References:
Prerequisite: own a domain through Cloudflare
Steps:
- Create a Cloudflare Account API token with DNS edit permissions
- In OPNsense
- System → Firmware → Plugins
- Search for and install os-acme-client
- Services → ACME Client → Accounts, add
- Name: cloudflare
- Email: whatever you want to register with Let’s Encrypt
- ACME CA: Let’s Encrypt
- Save and register the account
- Services → ACME Client → Challenge Types
- Name: cloudflare
- Challenge Type: DNS-01
- DNS Service: CloudFlare.com
- CF API Token: your API token
- Services → ACME Client → Certificates
- Enabled: checked
- Common name: opn.domain.com (whatever subdomain)
- ACME account: cloudflare (previously created)
- Challenge type: cloudflare (previously created)
- Leave the rest at defaults
- Use the button to issue/renew certificate
- Add a DNS entry so the new subdomain resolves to the router (I use Unbound DNS)
- A couple of settings to edit in System → Settings → Administration
- SSL Certificate: newly created
- Disable DNS Rebinding Checks
- Disable HTTP_REFERER enforcement check
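What the DNS-01 challenge type configured above actually does with the Cloudflare token: the ACME client publishes a TXT record at _acme-challenge.<common name> whose value is derived from the CA's challenge token and the account key, the CA looks it up over public DNS, and the client deletes it afterwards. That is why the token only needs DNS edit rights on the zone. The script below is an added example (not part of these notes and not the os-acme-client plugin's code); it implements the record computation from RFC 8555 section 8.4 and the JWK thumbprint from RFC 7638 so you can see what a correct record looks like and check one against what a resolver returns. The account key, token and TXT strings are constructed sample values, and the names of the functions are my own.

```python
import base64
import hashlib
import json

# RFC 7638 section 3: only these members enter the thumbprint input,
# in lexicographic order, serialised without whitespace.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout (RFC 8555 section 6.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON of the public key's required members (RFC 7638).
    Optional members such as "use" or "kid" are deliberately dropped."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)); identifies the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Name and value of the TXT record the ACME client must publish
    (RFC 8555 section 8.4): _acme-challenge.<domain> holding
    base64url(SHA-256(key authorization))."""
    name = f"_acme-challenge.{domain}."
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def dns01_would_validate(expected_value: str, observed_txt: list) -> bool:
    """Mirror the CA's check: at least one TXT string at the challenge name
    must equal the expected value exactly; no prefix matching, no padding."""
    return any(txt == expected_value for txt in observed_txt)


# Constructed sample account key (not a real key) and constructed challenge token.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x",
    "y": "constructed-y",
    "use": "sig",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "constructed-challenge-token-0123456789"

if __name__ == "__main__":
    name, value = dns01_record("opn.domain.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} TXT {value}")
    # A resolver answer with the record present (constructed) validates,
    # one with a stale or mangled value does not.
    print(dns01_would_validate(value, ["unrelated=1", value]))
    print(dns01_would_validate(value, [value + "="]))
```

A practical use of this while debugging a failed issue/renew on the plugin: take the token the CA handed out from the plugin's log, compute the expected value, and query the public resolvers for the TXT record; if the value differs or is missing, the problem is on the Cloudflare side (token scope, wrong zone, propagation), not the certificate configuration.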