
Let’s encrypt on PFsense & HAproxy

I have had this running for a couple of years now and I’m pretty satisfied. The main goal is to have pfSense handle all the certificate work, issuing and renewing the Let’s Encrypt certificates, so that none of these tasks live on the backend servers. This includes having pfSense and HAProxy handle the ACME challenges as well.

pfSense does not do this out of the box – one has to install a package and an additional script for handling the validation process.

Unfortunately I never documented the setup, nor did I save the links to some useful sites…

So here we go, to have at least some links and information saved.

To have the pfSense box obtain a certificate by itself, one has to install the “ACME” client from the package manager in the web UI. The installation should be a straightforward process, as the installer takes care of all the dependencies. Next is the creation of an account in the ACME client.

The ACME client is capable of renewing certificates that are about to expire – but we need to handle the validation process, at least once when issuing a new certificate. To process ACME challenges/validations automatically with pfSense and HAProxy, we need to configure a local Lua script served by HAProxy.

Right now I use this ACME domain validation plugin:

GitHub – janeczku/haproxy-acme-validation-plugin: Zero-downtime ACME / Let’s Encrypt certificate issuing for HAProxy

The haproxy-acme-validation plugin already has good documentation about how and why one needs this kind of script.

So in the first step we need to register a new account key – I chose “testing” in the ACME Server section:

  1. Fill in the marked fields
  2. Click “Create new account key”
  3. “Register ACME account key”
  4. “Save”

Now your newly created key should appear in the list:

Before we can issue a new TLS certificate with this key, we need to make sure that the CA can verify we are authorized to obtain certificates for this domain. Usually you do this by signing a contract and naming the persons allowed to request certificates – these persons authenticate themselves to the CA using appropriate means, for example a smartcard or a certificate.

Let’s Encrypt provides multiple ways to prove you’re authorized to obtain certificates for this domain – in this case I chose the “HTTP-01 challenge” type. For this validation mechanism we need to “install” the haproxy-acme-validation plugin mentioned above.

For this we go to the HAProxy configuration and define an HTTP-only frontend for it:

In this frontend we define the following settings:

And actions:

Afterwards we have to “install” the script that handles the validation challenge – this can be found under HAproxy -> Files. We make a copy of the “errorfile” (which should already be there in a default setup, I guess :-) )…

… make the following changes and copy/paste the script into the large textbox:

As we are using pfSense here, HAProxy runs in a chroot environment, so we don’t have to configure the path inside the script:

8<<
-- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass 
-- that as 'webroot-path' to the letsencrypt client

acme.conf = {
	["non_chroot_webroot"] = ""
}
>>8
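To make the behaviour of that script concrete, here is a small Python model of the HTTP-01 responder logic, written for this page as an added example; it is not code from the haproxy-acme-validation-plugin repository or from pfSense. It follows what the Lua service does inside HAProxy: take the token from the end of the request path, answer HTTP 400 “bad request” when there is no usable token (which is why the bare /.well-known/acme-challenge/ URL answering “bad request” is a useful smoke test for the frontend), answer 404 when no file for that token exists in the webroot, and otherwise return the file’s key authorization with 200. The default webroot is taken from the path the page gives; the token, file contents and function names are constructed for the example.

```python
"""Offline model of the ACME HTTP-01 responder logic the HAProxy Lua plugin provides.

Added illustration for this page, not the plugin's own code.
"""
import re
import tempfile
from pathlib import Path

# Path prefix every HTTP-01 validation request uses (RFC 8555, section 8.3).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# ACME tokens are base64url without padding, so only these characters are legal.
# Anything else (slashes, dots, percent escapes) is rejected instead of being
# resolved against the filesystem.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Webroot as HAProxy sees it on pfSense; the page gives the challenge directory
# as /tmp/haproxy_chroot/.well-known/acme-challenge/ (assumed default here).
DEFAULT_WEBROOT = "/tmp/haproxy_chroot"


def respond_http01(path: str, webroot: str = DEFAULT_WEBROOT) -> tuple[int, str]:
    """Return (status, body) for a request path, following the plugin's 400/404/200 pattern."""
    if not path.startswith(CHALLENGE_PREFIX):
        # In the real setup the frontend ACL keeps such requests away from the
        # service; the model simply reports them as not found.
        return 404, "resource not found\n"
    # The token is the remainder of the path; a query string is not part of it.
    token = path[len(CHALLENGE_PREFIX):].split("?", 1)[0]
    if not TOKEN_RE.match(token):
        # Covers the bare prefix (empty token) and any non-base64url input.
        return 400, "bad request\n"
    token_file = Path(webroot) / ".well-known" / "acme-challenge" / token
    try:
        key_auth = token_file.read_text().strip()
    except OSError:
        # The ACME client has not written this token (yet), or it was cleaned up.
        return 404, "resource not found\n"
    if not key_auth:
        return 404, "resource not found\n"
    return 200, key_auth + "\n"


def demo() -> dict[str, tuple[int, str]]:
    """Exercise the responder against a constructed temporary webroot."""
    with tempfile.TemporaryDirectory() as root:
        challenge_dir = Path(root) / ".well-known" / "acme-challenge"
        challenge_dir.mkdir(parents=True)
        # Constructed token and key authorization, not real ACME data.
        token = "constructed-token_ABC123"
        (challenge_dir / token).write_text(token + ".constructedAccountThumbprint\n")
        return {
            "bare_prefix": respond_http01(CHALLENGE_PREFIX, root),
            "dotdot_in_token": respond_http01(CHALLENGE_PREFIX + "../../etc/hosts", root),
            "unknown_token": respond_http01(CHALLENGE_PREFIX + "nosuchtoken", root),
            "valid_token": respond_http01(CHALLENGE_PREFIX + token, root),
        }


if __name__ == "__main__":
    for case, (status, body) in demo().items():
        print(f"{case:16s} -> {status} {body.strip()}")
```

The model rejects a malformed token outright rather than stripping characters from it; either way the point is that the token never reaches the filesystem as a raw path component, and that a request without a token yields “bad request” rather than a file lookup. Routing only port-80 requests for the challenge prefix to the service is the job of the HAProxy frontend described above, not of this function.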

So with this we’re now able to request a new certificate :-)

Create a new one – fill in the fields as shown and click Save.

The “Root folder:” path here has to be: /tmp/haproxy_chroot/.well-known/acme-challenge/

Afterwards click “Issue/Renew” and a couple of seconds later you should see an output reporting the successful issuing of a certificate:

So that’s it – we set up the ACME plugin, installed the haproxy-acme-validation plugin and issued a certificate :-)

From now on – if configured in the “general settings” tab – the certificate(s) will be renewed automatically.

4 thoughts on “Let’s encrypt on PFsense & HAproxy”

  1. Great article and thank you for sharing.
    I’ve got this up and running three months ago and we were really happy about that.

    But now I figured out that the automatic renewal process didn’t work. And it turned out that the procedure is not running at all anymore, but so far I have no explanation for the reason.

    I just always get a 404 status on the request for the challenge file.

    Also I don’t see any file in the acme-challenge folder, but I’m not sure if those get deleted after the script finished.

    Have you maybe observed similar issues and possibly also found a solution already?

    cheers

    1. Thanks – glad you like it.

      As far as I can tell my pfSense box still renews its certificates – last time end of August though. So I just now manually renewed a certificate without any issues. The output which is shown after the renewal process in the big green box looks good.
      Maybe an issue with the HAproxy config?
      Can you reach the URL https://your-domain/.well-known/acme-challenge/ ?
      It should answer with a “bad request”.

  2. Hi,

    thanks for the quick response.
    Yes, I guess it might be an issue with the HAProxy configuration, although it was not changed since it was working. But I can imagine that it might be an issue with the separate frontend.

    Meaning I added one ACME issue instance for a couple of domains, which were issued over DNS before. But we had to move the DNS to another system and unfortunately there is no API setting in pfSense. So I decided to change it to the http-01 challenge.

    What’s happening now is that the SSL instance answers my request in the browser with exactly 404.
    Also the issuer calls http, which I can see from the logs, and that should be handled by the issuer instance, but it seems it’s not.

    So at the moment it’s quite hard to say what exactly the problem is.
    Any ideas are welcome. :-)

    1. I do run the acme-challenge script on a separate HAProxy frontend too – only on port 80. As far as I can remember it has to be reachable via plain http. Maybe you can check whether you can reach http://your-domain.tld/.well-known/acme-challenge/ => it should give you a “bad request” in the body of the answer.
      In case I get you right, you changed the validation process for some of the certificates you requested from DNS to http? I’m not sure if this might be an issue when it comes to renewal, but maybe it is worth a try to issue one of the certificates from scratch with the http approval workflow.
