pfSense 2.5.x + LetsEncrypt + haProxy – Proper mitigation of expiring LE-Intermediate-CA

If you have read the title of this article, you are very likely running the same setup I am: pfSense with HAProxy as a reverse proxy for various web services hosted behind a single shared (probably domestic) IP, together with globally trusted Let's Encrypt certificates (that was a long one).

If so, you may have run into the same problem I did: the old Let's Encrypt intermediate CA (the one with R3 in its name) is expiring, and pfSense will send you mails (if mail notifications are configured) and GUI notifications one month before the expiry. Note that this currently only applies to 2.5.x: 2.4.5 used a different intermediate and did not notify you about the expiry at all. The notification looks like this:

If you search for this problem, the general advice is „just delete the old CA“, but I wouldn't: you might be in for a rude awakening, at least while certificates are still bound to the old intermediate…
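Before touching the old CA entry, it is worth checking two things: which of your certificates actually name that intermediate as their issuer, and how soon the intermediate itself runs out. The script below is an added example, not code from the article, pfSense or HAProxy. It assumes `openssl` is on the PATH (it is on pfSense) and that the certificates you want to check have been exported as PEM files; the file names and the demo chain it builds in a temporary directory (a root, an "R3"-like intermediate valid for 20 days, a leaf issued by it, and an unrelated self-signed cert) are constructed for the demonstration. `-checkend` is used for the expiry test because it behaves the same on the BSD `openssl` pfSense ships and on Linux.

```shell
#!/bin/sh
# Added example (not from the original article): find certificates bound to a
# given intermediate CA and check how soon that intermediate expires.
# Assumes openssl on PATH; all certificate files below are constructed demo data.
set -e

# True (exit 0) if the issuer DN of the certificate in $1 equals the subject DN
# of the CA certificate in $2, i.e. the cert is "bound" to that CA entry.
cert_issued_by() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
    ca_subject=$(openssl x509 -in "$2" -noout -subject)
    # Both come from the same openssl binary, so the DN formatting matches;
    # only the "issuer=" / "subject=" prefixes differ.
    [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ]
}

# True (exit 0) if the certificate in $1 expires within $2 days.
# openssl -checkend exits 0 when the cert will NOT expire in that window.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print every certificate file (arguments after the CA) that is bound to CA $1.
certs_bound_to() {
    ca="$1"; shift
    for f in "$@"; do
        if cert_issued_by "$f" "$ca"; then
            echo "$f"
        fi
    done
}

# --- constructed demo chain (stands in for an exported pfSense cert store) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

# Self-signed root, valid one year.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 365 \
    -keyout "$DEMO/root.key" -out "$DEMO/root.crt" 2>/dev/null
# Intermediate signed by the root, valid only 20 days (plays the role of R3).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo R3" \
    -keyout "$DEMO/int.key" -out "$DEMO/int.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/int.csr" -CA "$DEMO/root.crt" -CAkey "$DEMO/root.key" \
    -CAcreateserial -days 20 -out "$DEMO/int.crt" 2>/dev/null
# Leaf issued by the intermediate (the kind of cert HAProxy would serve).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=proxy.example.test" \
    -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/int.crt" -CAkey "$DEMO/int.key" \
    -CAcreateserial -days 10 -out "$DEMO/leaf.crt" 2>/dev/null
# Unrelated self-signed cert that is NOT bound to the intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Other" -days 100 \
    -keyout "$DEMO/other.key" -out "$DEMO/other.crt" 2>/dev/null

# --- report, as you would run it against your exported certificates ---
echo "Certificates still bound to $DEMO/int.crt:"
certs_bound_to "$DEMO/int.crt" "$DEMO/leaf.crt" "$DEMO/other.crt"
if expires_within_days "$DEMO/int.crt" 30; then
    echo "Intermediate expires within 30 days: do not delete it while the list above is non-empty."
else
    echo "Intermediate is valid for more than 30 days."
fi
```

Run against real exports by replacing the demo paths with your PEM files; any file printed by `certs_bound_to` is a certificate whose chain still depends on the CA entry you are about to remove. The check compares issuer and subject names only, which is exactly what pfSense uses to link a certificate to a CA entry; if you also want the signature verified, `openssl verify -partial_chain -CAfile <intermediate> <leaf>` does that.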