Topics - cribbageSTARSHIP

1. Web Proxy Filtering and Caching / CADDY/cloudflare - Not understanding why I am getting an SSL handshake failure
« on: October 25, 2024, 12:49:56 am »
Good day everyone. I am using the Caddy plugin and am able to access my OPNsense GUI (only from inside my LAN) from my .com. I have 3 domains (home/prod/testing) that I want to have services work with. The OPN GUI is on my prod domain and it works. I tried two other services (qBittorrent on HTTP, and Portainer on HTTPS) and neither work. With my Cloudflare SSL/TLS encryption set to Full it shows the two failures are due to "SSL handshake failed" (Error code 525). With it turned to Flexible it fails due to ERR_TOO_MANY_REDIRECTS.

I'm not sure what to look for in diagnosing this issue. Any guidance would be great. Thank you!

2. Web Proxy Filtering and Caching / Issues with ACME and Caddy; cannot delete certs - endpoint not found.
« on: August 16, 2024, 05:28:50 pm »
Good day everyone,

I have self-hosted things in the past with Nginx Proxy Manager and a few other containers on one Deb server. I stopped the WAN access side a while back but the need has arisen again. I've been trying to get ACME and Caddy (the OS plugins, not external containers) to work and am having a hell of a time. At some point I remembered that prod certs have a rate limit and that I used to use staging to get around that.

Last night I got an ACME cert to work for the OPNsense Web UI using a subdomain of a .ca that I own (although I had to block WAN access with a rule that blocks WAN traffic to the web UI port on the OPNsense machine). I then created another subdomain to test hosting another Docker service, and ACME kept throwing authentication issues. I tried redoing the Cloudflare API setup, which did not work. I noticed that TXT records were showing up in my Cloudflare DNS section with a TTL of 2 min. I had read that sometimes Cloudflare needs more time, so I deleted all the TXTs and tried to register the cert via ACME. As soon as the TXT showed up in Cloudflare I changed it to 5 min and ACME was able to register it!

The test site will not load (connection timeout), and the subdomain for the Web UI now throws a 502 error. :-\

After trying to diagnose I came upon some posts that bring up that having unused SANs can cause issues. I know I had used production certs earlier by mistake, so I tried to delete them but it doesn't work. Looking in the Trust section -> Authorities I have 4 items: staging and prod R11 & R10. Certificates show that both my subdomains are using Staging R10. The Revocation area has 5:
  1. This row is completely blank
  2. R10
  3. R11
  4. R11 Staging
  5. R10 Staging

When I try to revoke a cert it states "Danger - Endpoint not found"

Any ideas?

Thought I should add, I have unbound enabled with DNS over TLS connected to Cloudflare. There are no DNS entries in settings, and my DNS cannot be set by my ISP.
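The post above adjusts the TXT record's TTL while waiting for the DNS-01 challenge to validate. Whatever the TTL, a check of the challenge record is best made directly against a public resolver rather than through the firewall's own Unbound, which will cache a negative answer (NXDOMAIN/NODATA) for a while if the name was looked up before the record existed. The following script, added here as an example and not code from the post or from the ACME/Caddy plugins, builds and parses a raw DNS TXT query using only the standard library; the challenge name, the resolver address (1.1.1.1) and the 43-character token are assumed values, and `constructed_response` fabricates a resolver reply so the parser can be exercised offline.

```python
"""Query a TXT record directly at a public resolver, without dnspython or the local Unbound cache.
Added example for checking an ACME DNS-01 challenge record; not code from the forum post or from
the ACME/Caddy plugins. The names, resolver address and sample values below are assumptions."""
import random
import socket
import struct

TYPE_TXT, CLASS_IN = 16, 1


def build_txt_query(name, txid=None):
    """Build a minimal RFC 1035 query: one TXT/IN question, recursion desired."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", TYPE_TXT, CLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_txt_response(msg):
    """Return {'rcode': int, 'answers': [(text, ttl), ...]} for the TXT RRs in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            # RDATA is one or more <length><chars> strings; concatenate them
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            answers.append(("".join(parts), ttl))
    return {"rcode": flags & 0x0F, "answers": answers}


def query_txt(name, resolver="1.1.1.1", timeout=5):
    """Send the query over UDP to a public resolver and parse the reply (needs network access)."""
    q = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_txt_response(data)


def challenge_present(parsed, expected_value):
    """True if the expected DNS-01 token value is among the TXT answers."""
    return any(text == expected_value for text, _ttl in parsed["answers"])


def constructed_response(name, txt, ttl=120, rcode=0, txid=0x1234):
    """Fabricate a resolver reply (constructed test data, not a real capture) so the parser
    can be exercised offline; the answer name is a compression pointer back to the question."""
    question = build_txt_query(name, txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if txt else 0, 0, 0)
    if not txt:
        return header + question
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    name = "_acme-challenge.test.example.ca"   # assumed label; use your own host's
    token = "A" * 43                            # constructed; a real value is 43 base64url chars
    print(parse_txt_response(constructed_response(name, token)))
    # Live check against the public resolver (needs network): print(query_txt(name))
```

Run it with the real `_acme-challenge.<host>` label while the ACME client is waiting; an empty answer list with rcode 0 means the zone exists but the record is not (yet) there, rcode 3 means the name does not exist at all.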

3. General Discussion / Secure Connection fails when trying to access the Web UI; ACME plugin
« on: August 15, 2024, 07:00:44 pm »
Good day everyone.

I followed this [write-up](https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/) (also in [video format](https://www.youtube.com/watch?v=bY5mLytgDek)) in the hopes that I could start using Let's Encrypt and the ACME plugin. When I issued the cert and refreshed the page while logged into the IP of the Web UI, I had to accept the risk again; however, I checked the cert, and I had to accept the risk because the cert was for router.mydomain.ca.

When I try to use [router.mydomain.ca](http://router.mydomain.ca) it throws Error code: SSL_ERROR_INTERNAL_ERROR_ALERT. I own my .ca and have it set up via Cloudflare, although [router.mydomain.ca](http://router.mydomain.ca) is not listed in the DNS because I don't want my FW accessible via the WAN.

I've been trying to figure this out but I must have frustration goggles on. Any ideas on where to start diagnosing this?
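Both the 525 / ERR_TOO_MANY_REDIRECTS pair in the first post and the SSL_ERROR_INTERNAL_ERROR_ALERT in this one come down to what the origin does when a client connects with a particular SNI. In Cloudflare's Full mode the edge opens TLS to the origin and reports 525 when that handshake fails; in Flexible mode it opens plain HTTP, so an origin that redirects HTTP to HTTPS (Caddy does this by default) sends the browser round in a loop; and Firefox's SSL_ERROR_INTERNAL_ERROR_ALERT means the server itself aborted the handshake with an internal_error alert. The script below, added as an example and not code from the posts, OPNsense or the Caddy plugin, makes the same two connections directly to the origin, bypassing Cloudflare, and translates the TLS alert into a configuration hint. The origin address 192.0.2.10 and the host names are assumptions.

```python
"""Probe an HTTPS/HTTP origin directly with an explicit SNI / Host header.
Added example; not from the forum posts, OPNsense or the Caddy plugin.
IPs (RFC 5737 documentation range) and host names are assumptions."""
import http.client
import socket
import ssl

# Substrings of OpenSSL error text mapped to what they mean for the origin configuration
ALERT_HINTS = {
    "internal error": ("server sent internal_error alert: a server-side failure while handshaking "
                       "for this SNI (commonly the certificate/key it selected for the name)"),
    "handshake failure": ("server sent handshake_failure alert: no certificate for this name, "
                          "or no cipher/protocol overlap"),
    "unrecognized name": "server sent unrecognized_name alert: SNI matches no configured site",
    "wrong version number": "port answered with plaintext, not TLS (HTTP listener on an HTTPS port?)",
}


def classify_ssl_error(message):
    """Turn an ssl.SSLError message into a configuration hint (pure function, runs offline)."""
    m = message.lower()
    for needle, hint in ALERT_HINTS.items():
        if needle in m:
            return hint
    return "TLS failure: " + message


def tls_probe(origin_ip, sni, port=443, timeout=5):
    """TCP-connect to the origin and start TLS with server_name=sni, as Cloudflare (Full mode)
    or a LAN browser would. Returns (status, detail). Certificate trust is deliberately not
    checked; the question is only whether the origin completes a handshake for this name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return ("ok", "%s %s" % (tls.version(), tls.cipher()[0]))
    except ssl.SSLError as exc:          # must precede OSError: SSLError is a subclass of it
        return ("tls_error", classify_ssl_error(str(exc)))
    except OSError as exc:               # refused, timed out, unreachable
        return ("tcp_error", str(exc))


def http_probe(origin_ip, host, port=80, timeout=5):
    """Plain-HTTP GET with a Host header, as Cloudflare does in Flexible mode.
    Returns (status, Location header or None); (None, error text) if the TCP connect fails."""
    conn = http.client.HTTPConnection(origin_ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Location"))
    except OSError as exc:
        return (None, str(exc))
    finally:
        conn.close()


def explain(cf_mode, tls_result, http_result):
    """Map the two probe results onto the symptom Cloudflare surfaces for that SSL/TLS mode.
    cf_mode is 'flexible' (edge -> origin over HTTP) or 'full' (edge -> origin over HTTPS)."""
    tls_status, tls_detail = tls_result
    code, location = http_result
    if cf_mode == "flexible":
        if code in (301, 302, 307, 308) and (location or "").startswith("https://"):
            return ("redirect loop (ERR_TOO_MANY_REDIRECTS): origin upgrades HTTP to HTTPS, "
                    "but in Flexible mode Cloudflare always arrives over HTTP")
        return "Flexible mode would serve this origin over plain HTTP (status %s)" % code
    if cf_mode == "full":
        if tls_status == "tcp_error":
            return "521/522: origin port 443 refused or timed out: " + tls_detail
        if tls_status == "tls_error":
            return "525 SSL handshake failed: " + tls_detail
        return "origin handshake OK (%s); a 525 must come from elsewhere on the path" % tls_detail
    raise ValueError("unknown Cloudflare mode: %r" % cf_mode)


if __name__ == "__main__":
    origin, host = "192.0.2.10", "qb.home.example"      # assumed origin IP and host name
    for mode in ("flexible", "full"):
        print(mode, "->", explain(mode, tls_probe(origin, host), http_probe(origin, host)))
```

Point `origin` at the LAN address of the firewall (or whatever Caddy listens on) and `host` at each public name in turn; a handshake that succeeds for the GUI's name but fails for the qBittorrent or Portainer name isolates the problem to the certificate Caddy holds for that name rather than to Cloudflare or the firewall rules.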

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved