Let's Encrypt the router!

IT stuff Sep 5, 2020

In my home network I've been trying to get the "green lock" on all things possible, for years now.  
There are several ways to achieve this:

  • Buy an SSL certificate from a Certificate Authority (CA), which costs a lot of money, so not an option.
  • Create a self-signed SSL certificate from your own CA.
  • Use the "new" free CA from Let's Encrypt (LE) to get "official" SSL certificates.

First option, just to give an idea about the costs:

Annual cost for a wildcard subdomain certificate; you'll also need an extra domain certificate annually.

The second option was the norm for years in my home environment, but due to the overhead involved I want to automate things as much as possible. If possible, everything done with LE, so that I don't have to import my own CA on all my client devices (computer, phone etc.).

Not only because it's easier once it's set up, but it also saves a lot of annoyances like:

  • Some machines need the SSL certificate set up in a specific way in order to use it. Not a big issue once you know how to do it, but for Proxmox, for example, I haven't renewed the certificate for about a year because I didn't have the energy to figure it out again. It wasn't that much of a problem because the Proxmox web UI is firewalled pretty well, but it was still an annoyance to click "yes I know" every time.
  • Reinstall or introduce a new client, and I forgot every time to import the CA.
    This went on for months sometimes, because I was so tired all day every day.
  • Changing situations, e.g. Apple changing the maximum allowed lifetime of new certificates, forcing you to renew the certificates way more often (which is a good thing).
  • Expiring SSL certificates, especially if you have 10-20 expiring within a short period of time. When I'm low on energy, this just won't happen.
Browser error due to a missing certificate authority, even though the SSL certificate itself is valid
Red "lock", should be green or gray with newer browsers

All in all it's a good idea to use Let's Encrypt, I think.

So here's how I implemented it in my router, a pfSense machine based on FreeBSD. For the automated SSL certificate renewal, I'm going to use the "acme" client with Cloudflare DNS validation.
ACME is short for "Automated Certificate Management Environment", the protocol for automated use of Let's Encrypt certificates.
Current versions are:

  • pfSense: 2.4.5-RELEASE-p1 (amd64)
  • acme: 0.6.8_2

The acme client does not come pre-installed on pfSense; you have to install it with the package manager (System > Package Manager > Available Packages). Filter on acme and install. If everything went right, it shows up under Services > Acme Certificates. Click on that option to enter the configuration menu.

acme client installed and available under the Services menu.

The first time you enter this menu, you can't do much without setting up an "account" first, under Account Keys.

When adding new account keys, you have to fill out at least the following things:

  • Name
  • A valid e-mail address for information regarding the certificates
  • An account key (click "Create new account key" to let pfSense generate one for you)

Leave ACME Server on the default value for now, Staging, for testing purposes.
With that done, you can now register the ACME account key with a click on a button.
The "ACME account registration" button will show you a ✔ if this all went okay.

Results of the previous steps, with a checkmark for successful registration

Now, in order to obtain a real certificate, the ACME server has to be switched from the Staging/TESTING server to the real deal.
Choose option "Let's Encrypt Production ACME v2 (Applies rate limits to certificate requests)" for this step, and apply the new setting with a click on the Save button.

Back in the "Certificates" menu, add a new certificate. A new menu pops up, where you again have to enter at least the following options if you do the same with Cloudflare:

  • Name: this will be the name of the certificate you have to apply later on.
  • Acme account: automatically filled in with the account you created previously.
  • Private key: 2048 bit is fine, but I like overkill and went for 4096 bit.
  • Domain SAN list (click on Add): the Cloudflare credentials for the acme client.
  • Action list: to trigger a web interface reload after a new SSL certificate has been downloaded.
First few options set up

Now for the Cloudflare Domain SAN list, you need the following data:

  • Domain name, the FQDN you're going to use for this machine
  • Method, in this case "DNS-Cloudflare"
  • Cloudflare API Key
  • Cloudflare API Email Address (the email address you use to login to Cloudflare)
  • Cloudflare API Token
  • Cloudflare API Account ID
  • Cloudflare API Zone ID

Except for the email address, everything has to be pulled or created from the Cloudflare dashboard.
This guide assumes everything necessary to get your domain on Cloudflare has already been done. If not, good luck!
Because the first thing you see is the home tab, choose your domain and let's grab the API Zone ID and Account ID first.

Cloudflare overview screen

After selecting your domain, you get an overview with a lot of different menus and options. Scroll down, and in the bottom right corner you see both IDs (Zone ID and Account ID).
I've censored these values, but you have to copy them into the acme client accordingly.

Cloudflare Zone and Account IDs, censored.

Next on the list are the Cloudflare account API Token and API Key.
You can get these by entering "My Profile", top right corner, and switching to the "API Tokens" menu.
Create a token with "Create Token", and use the "Edit zone DNS" template.

Everything is fine as is, except that under "Zone resources" you should restrict the token to your own zone, so the token can only change DNS records for that domain.

Cloudflare token creation for a specific zone (domain)

Continue to the summary, proceed with "Create token", and copy the newly created token into the acme client.

Newly created API token, censored

The last step: the Global API Key. Back in the API Tokens menu, click on the "View" button next to "Global API Key". For this you need to log in with your password, answer some captchas etc.
Copy that value into the acme client.
With everything done, the Domain SAN list should look something like this:

The acme client will not restart the web interface on its own, so the web interface keeps using the old certificate beyond its intended lifetime, which results in SSL error messages.
So in order to apply the new SSL certificates after retrieval, do the following:

Add a new command under option Action list:

  • command: "/etc/rc.restart_webgui"
  • Method: "Shell Command"

Hit the save button at the bottom. Now your certificate configuration will pop up under the Acme > Certificates option.

Certificate setup done, the newly created SSL certificate configuration is visible

The SSL certificate is not issued yet, and two more steps are necessary to complete the whole setup.
With a click on the button "Issue/Renew", ACME tries to get a certificate issued.
I'll just assume everything went well; if not, search for "message" in the log file the acme client specifies. The text in that line will tell you what went wrong.

In General settings, enable "Cron Entry" and save.

Under System > Advanced, change option "SSL/TLS Certificate" to the certificate name, in my case "webuipfsense", and save.
pfSense will redirect you after a 20 second countdown, where you'll be greeted with a green lock in the navigation bar, or with newer browsers a grey lock. Either way you'll have no error message with current and future devices.

System > Advanced with the new SSL Let's Encrypt certificate
Let's Encrypt certificate got applied (LE = DST Root CA X3)

That's it!  

Any certificate-related issues will be sent to you by email, to the address specified in the Acme account key menu.
Let's Encrypt certificates are currently valid for 90 days, but the acme client renews them after 60 days by default.
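Since the web UI only picks up a new certificate after the restart hook runs, and acme should renew at 60 of the 90 days, a certificate with fewer than 30 days left means the cron job or the reload failed. The following monitoring check is an added example, not part of the original post or the acme package; it uses only the Python standard library, the 30-day threshold and the "router.example.net" hostname are assumptions, and the embedded sample certificate dict is constructed.

```python
"""Check the certificate served by the pfSense web UI: flags an unexpected issuer,
an expired certificate, or one the acme cron job should already have renewed."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed threshold: acme renews at 60 days of the 90-day lifetime, so fewer
# than 30 days left means the renewal or the webgui restart hook failed.
WARN_DAYS = 30
EXPECTED_ISSUER_ORG = "Let's Encrypt"

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Dec  4 12:00:00 2020 GMT",
}


def days_remaining(cert: dict, now: datetime) -> int:
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expiry - now).days


def issuer_org(cert: dict) -> str:
    """organizationName of the issuer, from getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def evaluate(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Classify a certificate dict as ok, renew-soon, expired or unexpected-issuer."""
    if issuer_org(cert) != EXPECTED_ISSUER_ORG:
        return "unexpected-issuer"
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "renew-soon"
    return "ok"


def fetch_cert(host: str, port: int = 443) -> dict:
    """Connect with full chain and hostname verification and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 check_cert.py router.example.net
        print(sys.argv[1], evaluate(fetch_cert(sys.argv[1]), datetime.now(timezone.utc)))
    else:
        print("sample", evaluate(SAMPLE_CERT, datetime(2020, 9, 5, tzinfo=timezone.utc)))
```

Run it from cron on another host; a result other than "ok" is the signal to look at the acme log before the browser starts complaining.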
