Copy pfSense acme certificate to another server

Victor Lopes
3 min read · May 24, 2020


If you landed here you have a pfSense firewall with the acme package installed and you know how great it is.

I assume that you already know how to issue Let’s Encrypt certificates using this module, and you happen to need the certificate files in another server on your network, to be used with a dedicated service somewhere (for TLS/SSL).

This can be done with scp, an SSH key, and an “Action” hook in the certificate configuration, so that the copy happens automatically every time the certificate is renewed.

Here’s a really simple way to copy an acme certificate to another Unix/Linux server, from pfSense:

1. First of all, make sure you have the “Write ACME certificates…” option enabled in Services > Acme Certificates > General settings. This is what makes the package write the certificate files to /conf/acme, where the next steps pick them up:

2. Login to your pfSense box using SSH and enter the option 8 (shell). Then issue the following command to generate a private/public key pair:

ssh-keygen

Press enter to accept the default path and, most important, do not enter a passphrase, otherwise we won’t be able to automate the file transfer. Because this key is stored unencrypted on the firewall, treat it as a dedicated deployment key: use it only for this purpose, and restrict what it can do on the destination (see step 3). The commands below assume the default key type is RSA (id_rsa/id_rsa.pub); if your ssh-keygen produced a different type, adjust the file names accordingly.

3. Copy your public key to your destination server, using the following command:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@your_destination_server

Where “user” is a valid user on your destination server. Ideally this is a dedicated, unprivileged account that can only write to the certificate directory, and whose authorized_keys entry for this key is limited with the “restrict” and “from="<pfSense IP>"” options, so a leaked key cannot be used for anything else or from anywhere else.

4. Limit permissions on your private key, otherwise ssh/scp will refuse to use it (ssh-keygen normally creates it with these permissions already, so this is mostly a check):

chmod 600 ~/.ssh/id_rsa

5. Test the file transfer:

scp -i /root/.ssh/id_rsa /conf/acme/your_cert.crt /conf/acme/your_cert.key /conf/acme/your_cert.fullchain user@destination_server:/path/to/save/cert

Acme saves every certificate in /conf/acme, in various formats, using the certificate subject name you specified in the configuration as the file name pattern. Include every file you need in the scp command line, separated by spaces.

6. Finally, edit your certificate configuration in Services > Acme Certificates > Certificates and add exactly the same command line you just tested above as an “Action”:

Then renew the certificate in order to test it and check if the certificate files have been correctly replaced in your destination server.

Off you go!

Now you can use the certificate files on your internal server. You’ll probably need a scheduled command on that server to apply the certificate to whatever service you’re trying to use it with.

If all you need on the destination server is a service restart, for example, you could add another “Action” and use an ssh command, like:

ssh -i /root/.ssh/id_rsa user@destination_server "service x restart"
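The two Actions above (the scp in step 6 and the ssh restart) can be folded into one script that refuses to push anything incomplete or mismatched. The following is an added example written for this page, not code from the pfSense project or the article’s author. The script name push-cert.sh, the destination user and host, the target directory and the reload command are all assumptions to be adapted; it assumes the ACME package has written name.crt, name.key and name.fullchain into /conf/acme and that openssl is available (it is on pfSense).

```shell
#!/bin/sh
# push-cert.sh (hypothetical name): intended to be run from a pfSense ACME
# "Action" after renewal. Copies the files the ACME package wrote to /conf/acme
# to a destination host over scp, then triggers a reload there.
# All hosts, users, paths and the reload command are assumptions for this example.
set -eu

ACME_DIR="${ACME_DIR:-/conf/acme}"
KEY="${KEY:-/root/.ssh/id_rsa}"

# Print the three files written for a certificate name, in the fixed order
# cert, key, fullchain (the order the other functions rely on).
cert_files() {
    name=$1
    echo "$ACME_DIR/$name.crt $ACME_DIR/$name.key $ACME_DIR/$name.fullchain"
}

# Succeed only if every listed file exists and is non-empty, so a half-written
# renewal is never pushed. Reports the first offending file on stderr.
check_files() {
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done
    return 0
}

# Succeed only if the private key matches the certificate's public key, by
# comparing the public key extracted from each (works for RSA and EC keys).
# Pushing a mismatched pair would take the remote service down on reload.
key_matches_cert() {
    cert=$1
    key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Validate locally, copy, then reload. BatchMode makes ssh/scp fail instead of
# prompting (an Action runs unattended), and strict host key checking means an
# unknown or changed destination host key aborts the push rather than being
# accepted silently.
push_cert() {
    name=$1
    dest=$2
    dir=$3
    reload=$4
    set -- $(cert_files "$name")
    check_files "$@"
    key_matches_cert "$1" "$2"
    scp -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$@" "$dest:$dir/"
    ssh -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "$dest" "$reload"
}

# Example invocation (all arguments are assumptions):
#   push-cert.sh mycert deploy@10.0.0.5 /etc/ssl/mycert "sudo systemctl reload nginx"
if [ "$#" -eq 4 ]; then
    push_cert "$@"
fi
```

On the destination, the matching setup is a dedicated account (here deploy) that owns the target directory and nothing else, an authorized_keys line for the pfSense key prefixed with restrict,from="<pfSense IP>", and, if the reload needs root, a sudoers rule that allows only that one reload command with NOPASSWD. Since scp does not cooperate well with a forced command=, the from= and restrict options plus a minimal account are the practical way to contain an unencrypted automation key.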


Written by Victor Lopes

Systems administrator. MCSA, Security+. Open source fan. Development enthusiast. And now apparently I write political articles too.
