Automate ACME Certificate Transfer and Service Restart on pfSense

Managing certificates and ensuring services are up-to-date is crucial for maintaining security and uptime. Automating these tasks can save time and reduce errors. In this guide, we'll walk through a script to automate copying ACME-issued certificates from pfSense to a server and restarting the necessary services.

Prerequisites

Before proceeding with the script, make sure that pfSense is configured to write ACME certificates to disk.

  1. Navigate to Services > ACME Certificates > General Settings.
  2. Check the box for Write Certificates.

1. Generate SSH Keys on pfSense

First, generate an SSH key pair on your pfSense box. This key pair will be used to authenticate to the server without a password.

ssh-keygen -t rsa -b 2048 -f /cf/conf/ssh_key -N ""

2. Start the SSH Agent and Add Your Key

Start the SSH agent and add your newly created SSH key.

eval `ssh-agent -c`
ssh-add /cf/conf/ssh_key

3. Copy the Public Key to the Server

Copy the public key to your server to enable passwordless SSH login.

ssh-copy-id -i /cf/conf/ssh_key.pub your_user@your_server_ip

4. Create the Automation Script

Create a script on your pfSense box to automate the certificate transfer and service restart. Save the following script as /cf/conf/update_certs.sh:
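The article's own script does not appear on this page. What follows is an added example of a script that does what the text describes (copy the ACME-issued private key and certificate chain to the server over SSH, then restart the named service); it is not the article author's script. It assumes that the pfSense ACME package writes certificates to /conf/acme/ as <domain>.key and <domain>.fullchain once "Write Certificates" is enabled, that the key pair from step 1 lives at /cf/conf/ssh_key, and that the remote service is managed by systemd with passwordless sudo for the restart command. All of those are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example of /cf/conf/update_certs.sh (not the article's script).
# Usage: update_certs.sh <user@host:/remote/dir> <domain> <service_name>
#
# Assumptions (adjust as needed):
#   ACME_DIR  - where the pfSense ACME package writes certificates
#   SSH_KEY   - the private key generated in step 1
#   restart_command - the server uses systemd and allows passwordless sudo

ACME_DIR="${ACME_DIR:-/conf/acme}"
SSH_KEY="${SSH_KEY:-/cf/conf/ssh_key}"
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 prints the scp/ssh commands instead of running them

usage() {
    echo "usage: $0 <user@host:/remote/dir> <domain> <service_name>" >&2
}

# Return 0 when the three arguments look sane. The service name and domain are
# interpolated into a remote command and file paths, so shell metacharacters
# are rejected rather than passed through.
validate_args() {
    dest="$1"; domain="$2"; service="$3"
    [ -n "$dest" ] && [ -n "$domain" ] && [ -n "$service" ] || return 1
    case "$dest" in *:*) ;; *) return 1 ;; esac          # must be user@host:/path
    case "$domain" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$service" in *[!A-Za-z0-9_.@-]*) return 1 ;; esac
    return 0
}

# Host part of user@host:/path, which ssh needs for the restart step.
remote_host() {
    printf '%s\n' "${1%%:*}"
}

# Command executed on the server once the new files are in place.
restart_command() {
    printf 'sudo systemctl restart %s\n' "$1"
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

update_certs() {
    validate_args "$1" "$2" "$3" || { usage; return 2; }
    dest="$1"; domain="$2"; service="$3"
    key="$ACME_DIR/$domain.key"
    fullchain="$ACME_DIR/$domain.fullchain"
    if [ "$DRY_RUN" != 1 ]; then
        for f in "$key" "$fullchain"; do
            [ -r "$f" ] || { echo "missing $f (is 'Write Certificates' enabled?)" >&2; return 3; }
        done
    fi
    # BatchMode=yes never prompts, so an unknown or changed host key makes scp
    # fail instead of waiting on a cron-driven run or sending the key to the wrong host.
    run scp -i "$SSH_KEY" -o BatchMode=yes "$key" "$fullchain" "$dest/" || return 4
    run ssh -i "$SSH_KEY" -o BatchMode=yes "$(remote_host "$dest")" "$(restart_command "$service")" || return 5
}

# Only act when invoked as the installed script, so the functions can also be sourced.
case "${0##*/}" in
    update_certs.sh) update_certs "$@"; exit $? ;;
esac
```

Run it once by hand with DRY_RUN=1 in front of the command to see the exact scp and ssh invocations before letting the ACME package call it. On the server, the user named in the destination needs write access to the remote directory and a sudoers rule permitting the restart command without a password; if the service is not managed by systemd, change restart_command accordingly.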

5. Make the Script Executable

Make the script executable by running:

chmod +x /cf/conf/update_certs.sh

6. Test the Script

Run the script with the appropriate arguments:

/cf/conf/update_certs.sh <destination> <domain> <service_name>

For example:

/cf/conf/update_certs.sh \
  [email protected]:/home/klipper/printer_data/certs/moonraker \
  klipper.mydomain.com \
  moonraker

7. Enable Script Execution with ACME

Configure pfSense to automatically run the script after certificates are renewed.

  1. Navigate to Services > ACME Certificates > Certificates.
  2. Select your certificate and click Edit.
  3. Scroll down to the Actions list and add a new action:
    • Mode: Enabled
    • Command: /cf/conf/update_certs.sh <destination> <domain> <service_name>
    • Method: Shell Command
  4. Click Save.

This step ensures that the script is executed automatically whenever the certificate is renewed.


Disclaimer

This article was reviewed and written with the assistance of AI technology to ensure clarity, cohesiveness, and accuracy. The use of AI helped streamline the writing process, ensuring that all technical steps and instructions are correct and easy to follow.