Pfsense Letsencrypt cert files

So, looking for a bit of best practice here.
I have 5 names on the cert that my pfSense firewall gets issued. I'm just trying to figure out the best way to get the files from my pfSense /conf/acme/name.pem folder to the servers that need them.
There are three ways I can think of.

  1. pfSense exports the cert as a password-protected p12 to a file share located on my network; each Linux box pulls it in, copies the files to where they need to be, and restarts services.

  2. pfSense scps the files to the servers that need them, and triggers a restart of each service on the servers.
    i.e.
    scp /conf/acme/LiveCert.key [email protected]:/etc/cert/privkey.pem
    scp /conf/acme/LiveCert.all.pem [email protected]:/etc/cert/fullchain.pem

  3. Create a new user on pfSense with access only to /conf/acme/, and have each Linux box scp the files off, then restart services.

Many thanks


I have not tried this yet, but Barclay Howe put together a good howto.

Thanks, I'm not sure about using the p12 way as none of my boxes require a password file.

Also thanks for the reminder that my 90 days are nearly up on my cert :joy:

On my pfSense I have a script which copies (using a user with its keys added to the destination server) the whole cert folder to a shared NAS.

#!/bin/sh
# Run from pfSense after a renewal: push the whole acme cert folder to the NAS share.
# The NAS has this user's SSH public key installed, so no password prompt.
scp -r /conf/acme/* [email protected]:/export/Share/TEMP/TEMP/Cert/

which I run using the built-in script runner in pfSense once the cert has renewed.
Then once a month I have a cron job running the following script (as root and with keys added):

#!/bin/bash
# Pull the renewed Let's Encrypt files from the NAS share into Home Assistant's config dir.
# Stop at the first failed copy so we never restart the service with a half-updated pair.
set -e
scp -q [email protected]:/export/Share/TEMP/TEMP/Cert/LiveCert.fullchain /home/homeassistant/.homeassistant/fullchain.pem
scp -q [email protected]:/export/Share/TEMP/TEMP/Cert/LiveCert.key /home/homeassistant/.homeassistant/privkey.pem
# Restart so Home Assistant loads the new certificate
systemctl restart home-assistant@homeassistant

Hey past James! Thanks for posting this! After the SD card died in your firewall this was the part I was unable to recover.

How do you change the certs to pem? I only have one pem, xxxx.all.pem for example, which must be the fullchain.pem, but how do I get the privkey.pem? I do have one .key.
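An added example, not code from this thread, from pfSense or from its acme package, that covers both the pull-side cron script above and the last question. The acme package's `<name>.all.pem` is the full chain and `<name>.key` is the private key, so no conversion is needed, just a rename; what you do want before renaming is a check that the key really belongs to the cert, and a check that the cert actually changed so services are only restarted when there is something new. The staging directory `/mnt/nas/Cert`, the name `LiveCert`, the destination paths and the use of `openssl` on the pulling host are my assumptions; how the files reach the staging directory is whichever of the three transport options you picked.

```shell
#!/bin/sh
# Added example (not from the thread): pull-side installer for the files the
# pfSense acme package writes to /conf/acme/.  Assumptions (mine): the renewal
# hook has already copied <name>.all.pem and <name>.key into a staging directory
# reachable by this host, and openssl is installed here.
#
# Naming, as in the thread's own scripts:
#   <name>.all.pem -> fullchain.pem  (leaf cert + intermediates)
#   <name>.key     -> privkey.pem    (the private key; it is already PEM)

# pair_matches CERT KEY: succeed only if KEY is the private key for the leaf in CERT.
# Both commands print the SubjectPublicKeyInfo in PEM, so a string compare is enough.
pair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint CERT: SHA-256 fingerprint of the leaf (first block in the chain).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# install_cert SRC_DIR NAME DEST_DIR
#   Installs NAME.all.pem as DEST/fullchain.pem and NAME.key as DEST/privkey.pem,
#   only after the pair check passes and only when the leaf cert changed.
#   Exit status: 0 = new cert installed (restart services), 3 = already current,
#   1 = files missing, 2 = key does not match cert (nothing written).
install_cert() {
    local src="$1/$2.all.pem" key="$1/$2.key" dest="$3"
    [ -r "$src" ] && [ -r "$key" ] || { echo "missing $src or $key" >&2; return 1; }
    pair_matches "$src" "$key" || { echo "refusing: $key does not match $src" >&2; return 2; }
    if [ -r "$dest/fullchain.pem" ] &&
       [ "$(cert_fingerprint "$src")" = "$(cert_fingerprint "$dest/fullchain.pem")" ]; then
        return 3
    fi
    mkdir -p "$dest"
    # Stage under temporary names and rename, so a service never reads a
    # half-written key, and keep the private key readable by root only.
    install -m 0644 "$src" "$dest/fullchain.pem.tmp"
    install -m 0600 "$key" "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    return 0
}

# Cron body with the hypothetical paths above: restart only when status 0.
# install_cert /mnt/nas/Cert LiveCert /home/homeassistant/.homeassistant \
#     && systemctl restart home-assistant@homeassistant
```

Because `install_cert` returns 3 when nothing changed, a monthly cron job that runs it every day is harmless: the service only restarts in the run that first sees the renewed cert. If the check returns 2 you have picked up a stale `.key` from a previous renewal, and nothing has been overwritten.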