OPNsense
OPNsense Forum » Archive » 17.7 Legacy Series » letsencrypt on OPNsense

Author Topic: letsencrypt on OPNsense  (Read 5593 times)

Julien
letsencrypt on OPNsense
« on: September 15, 2017, 12:20:18 am »
Hi Guys,
Can we use Let's Encrypt on OPNsense to generate an SSL certificate for web servers we have on the LAN, or is it meant just to do so for the OPNsense itself?
I have just been reading about this lately and thought it a great feature.
« Last Edit: September 15, 2017, 12:28:06 am by Julien »

fabian
Re: letsencrypt on OPNsense
« Reply #1 on: September 15, 2017, 09:06:37 am »
Theoretically you could export the certificate and import it on the server. However, it makes more sense to terminate TLS on OPNsense and forward the connection unencrypted or protected with a self-signed / internal-CA-signed certificate. Internal CAs can last longer, and OPNsense can refresh the Let's Encrypt certificate automatically, so the client will not see any warnings for TLS issues.
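An added illustration of the design fabian describes above (not code from this thread and not the output of the OPNsense HAProxy plugin): a raw HAProxy configuration that terminates TLS with the Let's Encrypt certificate and re-encrypts to the Exchange/OWA backend, verifying the backend against the internal CA instead of trusting it blindly. The file paths, the backend address and the hostname mail.example.com are assumptions.

```haproxy
# Added example; paths, addresses and hostnames below are assumptions.
global
    log /dev/log local0
    # Reasonable 2017-era TLS floor for the public-facing listener
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    ssl-default-bind-options no-sslv3 no-tlsv10

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend owa_public
    # Combined cert+key PEM for mail.example.com, renewed by the ACME client
    # on OPNsense (assumed path). HAProxy needs a reload after each renewal.
    bind *:443 ssl crt /usr/local/etc/ssl/mail.example.com.pem
    bind *:80
    # Never let OWA logins travel over plain HTTP
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend owa_exchange

backend owa_exchange
    # Re-encrypt to Exchange. "verify required" plus ca-file means the
    # backend must present a certificate chaining to the internal CA, so a
    # spoofed or misconfigured backend is rejected (do not use "verify none").
    server exchange1 10.0.0.25:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem
    # Exchange exposes a lightweight health page for OWA
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200
```

The internal-CA certificate on the Exchange side can be issued with a long lifetime from System -> Trust on OPNsense, so only the public Let's Encrypt certificate on the frontend needs the 90-day renewal cycle.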

ChrisH
Re: letsencrypt on OPNsense
« Reply #2 on: September 15, 2017, 02:03:45 pm »
Is there some REST API to get a specific certificate from OPNsense?

I have an Exchange server behind OPNsense and I need the Let's encrypt certificate on the Exchange box (for explicit encryption via STARTTLS) AND on the OPNsense box (for HAProxy -> OWA).

Right now I export the certificate manually every three months, but it would be nice to automate that process.

fabian
Re: letsencrypt on OPNsense
« Reply #3 on: September 15, 2017, 03:05:32 pm »
System -> Trust has afaik not yet been migrated to MVC and therefore offers no API.

EDIT: There should be a download button for the certificate. You can use this request to download it automatically.
« Last Edit: September 15, 2017, 03:07:16 pm by fabian »

ChrisH
Re: letsencrypt on OPNsense
« Reply #4 on: September 15, 2017, 03:41:26 pm »
The button points to system_certmanager.php?act=p12&id=12. I'm guessing this ID will change as soon as the LE plugin renews the certificate.
I don't particularly want to download the old one again ;)

Julien
Re: letsencrypt on OPNsense
« Reply #5 on: September 15, 2017, 05:14:30 pm »
Hi Chris,
You can try the Let's Encrypt Win client.
It works fine on Windows Server 2012/2016.
I have been using this for over 6 months now and the renewal works out of the box.
If you need help implementing this, I can help you, so you won't need to export and import the certificate.

Fabian,
Quote from: fabian on September 15, 2017, 09:06:37 am
Theoretically you could export the certificate and import it on the Server. However it makes more sense to terminate TLS on OPNsense and forward the connection unencrypted or protected with a self signed / internal CA signed certificate. Internal CAs can last longer and OPNsense can refresh the Let's Encrypt certificate automatically so the client will not see any warnings for TLS issues.
Can you explain more how to get this fixed?
« Last Edit: September 16, 2017, 02:11:14 pm by Julien »

ChrisH
Re: letsencrypt on OPNsense
« Reply #6 on: September 17, 2017, 03:06:21 pm »
Thank you, that's what I had before. But I need the cert on both the OPNsense boxes (for OWA via HAProxy) and on the Exchange boxes (for SMTP + STARTTLS).
It's just a couple of clicks and a PowerShell script, but I have to remember to do it, so automation would be nice.

(I could of course move OWA to another subdomain and have separate certificates, but the customers are used to mail.domain.com, so I'd rather not.)

Julien
Re: letsencrypt on OPNsense
« Reply #7 on: September 18, 2017, 02:52:38 pm »
Quote from: ChrisH on September 17, 2017, 03:06:21 pm
Thank you, that's what I had before. But I need the cert on both the OPNsense boxes (for OWA via HAProxy) and on the Exchange boxes (for SMTP + STARTTLS).
It's just a couple of clicks and a PowerShell script, but I have to remember to do it, so automation would be nice.

(I could of course move OWA to another subdomain and have separate certificates, but the customers are used to mail.domain.com, so I'd rather not.)
Today I tried the latest release and it does create a renewal task within the Windows server.
The HAProxy is still complicated to get stuff fixed. I already spoke to Frankei and he mentioned that there would be a new release which will simplify things.
So I'll use it now until the new release of the HAProxy.
« Last Edit: September 18, 2017, 11:47:10 pm by Julien »

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved