Letsencrypt with pfsense
1. tifosilinux.wordpress.com
“LET’S ENCRYPT” YOUR TASKS
WITH PFSENSE
Preface
This is a short article about how we use Let’s Encrypt with pfSense. pfSense is an application that
helps us set up a firewall against intruders, with features such as Snort and many more. It also
provides services such as HAProxy, Captive Portal, OpenVPN and IPsec, each completely different from
the others. They are easy to use and driven by a graphical user interface. pfSense has been chosen
as an alternative approach for every stakeholder, because organizations of all sizes and industries
struggle with budgeting for technology. Let’s have a look at the forecast graph below for 2020 – 2023,
which I got from International Data Corporation.
According to the graph above, ICT (Information and Communications Technology) spending will remain
relatively flat in 2020 due to the COVID-19 pandemic, while traditional ICT spending is forecast to
broadly track GDP growth over the next decade. New technologies such as robotics, artificial
intelligence, and VR also expand.
Technology Spending ($M)    2018         2019         2020         2021         2022         2023
Traditional Technologies    $4,005,011   $4,146,194   $4,005,032   $4,130,413   $4,277,843   $4,453,674
New Technologies            $653,808     $766,521     $891,760     $1,030,455   $1,189,208   $1,362,017
But I stress that these are not the only things we will have to consider in doing our jobs in the
future. Nowadays, even the ‘little tasks’ that programmers, developers, or system administrators
carry out for their DevOps work are always monitored by the finance department, by human capital
operations (corporate management), or by both.
Of course, this is related to how much budget is consumed and allocated. If we are running a Big Data
business with a large number of servers, we have to calculate how much budget is spent on domains
if we use domain providers, on SSL to protect the business, etc. It hurts if the budget is not in
line with your needs. So this is one example of how we can use Let’s Encrypt as an alternative to a
proprietary SSL package, whether personal, business, e-commerce, or wildcard.
Pfsense
In this section, we are using the 2.4.5-RELEASE-p1 community version with the Acme certificates
service installed. What follows is the simple, technical part: setting up the Let’s Encrypt certificate.
Go to the Services / Acme / Certificates menu. First, move to the Account keys tab, add an entry
with your preferred values like these, and save it.
Name : put your account keys name.
Description : put your account keys description.
ACME Server : choose Let's Encrypt Production ACME v2 (Applies rate limits to certificate requests)
E-Mail Address : the e-mail address to register for this key; used to send automated certificate expiration notices
Account key : + Create new account key
ACME account registration : Register ACME account key
Next comes the crucial step. Switch to the Certificates tab, add an entry with your preferred values
like these, and save it.
Name : the name set here
Description : description of name certificates
Status : set Active
Acme Active : Let’s Encrypt
Private Key : 2048-bit RSA
Domain SAN list : + Add. Fill in the Domainname field and the Method you are using. (Ex: DNS-Manual
is OK if you are not using any of the other domain providers such as Azure, Cloudflare, DigitalOcean,
GoDaddy, etc.)
Certificate renewal after : defaults to 60 (days)
Results
You will see that the new certificate entry has appeared in the Certificates tab. The next step is
to ‘Issue’ it for the first time; a TXT record will be generated in the verbose output. Copy and
paste it into your DNS provider’s management dashboard. The record name generally begins with the
prefix _acme-challenge. before your domain.
Make sure you query the record with dig before you renew, so that the DNS is synchronized and you
get a certificate with the latest valid expiration.
root@tifosilinux:~# dig _acme-challenge.<your domain> txt +short
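The dig check above, extended into a script, as an added example that is not part of the original article: it asks each authoritative nameserver for the _acme-challenge TXT record and passes only when all of them return the exact value from the Acme verbose output. The function names, the constructed sample values and the assumption that the domain is the zone apex belong to this example only.

```shell
#!/bin/sh
# Added example (not from the article): check that the dns-01 TXT value
# is served by every authoritative nameserver before Issue/Renew.

# Constructed sample of `dig +short TXT` output: a stale value and a new one.
SAMPLE_OUT='"CONSTRUCTED-stale-value-000000000000000000000"
"CONSTRUCTED-fresh-value-111111111111111111111"'

# Normalise dig output: one record per line, quotes and chunk joins removed.
strip_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED: read dig output on stdin; succeed only if one
# record equals EXPECTED exactly (a stale or partial value must not pass).
txt_has_value() {
    strip_txt | grep -Fxq -- "$1"
}

# check_challenge ZONE EXPECTED: ask each authoritative server directly,
# bypassing resolver caches. Assumes ZONE is the zone apex (has NS records).
check_challenge() {
    zone=$1; expected=$2; rc=0
    servers=$(dig +short NS "$zone" | sed 's/\.$//')
    [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
    for ns in $servers; do
        if dig +short TXT "_acme-challenge.$zone" "@$ns" |
            txt_has_value "$expected"; then
            echo "ok      $ns"
        else
            echo "MISSING $ns"; rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh <zone> <txt-value-from-acme-log>
# Without arguments, run against the constructed sample only (offline).
if [ "$#" -eq 2 ]; then
    check_challenge "$1" "$2"
else
    printf '%s\n' "$SAMPLE_OUT" |
        txt_has_value 'CONSTRUCTED-fresh-value-111111111111111111111' &&
        echo "sample: value present"
fi
```

A MISSING line for any nameserver means the record has not reached that server yet, so issuing or renewing at that moment can fail validation.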
If it finishes without any error, we can see the new certificate on the System – Cert. Manager –
Certificates tab. The certificate’s name, issuer, distinguished name, and ‘in use’ status are listed
there. For SSL Offloading on the HAProxy Frontend, select the certificate by name and tick the
‘Add ACL for cert. CommonName’ and ‘Subject Alternative Names’ checkboxes. Then check it in your browser.
Next
We’ve done it. The final thing to do from here on is to check the e-mail periodically to see whether
the expiration date is getting close; if so, renew the certificate.