A Real pfsense HTTPS Certificate

Planted January 12, 2023

Yesterday, I learned how to get Let’s Encrypt working on our pfSense router.

First I set ssh to only use public keys, then installed the sudo package and the acme.sh package in the GUI.

https://gaurangpatel.net/installing-nano-in-pfsense (this was very handy, as I am a nano user.)

https://jarrodstech.net/how-to-pfsense-haproxy-setup-with-acme-certificate-and-cloudflare-dns-api/

The kicker was getting /etc/resolv.conf to not use internal DNS routing. We use OpenDNS Umbrella’s free tier and we block the VPN category. acme.sh was trying to hit some DNS addresses like “cloudflare-dns.com”, which was getting blocked by OpenDNS.

So, after getting acme.sh all set up with my Cloudflare API token inside of pfSense, it would just loop and loop until I killed the process manually. It would constantly output curl error 60, which, it turns out, means that the HTTPS certificate of the request was insecure.

I believe removing the dnscheck would fix the issue, too. https://github.com/acmesh-official/acme.sh/wiki/dnscheck

Now, visiting https://my.fqdn.net actually gives no certificate errors!

Since we have two campuses at work, now I get to do it again for the second pfsense box.