LetsEncrypt with pfSense
If you want to use LetsEncrypt on the administration web interface on routers running pfSense:
Log into the router
Menu: System – Package Manager
Select the “Available Packages” tab
Find “acme Automated Certificate Management Environment, for automated use of LetsEncrypt certificates” and select Install – Confirm
Wait for the installation to complete – the last line of the log should be “Success”
Menu: System – Advanced
Find “WebGUI redirect” and check the box (this disables the HTTP-to-HTTPS redirect, so nothing on the router holds port 80 and the acme package’s standalone HTTP server can bind it during validation)
Scroll to the bottom and select “Save”
Menu: Firewall – Rules
In the WAN tab – select Add (with the up arrow, so the rule is placed at the top)
Action Pass
Interface Wan
Address Family IPv4
Protocol TCP
Source Any
Destination Any (WAN address is tighter and is all the challenge needs; Source must stay Any because Let’s Encrypt does not publish the addresses its validators use)
Destination Port Range (From) HTTP 80 (to) HTTP 80
Set Description “LetsEncrypt Certificates”
Select Save
On the Rules/WAN page – select “Apply Changes” (outside a validation nothing listens on port 80, so the rule admits connections that are simply refused)
Menu: Services – Acme Certificates
General Settings tab
Check “Cron Entry” and select Save (this installs the scheduled job that renews the certificate automatically before its 90-day lifetime ends)
Account Keys tab
select Add
name (give this key a name – example – router-key)
ACME Server – Let’s Encrypt Production ACME v2 (not the TESTING/staging version: staging certificates are not trusted by browsers, although staging is useful for a dry run because the production server enforces rate limits on failed and repeated issuances)
email address – your email address so you can get notified of certificate expiration
Click “Create new account key” and wait for the Account Key box to be filled
Once a check mark appears next to “Create new account key”, select “Register ACME account key” and wait for a check mark to appear next to it as well
Select “Save”
Select The “Certificates” tab
select Add
create a name for this certificate (ex: router-cert)
status Active
Acme Account (by default this should be the same as the name you gave the key you just created)
Private Key : 2048 bit RSA
leave the OCSP Must Staple box unchecked
leave preferred chain blank
In the Domain SAN list – set the domain name to the FQDN of your router (ex router.mydomain.com) and set the method to “Standalone HTTP Server”. The name must resolve in public DNS to the router’s WAN address, because Let’s Encrypt connects to it from the internet over port 80 to fetch the challenge response
Jump down to the Actions list and select “Add”; set Mode to “Enabled”, Command to “/etc/rc.restart_webgui” and Method to “Shell Command” (this reloads the web GUI after every renewal so it serves the new certificate instead of the expired one)
scroll down and select save
When the Certificates tab is re-displayed – select “Issue/Renew”. After about 30 seconds you should see the log of the certificate being generated; at the end you should see “reload successful”
Menu: System – Advanced
find the line SSL/TLS Certificate – and in the dropdown select the name of the certificate you just created (ex router-cert) then scroll to bottom and select save
The page will refresh in 30 seconds and you should be now using your new certificate (depending on the browser you may need to flush your cache)
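Once the GUI is serving the new certificate, verify the result from outside your network, along the same path Let’s Encrypt’s validators used. The script below is an added example, not code from pfSense, the acme package or this guide. It assumes openssl and nc are installed on the machine you run it from and uses router.mydomain.com as a placeholder for the FQDN you entered in the Domain SAN list. It checks that the issuer is Let’s Encrypt, that the FQDN is in the SAN list, that enough lifetime remains for the cron renewal to be working, and that tcp/80 is closed outside a validation window.

```shell
#!/bin/sh
# Post-install check for the pfSense + acme setup above.
# Added example, not code from pfSense, the acme package or the original guide.
# Assumes openssl and nc in PATH; ROUTER FQDN is a placeholder (router.mydomain.com).
set -u

# Fetch the certificate the webGUI presents on 443 and reduce it to the fields
# we care about: issuer, subject, expiry and the Subject Alternative Names.
cert_summary() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -issuer -subject -enddate -ext subjectAltName
}

# True if the issuer organisation is Let's Encrypt. Match on the O= field, not
# on the intermediate's CN (R3, R10, R11, E5 ...), because those are rotated.
issued_by_letsencrypt() {
    printf '%s\n' "$1" | grep -q "^issuer=.*Let's Encrypt"
}

# True if the FQDN is listed as a DNS SAN. Browsers ignore the CN, so the SAN
# list decides whether the padlock shows. Split on commas, strip indentation,
# then require an exact (-x) fixed-string (-F) match.
covers_name() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# The notAfter value ("Jun 14 12:00:00 2025 GMT") out of the summary text.
not_after() {
    printf '%s\n' "$1" | sed -n 's/^notAfter=//p'
}

# Whole days between a notAfter value and a reference epoch (defaults to now).
# Tries GNU date first, then the BSD form used on FreeBSD/pfSense.
days_until_expiry() {
    end=$(date -u -d "$1" +%s 2>/dev/null \
          || date -j -u -f '%b %d %T %Y %Z' "$1" +%s)
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# The cron job renews well before day 90. If fewer days than this remain, the
# renewal or the webGUI reload action has probably failed.
RENEW_ALARM_DAYS=20

check_router() {
    host="$1"
    summary=$(cert_summary "$host") \
        || { echo "FAIL could not fetch a certificate from $host:443"; return 1; }
    rc=0
    issued_by_letsencrypt "$summary" && echo "ok   issuer is Let's Encrypt" \
        || { echo "FAIL issuer is not Let's Encrypt (GUI still on the self-signed cert?)"; rc=1; }
    covers_name "$summary" "$host" && echo "ok   SAN list covers $host" \
        || { echo "FAIL SAN list does not contain $host"; rc=1; }
    left=$(days_until_expiry "$(not_after "$summary")")
    [ "$left" -gt "$RENEW_ALARM_DAYS" ] && echo "ok   $left days until expiry" \
        || { echo "FAIL only $left days left; check Services - Acme Certificates and the cron entry"; rc=1; }
    # Port 80 should answer only while acme's standalone server is up for a
    # challenge. If it is open now, something else is listening behind the WAN rule.
    if nc -z -w 3 "$host" 80 2>/dev/null; then
        echo "WARN tcp/80 is open on $host outside a renewal window"; rc=1
    else
        echo "ok   tcp/80 closed (acme standalone server not running)"
    fi
    return $rc
}

# Usage: sh check-router-cert.sh router.mydomain.com
if [ $# -eq 1 ]; then
    check_router "$1"
fi
```

Run it from a host outside the LAN; from inside it only proves the GUI works locally, not that the public name and the WAN rule are correct. Re-run it a day or two after the first renewal is due (about 60 days after issuance) to confirm the cron entry and the /etc/rc.restart_webgui action both fired.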