Creating a Let's Encrypt wildcard certificate for an internal domain using ACME-dns in pfSense

1. Install the ACME Package:

  1. Navigate to “System > Package Manager”.
  2. Click the “Available Packages” tab.
  3. Locate the “ACME” package and click the “Install” button.

2. Configure ACME Settings:

  1. Go to “Services > ACME Certificates”.
  2. Under “General Settings”:
    1. Enable the “ACME DNS Validation” option.
    2. Enter your desired email address for notifications.
  3. Under “DNS Settings”:
    1. Select “ACME-dns” as the “DNS API”.
    2. Provide the API endpoint URL for your ACME-dns server (if external).
    3. If using pfSense as the DNS server, leave this field blank.

3. Create a Domain Override:

  1. Go to “Services > DNS Resolver”.
  2. Click the “Domain Overrides” tab.
  3. Click “Add”.
  4. Enter your internal domain name (e.g., *.mycompany.local).
  5. Select “A (Address)” as the type.
  6. Enter the IP address of your pfSense box itself as the IP address.
  7. Click “Save”.

4. Request a Wildcard Certificate:

  1. Navigate back to “Services > ACME Certificates”.
  2. Click the “Add” button.
  3. Enter your internal domain name with a wildcard prefix (e.g., *.mycompany.local).
  4. Select “DNS Validation” as the challenge type.
  5. Click “Create”.

5. Complete DNS Challenge: ACME-dns will present a DNS challenge record that needs to be added to your DNS server.

  1. Go to “Services > DNS Resolver”.
  2. Click the “Custom Options” tab.
  3. Add the challenge record as a custom option, following the format provided by ACME-dns.
  4. Click “Save”.
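A check for the custom-option step, added here and not part of the original guide or of the pfSense, acme.sh or ACME-dns projects: it derives the `_acme-challenge` owner name for a (wildcard) domain and builds the DNS Resolver custom-option lines for either a CNAME to an ACME-dns subdomain or a TXT record served by pfSense itself. It assumes the pfSense DNS Resolver is Unbound and that "Custom Options" takes plain unbound.conf directives with single- or double-quoted strings; the exact record ACME-dns gives you may differ.

```python
import re

# Added example (not pfSense, acme.sh or ACME-dns code). Assumes the pfSense
# DNS Resolver is Unbound and that its "Custom Options" box accepts plain
# unbound.conf directives; the exact record ACME-dns hands you may differ.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def challenge_name(domain: str) -> str:
    """FQDN (trailing dot) at which the DNS-01 record for `domain` must live.

    For a wildcard such as '*.mycompany.local' the CA checks
    '_acme-challenge.mycompany.local', not '_acme-challenge.*.mycompany.local',
    so a leading '*.' is stripped before prefixing.
    """
    name = domain.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"{domain!r}: only a single leading '*.' is allowed")
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            raise ValueError(f"{domain!r}: invalid label {label!r}")
    return f"_acme-challenge.{name}."


def unbound_cname(domain: str, target: str, ttl: int = 300) -> list[str]:
    """Custom options that point the challenge name at an ACME-dns subdomain
    (the usual ACME-dns pattern: CNAME to '<account-id>.<acme-dns-zone>').
    Unbound creates an implicit transparent local-zone for the local-data."""
    owner = challenge_name(domain)
    target = target.strip().rstrip(".").lower() + "."
    return ["server:", f'local-data: "{owner} {ttl} IN CNAME {target}"']


def unbound_txt(domain: str, value: str, ttl: int = 60) -> list[str]:
    """Custom options serving the challenge TXT record from pfSense itself.

    A DNS-01 value is base64url(SHA-256(key authorization)): 43 characters,
    no padding. Anything else is probably the wrong token (e.g. HTTP-01's).
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]{43}", value):
        raise ValueError("DNS-01 value must be 43 base64url characters")
    owner = challenge_name(domain)
    return [
        "server:",
        f'local-zone: "{owner}" static',
        f"local-data: '{owner} {ttl} IN TXT \"{value}\"'",
    ]
```

Paste the returned lines into the "Custom Options" box, then query the `_acme-challenge` name from a client that uses pfSense as its resolver to confirm the record is answered before retrying the challenge.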

6. Finalize Certificate Issuance: Once the challenge is validated, ACME-dns will automatically obtain and install the wildcard certificate. You can view the issued certificate under “Services > ACME Certificates”.

Additional Notes:

Certificate Usage: Use the generated certificate for your internal services and applications.
Renewals: ACME-dns can automatically renew certificates before they expire.
Troubleshooting: If you encounter issues, consult the pfSense documentation or community forums for assistance.

Remember:

Replace placeholders like mycompany.local with your actual domain name.
If using an external ACME-dns server, provide its correct API endpoint URL.
Ensure your pfSense box is reachable as the DNS server for your internal devices.