Web GUI SSL certificate - Let's Encrypt

[drjack87]

I'd like to set up a certificate Let's Encrypt and replace Web GUI SSL certificate auto-generaited,
someone can give me two tips?

thanks

[guest15389]

Probably not the most helpful answer, but I just setup a VPN and use HTTP as anything I consider inside is trusted for me.

I didn't see much in terms of automating the letsencrypt that was working all the way as if it's not automated, you kind of lose the appeal of letsencrypt.

[SecAficionado]

I got tired of trying to make the plugin work, so I resorted to doing it manually. If your setup meets these conditions:

• Opnsense box on your perimeter, with the WAN on your public IP address
• You have a registered domain name
• You have a properly set up [Dyn]DNS

You can follow these steps (please read the disclaimer below before attempting!):

• Install the os-acme-client plug-in on your opnsense box, which provides Let's Encrypt support.
• SSH into your opnsense box (terminal will work too, but SSH is better for a step below).
• Execute the script from the command prompt (you may need to make some changes until it executes properly for your needs and setup).
• Once the script completes, you will have the new certificate and key in the folder you configured. Navigate to that folder and do a cat on both files.
• Log in to the GUI on your opnsense and go to System/Trust/Certificates and click on Add
• (This is the part where SSH comes in handy) Copy and paste the text of the certificate and private key to the appropriate text boxes in the GUI, give the certificate a name you can later recognize, and save it.
• In the GUI, go to System/Settings/Administration, choose the new certificate (with the name you entered above), and save.
• Test to make sure the new certificate works and is recognized by different browsers. I had to create a chain certificate, which includes the certificate you create, plus the intermediate certificates needed for validation.
• Once you are happy, it is a good idea to clean up. Delete extra files from any temporary locations. Wipe unneeded private keys (unless you have an SSD), etc.
• Take detailed notes of the changes you made to the script or configuration files. Copy the exact command you issued when the script completed successfully. Save all this where you can later find it
• Repeat every three months or so.

DISCLAIMER: I have to say that there is absolutely no reason why the plug-in shouldn't work, or couldn't be altered to make it work. Unfortunately, I am not familiar with the GUI code and did not have the time to learn how to make the changes.
This is a faster way to do it and it works for me until I or someone else invests the time to figure things out and makes the necessary changes in the GUI.
If you are not comfortable with the command line or debugging scripts, this is probably not a good solution for you, because this will require understanding the commands being issued and their impact.

[fabian]

The plugin should work but as long as you have the web interface running on the standard ports (80/443) the port cannot be used by the plugin to renew the certificate. with nginx or haproxy you should not have an issue. If you have the web interface on another port, acme.sh may work as well because it can temporary start a web server. There are different methods.

[SecAficionado]

Thanks Fabian. Is there an updated guide for the plug-in? Many things have changed in the acme.sh script and many registrars now support the DNS API. I am willing to give it a try but I don't know where to start.

[fabian]

I am not using the plugin because my OPNsense is not directly attached to the internet but if you point an A or AAAA record like firewall.example.com to your public IP and use the HTTP-01 method, only a special file must be served from a special directory via HTTP via port 80. The nginx plugin has a checkbox to serve this file but the maintainer of the ACME did not do anything in the ACME plugin yet:
https://github.com/opnsense/plugins/issues/711 (if anything is needed to adjust, the nginx part is there).

If you are not using port 80, acme.sh comes with an integrated script to start nginx to serve the request or if you are using HAProxy, the plugin has some integration to support it by routing the request to an internal web server serving the file.

[SecAficionado]

Thank you, Fabian.

I went through the scripts and searched the forum and things have changed quite a bit. It looks like it's much, much better than when I tried. After going through the entire process manually, all I have to do now is log in and issue one single command, so I'll stick to that for this cycle.

I'm also holding out for the Google DNS fix in the acme.sh script. When that gets incorporated in the plug-in, I will be there, testing.