pfSense ACME certificate issuing with Namecheap

I’m new here, but I’m trying to set up a certificate so I don’t get internal network SSL errors with things like Plex, etc., internally on my network. But since Namecheap doesn’t issue you an API key unless you spend a minimum amount (I believe $50), I can’t use that as the issuing service to validate ownership with only the one domain I have registered.

Is there any workaround to do it another way? Thanks in advance.

I would create an internal CA and create certs for your systems instead of using a 3rd party.

You can try this tutorial and get the job done. It’s been a while since I did this on my pfSense, but it worked great.

I was hoping to use letsencrypt as a learning tool, and to have it all happen automagically.

I was watching Tom’s video and thought, “oh, that doesn’t look that hard,” but since Namecheap has hosed me on an API for the DNS process, I believe I’m SOL.

You have a domain name, right?

The following is just a suggestion. Transfer the domain name to Cloudflare. The process may take a few days, but then you have control of your DNS records. Cloudflare is free for personal use. Certbot/acme.sh integrate nicely with Cloudflare, and it’s extremely easy to obtain and renew SSL certs. Just my 2 cents.

As @kevdog has suggested, you could port your entire domain, but you could probably also just set Namecheap to use Cloudflare as the DNS servers. That’s what I’m doing, as my domain provider doesn’t provide an API either and I can’t be bothered to move the domain.

Kevdog & Acestes,

I’ve ported the DNS for the domain I own (a .dev domain) over to Cloudflare; it’s all set up that way, the DNS resolves to my correct IP, it pings, that all looks good.

When I’m in the pfSense “ACME Certificates” package, I’m getting an error I’m unsure how to resolve. The 1st image is the error, “invalid domain”; the 2nd is the setup of the actual certificate; and the 3rd is the setup of the token.

Also, I’ve confirmed, as far as I can tell, that I’ve got the right information in the 2nd image: the API key (I’m using the “Global API Key”, not the “Origin CA Key”), my email address for Cloudflare is correct, the token key generated when you create the token is right, and the Cloudflare API Account ID is correct (although a bit harder to locate for anyone who might later follow this thread for a similar issue: click on the domain from the home screen, and it’s way down at the bottom right).

Any chance either of you have an idea why I’d get “invalid domain” even though I own the domain and can manually adjust the DNS settings myself just fine?

IMGUR pics

Self Reply:

Changing the token Zone Resources to the attached picture fixed it, and I was able to generate a Let’s Encrypt certificate via Cloudflare. What a PITA!

@mooky

You don’t need all four parameters for DNS validation with Cloudflare. You need either the email address with the Global API Key OR the Account ID with the API Token. The email/Global API Key method is the old tried-and-true method, whereas the Account ID/API Token is the newer method, where it would be possible to revoke/change permissions for a subset of clients. Hopefully that made sense.

Only fill in the criteria in the pfSense GUI for one set or the other, not both. Leave the other set of criteria blank. I was originally receiving weird errors back in the day when I tried entering all four values.

In terms of your fix, I congratulate you on figuring that out; however, I’ve really never needed to do that. I usually just pick “Include All Zones” (unless CF has changed something in the last 24 hours).
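To make the two points above concrete (the either/or between Global API Key and API Token, and the zone lookup that fails when a token’s Zone Resources don’t cover the domain), here is an added example of what a DNS-01 client does against the Cloudflare v4 API. It is not the pfSense ACME package or acme.sh code, and it is not from anyone in this thread. The domain `plex.example.dev`, the token and key strings, the zone ID `zone123` and the key authorization string are all made up; a fake session object stands in for the HTTP client so the script runs offline.

```python
"""Added example: Cloudflare DNS-01 challenge steps with either credential set.
Not from the thread, pfSense or acme.sh. All domains, IDs and secrets are constructed."""
import base64
import hashlib

CF_API = "https://api.cloudflare.com/client/v4"


def cf_auth_headers(email=None, global_key=None, token=None):
    """Headers for exactly ONE credential set.
    Global API Key => X-Auth-Email + X-Auth-Key (account-wide, cannot be scoped).
    API Token      => Authorization: Bearer (scoped by permissions and Zone Resources).
    Supplying both sets is refused, which is the either/or advice from the thread."""
    uses_key = bool(email or global_key)
    uses_token = bool(token)
    if uses_key and uses_token:
        raise ValueError("use either email + Global API Key OR an API Token, not both")
    if uses_token:
        return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if email and global_key:
        return {"X-Auth-Email": email, "X-Auth-Key": global_key,
                "Content-Type": "application/json"}
    raise ValueError("no Cloudflare credentials given")


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: TXT content = base64url(SHA-256(keyAuthorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(fqdn: str) -> str:
    """The record the CA queries is _acme-challenge.<name>."""
    return "_acme-challenge." + fqdn.strip(".")


class FakeSession:
    """Offline stand-in for requests.Session. Answers like the v4 API would:
    the zone list only contains the zone the credentials are allowed to see."""

    def __init__(self, zone_id, visible_zone):
        self.zone_id = zone_id
        self.visible_zone = visible_zone
        self.calls = []  # (method, url, headers, payload) for inspection

    def get(self, url, headers=None, params=None):
        self.calls.append(("GET", url, headers, params))
        result = []
        if params.get("name") == self.visible_zone:
            result = [{"id": self.zone_id, "name": self.visible_zone}]
        return {"success": True, "result": result}

    def post(self, url, headers=None, json=None):
        self.calls.append(("POST", url, headers, json))
        return {"success": True, "result": {"id": "rec-constructed", **json}}


def publish_challenge(session, headers, fqdn, key_authorization):
    """Look up the zone by name, then create the TXT record.
    Assumption: the registrable domain is the last two labels (true for a .dev domain).
    With a token, the zone lookup returns nothing unless the token has Zone:Read on a
    Zone Resources selection that includes this zone; the client then sees no zone for
    the domain, which is the failure the thread hit before widening Zone Resources."""
    zone_name = ".".join(fqdn.strip(".").split(".")[-2:])
    zones = session.get(f"{CF_API}/zones", headers=headers, params={"name": zone_name})
    if not zones["success"] or not zones["result"]:
        raise RuntimeError(f"zone {zone_name} is not visible to these credentials")
    zone_id = zones["result"][0]["id"]
    record = {
        "type": "TXT",
        "name": challenge_record_name(fqdn),
        "content": dns01_txt_value(key_authorization),
        "ttl": 120,
    }
    resp = session.post(f"{CF_API}/zones/{zone_id}/dns_records", headers=headers, json=record)
    if not resp["success"]:
        raise RuntimeError("TXT record creation failed")
    return resp["result"]


if __name__ == "__main__":
    # Token scoped to the right zone: works.
    ok = FakeSession("zone123", visible_zone="example.dev")
    rec = publish_challenge(ok, cf_auth_headers(token="cf-token-constructed"),
                            "plex.example.dev", "token.thumbprint")
    print("created", rec["name"], "=", rec["content"])
    # Token whose Zone Resources cover a different zone: the lookup comes back empty.
    wrong = FakeSession("zone123", visible_zone="other.dev")
    try:
        publish_challenge(wrong, cf_auth_headers(token="cf-token-constructed"),
                          "plex.example.dev", "token.thumbprint")
    except RuntimeError as err:
        print("failed as expected:", err)
```

The takeaway for the pfSense form: a token needs Zone:Read plus DNS:Edit on a Zone Resources selection that actually includes the domain (a specific zone or “Include All Zones”), and when you use a token the email and Global API Key fields stay empty.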

@mooky I’m just wondering where you found that minimum for Namecheap. I only have one domain registered with them and didn’t run into any issues with turning on my API key, other than the couple of days it takes to actually get activated. I’ve been doing DNS auth with Namecheap for several months now with pfSense and ACME.

How long ago did you purchase your domain? You might be grandfathered in. I’ve had my domain about 6 months; when I go to the API link, it actually says I don’t qualify.

It wasn’t entirely clear in the pfSense ACME GUI that it was an either/or with the token or the API key. I’m going to do some testing later just to play around and see.

Also, as for the token itself, I was trying to keep permissions as narrow as possible, initially.

Thanks to everyone in the forum for the help, and to @LTS_Tom for the videos, which make a dolt like me feel like a technical genius. Now on to the HAProxy part of the project.

I’ve gotten mine in the last two years, but I did several years at a time, so I’m over the $50 mark. Hopefully they don’t cut me off when I haven’t given them any money in two years.

@mooky
The Account ID/API Token keeps the permissions more narrow than the other option.

I’m aware the pfSense GUI doesn’t exactly spell out that it’s an either/or option.