How to access pfsense GUI via hostname and let's encrypt

Ok - I didn’t know DigitalOcean worked with ACME – good information.

Ok. So it looks like you have your SSL certs installed on pfsense.
Awesome

So - just to clarify – do you have any other listening services either on pfsense itself or a server within your LAN that is listening on port 443 for SSL connections?

Even with HA proxy in the mix I would think technically you could leave your webGUI listening on port 443 (but then you’re telling me that doesn’t work either, so what do I know).

So try this experiment.

Back up the current working configuration (just in case we have to revert).

Verify a few things on pfsense:
Under Services->Acme Certificates – Make sure your certificate is shown.
Under System->Advanced->Admin Access->SSL certificate – Make sure your certificate is selected.
Under System->Certificate Manager->Certificates – You’ll see current and old certificates. Look at the In Use column and make sure Acme and webConfigurator are listed against the SSL LE cert. HA proxy will probably also be listed with this cert.
Under Services->HA proxy->Settings – Make sure Enable HA proxy is disabled.

Make sure you can still access pfsense via an IP address (it will bitch that the cert name doesn’t match – which yes, your SSL cert doesn’t have the IP address attached – but just choose to bypass and proceed). Just make sure you can do that.

Also, as a precaution, I’d just make sure you can SSH into the pfsense box (in case you need to do some “rescue”). You could restore the working configuration this way if need be.

AND finally System->Advanced->Admin Access->change TCP port to 443. You might need to SSH into pfsense to restart webConfigurator (maybe not). And just see what happens.

Your firewall rules will actually dictate if your pfsense Webgui is accessible from outside.

To see listening services on ports:
SSH into pfsense, pick 8 for shell.
Then netstat -l -4 will show all listening services on IPv4 ports.

Does that help?
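As an added example (not from the post above), here is a small shell check for the netstat step: before moving the webConfigurator to TCP 443, it parses FreeBSD-style `netstat -l -4` output and reports whether anything already listens on that port. The netstat text below is constructed sample output, not captured from a real box, and the column layout is assumed to match FreeBSD's.

```sh
#!/bin/sh
# Constructed sample resembling FreeBSD `netstat -l -4` output on a pfSense box where the
# webConfigurator listens on 8443 and HAProxy still holds 443 and 80. Not real output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.8443                 *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
udp4       0      0 *.53                   *.*'

# tcp_listeners PORT: read netstat output on stdin and print the Local Address of every
# tcp4 socket in LISTEN state bound to PORT. The port is the text after the last dot in
# the Local Address column (BSD prints "addr.port", e.g. "*.443" or "127.0.0.1.953").
tcp_listeners() {
    awk -v port="$1" '
        $1 == "tcp4" && $NF == "LISTEN" {
            n = split($4, parts, "[.]")
            if (parts[n] == port) print $4
        }'
}

# port_is_free PORT: exit 0 when no tcp4 socket listens on PORT, non-zero otherwise.
port_is_free() {
    [ -z "$(tcp_listeners "$1")" ]
}

# On a live box you would pipe `netstat -l -4` in instead of the sample text.
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free 443; then
    echo "port 443 is free: safe to move the webConfigurator there"
else
    echo "port 443 is already taken by: $(printf '%s\n' "$SAMPLE_NETSTAT" | tcp_listeners 443)"
    echo "disable the other service (e.g. HAProxy) first, or the webConfigurator will not bind"
fi
```

If the check reports a conflict after HAProxy is disabled, the remaining listener is the one to track down before changing the Admin Access TCP port.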