OPNsense Forum

English Forums => General Discussion => Topic started by: bughatti on December 15, 2020, 05:21:20 pm

Title: Lets Encrypt setup
Post by: bughatti on December 15, 2020, 05:21:20 pm
Hello all, new to the forums and OPNsense.

Here is what I want to do, and I'm sure I am not understanding something. Any step-by-step guides are greatly appreciated.

I set up a new OPNsense box; it is sitting behind a Palo Alto firewall. The purpose of this OPNsense box is solely to be a central point for all Let's Encrypt certs within our network. Many of the machines that host some form of a service do have access to the internet, some on 80, some on 443, but they all have their own external IP address that is separate from the OPNsense machine. We want to do this to avoid logging into 20+ machines continuously checking certs. We would much rather have one place that does the certs and script out each machine, either with bash scripts or PowerShell scripts, to pull the new certs and update each box. We do have a few boxes internally that do not have external access, and I have been able to accomplish what I want by setting a DNS A record for that machine that points to the OPNsense box so that Let's Encrypt issues the cert; I copy the cert using SSH keys from OPNsense to the other machine, and then I added a Windows local hosts record pointing the name in the cert to the internal IP.

Currently my OPNsense box is set up and is running on opnsense.domain.com:4343. Let's Encrypt is set up also and has issued a cert for the OPNsense box. Let's Encrypt has also issued a cert for dsm.domain.com (this is the server that has no external access). Let's say opnsense.domain.com sits at 100.100.100.10 externally. Now I have website1.domain.com sitting at 100.100.100.11 and website2.domain.com sitting at 100.100.100.12. Both of these servers do not sit behind OPNsense; all servers sit behind the Palo Alto using NAT and firewall rules.

The current certs that have been issued are using the http-01 challenge. The certs that have failed did so because website1 and website2 are on completely different servers from OPNsense. I have looked into doing the dns-01 challenge, but I have not found a good step-by-step walkthrough describing how to do dns-01 with OPNsense. I do have the ability to add records to our external DNS server.

So I guess my overall question is: what is the best way to accomplish what I am looking to do?
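As an added illustration of the "pull the new certs and update each box" side of the setup described above (this is example code, not from the thread or from OPNsense), each target server can fetch its own cert from the central box over SSH, verify it before touching the live files, and reload only when something changed. The central host name, the deploy account, the remote directory and the reload command are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example (assumed names): pull a cert from the central OPNsense host,
# verify it, install it atomically, reload only on change.
set -eu

CENTRAL="deploy@opnsense.domain.com"    # read-only deploy account, SSH key auth only (assumed)
REMOTE_DIR="/path/on/opnsense/certs"    # where the central box keeps issued certs (assumed)
NAME="${1:-website1.domain.com}"        # cert name == hostname of this server
DEST="/etc/ssl/private/$NAME"
RELOAD="systemctl reload nginx"         # service reload command (assumed)

# 0 when the public key inside the cert matches the private key; 1 otherwise.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Whole days until the cert's notAfter (negative if already expired).
cert_days_left() {
  exp=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  now=$(date +%s)
  end=$(date -d "$exp" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$exp" +%s)
  echo $(( (end - now) / 86400 ))
}

# Fetch into a private temp dir, verify, then swap into place; never leave
# a half-written key or a cert that does not belong to the key.
pull_and_install() {
  tmp=$(mktemp -d) && chmod 700 "$tmp"
  scp -q "$CENTRAL:$REMOTE_DIR/$NAME/fullchain.pem" "$CENTRAL:$REMOTE_DIR/$NAME/privkey.pem" "$tmp/"
  if ! cert_matches_key "$tmp/fullchain.pem" "$tmp/privkey.pem"; then
    echo "$NAME: cert/key mismatch, not installing" >&2; rm -rf "$tmp"; return 1
  fi
  if [ "$(cert_days_left "$tmp/fullchain.pem")" -le 0 ]; then
    echo "$NAME: fetched cert is expired, not installing" >&2; rm -rf "$tmp"; return 1
  fi
  if [ -f "$DEST/fullchain.pem" ] && cmp -s "$tmp/fullchain.pem" "$DEST/fullchain.pem"; then
    rm -rf "$tmp"; return 0                      # unchanged: nothing to do, no reload
  fi
  mkdir -p "$DEST" && chmod 700 "$DEST"
  chmod 600 "$tmp/privkey.pem" && chmod 644 "$tmp/fullchain.pem"
  cp "$tmp/privkey.pem" "$DEST/privkey.pem.new" && mv "$DEST/privkey.pem.new" "$DEST/privkey.pem"
  cp "$tmp/fullchain.pem" "$DEST/fullchain.pem.new" && mv "$DEST/fullchain.pem.new" "$DEST/fullchain.pem"
  rm -rf "$tmp"
  $RELOAD
}

# Only run the pull when explicitly asked, e.g. from cron: DISTCERT_RUN=1 ./pull-cert.sh website1.domain.com
if [ "${DISTCERT_RUN:-0}" = 1 ]; then pull_and_install; fi
```

Scheduling this from cron on each server, with the deploy account on the central box limited to reading the cert directory, gives the single renewal point the post asks for while keeping a mismatched or expired cert from ever replacing a working one.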

Title: Re: Lets Encrypt setup
Post by: bartjsmit on December 15, 2020, 10:38:25 pm
I've written a script to distribute Letsencrypt certs: https://github.com/bartsmit/distcerts

Bart...