Messages - cribbageSTARSHIP

#1
Good day everyone. I am using the Caddy plugin and am able to access my OPNsense GUI (only from inside my LAN) from my .com. I have 3 domains (home/prod/testing) that I want to have services work with. The OPN GUI is on my prod domain and it works. I tried two other services (qBittorrent on HTTP, and Portainer on HTTPS) and neither works. With my Cloudflare SSL/TLS encryption set to Full it shows the two failures are due to "SSL handshake failed, Error code 525". With it turned to Flexible it fails due to ERR_TOO_MANY_REDIRECTS.

I'm not sure what to look for in diagnosing this issue. Any guidance would be great. Thank you!
#2
I think my frustration goggles stopped me from reading

> ACME clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts /.well-known/acme-challenge. This can be solved by using the HTTP-01 Challenge Redirection option in the advanced mode of domains. Please check the tutorial section for an example.

Thank you so much for the nudge in the right direction.
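For readers wondering what the quoted redirection amounts to, here is an added hand-written Caddyfile (not the os-caddy plugin's generated config and not from the original posts): the challenge path is passed through to the upstream's plain-HTTP listener so its own ACME client can answer, while everything else is proxied over HTTPS. The hostname app.example.com and the upstream address 192.0.2.10 are placeholders.

```caddyfile
# Added example; app.example.com and 192.0.2.10 are placeholder values.
app.example.com {
    # Caddy answers HTTP-01 challenges for names it manages itself before
    # site routes run, so this handle only reaches challenges issued by the
    # ACME client running on the upstream. Forward those to its port 80.
    handle /.well-known/acme-challenge/* {
        reverse_proxy 192.0.2.10:80
    }

    # All other requests go to the upstream's HTTPS listener.
    handle {
        reverse_proxy https://192.0.2.10:443
    }
}
```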
#3
Thank you for taking the time to respond.

I thought I needed ACME to get self-signed certs for all my self-hosted items so that I could have HTTPS names on the LAN vice having to use IP addresses, while also not having to "accept the risk" each time.

Are you saying that I can delete ACME from OPNsense, and use the os-caddy plugin to manage my certs? I remember this process being way easier two years ago lol.

How do I make it so that when clients on my LAN use the subdomains it connects right to the server via the LAN?

EDIT: Are you the author of this? https://www.youtube.com/watch?v=1IykZemclVA Is this what I should be doing?
#4
Good day everyone,

I have self-hosted things in the past with Nginx Proxy Manager and a few other containers in one Deb server. I stopped the WAN access side a while back but the need has risen again. I've been trying to get ACME and Caddy (the OPNsense plugins, not external containers) to work and am having a hell of a time. At some point I remembered that prod certs have a rate limit and that I used to use staging to get around that.

Last night I got an ACME cert to work for the OPNsense Web UI using a subdomain of a .ca that I own (although I had to block WAN access with a rule that blocks WAN traffic to the web UI port on the OPNsense machine). I then created another subdomain to test hosting another Docker service, and ACME kept throwing authentication issues. I tried redoing the Cloudflare API setup, which did not work. It was noticed that TXT files were showing up in my Cloudflare DNS section with a TTL of 2 min. I had read that sometimes Cloudflare needs more time, so I deleted all the TXTs and tried to register the cert via ACME. As soon as the TXT showed up in Cloudflare I changed it to 5 min and ACME was able to register it!

The test site will not load (connection timeout), and the subdomain for the Web UI now throws a 502 error. :-\

After trying to diagnose I came upon some posts that bring up that having unused SANs can cause issues. I know I had used production certs earlier by mistake so I tried to delete them but it doesn't work. Looking in the trust section -> authorities I have 4 items: Staging and prod R11 & R10. Certificates show that both my subdomains are using Staging R10. The Revocation area has 5:

1. This row is completely blank
2. R10
3. R11
4. R11 Staging
5. R10 Staging

When I try to revoke a cert it states "Danger - Endpoint not found"

Any ideas?

Thought I should add, I have Unbound enabled with DNS over TLS connected to Cloudflare. There are no DNS entries in settings, and my DNS cannot be set by my ISP.
#5
So I would have to go to my Cloudflare account and create an A record for router.mydomain.ca? Would that not make my web UI accessible from the WWW? Should I be limiting the listening devices to just one of my VLANs?
#6
Thank you for taking the time. I'm new to this.

Are you saying that I should be using the LAN IP for the firewall itself as the DNS server?

"System > Settings > General" -> Change DNS servers to FW LAN IP vice 1.1.1.1 and 1.0.0.1? or considering the below, should I leave it blank?

I have Unbound enabled; thanks to your nudge I found this info:

> Unbound DNS service: If the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option is disabled and the DNS server list is populated, the Unbound DNS service will only use the servers in the DNS servers list as the upstream DNS servers. If the DNS server list is empty, the Unbound DNS service will recursively resolve DNS queries (originally I tested this in a virtual machine behind my primary OPNsense router and the lookups failed – most likely that was due to having a recursive resolver behind another recursive resolver).

and

> OPNsense system: If the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option is disabled and the DNS server list is populated, the OPNsense system will use localhost (which uses the Unbound DNS service), and the servers in DNS list. If the DNS server list is empty, the OPNsense system will recursively resolve DNS queries (as stated earlier, I was testing in a VM behind my primary OPNsense router so I had a recursive resolver behind another recursive resolver which likely caused problems).
#7
Did you ever figure this out?
#8
Good day everyone.

I followed this [write up](https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/) (also in [video format](https://www.youtube.com/watch?v=bY5mLytgDek)) in the hopes that I could start using Let's Encrypt and the ACME plugin. When I issued the cert and refreshed the page while logged into the IP of the Web UI, I had to accept the risk again; however, I checked the cert and I had to accept the risk because the cert was for router.mydomain.ca.

When I try to use router.mydomain.ca it throws Error code: SSL_ERROR_INTERNAL_ERROR_ALERT. I own my .ca and have it set up via Cloudflare, although router.mydomain.ca is not listed in the DNS because I don't want my FW accessible via the WAN.

I've been trying to figure this out but I must have frustration goggles on. Any ideas on where to start diagnosing this?