OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: BeNe on February 11, 2018, 08:02:20 pm

Title: Let's Encrypt Cert for the OPNsense WebGUI itself?
Post by: BeNe on February 11, 2018, 08:02:20 pm
Hello OPNsense Folks,

Can I use the Let's Encrypt plugin to generate a valid SSL cert for the OPNsense WebGUI itself?

As far as I know, I can use HA-Proxy and the Let's Encrypt plugin to generate a cert for web services behind the firewall, but not for the firewall itself.

My firewall has an external static DNS entry.
Is there an option ?

Thanks!
Title: Re: Let's Encrypt Cert for the OPNsense WebGUI itself?
Post by: elektroinside on February 11, 2018, 08:40:39 pm
You can use any certificate (including Let's Encrypt) for anything that uses certificates of such, including the GUI.
Generate one according to your external hostname (make sure your hostname points to your OPNsense box) and load it in System: Settings: Administration: SSL Certificate.
Mind you that the plugin is still outdated and it won't work; it needs a refresh, which supposedly will be ready soon.

More info about the issue here: https://forum.opnsense.org/index.php?topic=7139
Title: Re: Let's Encrypt Cert for the OPNsense WebGUI itself?
Post by: BeNe on February 11, 2018, 10:30:54 pm
Hi elektroinside,

Thank you for your answer.
Will the Let's Encrypt plugin (if it is fixed) also update/renew the Let's Encrypt certificate for the WebGUI?
Title: Re: Let's Encrypt Cert for the OPNsense WebGUI itself?
Post by: elektroinside on February 11, 2018, 10:56:20 pm
The plugin "generates" a certificate that is signed by a trusted certificate authority called "Let's Encrypt".
This plugin only "generates" certificates signed by this CA. It is your choice where you are going to install the cert and for what services (you can export them and use them for something else if you wish). If you choose to use it for the WebGUI (setting the option I mentioned before), then the web server behind the WebGUI will also use it, as it is using the same cert (by name), located in the same path of your OPNsense box.

More simply put: running the plugin will result in some files, saved somewhere on the HDD. Those files will be read by some services, including the web server (if configured), and pushed towards the connected clients. The browser verifies it, validates it, and you get to have a connection trusted by the browser. Rerunning the plugin will result in files with the same name but different content (overwritten).

Anyway, the short answer is yes :)