This is a short howto for automatic cert renew with the acme-plugin and HAProxy on pfSense. I’am using pfSense and opnSense and I like the way opnsense solved the automatic cert renew with HAProxy. The easiest way on pfSense is too use the DNS-Auth, but its necessary to use the API from your provider or do it manually. There is a better way and I show you how…
The HTTP-Standalone method issues a url call to a specific location (.well-known/acme-challenge/<random-key>) on port 80. If you are running HAProxy the port is in use and the acme script/server can not use it. BUT you can run the script on a different free port internally and catch the call in HAProxy. HAProxy redirects the call to the standalone acme-server on port 8080 or whatever you want and what’s free.
So here is how I’m doing it:
First we have to add a new backend for the standalone server. In
Servies/HAProxy/Backend add a new backend and use these settings. Pick a Name like „ACME-Challange“ and a free Port like 8443 or 8080. The Address in the Server list is the address where the standalone-acme-server will run on. I think the best choice is your LAN-IP-Address from the inner side of your pfSense, because it must be reachable and secure. Maybe 127.0.0.1 will work too… The name in Server list is not important.
Servies/HAProxy/Frontend add or edit the Frontend for port 80. I have a common redirect rule for http2https on port 80 in HAProxy.
Now we need to add a ACL for
.well-known/acme-challenge/ and redirect it to our new ACME-Backend.
I added two ACLs one is matching all calls from LetsEncrypt and one negates the match (so everything else – this is not necessary). Important is the
Path contains within slashes expression to work. The Actions are one for the ACME-Url to use our new backend and the other for my redirects to https.
If the LetsEncrypt service calls the URL the HAProxy will redirect the traffic to port 8443 and the acme-standalone server can handle the request. Now we need the ACME stuff.
Servies/ACME/Certificates add or edit your certificate with these settings.
Make sure to reload the involved services and click on issue/renew to get a new certificate. Thats it.