pfSense 2.5.x + LetsEncrypt + haProxy – Proper mitigation of expiring LE-Intermediate-CA

If the title brought you here, you are probably running the same setup I am: pfSense with HAProxy as a reverse proxy for several web services hosted behind a single shared (probably residential) IP address, together with publicly trusted Let's Encrypt certificates for TLS offloading on some of those sites (that was a long one).

If so, you may have run into the same problem I did: the old Let's Encrypt intermediate CA (the one with R3 in its name) is expiring, and pfSense sends you mails (if notifications are configured) and dashboard notices one month before the expiry. Note that this currently only applies to 2.5.x; 2.4.5 simply did not notify you about the expiry at all.

If you search for this problem, the usual advice is "just delete the old CA". I would not do that blindly: as long as certificates in the certificate manager are still bound to the old intermediate, deleting it can give you a bad wake-up, because those certificates lose their chain and any client that does not fetch missing intermediates on its own will fail to validate the connection. Check what is still bound to the old CA first.
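As an added example (not from the original post), the following shell script runs the check this paragraph calls for before anything is deleted: which leaf certificates still name the old intermediate as their issuer, whether that intermediate expires within a given window, and whether a leaf's chain still verifies at a point in time after that expiry. It assumes only the openssl command-line tool (present on pfSense) and PEM files exported from the certificate manager; the file names and the small demo PKI it builds are constructed for illustration and are not Let's Encrypt's real chain.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI and PEM
# exports of the leaf certificates and the intermediate CA from pfSense.
# The demo PKI created by gen_demo_pki is constructed here for an offline run.
set -e

# 0 if LEAF's issuer DN equals CA's subject DN (compared via DN hashes), else 1.
issued_by() {
    leaf=$1; ca=$2
    [ "$(openssl x509 -in "$leaf" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$ca" -noout -subject_hash)" ]
}

# 0 if CERT expires within SECONDS (openssl -checkend exits non-zero then).
expires_within() {
    seconds=$1; cert=$2
    ! openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# 0 if LEAF verifies up to ROOT through INTERMEDIATE (signature check, not just
# a DN match). An optional epoch timestamp evaluates the chain at that time.
verify_chain() {
    root=$1; intermediate=$2; leaf=$3; at=${4:-}
    if [ -n "$at" ]; then
        openssl verify -attime "$at" -CAfile "$root" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1
    fi
}

# Print the number of LEAF files still issued by CA; per-file status goes to stderr.
# Usage: count_bound old_intermediate.pem leaf1.pem leaf2.pem ...
count_bound() {
    ca=$1; shift
    ca_subject=$(openssl x509 -in "$ca" -noout -subject)
    n=0
    for leaf in "$@"; do
        if issued_by "$leaf" "$ca"; then
            n=$((n + 1))
            echo "BOUND: $leaf is issued by $ca_subject" >&2
        else
            echo "ok:    $leaf does not chain to this CA" >&2
        fi
    done
    echo "$n"
}

# Constructed demo PKI in DIR: one root, an "old" intermediate that expires in
# one day, a "new" intermediate, and a 30-day leaf under each. The "old" leaf
# outlives its issuer, which is exactly the situation the post warns about.
gen_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Demo Root" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    for name_days in "old 1" "new 1825"; do
        set -- $name_days; name=$1; days=$2
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int_$name.key" -out "$dir/int_$name.csr" -subj "/CN=Demo R3 $name" 2>/dev/null
        openssl x509 -req -in "$dir/int_$name.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial -days "$days" -extfile "$dir/ca.ext" -out "$dir/int_$name.pem" 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf_$name.key" -out "$dir/leaf_$name.csr" -subj "/CN=site-$name.example.test" 2>/dev/null
        openssl x509 -req -in "$dir/leaf_$name.csr" -CA "$dir/int_$name.pem" -CAkey "$dir/int_$name.key" -CAcreateserial -days 30 -out "$dir/leaf_$name.pem" 2>/dev/null
    done
}

if [ "$#" -gt 0 ]; then
    # Real use: sh audit_ca.sh old_intermediate.pem leaf1.pem leaf2.pem ...
    bound=$(count_bound "$@")
    echo "$bound certificate(s) still bound to $1"
else
    # No arguments: run against the constructed demo PKI.
    tmp=$(mktemp -d)
    gen_demo_pki "$tmp"
    if expires_within 2592000 "$tmp/int_old.pem"; then
        echo "int_old.pem expires within 30 days"
    fi
    bound=$(count_bound "$tmp/int_old.pem" "$tmp/leaf_old.pem" "$tmp/leaf_new.pem")
    echo "$bound certificate(s) still bound to the old intermediate"
    later=$(( $(date +%s) + 3 * 86400 ))
    if ! verify_chain "$tmp/root.pem" "$tmp/int_old.pem" "$tmp/leaf_old.pem" "$later"; then
        echo "leaf_old.pem will no longer verify once the old intermediate has expired"
    fi
    rm -rf "$tmp"
fi
```

Run it with the exported old intermediate first and every leaf certificate after it; a count of zero means nothing in the certificate manager depends on that CA any more. The `-attime` check is the useful part of the demo: the chain verifies today, yet the same leaf fails a few days later because its issuer expires before it does, which is the bad wake-up the paragraph above describes.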