pfSense Let's Encrypt CA expired

Hello everyone,

I had installed ACME and configured it to renew certificates. I currently have two certificates which are successfully renewing.

A few days ago one of the certificates that ACME installed under “System/Certificate Manager/CAs” expired, and I’m not really sure how to renew it.

I’ve read on other forums that it needs to be imported from the Let’s Encrypt page directly. I’ve read other posts saying this is no longer necessary as it was an intermediate CA that is not needed after setup and can be deleted. This CA cert has expired and I’ve been able to renew/issue ACME certs and the servers using these certs are working fine.

Can this certificate be deleted without affecting the rest of my ACME certs?
How do you replace all of these CA certs after expiration? Sooner or later they will expire and I want to be prepared.

Thank you in advance!

I think this is the same issue that I had on CE 2.7.2. I had to get the pem files for Staging and Production and paste the content of each into the appropriate entry in pfSense. Had to up the serial number for each because there was an error, but it moved the expiration date to 2035 and shows as self-signed.

You can’t renew that CA.

  • Create a pfSense config backup
  • Remove the expired CA
  • Let ACME renew one of your own certs
    • It should pull in any CAs required, although it looks like you’ve got the current ones anyway.

Refer to the Netgate forums.

Always make a backup first, but you should be able to delete the Acmecert: O=Internet Security Research Group, CN=ISRG Root one, as that is their old, no longer used signing authority.
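
A check to run on the config backup before removing the expired CA, added here as an example and not taken from any post in this thread or from pfSense itself: it lists every entry that still points at a CA through a `caref` element. It assumes the backup keeps CAs in `<ca>` elements with `<refid>` and `<descr>` children and that other entries reference a CA by `<caref>`; the sample data and all names in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml backup.
# Refids, descriptions and host names are made up for this example.
SAMPLE = """<pfsense>
  <ca><refid>ca-old</refid><descr>Acmecert: expired CA</descr></ca>
  <ca><refid>ca-new</refid><descr>Acmecert: current CA</descr></ca>
  <cert><refid>crt-1</refid><descr>fw.example.test</descr><caref>ca-new</caref></cert>
  <cert><refid>crt-2</refid><descr>old-vpn.example.test</descr><caref>ca-old</caref></cert>
  <openvpn><openvpn-server><description>RoadWarrior</description>
    <caref>ca-old</caref></openvpn-server></openvpn>
</pfsense>"""


def ca_references(config_xml, descr_match):
    """Map each CA whose <descr> contains descr_match to the entries that reference it."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers, so build a child -> parent lookup once.
    parent = {child: p for p in root.iter() for child in p}
    result = {}
    for ca in root.findall("ca"):
        descr = ca.findtext("descr", "")
        if descr_match.lower() not in descr.lower():
            continue
        refid = ca.findtext("refid", "")
        users = []
        # Assumption: anything that depends on a CA names it in a <caref> element.
        for ref in root.iter("caref"):
            if (ref.text or "").strip() != refid:
                continue
            owner = parent[ref]
            label = owner.findtext("descr") or owner.findtext("description") or "?"
            users.append(f"{owner.tag}: {label}")
        result[descr] = users
    return result


if __name__ == "__main__":
    # With a real backup: ca_references(open("config-backup.xml").read(), "ISRG")
    for descr, users in ca_references(SAMPLE, "expired").items():
        print(descr, "->", users or "nothing references this CA")
```

An empty list means nothing in the backup names that CA by `caref`. A certificate that chains to the CA without a `caref` entry will not show up here, so keep the backup in case a removal has to be rolled back.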