How to Install an ACME SSL Certificate on OPNsense Firewall?
Managing SSL/TLS certificates at the network edge matters because the services that sit there, such as VPN endpoints, reverse proxies and the firewall's own management interface, are exactly the ones an attacker probes first, and an expired or self-signed certificate there trains users to click through warnings.
OPNsense ships a plugin (the ACME Client, package name os-acme-client) that automates issuing, deploying and renewing certificates through the ACME protocol. With it you do not need external scripts or hand-written cron jobs, and the renewal logic lives in the same configuration you already back up.
This tutorial walks through installing and configuring an ACME certificate on an OPNsense firewall with os-acme-client, using External Account Binding (EAB). EAB ties the ACME account the firewall creates to the customer account you hold with your certificate provider, so only a client that knows your EAB key can order certificates against that account, and once it is configured the rest of the process runs unattended.
Prerequisites
To be able to complete these steps successfully, please ensure you have met the following prerequisites:
- Administrative access to the OPNsense web graphical user interface (GUI);
- A DNS name (e.g. vpn.yourdomain.com) whose A/AAAA record points to your firewall's public IP address;
- Inbound TCP port 80 reachable from the Internet on that IP, for validation via the HTTP-01 method; and
- The ACME credentials issued by your SSL certificate provider:
- ACME Directory URL
- EAB Key Identifier (KID)
- EAB HMAC Key (a secret; treat it like a password)
Steps to Install an ACME SSL Certificate on OPNsense Firewall
Step 1: Install and Enable the ACME Plugin
The ACME functionality is not part of the base system; it is delivered as a plugin that has to be installed and then enabled. To do this:
- Log in to your OPNsense web interface
- Click on System → Firmware → Plugins
- Locate the plugin called os-acme-client and click the + icon beside it to install it.
When the installation finishes, reload the web interface so the new Services → ACME Client menu entries appear.
Next, go to Services → ACME Client → Settings, tick Enabled and save. It is worth enabling Auto Renewal on the same page at this point: that option installs the cron job that later keeps your certificates current. From here on, accounts, challenge types and certificates are managed from the plugin's own pages under Services → ACME Client rather than from System → Trust → Certificates (the plugin writes issued certificates into the system trust store for you).
Step 2: Create an ACME Account (EAB Configuration)
Next, create an ACME account, which registers your firewall with your Certificate Authority (CA). With a commercial provider this registration is authenticated with the EAB credentials from the prerequisites.
- Navigate to Services → ACME Client → Accounts and add a new account.
- Give it a descriptive name and a contact e-mail address. For the CA, choose the custom option and enter the ACME directory URL supplied by your provider; then enter the EAB Key ID and EAB HMAC Key in their own fields. The directory URL alone is not enough: without the EAB values the CA will refuse the registration.
- Save, then click Register in the account list.
Completing this step registers OPNsense with your provider's ACME backend and binds the new ACME account to your customer account. That is the trust relationship under which every later certificate order is made, so the HMAC key is only needed once, but it is stored in config.xml; keep configuration backups as confidential as you keep the key itself.
Step 3: Configure the Validation Method
Before issuing a certificate, the CA has to confirm that you control the domain. In OPNsense this is configured as a challenge type:
- Go to Services → ACME Client → Challenge Types
- Add a challenge of type HTTP-01 and give it a name.
For HTTP-01 the CA's validation servers connect to http://<your domain>/.well-known/acme-challenge/<token> on TCP port 80 of the public IP the name resolves to, and the firewall must answer with the token. It is the CA that has to reach your firewall, not the other way round, so any WAN rule that blocks port 80 or redirects it elsewhere (for example to an internal web server) will make validation fail. In the plugin's default HTTP-01 mode OPNsense serves the token itself and adds the required port forward for the duration of the validation. Save and apply your changes after setting up the challenge.
If port 80 cannot be exposed, or the name you are securing is not reachable from the Internet at all, use DNS-01 instead: the plugin creates the validation TXT record through your DNS provider's API (many providers are supported) and no inbound connection is needed. DNS-01 is also the only method that can issue wildcard certificates. Whatever method you choose, it must be one your CA supports for the certificate type you bought.
Step 4: Create and Issue the SSL Certificate
With the account and challenge type in place, request a certificate under Services → ACME Client → Certificates by adding a new certificate:
- Enter the domain name (e.g. vpn.yourdomain.com) as the Common Name; additional names for the same certificate go in the Alt Names field
- Select the ACME Account you created in Step 2
- Select the HTTP-01 challenge type you created in Step 3 from the Challenge Type drop-down, then click Save & Apply Changes.
OPNsense then runs the ACME order: it registers the order with the CA, answers the validation challenge and downloads the issued certificate and chain. Once this completes, the certificate appears in the list with its issue date and is ready for use. If the status stays on error, Services → ACME Client → Log Files shows the exchange with the CA, and the most common cause is a validation request that never reached port 80.
Step 5: Assign the Certificate to Services
After issuance, assign the certificate to the OPNsense services that should present it. Depending on your use case, you can apply it to:
- Web GUI (System → Settings → Administration → SSL Certificate, for secure firewall access)
- OpenVPN (in the server's certificate setting, for encrypted remote access)
- HAProxy (on the frontend's SSL settings, for reverse proxy setups)
- Other plugins and services that take a certificate from the system trust store
Renewals replace the certificate in place, so these assignments survive; what a service needs is a reload to start presenting the new file. Services → ACME Client → Automations lets you attach such actions (for example restarting the Web GUI, OpenVPN or HAProxy) to a certificate so they run after every successful renewal. This centralised approach lets a single certificate secure several entry points in your network.
Step 6: Confirm Installation and Auto-Renewal
With Auto Renewal enabled in the plugin settings, the cron job checks the certificates regularly and renews each one before it expires. Confirm the installation by opening the service the certificate was issued for over HTTPS from outside your network and checking that the browser shows a valid certificate for that name from the expected issuer, with no warning.
To Manually Renew an Existing Certificate:
- Go to Services → ACME Client → Certificates
- Select the Certificate to renew
- Click the Issue/Renew button for that certificate.
The plugin schedules all future renewals of the certificates you issue, so your services stay secure without anyone having to remember expiry dates.
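For Step 3 and Step 6 it helps to check from outside the firewall what a CA or a user would actually see. The following shell script is an added example written for this article, not part of the os-acme-client plugin or of OPNsense. It needs only openssl (and curl for the live probe); the host name vpn.example.com, the probe path suffix and the 30-day renewal window are assumptions, and the certificate used in the offline demonstration is a self-signed one the script constructs itself.

```shell
#!/bin/sh
# Added example for checking an ACME-issued certificate from a workstation.
# Not part of the os-acme-client plugin; needs openssl (and curl for the live probe).
# Host names, the probe path and the renewal window below are illustrative assumptions.

# Renew when fewer than this many days of validity remain (a common choice for
# 90-day certificates is to renew with about 30 days left).
RENEW_WINDOW_DAYS=30

# Save the leaf certificate a TLS service presents (with SNI set) to a PEM file.
fetch_served_cert() {
  host="$1"; port="${2:-443}"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$out"
}

# Probe the path a CA uses for HTTP-01 on port 80 and print the HTTP status.
# The plugin only serves a token while a validation is running, so 404 means
# "port 80 is reachable"; 000 (no connection) or a 3xx redirect to HTTPS means
# the CA's validation request would fail in the same way.
probe_http01() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$1/.well-known/acme-challenge/connectivity-probe"
}

# Print subject, issuer and validity period of a PEM certificate.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -nameopt RFC2253
}

# Common Name of the certificate subject, e.g. vpn.example.com.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the certificate expires within N days (renewal due), else exit 1.
# openssl's -checkend returns 0 only when the certificate is still valid N days from now.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires inside the window (or already expired)
}

# Constructed sample: a self-signed certificate with a chosen lifetime, so the
# checks can be exercised offline without contacting a CA or a firewall.
make_sample_cert() {
  cert="$1"; key="$2"; days="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=vpn.example.com" -keyout "$key" -out "$cert" 2>/dev/null
}

# Offline demonstration: a 20-day certificate falls inside a 30-day renewal window.
demo() {
  tmp=$(mktemp -d)
  make_sample_cert "$tmp/sample.pem" "$tmp/sample.key" 20
  cert_summary "$tmp/sample.pem"
  if expires_within_days "$tmp/sample.pem" "$RENEW_WINDOW_DAYS"; then
    echo "renewal due for $(cert_cn "$tmp/sample.pem")"
  else
    echo "certificate still good"
  fi
  rm -rf "$tmp"
}

demo
```

Against a real deployment, run `probe_http01 vpn.example.com` before the first issuance (anything other than 000 or a redirect means the CA can reach port 80), and `fetch_served_cert vpn.example.com 443 live.pem && cert_summary live.pem` after assigning the certificate: the issuer line should name your CA, not the OPNsense self-signed issuer, and `expires_within_days live.pem 30` returning 0 on a certificate the plugin was supposed to renew is the signal to look at the plugin's log files.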
Conclusion
For a smooth and reliable set-up, use a certificate provider whose ACME endpoint supports EAB and publishes the directory URL and EAB credentials you need. Through CheapSSLWeb you can purchase enterprise-class SSL certificates at a low cost from leading certificate authorities (e.g., DigiCert and Sectigo) that work with OPNsense and its ACME integration.