Last Updated on October 17, 2022 by Thiago Crepaldi
In a previous post, I described how to issue Let's Encrypt certificates for free. SSL certificates have many uses, including replacing self-signed certificates that browsers do not trust. That is the goal of this post: replace pfSense's self-signed certificate with the one we created using the Let's Encrypt API.
Let’s Encrypt setup
If you don't have an SSL certificate yet, follow this post first. As an additional step, every time the certificate is renewed we want to reload pfSense's webConfigurator so that it starts serving the renewed certificate. To do so, go to Services >> Acme certificates and click the edit icon (pencil). Next, scroll down to the Actions list and click Add:
- Mode: Enabled
- Command: /etc/rc.restart_webgui
- Method: Shell command
Click Save to complete the update. At this point, if you go to System >> Cert. Manager >> Certificates, you should see your Let's Encrypt certificate.
pfSense setup
On your pfSense, go to System >> Advanced >> Admin Access page. There are many options, but the following are the most relevant:
- Protocol: HTTPS
- SSL/TLS Certificate: select the certificate created using Let’s Encrypt
- HSTS: unchecked
- DNS Rebind Check:
  - If you intend to access your router only by its internal IP, you can uncheck this.
  - However, if you want to use your DDNS URL (e.g. pfsense.mydomain.com), you have to check this box.
- Browser HTTP_REFERER enforcement: same as DNS Rebind Check
Click Save and you should be redirected to the HTTPS version of your router portal. A manual refresh is faster, though!
DNS Resolver
Go to Services >> DNS Resolver >> General and, in the SSL/TLS Certificate field, select the certificate created using the Let's Encrypt service. Click Save and then Apply Changes to start using your new certificate for your DNS services.
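Once both services have been switched over, it is worth confirming from a client machine that pfSense is actually serving the Let's Encrypt certificate and not the stock self-signed one. The script below is an added example, not part of the original post: it assumes `openssl` is installed on the client, that the webConfigurator listens on 443 and the DNS Resolver's DNS over TLS on 853, and uses `pfsense.mydomain.com` purely as a placeholder hostname.

```shell
#!/bin/sh
# Added example: check that a pfSense TLS listener presents a Let's Encrypt
# certificate (chain-verified) rather than the default self-signed one.
# Hostname and ports are assumptions, not values from the original post.

# Summarise the certificate a live listener presents, one field per line:
#   issuer=..., subject=..., notBefore=..., notAfter=..., verify=<code> (...)
fetch_cert_summary() {
    host="$1"; port="$2"
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null)
    printf '%s\n' "$out" | openssl x509 -noout -issuer -subject -dates
    printf '%s\n' "$out" | sed -n 's/^ *Verify return code: /verify=/p'
}

# Classify a summary in the format above. Prints a verdict and returns 0
# only when the certificate is Let's Encrypt-issued and the chain verified.
classify_cert() {
    summary="$1"
    issuer=$(printf '%s\n' "$summary" | sed -n 's/^issuer=//p')
    subject=$(printf '%s\n' "$summary" | sed -n 's/^subject=//p')
    verify=$(printf '%s\n' "$summary" | sed -n 's/^verify=//p')
    # Issuer identical to subject: the stock pfSense certificate is still served
    if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
        echo "self-signed"; return 1
    fi
    case "$issuer" in
        *"Let's Encrypt"*)
            case "$verify" in
                0*) echo "letsencrypt-ok"; return 0 ;;             # expected after the switch
                *)  echo "letsencrypt-chain-problem"; return 2 ;;  # e.g. intermediate not sent
            esac ;;
    esac
    echo "other-issuer"; return 3
}

# Live check, e.g.:  sh check_pfsense_cert.sh pfsense.mydomain.com
# Port 443 is the webConfigurator, 853 the DNS Resolver's DNS over TLS (assumed).
if [ $# -ge 1 ]; then
    for port in 443 853; do
        summary=$(fetch_cert_summary "$1" "$port")
        printf '%s:%s -> %s\n' "$1" "$port" "$(classify_cert "$summary")"
    done
fi
```

Run it after every renewal as well: the webConfigurator restart action configured above is what makes port 443 pick up the new certificate, and this check shows whether that actually happened.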