pfSense + Let's Encrypt + Cloudflare

I manage a few pfSense firewalls. A few days ago, I started getting emails that the webConfig certificate was due to expire soon on one box. Currently, pfSense doesn't have a built-in way to renew the webConfigurator TLS certificate. However, the ACME package will automatically renew certificates from Let's Encrypt, for example. Since I use Cloudflare for DNS on everything, I can use their APIs and Workers platform to automate a few things.

The pfSense ACME package uses acme.sh as its ACME client and comes with support for the Cloudflare API. Now, since some of these pfSense boxes I manage are on customer networks, I'm not too excited about giving out API keys that have the power to edit any DNS record for my domains. Fortunately, there is a solution!

Another DNS challenge method available to me is acmeproxy, which is perfectly designed for my situation. Instead of talking to the DNS provider directly, the ACME client makes HTTP requests to a central proxy server, which holds the DNS credentials and adds (and later removes) the necessary DNS TXT records. The CA can then verify that I in fact control the domain and issue me a TLS certificate.

I decided to implement my own "server" using Cloudflare Workers. This works very well since the whole operation (especially for my use case) is stateless. I can provide the URL of my Worker to pfSense/ACME and proxy DNS challenges. When a request comes in for a DNS challenge record, the Worker uses Cloudflare's API to add/remove the record and pfSense receives a shiny new certificate from Let's Encrypt.
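To make the flow concrete, here is an added example of such a proxy written as a Cloudflare Worker module handler. It is not the code from the repository linked below and not the author's implementation; it follows the request shape acme.sh's acmeproxy hook uses (a JSON POST with `fqdn` and `value` to `<endpoint>/present` and `<endpoint>/cleanup`, with optional HTTP Basic auth) and the Cloudflare v4 DNS records API. The environment binding names (`CF_API_TOKEN`, `PROXY_USER`, `PROXY_PASS`, `ALLOWED_ZONES`) and the allow-list format are assumptions made for this example. The point a practitioner wants to see is what the pfSense box is no longer able to do: it never sees the Cloudflare token, and the Worker only accepts `_acme-challenge.*` names inside zones it has been told about.

```javascript
// Added example (not the post's or the linked repository's code): an
// acmeproxy-style DNS-01 proxy as a Cloudflare Worker module handler.
// acme.sh's dns_acmeproxy hook POSTs {"fqdn": "_acme-challenge.host.example.com.",
// "value": "<token>"} to <endpoint>/present and <endpoint>/cleanup.
// Assumed Worker bindings (names chosen here): CF_API_TOKEN, PROXY_USER,
// PROXY_PASS, ALLOWED_ZONES as JSON {"example.com": "<cloudflare zone id>"}.

const CF_API = "https://api.cloudflare.com/client/v4";
// DNS-01 TXT values are base64url SHA-256 digests: 43 characters, no padding.
const TXT_VALUE_RE = /^[A-Za-z0-9_-]{43}$/;

// Constant-time comparison so the credential check does not leak prefix/length timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Check the "Authorization: Basic <base64(user:pass)>" header the hook sends
// when ACMEPROXY_USERNAME / ACMEPROXY_PASSWORD are configured on the client.
function checkBasicAuth(header, user, pass) {
  if (!header || !header.startsWith("Basic ")) return false;
  let decoded;
  try { decoded = atob(header.slice(6).trim()); } catch (e) { return false; }
  const sep = decoded.indexOf(":");
  if (sep < 0) return false;
  const userOk = safeEqual(decoded.slice(0, sep), user);
  const passOk = safeEqual(decoded.slice(sep + 1), pass);
  return userOk && passOk;
}

// Authorization: only _acme-challenge.* labels, and only under an allowed zone.
// Returns { name, zoneId } or null. The trailing dot acme.sh appends is stripped.
function authorizeName(fqdn, allowedZones) {
  if (typeof fqdn !== "string") return null;
  const name = fqdn.toLowerCase().replace(/\.$/, "");
  if (!/^_acme-challenge\.[a-z0-9.-]+$/.test(name)) return null;
  for (const [zone, zoneId] of Object.entries(allowedZones)) {
    if (name.endsWith(`.${zone}`)) return { name, zoneId };
  }
  return null;
}

// Thin wrapper over the Cloudflare v4 API; fetchImpl is injected so the
// handler can be exercised offline with a fake.
async function cfApi(env, fetchImpl, method, path, body) {
  const res = await fetchImpl(`${CF_API}${path}`, {
    method,
    headers: { Authorization: `Bearer ${env.CF_API_TOKEN}`, "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  const data = await res.json();
  if (!res.ok || !data.success) {
    throw new Error(`Cloudflare API ${method} ${path} failed: ${JSON.stringify(data.errors || [])}`);
  }
  return data.result;
}

// Core handler on a plain request shape { method, path, authorization, body }.
// Returns { status, body, headers? }.
async function handleAcmeProxy(req, env, fetchImpl) {
  if (req.method !== "POST") return { status: 405, body: "method not allowed" };
  if (!checkBasicAuth(req.authorization, env.PROXY_USER, env.PROXY_PASS)) {
    return { status: 401, body: "unauthorized", headers: { "WWW-Authenticate": 'Basic realm="acmeproxy"' } };
  }
  const action = req.path.replace(/\/+$/, "").split("/").pop();
  if (action !== "present" && action !== "cleanup") return { status: 404, body: "not found" };
  let payload;
  try { payload = JSON.parse(req.body); } catch (e) { return { status: 400, body: "invalid JSON" }; }
  const target = authorizeName(payload.fqdn, JSON.parse(env.ALLOWED_ZONES));
  if (!target) return { status: 403, body: "name not permitted" };
  if (typeof payload.value !== "string" || !TXT_VALUE_RE.test(payload.value)) {
    return { status: 400, body: "invalid challenge value" };
  }
  const base = `/zones/${target.zoneId}/dns_records`;
  try {
    if (action === "present") {
      await cfApi(env, fetchImpl, "POST", base, { type: "TXT", name: target.name, content: payload.value, ttl: 60 });
    } else {
      // Delete only records that match both the name and the exact value we created.
      const q = `?type=TXT&name=${encodeURIComponent(target.name)}&content=${encodeURIComponent(payload.value)}`;
      const records = await cfApi(env, fetchImpl, "GET", `${base}${q}`);
      for (const r of records) await cfApi(env, fetchImpl, "DELETE", `${base}/${r.id}`);
    }
  } catch (e) {
    return { status: 502, body: "dns update failed" };
  }
  return { status: 200, body: JSON.stringify({ fqdn: payload.fqdn, value: payload.value }) };
}

// Worker entry point (in a real Worker this object is `export default`ed).
const worker = {
  async fetch(request, env) {
    const url = new URL(request.url);
    const result = await handleAcmeProxy({
      method: request.method,
      path: url.pathname,
      authorization: request.headers.get("authorization") || "",
      body: await request.text(),
    }, env, fetch);
    return new Response(result.body, { status: result.status, headers: result.headers || {} });
  },
};
```

Two practical notes. First, the `CF_API_TOKEN` the Worker holds should itself be a scoped API token (DNS:Edit on just the zones in `ALLOWED_ZONES`), so the allow-list in code is a second layer rather than the only one. Second, the proxy credentials a pfSense box holds are still a capability: whoever has them can create `_acme-challenge` records for any hostname under the allowed zones and therefore obtain certificates for those names. That is far less than a zone-wide DNS token, but it is worth one credential pair per box so a compromised box can be revoked individually.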

Here's the source code:

GitHub - zaxbux/acmeproxy-cf-workers

It is still in the work-in-progress and use-at-your-own-risk stage and needs some adjustments to scale a bit better. I have successfully deployed it and it's serving a few pfSense boxes quite well.