Skip to content

ACME Certificates

pfSense's ACME package issues and renews public TLS certificates for devhome.cloud services, validated via DNS-01 challenge against an Azure Public DNS zone — not HTTP-01, since most of these services aren't (and shouldn't be) reachable from the public internet.

Why DNS-01 against Azure

  • No need to expose any lab service to the internet just to prove domain ownership.
  • One Azure Public DNS zone (devhome.cloud) is authoritative for the domain, so ACME just needs a service principal / API credential scoped to create and delete TXT records in that zone — the credential lives in Vault, not in pfSense's config directly where possible.
  • Works uniformly whether the certificate is for something purely internal (vcsa.devhome.cloud) or something that will eventually be internet-facing.

Renewal

Certificate renewal is also automated outside pfSense's own package via an Ansible playbook (ansible/ssl-renew-playbook.yml) wired into an Azure DevOps pipeline (pipelines/ssl-renew.yml) — see Playbook Reference and Developer Setup for how that pipeline actually runs against lab infrastructure from a self-hosted agent.