Using Let’s Encrypt with pfSense

I had trouble finding a guide for deploying certificates with Let’s Encrypt to pfSense instances (at least a guide without complex or questionable firewall rules going into pfSense), so here’s a guide for using Amazon Route 53 for domain control validation (the ACME dns-01 challenge), even if you don’t use Route 53 for anything else. Because the challenge is answered in DNS rather than over HTTP, nothing has to be opened on the WAN interface for Let’s Encrypt to reach the router.

For this guide, the goal is deploying valid HTTPS to access the router via router.example.com for clients on the LAN. We’ll use the hostname router and the domain example.com. The domain portion can have more levels, like office.example.com or lax.office.example.com. In any case, replace example.com with whatever you’re using.

Step One: Find the WAN Addresses in pfSense

  1. Use Interfaces > WAN to look up the WAN IP address(es).
  2. Note these for use in the next step.

Step Two: Set Up AWS Route 53

  1. Create a new hosted zone in Route 53 for the name the router will use, router.example.com. (The zone in Route 53 should match the router’s fully qualified domain name. If it doesn’t, the pfSense Acme client will run into an issue cleaning up the validation records.)
  2. Add the A and/or AAAA records for router.example.com (whichever the pfSense WAN interface uses) to the new zone, using the addresses noted in Step One. If the WAN address is dynamic, that record has to be kept current separately (pfSense’s Dynamic DNS client also supports Route 53); give that job its own credential rather than reusing the ACME one, so each key is scoped to the record it actually writes.
  3. Copy the four NS records Route 53 assigned to the new zone and create a matching NS record set named router in the example.com zone (which does not need to be hosted in Route 53). This delegates router.example.com to Route 53.
  4. Once the delegation has propagated, https://router.example.com should load from the LAN, but with a certificate warning, because pfSense is still serving its self-signed default certificate.

Step Three: Set Up an AWS IAM Policy

  1. Obtain the Hosted Zone ID from Route 53 for router.example.com.
  2. Create a new IAM policy (“Create Your Own Policy” in the older console, the JSON editor in the current one). This policy allows the ACME client to find the zone and to update the TXT record that Let’s Encrypt checks for dns-01 validation, and nothing else in the account.

IAM Policy Document

Replace HOSTED-ZONE-ID with the one obtained in the first step:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingHostedDomains",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AlterRouterZone",
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/HOSTED-ZONE-ID"
      ]
    }
  ]
}
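The policy above still lets whoever holds the access key write any record of any type in the zone, including the A record for router.example.com itself. Route 53 supports IAM condition keys on ChangeResourceRecordSets (route53:ChangeResourceRecordSetsNormalizedRecordNames and route53:ChangeResourceRecordSetsRecordTypes) that pin the write permission to the single TXT record the dns-01 challenge uses. The following is an added, tighter version of the policy, not the original post’s; it keeps the same HOSTED-ZONE-ID placeholder and the router.example.com name, and it grants both zone-listing calls because different releases of acme.sh (the client bundled in the pfSense package) locate the zone with different ones:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LocateHostedZone",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadRouterZone",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED-ZONE-ID"
    },
    {
      "Sid": "WriteOnlyAcmeChallengeTxt",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/HOSTED-ZONE-ID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.router.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}
```

Record names in the condition are compared in lower case without a trailing dot. If the certificate later gains more SAN entries, add their _acme-challenge names to the list. If a renewal fails with AccessDenied, the ACME package log names the denied Route 53 action; add only that action to the read-only statement rather than widening the write statement.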

Step Four: Configure an AWS User for API Access

  1. Using AWS IAM, create a user with “Programmatic access” only (no console password).
  2. Attach the policy just created.
  3. Note the “Access key ID” and the “Secret access key.” We’ll need these when we configure the certificate on pfSense. The ACME package stores them in the router’s configuration (config.xml), so treat any backup of that configuration as containing a live AWS credential, and rotate the key if a backup is exposed.

Step Five: Configure ACME Client on pfSense

  1. Go to System > Package Manager > Available Packages.
  2. Install the “acme” package.
  3. Go to Services > Acme Certificates > Account Keys > + Add.
  4. Name the new key.
  5. Set Acme Server to “Let’s Encrypt Production.” (For the first attempts it is worth registering a second key against the Let’s Encrypt Staging server: it does not count against the production rate limits, and the untrusted certificate it issues confirms that the Route 53 setup works before switching to production.)
  6. Click “Create new account key.”
  7. Click “Register acme account key.”
  8. Click “Save.”

Step Six: Configure a Certificate on pfSense

  1. Go to Services > Acme Certificates > Certificates > + Add.
  2. Name the new certificate. Something like router.example.com works.
  3. Add an entry for router.example.com to the “Domain SAN list.” Set the Method to “DNS-Amazon Route53.” Set the “Id” to the AWS “Access key ID” and the “Key” to the AWS “Secret access key.”
  4. Add an entry to the “Actions list” that restarts the web interface after renewal, as in the package’s own example command (/etc/rc.restart_webgui). Without it, the GUI keeps serving the previous certificate until the next restart, so an otherwise successful renewal still ends in a browser warning when the old certificate expires.

Step Seven: Set pfSense to Use the New Certificate

  1. Go to System > Advanced > Admin Access.
  2. Under webConfigurator, set the SSL Certificate to the one just issued.
  3. Save.

Step Eight: Set the pfSense Host and Domain

To protect against DNS rebinding, the pfSense webConfigurator rejects requests whose HTTP Host header does not match its own hostname and domain (reported as a potential DNS rebind attack), so the configured Hostname and Domain must match the name used to access the administrative interface.

  1. Go to System > General Setup.
  2. Set Hostname to router.
  3. Set Domain to example.com.

If the router has to keep a different system hostname, add router.example.com under “Alternate Hostnames” in System > Advanced > Admin Access instead; do not disable the rebinding check itself.

It should now be possible to visit https://router.example.com from the LAN — this time with full validation!
