In a previous post, I described how to issue Let’s Encrypt certificates for free. SSL certificates have many uses, including replacing self-signed certificates that browsers do not trust. That is the goal of this post: replace pfSense’s self-signed certificate with the one we created through the Let’s Encrypt API.
Let’s Encrypt setup
If you don’t have an SSL certificate yet, follow that post first. At this point, if you go to System >> Cert. Manager >> Certificates, you should see your Let’s Encrypt certificate.
On your pfSense, go to System >> Advanced >> Admin Access page. There are many options, but the following are the most relevant:
- Protocol: HTTPS
- SSL/TLS Certificate: select the certificate created using Let’s Encrypt
- HSTS: unchecked
- DNS Rebind Check (the checkbox is labelled Disable DNS Rebinding Checks):
  - If you only ever access the router by its internal IP, you can leave this unchecked.
  - If you want to use your DDNS name (e.g. pfsense.mydomain.com), you have to check this box, otherwise pfSense rejects GUI requests whose hostname resolves to a private address. The same page also has an Alternate Hostnames field, which lets you allow just that name instead of turning the check off entirely.
- Browser HTTP_REFERER enforcement: same rule as DNS Rebind Check (the checkbox is labelled Disable HTTP_REFERER enforcement check)
Click Save and you should be redirected to the HTTPS version of your router portal. A manual refresh is faster, though!
Go to Services >> DNS Resolver >> General and, in the SSL/TLS Certificate field, select the certificate created using Let’s Encrypt. Click Save and Apply Changes to start using your new certificate for your DNS services; this is the certificate the resolver presents when it serves DNS over TLS.
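Once both screens are saved, the quickest way to confirm that the self-signed certificate is really gone is to look at what the router presents over TLS from a client machine. The script below is an added example and not part of the original post or of pfSense; it assumes openssl is installed on the client, and the hostname is a placeholder you replace with your own DDNS name. The sample certificate texts inside it are constructed so the parsing logic can be exercised offline.

```shell
#!/bin/sh
# Added verification helper (example code, not from the original post).
# Assumptions: openssl is installed on the machine you run this from, and
# the hostname you pass is the one in the certificate (pfsense.mydomain.com
# from the post is only a placeholder).

# Print the subject, issuer and validity window of the leaf certificate a
# TLS endpoint presents. Port 443 is the pfSense web GUI; 853 is the DNS
# Resolver's DNS over TLS listener, if you enabled it.
fetch_cert_info() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Return 0 when the certificate text (as printed by fetch_cert_info) was
# issued by Let's Encrypt: the issuer carries O = Let's Encrypt and differs
# from the subject. A pfSense self-signed certificate fails both tests,
# because its issuer and subject are the same string.
cert_is_letsencrypt() {
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
    case "$issuer" in
        *"O = Let's Encrypt"*|*"O=Let's Encrypt"*) ;;   # OpenSSL 1.1+ and 1.0 output formats
        *) return 1 ;;
    esac
    [ -n "$issuer" ] && [ "$issuer" != "$subject" ]
}

# Check both listeners on one host and report what each one presents.
check_host() {
    host="$1"
    for port in 443 853; do
        if info=$(fetch_cert_info "$host" "$port") && [ -n "$info" ]; then
            if cert_is_letsencrypt "$info"; then
                echo "$host:$port presents the Let's Encrypt certificate"
            else
                echo "$host:$port presents a different certificate:"; echo "$info"
            fi
        else
            echo "$host:$port does not answer TLS (listener disabled or blocked?)"
        fi
    done
}

# Constructed samples in the format openssl x509 prints, used to exercise
# cert_is_letsencrypt without a network connection.
sample_letsencrypt_info() {
    cat <<'EOF'
subject=CN = pfsense.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT
EOF
}
sample_selfsigned_info() {
    cat <<'EOF'
subject=O = pfSense webConfigurator Self-Signed Certificate, CN = pfSense-5f3c2e
issuer=O = pfSense webConfigurator Self-Signed Certificate, CN = pfSense-5f3c2e
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2025 GMT
EOF
}

# Usage: sh check_pfsense_cert.sh pfsense.mydomain.com
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

If port 443 still reports a self-signed certificate after you saved the Admin Access page, the browser is usually showing a cached session; a hard refresh or a new private window settles it. Port 853 only answers when the DNS Resolver's TLS service is enabled, so a "does not answer TLS" line there is expected otherwise.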