pfSense, UniFi, HAProxy and Let's Encrypt

Hello team,

First of all, I’d like to give a big shout-out to LTS. Over the years your YouTube channel became one of the main information and inspiration sources of all kinds of IT related topics. It’s really great stuff!

That being said, I was hoping to get some ideas about a project I’m running in my lab.

I followed your video about ACME, Let’s Encrypt and HAProxy for HTTPS offloading on pfSense. That worked really well and saved lots of time as I was previously dropping LE certificates manually into my ESXi, pfSense, web servers, etc.

The challenge I am facing is regarding the captive / guest portal on my UniFi Cloud Key that I’d like to use for visitors. The connection between the UniFi AP and the Cloud Key is using a LE certificate, which can be refreshed manually or automatically by exposing port 80 on the Cloud Key every 90 days.

When guests connect to the AP via the captive portal this certificate is being used for the hotspot. And here comes my question. Do you have an idea how to utilize pfSense maybe with HAProxy to automate this process as well? I am essentially looking for a way to avoid exposing port 80 on the Cloud Key and was wondering if it’s possible to use SSL offloading between the AP to the CK.

Thanks for any ideas,


You could use the pfsense captive portal and then it should allow you to use the existing LE certs on the system.

1 Like

Hi Tom,

Thanks for the reply. This crossed my mind as well when going to bed. I’ll give it a shot later.



Do you not use the automated LE script that you can install on your cloud key? It works really well except when there is a firmware upgrade. You just need to manually re-enter the cronjob so the automated script can continue to function.

I went with Tom’s recommendation and used the pfSense Captive instead. It works like a charm and I don’t have to bother with certs anymore.

@kevdog Being a somewhat lazy admin, I like to automate as much as possible. The above solution is as simple as it gets :slight_smile:


1 Like

I guess it just depends where you want your encrypted traffic to end.