Encrypt pfSense w/ Let’s Encrypt

Ever wonder if someone is watching you while you configure pfSense? When pfSense is set up for the first time, the software generates a self-signed SSL certificate and uses it to secure the connection between the router and your web browser while you make configuration changes. While this is better than no SSL at all, a self-signed certificate gives your browser no way to verify that it is really talking to your router, so it is still not secure enough.

So let’s fix that. To ensure that the pfSense management portal your browser is connecting to is authentic, you’ll need a publicly trusted SSL certificate. By following the steps listed below, you’ll have a valid SSL certificate installed on pfSense in less than 10 minutes.

1. First, you’ll need to install the Automated Certificate Management Environment (ACME) package. Go to System, then click on the Package Manager link.

2. Click on the Available Packages link under the main navigation menu, and install the ACME package.

3. After it installs, go to Services, then click on the Acme Certificates menu link.

4. First, we’ll need to register an account with Let’s Encrypt. Click on Account keys, then Add.

5. Give the account a name, select Let’s Encrypt Production ACME v1 (Applies rate limits to certificate requests) for the ACME Server, and enter an email address. If the account key field is blank, click the Create new account key button. After the account key has been generated, click Register ACME account key. Once that finishes, click Save.

6. Click on the Certificates link next to the Account keys link, then click the Add button on the page.

7. Give the certificate a name, select the ACME account you just created, and select 4096-bit RSA. Enter the domain you want to use with the SSL certificate (pfsense.example.com). Next, you’ll need to prove you own the domain you want to generate an SSL certificate for. Since the domain I configured pfSense for uses Cloudflare, I verified the domain that way. There are other ways, but for me, using the Cloudflare verification method was the easiest.

8. You can leave the rest at the default values and click Save.

9. After that’s done, you’ll be redirected to the main certificate page, where you’ll need to click the blue Issue/Renew button to generate the SSL certificate. This might take about five minutes to complete, or longer depending on the hardware you have pfSense installed on.

10. Click on the General Settings link next to the Certificates link. Enable the Cron Entry option to automatically renew the SSL certificate.

11. Next, click on the System menu bar link, and click on the Advanced link. Select the Let’s Encrypt SSL certificate you just generated under the SSL Certificate option.

12. Click on the System menu bar link, then General Settings. Enter the hostname for pfSense as well as the domain you configured the SSL certificate for. Then click Save.

13. Configure pfSense to use your custom DNS server as one of the DNS servers handed out by DHCP. This should be configured automatically by pfSense.

14. Next, you’ll need to configure a DNS server so that the domain you configured the SSL certificate for resolves to pfSense. I would recommend using pfSense’s internal DNS server.
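Once the WebGUI has been switched over, the following Python script, an added example that is not part of the original post or of pfSense itself, checks what your browser will see: it connects with full chain and hostname validation (a self-signed certificate is rejected here), confirms the issuer is Let’s Encrypt, checks that a SAN matches the hostname, and flags a certificate that the cron entry from step 10 should already have renewed. The hostname pfsense.example.com is the post’s placeholder, and RENEW_WARN_DAYS is an assumed threshold.

```python
"""Post-install check for the pfSense WebGUI certificate (added example,
not from the original post or the pfSense/ACME package)."""
import socket
import ssl
import time

HOST, PORT = "pfsense.example.com", 443  # assumption: placeholder hostname from the post
# Let's Encrypt certificates are valid for 90 days and the ACME package renews
# them on a cron schedule; fewer than 30 days left means renewal is not working.
RENEW_WARN_DAYS = 30  # assumption: our own threshold


def fetch_peercert(host: str = HOST, port: int = PORT) -> dict:
    """Connect with the system trust store and hostname verification, then
    return the leaf certificate as the dict ssl.getpeercert() produces.
    The self-signed default certificate raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering only the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False


def check_cert(cert: dict, host: str, now=None) -> dict:
    """Evaluate a getpeercert() dict: issuer, SAN match and days remaining.
    `now` is epoch seconds (UTC); it defaults to the current time."""
    now = time.time() if now is None else now
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses "Jun  1 12:00:00 2025 GMT"
    days_left = int((not_after - now) // 86400)
    return {
        "issuer": issuer.get("organizationName", ""),
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "hostname_ok": any(_hostname_matches(s, host) for s in sans),
        "days_left": days_left,
        "renewal_overdue": days_left < RENEW_WARN_DAYS,
    }


if __name__ == "__main__":
    for key, value in check_cert(fetch_peercert(), HOST).items():
        print(f"{key}: {value}")
```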

And that’s it. You can now manage pfSense through a secure connection without having to worry if someone is performing a man-in-the-middle attack on your connection to pfSense.
