Feature #5434
Let's Encrypt pfSense support (closed)
Added by Federico Castagnini about 9 years ago. Updated almost 8 years ago.
Description
So there is this thing called https://letsencrypt.org and it is planned to launch in the week of November 16, 2015.
They offer free Domain Validation certificates in an automated way.
For those who are reaching the pfSense box from the internet using a domain name, it will be amazing if pfSense can take advantage of this service to provide an extra layer of security at no cost.
Did anyone dig into it?
As far as I can see, the "manual mode" looks promising.
Thanks for the hard work, pfSense rocks!
Updated by Kill Bill about 9 years ago
Federico Castagnini wrote:
Did anyone dig into it?
Yeah, I did.
- the automated thing lacks lighttpd support
- depends on heaps of python stuff (on Debian, it pulls in both python 2.7 and python 3.x for good measure, plus a gcc compiler)
- the FreeBSD port in VIP and pretty buggy as I understand it: https://forums.freebsd.org/threads/lets-encrypt-tool-for-generating-web-server-keys.50939/
Until someone produces something lightweight usable for manual configuration, I don't think it's worth the time to even fiddle with this.
BTW, the public beta launch has been postponed till Dec. 3 - https://letsencrypt.org//2015/11/12/public-beta-timing.html
Updated by Jeremy Porter about 9 years ago
- Target version set to 24
We're in the Let's Encrypt beta, but won't be looking at this until after 2.3.
Updated by Federico Castagnini about 9 years ago
Yeah, it looks like it needs to mature.
I will stay tuned and check what is going on once in a while.
Thanks a lot for the fast response guys!
Updated by Chris Buechler almost 9 years ago
- Target version changed from 24 to 2.4.0
Updated by Finn Herzfeld almost 9 years ago
Hi there, pfSense user here, I don't really know much about the packaging and stuff. I just wanted to point out that use of their CA doesn't require all of those dependencies. That's just for the official client. There are tons of alternate clients, and it's not that hard to build your own. They speak the ACME protocol to talk to the CA server. acme-tiny seems to be a popular one. The official client seems mostly targeted at people who didn't know how to set up SSL in the first place, so while (in theory) having nice automation for automated installation in Apache, it is extremely bloated. I encourage you to read up on how their stuff works, I'd love to see this available in pfSense. I really hate clicking through SSL errors.
Updated by Brian Buchanan almost 9 years ago
Hi, I'm also hoping for a LetsEncrypt client package for pfSense.
It seems to me that if a dynamic DNS service matching the hostname has been set up, and webConfigurator is configured for https on port 443, LetsEncrypt could work automatically, more or less.
For reference, here's a list of LetsEncrypt clients, https://community.letsencrypt.org/t/list-of-client-implementations/2103 and some only require bash, OpenSSL and curl, and I read that https://github.com/Neilpang/le might even be 'sh' compatible and good for non-bash systems.
Updated by Y N almost 9 years ago
le doesn't work for now in pfSense... I'm trying to find a solution, but... it is a bit complicated (
also, bash in pkg is different from Linux systems and it doesn't allow some methods. :(
Updated by Y N over 8 years ago
https://github.com/Neilpang/le !!!
now it works!
Updated by Pi Ba over 8 years ago
https://github.com/analogic/lescript has been working for a while. The part that needs work is making it into a proper pfSense package. (Slowly making something myself a.t.m.)
Updated by Pi Ba over 8 years ago
Got some basic functionality working.. Pull request sent for hopefully the first working version of the acme package on pfSense.. https://github.com/pfsense/FreeBSD-ports/pull/89
Making it actually pull a certificate might need some work on the webserver side of things, also the script to run/restart the webserver must be configured. Needs some testing though, if it even can be installed after the package is put together.. Hopefully it will be pulled in a day or two :). I've been able to configure haproxy (with a small lua script found online..) to provide the domain validation response token, haven't tried with the webgui nginx server.. Basically it can put the token into a configured folder, and then saves a certificate to the pfSense certificate store..
Comments / problems / feature requests are welcome.. Make sure to use the staging server when testing ;)
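The mechanism Pi Ba describes (a token placed in a folder the web server serves, then a certificate stored) is the ACME HTTP-01 challenge. As an added illustration that is not code from the acme package, pfSense, or any client mentioned in this thread, the Python below computes the key authorization a CA expects at `/.well-known/acme-challenge/<token>` (RFC 8555, with the account key thumbprint per RFC 7638), writes it under an assumed webroot while refusing tokens that could escape that folder, and checks what the server would return; the JWK and token are constructed sample values, not real Let's Encrypt data.

```python
import base64, hashlib, json, os, re, tempfile

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url; reject anything else

def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only (RSA: e, kty, n), sorted, no whitespace."""
    members = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Place the key authorization in the served folder; refuse tokens that could escape it."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to use it as a filename")
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_authorization(token, jwk))
    return path

def served_body_is_valid(body: str, token: str, jwk: dict) -> bool:
    """What the CA (or a pre-flight self-check) compares the fetched body against."""
    return body.strip() == key_authorization(token, jwk)

# Constructed sample account key (public part) and token; not real Let's Encrypt values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def demo() -> dict:
    """Round trip in a temporary webroot: write, read back as the web server would, validate."""
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        with open(path, encoding="ascii") as f:
            body = f.read()
        return {
            "relative_path": os.path.relpath(path, webroot).replace(os.sep, "/"),
            "valid": served_body_is_valid(body, SAMPLE_TOKEN, SAMPLE_JWK),
            "tampered_valid": served_body_is_valid(body + "x", SAMPLE_TOKEN, SAMPLE_JWK),
        }
```

Pointing the same self-check at the public URL before asking the CA to validate (and at the staging endpoint first, as suggested above) catches a misconfigured webroot or proxy rule without spending a rate-limited production attempt.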
Updated by Ernesto Victor Villarreal over 8 years ago
Sorry, but now it's working via some simple manual steps...
https://thedevops.party/lets-encrypt-ssl-certificate-on-pfsense-2-3/
Updated by Renato Botelho almost 8 years ago
- Target version deleted (2.4.0)
Remove target. When the PR is done and merged it's going to be available to stable versions.