pfSense running ACME and HAProxy can be a great combination to protect your network, allow for a publicly trusted certificate on your website, and avoid directly exposing HTTP and HTTPS connections to your web servers. The one snag is when ACME fails to renew your certificate automatically. This can happen because HAProxy, which owns port 80, prevents ACME from serving the verification page that Let’s Encrypt requests to confirm you own the domain or sub-domain. While the steps below aren’t a permanent fix to the problem, they can get you back up and running without the untrusted-certificate warnings your users see once the certificate expires.
- Log in to your pfSense Admin interface
- Go to Services > HAProxy
- Once the page is loaded, stop the HAProxy service
- Go to Services > Acme
- Go to the Certificates tab and attempt an Issue/Renew
- As long as the verification method is Standalone HTTP Server or Webroot, the renewal should work now that HAProxy is no longer listening on port 80
- Once done with the renewals, go to General Settings and try checking the Enable Acme client renewal job…
- Go back to Services > HAProxy
- Make sure to start the HAProxy service
- You should be good to go with a renewed certificate
- Consider switching from local HTTP verification to DNS-based verification if your DNS provider supports it, since a DNS challenge does not depend on port 80 being free of HAProxy
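Because a silent renewal failure only becomes visible when users hit the expired-certificate warning, a scheduled expiry check is the practical safety net for the procedure above. The script below is an added example, not part of the original post or the pfSense ACME package; it assumes openssl is installed and that the certificate has been exported from pfSense as a PEM file (the sample certificate it generates is constructed purely for demonstration).

```shell
#!/bin/sh
# Added example (not from the original post): warn before a failed ACME
# renewal turns into an expired certificate. Assumes openssl is available.

# Return 0 if the certificate in $1 is still valid $2 days from now, 1 otherwise.
# openssl's -checkend takes a number of seconds and does the date math itself,
# which avoids GNU/BSD differences in the date(1) command (pfSense is FreeBSD).
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the notAfter date so the operator sees the actual expiry.
cert_expiry() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Constructed sample: a throwaway self-signed certificate valid for $2 days,
# written into directory $1. Stands in for the ACME-issued certificate.
make_sample_cert() {
  dir="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=www.example.test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage: a 30-day threshold matches the window in which ACME normally renews,
# so a warning here means the automatic renewal has already been missed.
tmp=$(mktemp -d)
sample=$(make_sample_cert "$tmp" 20)
if cert_valid_for_days "$sample" 30; then
  echo "OK: certificate valid beyond 30 days (expires $(cert_expiry "$sample"))"
else
  echo "WARNING: certificate expires within 30 days ($(cert_expiry "$sample")); renew now"
fi
rm -rf "$tmp"
```

Point `cert_valid_for_days` at the exported certificate from a cron job and alert on a non-zero exit; on pfSense the Cron package can run it on the firewall itself.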