pfSense » pfSense Packages

Federico Castagnini wrote:

Did anyone dig into it?

Yeah, I did.

- the automated thing lacks lighttpd support
- depends on heaps of python stuff (on Debian, it pulls in both python 2.7 and python 3.x for good measure, plus a gcc compiler rolleyes
- the FreeBSD port in VIP and pretty buggy as I understand it: https://forums.freebsd.org/threads/lets-encrypt-tool-for-generating-web-server-keys.50939/

Until someone produces something lightweight usable for manual configuration, don't think it worth the time to even fiddle with this.

BTW, the public beta launch has been postponed till Dec. 3 - https://letsencrypt.org//2015/11/12/public-beta-timing.html

Yeah, it looks like it needs to mature.

I will stay tuned and check what is going on once in a while.

Thanks a lot for the fast response guys!

+1

Hi there, pfSense user here, don't really know much about the packaging and stuff. I just wanted to point out that use of their CA doesn't require all of those dependencies. That's just for the official client. There are tons of alternate clients, and it's not that hard to build your own. They speak the ACME protocol to talk to the CA server. acme-tiny seems to be a popular one. The official client seems mostly targeted at people who didn't know how to setup SSL in the first place, so while (in theory) having nice automation for automated installation in Apache, it is extremely bloated. I encourage you to read up on how their stuff works and stuff, I'd love to see this available in pfSense. I really hate clicking through SSL errors.

Hi, I'm also hoping for a LetsEncrypt client package for pfSense.

It seems to me that if a dynamic DNS service matching the hostname has been setup, and webConfigurator is configured for https on port 443, LetsEncrypt could work automatically, more or less.

For reference, here's a list of LetsEncrypt clients, https://community.letsencrypt.org/t/list-of-client-implementations/2103 and some only require bash, openSSL and curl, and I read that https://github.com/Neilpang/le might even be 'sh' compatible and good for non-bash systems.

le doesn't work for now in pfsense... im trying find solution, but... it is a bit complicated (
also, bash in pkg is different from linux systems and it doesn't allow some methods. :(

https://github.com/Neilpang/le !!!

now it works!

https://github.com/analogic/lescript has been working for a while. The part that needs work is making it into a proper pfSense package. (Slowly making something myself a.t.m.)

Got some basic functionality working.. Pullrequest send for hopefully the first working version of the acme package on pfSense.. https://github.com/pfsense/FreeBSD-ports/pull/89

Making it actually pull a certificate might need some work on the webserver side of things, also the script to run/restart the webserver must be configured. Needs some testing though, if it even can be installed after the package is put together.. Hopefully it will be pulled in a day or two :). Ive been able to configure haproxy (with a small lua script found online..) to provide the domainvalidation response token, havn't tried with the webgui nginx server.. Basically it can put the token into a configured folder, and then saves a certificate to pfSense certificate store..

Comments / problems / feature requests are welcome.. Make sure to use the staging server when testing ;)

Sory, but now it's working via some simple manual steps...

https://thedevops.party/lets-encrypt-ssl-certificate-on-pfsense-2-3/

Merged, done.