Author Topic: ACME - Let's Encrypt Client Certs  (Read 4749 times)

DanMc85
ACME - Let's Encrypt Client Certs
« on: February 05, 2018, 01:38:40 pm »

Has anyone else on 18.1 had issues with issuing Let's Encrypt certs using the ACME plugin?
HTTP Challenge Type

First I had to change my OPNsense firewall HTTPS port from a custom one back to 443.
Then I originally had a multi domain (SAN) filled out with a few subdomains.

Whenever I issued the cert, validation would fail.
However, when I edited the cert just to be the main domain with no SANs, it completed successfully.
I never had this issue before and always had a full multi-domain cert on prior releases.


Notes: All the subdomains are just CNAME entries pointing to the main domain IP to resolve through DNS.

elektroinside
Re: ACME - Let's Encrypt Client Certs
« Reply #1 on: February 06, 2018, 12:36:40 am »
There's an issue with the plugin, but it is getting fixed soon :) Basically, it needs an upgrade. And if I'm not mistaken, the next version will also support wildcard certs :)
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

DanMc85
Re: ACME - Let's Encrypt Client Certs
« Reply #2 on: February 06, 2018, 04:56:19 am »
Nice find...

I just did a search and found this article which confirms what you said:
https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html

Looks like wildcard will only support DNS validation instead of HTTPS validation for issuing the cert.

I use Google Domains so it would be nice to see API support added... or the ability to generate and manually add a TXT DNS record for validation purposes which the regular ACME plugin supports but the OPNsense GUI does not appear to.
Logged
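
As an added example (not part of the original posts and not the plugin's own code): the TXT record that DNS validation expects can be derived by hand as defined in RFC 8555 section 8.4. The thumbprint and tokens below are constructed sample values; a real client receives the tokens from the CA and computes the thumbprint from its account key.

```python
import base64
import hashlib
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")  # unpadded base64url alphabet

def txt_record_name(identifier):
    """DNS name that must carry the TXT record for one certificate identifier."""
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]  # a wildcard is validated at its base domain
    if not name or "*" in name:
        raise ValueError("unsupported identifier: %r" % identifier)
    return "_acme-challenge." + name

def txt_record_value(token, account_thumbprint):
    """base64url(SHA-256(token || '.' || thumbprint)), without '=' padding."""
    for part in (token, account_thumbprint):
        if not B64URL.fullmatch(part):
            raise ValueError("token and thumbprint must be unpadded base64url")
    key_authorization = token + "." + account_thumbprint
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def plan_records(challenges, account_thumbprint):
    """Map record name -> list of TXT values that must all be published."""
    plan = {}
    for identifier, token in challenges.items():
        value = txt_record_value(token, account_thumbprint)
        plan.setdefault(txt_record_name(identifier), []).append(value)
    return plan

# Constructed sample data (not real account or CA values).
CONSTRUCTED_THUMBPRINT = "CONSTRUCTED_thumbprint_0123456789abcdefABCD"
CONSTRUCTED_CHALLENGES = {
    "example.com": "tok-apex-CONSTRUCTED_0001",
    "*.example.com": "tok-wild-CONSTRUCTED_0002",
    "www.example.com": "tok-www-CONSTRUCTED_0003",
}

if __name__ == "__main__":
    plan = plan_records(CONSTRUCTED_CHALLENGES, CONSTRUCTED_THUMBPRINT)
    for name, values in sorted(plan.items()):
        for value in values:
            print('%s. 300 IN TXT "%s"' % (name, value))
```

Note that `example.com` and `*.example.com` land on the same record name, so both TXT values have to be present at once for a certificate that lists both.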

elektroinside
Re: ACME - Let's Encrypt Client Certs
« Reply #3 on: February 06, 2018, 08:14:55 am »
Please request your needed feature here: https://github.com/opnsense/plugins/issues
Thanks