service matching the hostname has been set up, and webConfigurator is configured for https on port 443, LetsEncrypt could work automatically, more or less.

For reference, here's a list of LetsEncrypt clients, https://community.letsencrypt.org/t/list-of-client-implementations/2103 and some only require bash, openSSL and curl, and I read that https://github.com/Neilpang/le might even be 'sh' compatible and good for non-bash systems.

#9 Updated by Y N about 5 years ago

le doesn't work for now in pfSense... I'm trying to find a solution, but... it is a bit complicated :(
Also, bash in pkg is different from Linux systems and it doesn't allow some methods. :(

#10 Updated by Y N almost 5 years ago

#11 Updated by Pi Ba almost 5 years ago

https://github.com/analogic/lescript has been working for a while. The part that needs work is making it into a proper pfSense package. (Slowly making something myself a.t.m.)

#12 Updated by Pi Ba almost 5 years ago

Got some basic functionality working.. Pull request sent for hopefully the first working version of the acme package on pfSense.. https://github.com/pfsense/FreeBSD-ports/pull/89

Making it actually pull a certificate might need some work on the webserver side of things, also the script to run/restart the webserver must be configured. Needs some testing though, if it even can be installed after the package is put together.. Hopefully it will be pulled in a day or two :). I've been able to configure haproxy (with a small lua script found online..) to provide the domain validation response token, haven't tried with the webgui nginx server.. Basically it can put the token into a configured folder, and then saves a certificate to the pfSense certificate store..

Comments / problems / feature requests are welcome.. Make sure to use the staging server when testing ;)
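The two comments above (#7 on clients speaking ACME, #12 on dropping the validation token into a folder that the webserver serves) describe the HTTP-01 challenge. The following is an added example, not code from the pfSense acme package or from lescript. It computes the key authorization the CA expects at `/.well-known/acme-challenge/<token>` (RFC 8555 together with the RFC 7638 JWK thumbprint), validates the token before using it as a filename so a bad token cannot escape the challenge directory, and keeps the staging directory URL separate from production as the comment recommends. The JWK values, the webroot and the `run_demo` helper are constructed for the example; the directory URLs are the current v2 endpoints and are not taken from the thread.

```python
"""HTTP-01 key-authorization helper (added example; not pfSense/acme package code)."""
import base64
import hashlib
import json
import os
import re
import tempfile

# Assumed endpoints: the staging CA issues certificates that browsers do not trust
# and has relaxed rate limits, which is why testing should go there first.
ACME_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
ACME_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"

# ACME challenge tokens consist of base64url characters only (RFC 8555 section 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, lexicographically
    ordered, serialized without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token + "." + thumbprint; this string is what the CA fetches over HTTP."""
    if not TOKEN_RE.match(token):
        # A token with "/" or ".." would otherwise become part of a file path.
        raise ValueError("token is not base64url; refusing to use it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the key authorization to <webroot>/.well-known/acme-challenge/<token>
    and return the path. The token is validated first (see key_authorization)."""
    keyauth = key_authorization(token, jwk)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


# Constructed account key (public part only); values are placeholders, not a real key.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-placeholder"}


def run_demo(token: str = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA") -> dict:
    """Write one challenge into a temporary webroot and read it back."""
    webroot = tempfile.mkdtemp(prefix="acme-demo-")
    path = write_challenge(webroot, token, DEMO_JWK)
    with open(path, encoding="ascii") as fh:
        served = fh.read()
    return {"path": path, "served": served, "expected": key_authorization(token, DEMO_JWK)}


if __name__ == "__main__":
    result = run_demo()
    print(result["path"])
    print(result["served"])
    for bad in ("../../etc/passwd", "a/b", "tok en"):
        try:
            key_authorization(bad, DEMO_JWK)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

In a package this would sit between "CA handed us a token" and "ask the CA to validate"; the webserver (nginx for the webGUI, or haproxy with the lua snippet mentioned above) only has to serve the written file as plain text. Switching `ACME_STAGING` for `ACME_PRODUCTION` is the last step, once the staging run succeeds.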

#13 Updated by Chris Buechler over 4 years ago

  • Assignee deleted (Chris Buechler)

#14 Updated by Ernesto Victor Villarreal over 4 years ago

Sorry, but now it's working via some simple manual steps...

https://thedevops.party/lets-encrypt-ssl-certificate-on-pfsense-2-3/

#15 Updated by Renato Botelho about 4 years ago

  • Target version deleted (2.4.0)

Remove target. When the PR is done and merged it's going to be available to stable versions.

#16 Updated by Kill Bill about 4 years ago

Merged, done.

#17 Updated by Jim Pingle about 4 years ago

  • Status changed from New to Resolved
