OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: drjack87 on April 30, 2018, 11:29:54 pm

Title: Web GUI SSL certificate - Let's Encrypt
Post by: drjack87 on April 30, 2018, 11:29:54 pm
I'd like to set up a Let's Encrypt certificate and replace the auto-generated Web GUI SSL certificate.
Can someone give me a couple of tips?

thanks
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: guest15389 on May 02, 2018, 03:58:56 pm
Probably not the most helpful answer, but I just set up a VPN and use HTTP, as anything I consider inside is trusted for me.

I didn't see much in terms of automating Let's Encrypt that worked all the way; if it's not automated, you kind of lose the appeal of Let's Encrypt.
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: SecAficionado on September 01, 2018, 06:34:49 pm
I got tired of trying to make the plugin work, so I resorted to doing it manually. If your setup meets these conditions:
You can follow these steps (please read the disclaimer below before attempting!):
DISCLAIMER: I have to say that there is absolutely no reason why the plug-in shouldn't work, or couldn't be altered to make it work. Unfortunately, I am not familiar with the GUI code and did not have the time to learn how to make the changes.
This is a faster way to do it and it works for me until I or someone else invests the time to figure things out and makes the necessary changes in the GUI.
If you are not comfortable with the command line or debugging scripts, this is probably not a good solution for you, because this will require understanding the commands being issued and their impact.
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: fabian on September 01, 2018, 08:16:59 pm
The plugin should work, but as long as you have the web interface running on the standard ports (80/443) the port cannot be used by the plugin to renew the certificate. With nginx or HAProxy you should not have an issue. If you have the web interface on another port, acme.sh may work as well because it can temporarily start a web server. There are different methods.
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: SecAficionado on September 02, 2018, 01:10:48 am
Thanks Fabian. Is there an updated guide for the plug-in? Many things have changed in the acme.sh script and many registrars now support the DNS API. I am willing to give it a try but I don't know where to start.
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: fabian on September 02, 2018, 09:35:50 am
I am not using the plugin because my OPNsense is not directly attached to the internet, but if you point an A or AAAA record like firewall.example.com to your public IP and use the HTTP-01 method, only a special file must be served from a special directory via HTTP on port 80. The nginx plugin has a checkbox to serve this file, but the maintainer of the ACME plugin has not done anything in the ACME plugin yet:
https://github.com/opnsense/plugins/issues/711 (if anything needs adjusting, the nginx part is there).

If you are not using port 80, acme.sh comes with an integrated script to start nginx to serve the request, or if you are using HAProxy, the plugin has some integration to support it by routing the request to an internal web server serving the file.
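As an added illustration of the HTTP-01 flow described in the post above (this is example code, not from the thread, acme.sh or the OPNsense plugin): a minimal Python responder of the "temporary web server" kind that serves only `/.well-known/acme-challenge/<token>` and a pre-flight fetch that checks the path the way the CA's validator would. The token and thumbprint values are constructed; the server binds loopback on an ephemeral port so it runs offline, where the real thing would bind port 80 on the firewall's public address.

```python
# Added example (not from the thread, acme.sh or the OPNsense plugin): a minimal
# HTTP-01 responder that serves only /.well-known/acme-challenge/<token>.
import re, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # ACME tokens are base64url
CHALLENGES = {}  # token -> "<token>.<account-key thumbprint>" (values constructed)

def register_challenge(token: str, thumbprint: str) -> str:
    """Store the key authorization the CA expects to read back for this token."""
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url")
    CHALLENGES[token] = f"{token}.{thumbprint}"
    return CHALLENGES[token]

def lookup(path: str):
    """Key authorization for an exact challenge path, else None (no '..', no query)."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    return CHALLENGES.get(token) if TOKEN_RE.match(token) else None

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = lookup(self.path)
        if body is None:
            self.send_error(404)  # anything outside the challenge directory
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):  # keep the example quiet
        pass

def start_server(host="127.0.0.1", port=0):  # real one binds :80; OSError if the GUI holds it
    srv = ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(url: str):  # pre-flight the challenge URL like the CA would: (status, body)
    try:
        with urlopen(url, timeout=5) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, ""
```

If the web GUI still owns port 80, `start_server("0.0.0.0", 80)` fails with "address already in use", which is exactly why the plugin cannot renew behind the default GUI ports.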
Title: Re: Web GUI SSL certificate - Let's Encrypt
Post by: SecAficionado on September 03, 2018, 01:21:24 am
Thank you, Fabian.

I went through the scripts and searched the forum and things have changed quite a bit. It looks like it's much, much better than when I tried. After going through the entire process manually, all I have to do now is log in and issue one single command, so I'll stick to that for this cycle.

I'm also holding out for the Google DNS fix in the acme.sh script. When that gets incorporated in the plug-in, I will be there, testing.