LetsEncrypt Cert Renewal behind pfsense running HAProxy & SSL Termination

I can’t find a solution for this use case, but I’m sure there has to be one…

I have an environment with pfsense running http->https redirect & SSL Termination in front of multiple servers, and auto cert renewal using LetsEncrypt - all of this is running flawlessly.

One of the boxes behind pfsense is a mail server, which again is configured and (aside from the issue described below) is also running trouble-free - mail can be sent & received, clients can connect, and web frontend works well.

My issue is with the self-signed cert the mail server uses to encrypt its own connections (i.e. STARTTLS). The server (running iRedMail) can use certbot to auto-renew this via LetsEncrypt, but the LetsEncrypt server can’t see the .well-known/acme-challenge folder to do the challenge authentication.

I’m not sure what I should do to resolve this, and I could use a fresh set of eyes. I could update the certs by hand (which is what I’ve been doing), but would very much like an automated solution - any and all help / suggestions would be appreciated.

Move to a system that supports DNS auth for Let’s Encrypt, or have pfsense handle the certificates and use “Write Certificates” to write the ACME certificates to /conf/acme/ in various formats for use by other scripts or daemons which do not integrate with the certificate manager, and then use a script on the mail server to pull that in.

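One way to implement the second option (pfsense writing the certificates to /conf/acme and the mail server pulling them), added here as an example and not taken from the thread or from iRedMail. It assumes a key-authenticated read-only SSH user on pfsense, an ACME certificate named "mail" (written out as mail.key and mail.fullchain), iRedMail's default certificate paths, and systemd-managed Postfix and Dovecot; pulling from the mail server side means the firewall never needs write access to the mail host, and the checks keep a half-written or mismatched pair from being installed.

```shell
#!/bin/sh
# Mail-server side of the "Write Certificates" approach: pull the ACME
# files pfsense writes to /conf/acme over SSH, sanity-check them, install
# them only when they changed, then reload Postfix and Dovecot.
# Assumptions (not from the thread): SSH user acme-reader on pfsense with
# key auth, ACME cert named "mail", iRedMail default cert paths, systemd.
set -eu

PFSENSE="${PFSENSE:-acme-reader@pfsense.example.lan}"
ACME_NAME="${ACME_NAME:-mail}"
CERT_DST="${CERT_DST:-/etc/ssl/certs/iRedMail.crt}"
KEY_DST="${KEY_DST:-/etc/ssl/private/iRedMail.key}"

# True when FILE holds a complete PEM block whose type matches the regex TYPE.
pem_has_block() {            # pem_has_block FILE 'CERTIFICATE'
    grep -q "^-----BEGIN $2-----$" "$1" && grep -q "^-----END $2-----$" "$1"
}

# True when NEW differs from INSTALLED, or when nothing is installed yet.
needs_update() {             # needs_update NEW INSTALLED
    [ ! -f "$2" ] || ! cmp -s "$1" "$2"
}

# Refuse a cert/key pair whose public keys differ or whose cert has expired.
verify_pair() {              # verify_pair CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

main() {
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    scp -q "$PFSENSE:/conf/acme/$ACME_NAME.fullchain" "$tmp/cert.pem"
    scp -q "$PFSENSE:/conf/acme/$ACME_NAME.key" "$tmp/key.pem"
    pem_has_block "$tmp/cert.pem" 'CERTIFICATE'   || { echo "no certificate in download" >&2; exit 1; }
    pem_has_block "$tmp/key.pem"  '.*PRIVATE KEY' || { echo "no private key in download" >&2; exit 1; }
    verify_pair "$tmp/cert.pem" "$tmp/key.pem"    || { echo "cert/key mismatch or expired" >&2; exit 1; }
    if needs_update "$tmp/cert.pem" "$CERT_DST" || needs_update "$tmp/key.pem" "$KEY_DST"; then
        install -m 0644 -o root -g root "$tmp/cert.pem" "$CERT_DST"
        install -m 0600 -o root -g root "$tmp/key.pem"  "$KEY_DST"   # private key stays root-only
        systemctl reload postfix dovecot
        echo "installed new certificate for $ACME_NAME"
    fi
}

# Run from root's cron once a day: pull-acme-cert.sh run
if [ "${1:-}" = run ]; then main; fi
```

Lock the acme-reader account on pfsense down to reading /conf/acme (for example with a forced scp command in authorized_keys) so the mail server's key cannot be used for anything else on the firewall.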

Thanks @LTS_Tom - switching to DNS auth did the trick. Not sure how I missed thinking of that - like I said, a fresh pair of eyes certainly helped :)

Much obliged.
