For my homelab I've set up a custom ACME CA using this guide Build a Tiny Certificate Authority For Your Homelab (https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/). I was able to verify the configuration worked with Traefik (https://smallstep.com/docs/tutorials/acme-protocol-acme-clients#traefik) on my server.
I started by adding an ACME account:
- I created the ACME Client account. Registration seems successful.
(https://i.imgur.com/JJUFIWl.png)
- I clicked "Issue or renew certificate". I see a validation failure and no such successful certificate.
(https://i.imgur.com/a9yyMoV.png)
- Here you can see the challenge type. I used HTTP-01.
(https://i.imgur.com/ffATiR2.png)
- In the firewall we see a state violation.
(https://i.imgur.com/vIdJeVi.png)
- And a more detailed look:
(https://i.imgur.com/K5KS5L0.png)
I tried making some rules but it didn't seem to help anything.
What is interesting is curl does appear to work, so it's only the response to requesting a certificate.
So I have thought about this again; maybe it does make more sense to use the DNS-01 challenge type. The goal is not to add too many moving parts to this, so I wanted to keep the authoritative part on the opnsense device.
It seems it is possible to use BIND and Unbound together without conflict, as this post on reddit (https://old.reddit.com/r/OPNsenseFirewall/comments/s8om2r/how_to_unbound_bind/htmot4u/) points out. Unfortunately no documentation was provided. Currently I am using Unbound, and I have a few overrides set up there. I like Unbound because it lets me set an outgoing interface, which is currently set to my preferred WAN link.
Currently some things about my network:
- The Raspberry Pi which is running step-ca is tinyca.bsmt-rpi1.home.arpa
- The OPNsense router is opnsense.bsmt-rt1.home.arpa
These are currently configured in Unbound with the "override" option.
- Unbound is currently configured and forwarding DNS requests from my LAN-side VLANs.
- Unbound is currently configured with a few overrides for various devices on my LAN.
- I'm a bit stuck as to how to fill in the Challenge type for my OPNSense router:
(https://i.imgur.com/Dqmgpvx.png)
- The settings for the BIND Configuration
(https://i.imgur.com/Xji9NXx.png)
I noticed in the documentation (https://docs.opnsense.org/manual/how-tos/bind.html) it says to leave that as port 53530 so that it doesn't interfere with Unbound.
- How might I go about configuring the master zone?
(https://i.imgur.com/a2McQZv.png)
OPNSense BIND Plugin
(https://i.imgur.com/GOL1x10.png)
There seems to be no way to set the user apikey/token in the BIND plugin (https://docs.opnsense.org/manual/how-tos/bind.html).
I noticed some other options:
ACME DNS:
(https://i.imgur.com/xXXYW7b.png)
Not sure about this one. Perhaps something I could set up on my server in a container or something.
nsupdate:
(https://i.imgur.com/B0g8uoc.png)
Perhaps this is an option.
The main goal I am trying to achieve is to get signed certificates from my step-ca server without having to depend on services on the internet (i.e. using WAN).
I am using step-ca as well for all my home configs, and it is working... partially... with OPNSense.
In fact, trying to troubleshoot I stumbled across your post. My issue is different, I can get step-ca to work with HTTP validation, but I cannot get it to renew quickly as OPNSense seems to think that a renewal is not required.
My issue/thread is here:
https://forum.opnsense.org/index.php?topic=34054.0
Did you get yours working? If not, I can share my configs that got me to start the renewal - I am just trying to figure out how to get it to actually renew when the cron job tells it to do so.