pfSense ACME certificate issuing with Namecheap

I’m new here, but I’m trying to set up a certificate so I don’t get internal network SSL errors with things like Plex, etc., internally on my network. But since Namecheap doesn’t issue you an API key unless you spend a minimum amount (I believe $50), I can’t use that as the issuing service to validate ownership with only the one domain I have registered.

Is there any workaround to do it another way? Thanks in advance.


I would create an internal CA and create certs for your systems instead of using a 3rd party.

You can try this tutorial and get the job done. It’s been a while since I did this on my pfSense, but it worked great.

I was hoping to use letsencrypt as a learning tool, and to have it all happen automagically.

I was watching Tom’s video and thought, “oh, that doesn’t look that hard,” but since Namecheap has hosed me on an API for the DNS process, I believe I’m SOL.

You have a domain name right?

The following is just a suggestion. Transfer the domain name to Cloudflare. The process may take a few days, but then you have control of your DNS records. Cloudflare is free for personal use. Certbot/acme.sh integrate nicely with Cloudflare, and it’s extremely easy to obtain and renew SSL certs. Just my 2 cents.

As @kevdog has suggested you could port your entire domain, but you could probably also just set Namecheap to use Cloudflare as the DNS servers. That’s what I’m doing, as my domain provider doesn’t provide an API either and I can’t be bothered to move the domain.

Kevdog & Acestes,

I’ve ported the DNS for the domain I own (a .dev domain) over to Cloudflare; it’s all set up that way, the DNS resolves to my correct IP, it pings, that all looks good.

When I’m in the pfSense “ACME Certificates” package, I’m getting an error I’m unsure how to resolve. The first image is the error (“invalid domain”), the second is the setup of the actual certificate, and the third is the setup of the token.

Also, I’ve confirmed, as far as I can tell, that I’ve got the right information in the second image: the API key (I’m using the “Global API Key”, not the “Origin CA Key”), my email address for Cloudflare is correct, the token key generated when you create the token is right, and the Cloudflare API Account ID is correct (although a bit harder to locate for anyone who might later follow this thread for a similar issue: click on the domain from the home screen, and it’s way down at the bottom right).

Any chance either of you have an idea why I’d get “invalid domain” even though I own the domain and can manually adjust the DNS settings myself just fine?

IMGUR pics

Self Reply:

Changing the token Zone Resources to the attached picture fixed it, and I was able to generate a Let’s Encrypt certificate for Cloudflare. What a PITA!

@mooky

You don’t need all four parameters for DNS validation with Cloudflare. You need either the email address with the Global API Key OR the Account ID with the API Token. The email/Global API Key method is the old tried-and-true method, whereas the Account ID/API Token is the newer method, where it would be possible to revoke/change permissions for a subset of clients. Hopefully that made sense.

Only fill in the criteria on the pfSense GUI for one set or the other, not both. Leave the other set of criteria blank. I was originally receiving weird errors back in the day when I tried entering all four values.

In terms of your fix, I congratulate you on figuring that out; however, I’ve really never needed to do that. I usually just pick Include All Zones. (Unless CF has changed something in the last 24 hours.)
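The either/or credential rule and the "invalid domain" failure mode described above, worked through as an added example (not code from the thread, pfSense or acme.sh). It builds the Cloudflare v4 API headers for exactly one credential set, walks up the host name to find the zone the way a DNS-01 client has to, and shows why a token whose Zone Resources do not include the domain comes back with no zone. The `fake_cloudflare_opener` is a constructed offline stand-in for `urllib.request.urlopen`; the endpoint, header names and the `_acme-challenge` record name are the real Cloudflare API / ACME conventions, while the domain names, token string and digest are placeholders.

```python
"""Cloudflare DNS-01 credential handling: Global API Key vs scoped API Token.

Added example; not part of the forum thread, pfSense or acme.sh.
"""
import io
import json
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def cloudflare_auth_headers(email=None, global_key=None, api_token=None):
    """Return headers for exactly one Cloudflare credential set.

    Legacy set:  X-Auth-Email + X-Auth-Key (Global API Key, full account rights).
    Token set:   Authorization: Bearer <token> (scoped per zone, revocable).
    Filling in both sets (the "all four fields" mistake) or neither is rejected.
    """
    legacy = bool(email) or bool(global_key)
    token = bool(api_token)
    if legacy and token:
        raise ValueError("use either Email + Global API Key or an API Token, not both")
    if token:
        return {"Authorization": f"Bearer {api_token}",
                "Content-Type": "application/json"}
    if email and global_key:
        return {"X-Auth-Email": email, "X-Auth-Key": global_key,
                "Content-Type": "application/json"}
    raise ValueError("Global API Key method needs both the email and the key")


def zone_name_candidates(fqdn):
    """Zone names to try for a host, longest first.

    plex.home.example.dev -> [plex.home.example.dev, home.example.dev, example.dev]
    (the TLD alone is never a zone, so it is left out).
    """
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(0, len(labels) - 1)]


def acme_challenge_record(fqdn, key_authorization_digest):
    """TXT record the ACME server queries for a dns-01 challenge on fqdn."""
    return {"type": "TXT", "name": f"_acme-challenge.{fqdn}",
            "content": key_authorization_digest, "ttl": 120}


def find_zone(fqdn, headers, opener=urllib.request.urlopen):
    """Walk up the name until GET /zones?name=<zone> returns a zone.

    Returns (zone_id, zone_name), or (None, None) when no candidate is visible
    to these credentials. A token scoped to the wrong zone (or lacking
    Zone:Read) sees an empty result list, which the ACME client reports as
    "invalid domain" even though the account owns the domain.
    """
    for zone in zone_name_candidates(fqdn):
        req = urllib.request.Request(f"{CF_API}/zones?name={zone}", headers=headers)
        with opener(req) as resp:
            body = json.load(resp)
        if body.get("success") and body.get("result"):
            return body["result"][0]["id"], zone
    return None, None


def fake_cloudflare_opener(readable_zones):
    """Constructed offline stand-in for urllib.request.urlopen.

    Answers /zones?name=X with one zone record only when X is in
    readable_zones, modelling the token's Zone Resources scope.
    """
    def opener(req):
        name = req.full_url.rsplit("name=", 1)[1]
        result = [{"id": f"zone-{name}", "name": name}] if name in readable_zones else []
        return io.BytesIO(json.dumps({"success": True, "result": result}).encode())
    return opener


if __name__ == "__main__":
    hdrs = cloudflare_auth_headers(api_token="cf-token-placeholder")  # placeholder
    # Token scoped to a different zone: every lookup comes back empty.
    print(find_zone("plex.example.dev", hdrs, fake_cloudflare_opener({"other.dev"})))
    # Token scoped to (or "Include All Zones" covering) example.dev: zone found.
    print(find_zone("plex.example.dev", hdrs, fake_cloudflare_opener({"example.dev"})))
    print(acme_challenge_record("plex.example.dev", "placeholder-digest"))
```

With a real token, swapping the fake opener for the default `urllib.request.urlopen` performs the actual zone lookup; if that returns `(None, None)` for a domain you own, the token's Zone Resources (or its Zone:Read / DNS:Edit permissions) are the first thing to check.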

@mooky I’m just wondering where you found that minimum for Namecheap. I only have one domain registered with them and didn’t run into any issues with turning on my API key, other than the couple of days it takes to actually get activated. I’ve been doing DNS auth with Namecheap for several months now with pfSense and ACME.

How long ago did you purchase your domain? You might be grandfathered in. I’ve had my domain about 6 months; when I go to the API link, it actually says I don’t qualify.

It wasn’t entirely clear in the pfSense ACME GUI that it was an either/or with the token or the API key. I’m going to do some testing later just to play around and see.

Also, as for the token itself, I was trying to keep permissions as narrow as possible, initially.

Thanks to everyone in the forum for the help, and to @LTS_Tom for the videos, which make a dolt like me feel like a technical genius. Now on to the HAProxy part of the project.

I’ve gotten mine in the last two years, but I did several years at a time, so I’m over the $50 mark. Hopefully they don’t cut me off when I haven’t given them any money in two years.

@mooky
The Account ID/API Token keeps the permissions more narrow than the other option.

I’m aware the pfSense GUI doesn’t exactly spell out that it’s an either/or option.

I just registered a domain with Namecheap after watching Tom’s domain video…

Only to now find out, when watching the HAProxy/ACME video again, that Namecheap appears to be useless for this, as they don’t give out API keys… so, as someone suggested, I just created a Cloudflare free account and am trying to manage DNS from there…

Did they stop giving API access to new users? I use Namecheap for a wildcard cert in pfSense. I do remember it took a few hoops to get API access, though, but it’s been a few years.

They do, but you have to spend $50 before you get access.

Also, it’s pointless anyway, because yes, you can get it to work to do Let’s Encrypt, that’s fine. But the other part of Namecheap is updating your IP when it shifts, which you cannot do in any easy way that I know of.

You have to whitelist access to the API to a static singular IP, or multiple, but all individually; a range is not possible, which is the other reason you want an API in the first place. If your IP changes, your access to the API is cut until you manually go to Namecheap’s website and whitelist the new IP address; then the DynDNS pfSense package will work.

Pretty freaking useless in the grand sense of things. If anyone has a workaround for that, I’m all ears.

Namecheap has a dynamic DNS updating option, which I have used. https://www.namecheap.com/support/knowledgebase/subcategory/11/dynamic-dns/

I think that still won’t work with pfSense/HAProxy… or not in a way that I would be able to configure through the pfSense UI… But I’m now using Cloudflare, so I think that will work.

Let me fix what I said above, since it had been a while since I looked at it and apparently my memory is rusty. I just refreshed, and the DynDNS package in pfSense works; it doesn’t require a whitelisted IP. It does require a “Dynamic DNS Password”, which is available on Namecheap’s website (for free), and that is NOT IP-locked, which is good.

The API ($50 buy-in on Namecheap for access) used for issuing/renewing ACME Let’s Encrypt certificates does require the IP to be whitelisted in Namecheap’s API settings (Profile → Tools → API Access (Manage) → Whitelisted IPs) for ACME to do its thing. No workaround but manual for that, which is stupid.

If anyone has a workaround for the ACME/Let’s Encrypt issue, please!! My IP doesn’t change often, which is in itself bad, because I almost never check if it has.

EDIT: The only reason I don’t use Cloudflare anymore and actually switched back to Namecheap is the email aliasing of Namecheap.