pfSense » pfSense Packages

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

Michael Long wrote:

I'll add my voice to this request. I just set up a local step-ca ACME server and would love to use it with pfSense.

+1. Any progress on this?

Stanislav Dimov wrote:

+1. Any progress on this?

+1 on this as well. Have recently setup an ACME server locally and would be great if I could easily use it with pfSense. This Reddit comment helped somewhat (https://www.reddit.com/r/PFSENSE/comments/fukt7b/acme_with_custom_private_server/fmdjqnk/) but having trouble now due to errors such as these:

[Sun Jan 3 11:02:01 EST 2021] Using CA: https://@@@/acme/acme/directory
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 60
[Sun Jan 3 11:02:01 EST 2021] Can not init api.
[Sun Jan 3 11:02:01 EST 2021] Only RSA or EC key is supported. keyfile=/tmp/acme/webConfigurator//ca/@@@/account.key
[Sun Jan 3 11:02:01 EST 2021] Please check log file for more details: /tmp/acme/webConfigurator/acme_issuecert.log

Essentially CURLE_PEER_FAILED_VERIFICATION errors, so I need to figure out how to add my Root/Intermediate CA certs to the system trust store.

EDIT: I could get around this error by manually adding my certs to the system stores: /usr/local/etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt
Now faced with a new issue where ACME fails to issue the cert due to "Only RSA or EC key is supported" errors.

+1 Would be nice to have this. Invalid certs are just not cool anymore with ACME available. Should be possible to select the interface where ACME starts the webserver.

+ 1 for this as well. This is critical for proper security in a homelab in 2021+ Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Manny Tew wrote in #note-5:

+ 1 for this as well. This is critical for proper security in a homelab in 2021+ Invalid certs aren't cool and make everything, from management of certs to user xp, worse for all.

Just leaving a note, since I noticed recent update to ACME.

+1 for this as well.
Just started looking into sorting out the self-signed cert and thought there would be a better way to run an internal CA.
Would be great to be able to use step-ca with pfSense.

+1 for this! Just set up step-ca and would love having this functionality too.

+1 for this.
Using hacky scripts to add my domain to config files is not a suitable solution

+1, we have completed a rollout of step-ca to our enterprise and would really appreciate this feature as well.
This would also apply to EJBCA Enterprise customers as well as they have also introduced ACME support.
https://download.primekey.com/docs/EJBCA-Enterprise/7_2_0/ACME.html

Another +1. Just got Step CA installed, and it's really great. Right now I'm just creating CSR's and creating certs that way for PFSense, but the ACME integration would be fantastic.

+1 here as well. I also have set up Step CA as an internal CA with ACME. I want to be able to set up a custom ACME server config for ACME on Pfsense, so that it could use the internal Step CA service.

+1 as well. Also a shout out to Step CA. There are more and more options for ACME endpoints hosted privately, this would be a tremendous feature.

+1 for me too. I'd like to set it up with FreeIPA 4.9 as it starts to support the ACME protocol for certificates.

+1 as well. Many of the other servers running on-premises use the Step CA that is hosted internally. Allowing pfsense to also use the internal ca would help us out a lot.

+1 also.

+1 also

there is a FreeBSD port of step-ca

https://www.freshports.org/security/step-certificates/

+1 for this as well.

+1 also

+1 more

+1, a game changer when working with PKI (so typical for pfSense deployments)