pfSense » pfSense Packages

There are a couple considerations here to keep straight for GUI use as well.

• One cert with SANs for both hosts individually is probably the safest bet, the cert will sync to the secondary, but it should not try to issue or renew from the backup node.
• After issue, the cert should sync on its own. Will need manually chosen as the GUI cert on each node after
• After an update/renew, something will need to trigger a GUI restart on the secondary node so it starts using the new certificate

To confirm, with the latest Let's Encrypt package, you can get by with LE only on the primary node. It can generate the cert which is put in the cert store and synchronized as expected. Using a cert with multiple SAN entries -- one hostname for each node, plus a hostname that points to the CARP VIP -- works well on the latest version of the acme package.

I'm not convinced the ACME package should be installed on the secondary except, perhaps, as a backup of sorts. The primary node will sync the certs automatically the only things that have to happen on the secondary are restarting services to pick up new certs on renewal.

Since the certs automatically sync between active and passive nodes, I am inclined to agree that acme should not be installed on the secondary.

Relevant Commits:

2.4:
https://github.com/pfsense/FreeBSD-ports/commit/119d687658b46a0310a481c22f5a435e5de9625f

RELENG_2_3:
https://github.com/pfsense/FreeBSD-ports/commit/c0c0b2016c18f1624c30a0e320b297534c07060a
https://github.com/pfsense/FreeBSD-ports/commit/42cdd9af7b6ad02e73e3afa0ab1ccdc6b86b8e0f

2.3.4:
https://github.com/pfsense/FreeBSD-ports/commit/6c7072f47237045b84759f95848df2ae3d1bf68a
https://github.com/pfsense/FreeBSD-ports/commit/b1812e5ab586332410703353bc75ef61923af581