Messages - flotho

#1
Finally,

It was not at all due to NAT.
It was due to the Anti DDOS option and SYN cookies.
With this option set, it is impossible to get a certificate from Let's Encrypt behind the FW.
Without this option everything works fine.
Any chance to add this to the documentation?

Regards
#2
Hi everyone,

New in favor of https://forum.opnsense.org/index.php?topic=35061.0

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with an up-to-date OPNsense as a VM in Proxmox.
Single WAN and multiple LANs with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a Let's Encrypt certificate from a VM.
I dug a little and found that certbot was not really the issue, but the Let's Encrypt certificates.

I've tested the certificate with the following command: openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443

  • It failed to answer.
  • I've tested the command from different OS/OpenSSL versions: same failure for the Let's Encrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the OPNsense shell, with success.
I've tested the command from the same VM to another domain, openssl s_client -debug -connect google.com:443, with success.

From here, it looks like it's a FW issue concerning the Let's Encrypt domain.
I've searched a lot and tested many things:

  • added an alias for Let's Encrypt => no more success
  • added open-bar rules for this alias => no more success
Finally I found some related issues, but not all relevant.
The one that helped me a lot was this one: https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution of reapplying the outbound NAT setup solved my issue.

Also, another thread referencing strange issues: https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an outbound NAT issue with certificates from Cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent.
#4
23.7 Legacy Series / Re: Upgraded to 23.7. Wow.
July 31, 2023, 10:56:31 PM
I confirm, same thing for the update with WireGuard. Perfect.
Still have a setup issue obviously: https://forum.opnsense.org/index.php?topic=35088.0
#8
Hi everyone,

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with an up-to-date OPNsense as a VM in Proxmox.
Single WAN and multiple LANs with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a Let's Encrypt certificate from a VM.
I dug a little and found that certbot was not really the issue, but the Let's Encrypt certificates.

I've tested the certificate with the following command: openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443

  • It failed to answer.
  • I've tested the command from different OS/OpenSSL versions: same failure for the Let's Encrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the OPNsense shell, with success.
I've tested the command from the same VM to another domain, openssl s_client -debug -connect google.com:443, with success.

From here, it looks like it's a FW issue concerning the Let's Encrypt domain.
I've searched a lot and tested many things:

  • added an alias for Let's Encrypt => no more success
  • added open-bar rules for this alias => no more success
Finally I found some related issues, but not all relevant.
The one that helped me a lot was this one: https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution of reapplying the outbound NAT setup solved my issue.

Also, another thread referencing strange issues: https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an outbound NAT issue with certificates from Cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent.
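The triage in posts #2 and #8 (probe the ACME endpoint and a control domain with openssl s_client from the VM, from the OPNsense shell and from an outside host) can be scripted so that the failure mode is classified instead of read off a debug trace. The script below is an added example written for this page; it is not the poster's code and not part of OPNsense or certbot. The hostnames are the two from the post; the verdict strings are this example's own heuristics, and a "timeout" verdict only narrows the problem to a silent drop on the path (a block rule, a missing outbound NAT entry, or, as post #1 found, the Anti DDOS/SYN-cookie option), it does not say which.

```python
"""Classify why a TLS connection to an ACME endpoint fails (added example, not OPNsense code)."""
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"   # the host the poster could not reach
CONTROL_HOST = "google.com"                  # the control host that did work


def probe_tls(host, port=443, timeout=5.0):
    """TCP connect + TLS handshake to host:port. Returns (status, detail).

    status is one of: ok, dns, timeout, refused, reset, cert, tls, error.
    A 'timeout' (no SYN-ACK, no RST, no ICMP) is what a silent drop by a
    firewall rule or a broken outbound NAT mapping looks like from the client.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                return "ok", f"{tls.version()} issuer={issuer.get('organizationName', '?')}"
    except socket.gaierror as e:
        return "dns", str(e)
    except (socket.timeout, TimeoutError):
        return "timeout", "no answer before timeout: packets dropped on the path"
    except ConnectionRefusedError as e:
        return "refused", str(e)
    except ConnectionResetError as e:
        return "reset", str(e)
    except ssl.SSLCertVerificationError as e:
        return "cert", e.verify_message
    except ssl.SSLError as e:          # handshake reached a peer but did not complete
        return "tls", str(e)
    except OSError as e:               # no route, network unreachable, etc.
        return "error", str(e)


def diagnose(target_status, control_status):
    """Combine the target and control probe results into a 'where to look next' verdict."""
    if target_status == "ok":
        return "target reachable: look at the ACME client, not the network"
    if target_status == "dns":
        return "name resolution failed: fix the resolver before blaming firewall rules"
    if control_status != "ok":
        return "nothing reaches the Internet: default route, outbound NAT or outbound rules"
    if target_status == "timeout":
        return "only this destination is dropped: per-host rule/alias or a stale outbound NAT entry"
    if target_status in ("refused", "reset"):
        return "connection actively rejected: reject rule, IDS/IPS, or the remote host"
    if target_status == "cert":
        return "handshake reached a server but its certificate did not verify: interception or trust store"
    return "handshake started but did not complete: MTU/MSS or protocol inspection on the path"


def closed_local_port():
    """Bind and release an ephemeral loopback port so a probe to it is refused (self-test helper)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    results = {h: probe_tls(h) for h in (ACME_HOST, CONTROL_HOST)}
    for host, (status, detail) in results.items():
        print(f"{host:40} {status:8} {detail}")
    print("verdict:", diagnose(results[ACME_HOST][0], results[CONTROL_HOST][0]))
```

Run it unchanged from the VM, from the OPNsense shell and from a host outside the firewall and compare the status column: a "timeout" for the ACME host only, with "ok" for the control host and "ok" for the same probe from the firewall itself, points at the LAN-to-WAN path (rules or outbound NAT) rather than at DNS, the ACME client or the remote service.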