Messages - flotho

1
General Discussion / Re: Possible NAT issue with letsencrypt certificate / SSL behind FW
« on: August 02, 2023, 05:22:46 pm »
Finally,

It was not at all due to NAT.
It was due to the Anti DDOS option and SYN cookies.
With this option set, it is impossible to get a certificate from letsencrypt behind the FW.
Without this option everything works fine.
Any chance to add this to the documentation?

Regards

2
General Discussion / [SOLVED] Anti DDOS option prevents getting letsencrypt certificate behind FW
« on: July 31, 2023, 11:10:48 pm »
Hi everyone,

New in favor of https://forum.opnsense.org/index.php?topic=35061.0

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with up-to-date OPNsense as a VM in Proxmox.
Single WAN and multiple LANs with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a letsencrypt certificate from a VM.
I dug a little and I found that certbot was not really the issue but letsencrypt certificates.

I've tested the certificate with the following command.
Code:
openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443
  • it failed to answer.
  • I've tested the command from different OS/OpenSSL versions, same failure for the letsencrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the opnsense shell with success
I've tested the command from the same VM to another domain

Code:
openssl s_client -debug -connect google.com:443
with success.

From here, it looks like it's a FW issue concerning the letsencrypt domain.
I've searched a lot and tested many things:
  • added alias for letsencrypt => no more success
  • added openbar rules for this alias => no more success
Finally I found some related issues but not all relevant.
The one that helped me a lot was this one https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution to reapply the outbound setup for NAT solved my issue.

Also, another thread referencing strange issues https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an Outbound NAT issue with certificates from cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent
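The elimination the post walks through (ACME endpoint from the VM, a control host from the VM, the ACME endpoint from the firewall shell) can be scripted so the failure stage is recorded rather than eyeballed from openssl output. This is an added example, not code from the post or from OPNsense; the host names are the ones the post tested, and the classify() decision tree is an assumption that encodes the post's reasoning.

```python
"""Check TLS reachability of the ACME endpoint versus a control host and
interpret the three results the way the post did. Added example."""
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"  # endpoint the post tested
CONTROL_HOST = "google.com"                 # control host the post tested


def check_tls(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Return the stage at which reaching host:port over TLS fails.

    'ok' means the TCP connect and the TLS handshake both completed.
    'timeout' (no answer at all, which is what the post saw) points at
    packets being dropped somewhere on the path; 'refused' and
    'tls-error' mean the peer answered, so the path itself is fine.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # only reachable after a full handshake
                return "ok"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "network-error"


def classify(acme: str, control: str, acme_from_firewall: str) -> str:
    """Map the three checks (VM->ACME, VM->control, firewall->ACME) to a
    next step. Assumed decision tree, following the post's elimination."""
    if acme == "ok":
        return "acme reachable: look at the ACME client, not the network"
    if control != "ok":
        return "general egress failure: check default route, outbound NAT, DNS"
    if acme_from_firewall == "ok":
        return ("only ACME from behind the firewall fails: suspect per-flow "
                "firewall features (outbound NAT rules, aliases, anti-DDoS / "
                "SYN cookies) rather than the ACME client")
    return "ACME fails from the firewall too: upstream or provider-side issue"


if __name__ == "__main__":
    # The firewall-side check has to be run from the OPNsense shell itself.
    print("VM ->", ACME_HOST, check_tls(ACME_HOST))
    print("VM ->", CONTROL_HOST, check_tls(CONTROL_HOST))
```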

3
23.1 Legacy Series / Re: Possible NAT issue with letsencrypt certificate / SSL for machine behind the FW
« on: July 31, 2023, 11:06:02 pm »
Closed in favor of https://forum.opnsense.org/index.php?topic=35126.0

4
23.7 Legacy Series / Re: Upgraded to 23.7. Wow.
« on: July 31, 2023, 10:56:31 pm »
I confirm, same thing for the update with wireguard. Perfect.
Still have a setup issue obviously https://forum.opnsense.org/index.php?topic=35088.0

5
23.1 Legacy Series / Re: Possible NAT or routing issues with new opnsense setup + L3 Cisco switch
« on: July 31, 2023, 08:49:45 am »
my bad, wrong thread

6
23.1 Legacy Series / Re: Possible NAT FW issue with letsencrypt certificate / SSL for machine in the DMZ
« on: July 27, 2023, 11:16:41 pm »
And also there https://forum.opnsense.org/index.php?topic=34925.0

7
23.1 Legacy Series / Re: Possible NAT FW issue with letsencrypt certificate / SSL for machine in the DMZ
« on: July 27, 2023, 11:13:34 pm »
Oh oh....

Seems I found something relevant https://github.com/opnsense/core/issues/6650#issuecomment-1630492567

8
23.1 Legacy Series / [CLOSED] Possible NAT issue with letsencrypt certificate / SSL
« on: July 27, 2023, 11:07:36 pm »
Hi everyone,

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with up-to-date OPNsense as a VM in Proxmox.
Single WAN and multiple LANs with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a letsencrypt certificate from a VM.
I dug a little and I found that certbot was not really the issue but letsencrypt certificates.

I've tested the certificate with the following command.
Code:
openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443
  • it failed to answer.
  • I've tested the command from different OS/OpenSSL versions, same failure for the letsencrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the opnsense shell with success
I've tested the command from the same VM to another domain

Code:
openssl s_client -debug -connect google.com:443
with success.

From here, it looks like it's a FW issue concerning the letsencrypt domain.
I've searched a lot and tested many things:
  • added alias for letsencrypt => no more success
  • added openbar rules for this alias => no more success
Finally I found some related issues but not all relevant.
The one that helped me a lot was this one https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution to reapply the outbound setup for NAT solved my issue.

Also, another thread referencing strange issues https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an Outbound NAT issue with certificates from cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved