OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: flotho on July 27, 2023, 11:07:36 PM

Title: [CLOSED]Possible NAT issue with letsencrypt certificate / SSL
Post by: flotho on July 27, 2023, 11:07:36 PM
Hi everyone,

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with up-to-date OPNsense as a VM in Proxmox.
Single Wan and multiple LAN with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a letsencrypt certificate from a VM.
I dug a little and I found that certbot was not really the issue but letsencrypt certificates.

I've tested the certificate with the following command:
openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443
I've tested the command from the same VM to another domain
openssl s_client -debug -connect google.com:443
with success.

From here, it looks like it's a FW issue concerning the letsencrypt domain.
I've searched a lot and tested many things:
Finally I found some related issues, but not all were relevant.
The one that helped me a lot was this one https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution to reapply the outbound setup for NAT solved my issue.

Also, another thread referencing strange issues https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an Outbound NAT issue with certificates from cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent
Title: Re: Possible NAT FW issue with letsencrypt certificate / SSL for machine in the DMZ
Post by: flotho on July 27, 2023, 11:13:34 PM
Oh oh....

Seems I found something relevant https://github.com/opnsense/core/issues/6650#issuecomment-1630492567
Title: Re: Possible NAT FW issue with letsencrypt certificate / SSL for machine in the DMZ
Post by: flotho on July 27, 2023, 11:16:41 PM
And also there https://forum.opnsense.org/index.php?topic=34925.0
Title: Re: Possible NAT issue with letsencrypt certificate / SSL for machine behind the FW
Post by: flotho on July 31, 2023, 11:06:02 PM
Closed in favor of https://forum.opnsense.org/index.php?topic=35126.0