OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: tre4bax on September 20, 2018, 06:26:19 pm

Title: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 20, 2018, 06:26:19 pm
This is a question I expected to find an easy answer to on the web or in FAQs.

With the default setup I can ask for opnsense to be HTTPS, which it does using a self generated certificate.  This leads to a Not Secure flag in Google.  Not too bothered about that as I understand the reason however it would be good to generate a certificate that changes this.


I want to make use of Let's encrypt so I thought that would be the logical place to get the certificate.  I added the ACME plugin to do this.  It appears though it is not as simple as all that ;-)  I cannot generate a certificate and I'm sure I really don't understand what I am doing :-(


I have my own domain hosted with a provider.  That also hosts my external DNS.  I am using unbound on my opnsense as my internal DNS using the same domain name.  Theory being from outside I can route in through the opnsense box.  From inside people can use the same URL and potentially be routed to a different server to the one they see externally.  At this point I have not tried to connect any other servers though.  When I am providing a domain name for the certificate I'm assuming it will be generated using the external IP Address, which will always be the same.  Am I right?  Or am I way off beam and none of this will work?  Is there an easy how to get your router to stop saying "Not Secure" guide (without turning off https)?


Many thanks for your help.


Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 20, 2018, 06:29:11 pm
For more info this is the error from ACME logs when I try to generate a certificate against the routers name

router.mydomain.com

new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: DNS name does not have enough labels","status": 400}

router.mydomain.com is not specified in the external DNS.  Only the internal one.  I didn't really want to have my router accessible or discoverable from the outside.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 20, 2018, 08:40:51 pm
I have only a tiny experience with ACME and Let's Encrypt as last night was the first time that I ever gave it a try (but I was able to successfully have a certificate issued to me).

If your primary goal is just to be able to browse to your server and have it show up as a valid certificate, you might want to consider creating your own certificate authority and server certificate(s) (both of which you can do from within opnsense) and have your computer/browser choose to trust all certificates that are signed from your own CA. Going this route, there is no messing around with ACME or Let's Encrypt or anything. You do have to manually add your CA to each client that will be connecting to it as a trusted CA, but if you only have a handful of computers that will connect to it perhaps that's acceptable?

If you want a real, LE certificate that will be more globally trusted, you have to run the agent that will handle all the back and forth talk that it will do with the LE servers. Installing the ACME plug-in provides all the necessary tools that you'll need to make this happen. But the LE servers need to talk to this agent and ultimately you're going to have to have your router be accessible or discoverable from the outside, which I think is what you were trying to avoid.

LE needs to know that you're in control of the domain that you're creating certificates for and will use a hostname record within that domain name to talk to that host and the agent running on that host to negotiate a certificate for it. Without it being accessible from the Internet at large, it can't do this.

That's a pretty high level overview, but hopefully it helps fill in some gaps?
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 20, 2018, 08:46:03 pm
Yeah thanks Drinyth,

I do want to use external certificates as I have some servers I will want to expose.  My router is going to be exposed, I just meant I did not want to expose the admin interface to the web unless I have no other option.  I'd prefer that it can only be modified by someone sitting on my cabled network.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 20, 2018, 09:02:06 pm
You shouldn't have to expose your admin interface. You can keep that running as https (443) and have the ACME server run on http (80). Then with your firewall rules, just open up port 80 to the outside and that should allow them access to the ACME agent without being able to connect to the admin interface.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 20, 2018, 10:11:19 pm
I have loaded up the ACME plugin, it just did not work so is there something missing in the setup?  I assumed anything that needed to be opened would have been safely done when loading the plugin.  How did you get it working?
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: fabian on September 20, 2018, 10:51:06 pm
you have to pass port 80/TCP if you want to use HTTP-01 challenges.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 21, 2018, 10:53:42 am
what do I need to open the port to? Do I need to setup a webserver target or does the Acme client function in that capacity?
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 21, 2018, 02:55:21 pm
Just open up the port itself on the WAN. You don't need to setup a port forward to anything.

Once the port is open and the ACME agent is running, the firewall will take care of setting up the webserver to handle all the LE traffic in the backend.
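The HTTP-01 exchange that Drinyth and fabian describe (the CA connects to port 80 on the name being certified, and the agent answers), as an added example that is not part of this thread, the OPNsense ACME plugin, or acme.sh: the client side derives the key authorization from the challenge token and the ACME account key (RFC 8555 section 8.3, with the key thumbprint from RFC 7638) and serves it at /.well-known/acme-challenge/<token>; the CA side fetches that path over plain HTTP and compares. The account JWK and the token below are constructed placeholders, not a real account key or a token issued by Let's Encrypt.

```python
"""HTTP-01 challenge mechanics (RFC 8555 section 8.3, RFC 7638 thumbprints).

Added example: not code from the OPNsense ACME plugin or acme.sh. The JWK and
token are constructed placeholders, not a real ACME account key.
"""
import base64
import hashlib
import http.server
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# RFC 7638 section 3.2: only these members, in lexicographic order, are hashed.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Constructed placeholder public key (the coordinates are not a real point).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-not-a-real-key",
    "y": "placeholder-y-coordinate-not-a-real-key",
    "alg": "ES256",  # present on purpose: it must not enter the thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Minimal JSON with only the required members, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Client side: the exact bytes the CA expects to fetch."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    return CHALLENGE_PREFIX + token


def ca_validates(fetched_body: bytes, token: str, jwk: dict) -> bool:
    """CA side: compare what port 80 returned with the expected key
    authorization; trailing whitespace is ignored (RFC 8555 section 8.3)."""
    body = fetched_body.decode("utf-8", errors="replace").rstrip()
    return body == key_authorization(token, jwk)


def make_responder(token: str, jwk: dict):
    """Handler class that answers only the challenge path; everything else 404.
    This is the job the 'ACME agent' on port 80 does during validation."""
    keyauth = key_authorization(token, jwk).encode("ascii")
    path = challenge_path(token)

    class Responder(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(keyauth)))
            self.end_headers()
            self.wfile.write(keyauth)

        def log_message(self, fmt, *args):
            pass  # keep the demo quiet

    return Responder


if __name__ == "__main__":
    # Port 80 is where the CA connects; binding it needs root, and the WAN
    # rule allowing 80/TCP to the firewall is what lets the CA reach it.
    token = "placeholder-token-not-from-a-real-CA"
    print("serving", challenge_path(token), "->", key_authorization(token, SAMPLE_JWK))
    http.server.HTTPServer(("0.0.0.0", 80),
                           make_responder(token, SAMPLE_JWK)).serve_forever()
```

The responder only ever answers the one challenge path and returns 404 for anything else, which is why opening 80/TCP for the validation does not expose the admin interface on 443; the same check from outside is a plain HTTP GET of the challenge path from a host on the Internet, which fails with a timeout when the WAN rule is missing.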
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 21, 2018, 03:01:13 pm
Many thanks,  I will try and figure that out tonight.  I'm assuming I need to add a firewall rule for it rather than just some tick box somewhere?
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 21, 2018, 03:32:34 pm
Yes. I ended up manually having to add a rule in after wondering why things weren't working. As soon as I allowed port 80 traffic for the HTTP-01 challenges, everything worked great.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 21, 2018, 11:03:54 pm
Must still be doing something wrong.  Validation is still failing.  Everything looks okay, I just added a WAN rule to allow 80(TCP) to "this firewall".

I have added the Certificate rule based on the internet address of the router so it should find the router.

Looks like one to solve tomorrow.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 22, 2018, 02:53:13 am
I already uninstalled the agent, but look around for the log files and tail them as you're trying to get your certificate issued. Lots of information in there that isn't otherwise available from the GUI.

In one case, everything I had was setup right (which I knew from using the development server instead of the production one) and there were a few errors on the LE side. I didn't change anything and just retried it a few times and it eventually went through.

Good luck.
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: tre4bax on September 22, 2018, 07:04:10 pm
Well I managed to get it to issue me a single machine certificate (wildcards are more of a challenge.  I'm working on that still ;-)) 

Sadly even though it generated and let me apply it still shows as a bad certificate, just one generated by Let's Encrypt rather than self generated  :(

Seems like this is way more difficult than it should be
Title: Re: https Not Secure - how can I use ACME and Let's Encrypt to change this?
Post by: Drinyth on September 22, 2018, 08:15:20 pm
After you got it working, did you change back from the development/test server over to the production one?

The certificates that are produced by the dev server aren't trusted, but the production ones should be?
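A way to see from a client why the browser still flags the certificate, as an added example that is not part of this thread or of OPNsense: let Python's ssl module verify the server against the system trust store the way a browser does and report the verify error, and, when verification succeeds, show the issuer. A certificate from the Let's Encrypt staging server fails with "unable to get local issuer certificate" because the staging CA is in no trust store, which is a different failure from the "self signed certificate" the default GUI certificate produces. The host name is a placeholder, and the staging-issuer markers are an assumption based on the names Let's Encrypt has used for its staging intermediates ("Fake LE ...", "(STAGING) ...").

```python
"""Why does the browser still say "Not Secure"? Verify the served certificate
the way a client does and report the reason.

Added example, not part of this thread or of OPNsense. The host name is a
placeholder; STAGING_MARKERS is an assumption based on the issuer names
Let's Encrypt has used for its staging CA ("Fake LE ...", "(STAGING) ...").
"""
import socket
import ssl

STAGING_MARKERS = ("STAGING", "Fake LE")

# Substrings of OpenSSL verify messages and what they usually mean in this setup.
_VERIFY_HINTS = (
    ("self signed", "self-signed certificate: the default GUI cert or a private CA "
                    "that is not in the trust store"),
    ("unable to get local issuer", "issuer not trusted: staging CA, or the "
                                   "intermediate chain was not installed"),
    ("hostname mismatch", "certificate is for a different name than the one connected to"),
    ("doesn't match", "certificate is for a different name than the one connected to"),
    ("has expired", "certificate expired: renewal did not run or was not applied"),
)


def explain_verify_error(message: str) -> str:
    """Map an OpenSSL verify message to a short hint; unknown ones pass through."""
    m = message.lower().replace("self-signed", "self signed")
    for needle, hint in _VERIFY_HINTS:
        if needle in m:
            return hint
    return "verification failed: " + message


def issuer_string(cert: dict) -> str:
    """Flatten the issuer tuple from ssl.getpeercert() into 'name=value, ...'."""
    return ", ".join(f"{name}={value}"
                     for rdn in cert.get("issuer", ()) for name, value in rdn)


def looks_like_staging(cert: dict) -> bool:
    issuer = issuer_string(cert)
    return any(marker in issuer for marker in STAGING_MARKERS)


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the system trust store and hostname checking enabled."""
    ctx = ssl.create_default_context()
    result = {"host": host, "verified": False, "reason": None,
              "issuer": None, "staging": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        result["reason"] = explain_verify_error(exc.verify_message)
        return result
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        result["reason"] = f"connection failed: {exc}"
        return result
    result.update(verified=True, issuer=issuer_string(cert),
                  staging=looks_like_staging(cert))
    return result


if __name__ == "__main__":
    print(check_tls("router.mydomain.com"))  # placeholder host from the thread
```

Run it from a machine on the LAN against the router's GUI address: a staging certificate reports the issuer hint, and switching the ACME plugin back to the production server and re-issuing turns "verified" to True with a Let's Encrypt issuer.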