OPNsense Forum » Archive » 19.7 Legacy Series » Self signing and CA's - anyone make this work?
Topic: Self signing and CA's - anyone make this work? (Read 2915 times)
tre4bax (Full Member, Posts: 151, Karma: 4)
Self signing and CA's - anyone make this work?
« on: August 26, 2019, 10:30:06 pm »
Using the Let's Encrypt plugin I have happily provided a certificate for my NAS that works well, with one little exception. Let's Encrypt only allows a short renewal and this means I therefore have to keep updating my certificate. Surprisingly there seems no good universal way to achieve this renewal of certificates, so I thought I would create my own CA and issue my own certificates to use internally.
I followed the instructions and all that works. Issued a certificate, great. Can I get a browser to see it is allowable? Not a chance. They show it is a valid certificate, however they refuse to have the padlock in place.
I've added the CA to the certificate authorities and the Intermediate to the intermediate version. Still no dice. Has anyone anywhere managed to get this to work?
hbc (Hero Member, Posts: 501, Karma: 47)
Re: Self signing and CA's - anyone make this work?
« Reply #1 on: August 27, 2019, 04:46:54 am »
Where did you add it? Which client OS, which browser?
For Windows you usually add it to the user's cert store.
Run mmc.exe, load the certificate snap-in for the current user and add certificates to the specific sections. This can also be done via group policies or you need to provide oh in an AD domain.
Some browsers use their own cert store, then you have to add it directly to it.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
tre4bax (Full Member, Posts: 151, Karma: 4)
Re: Self signing and CA's - anyone make this work?
« Reply #2 on: August 27, 2019, 10:20:19 am »
I added the certificate into the browser. I'm using the new version of Edge, which is really a kind of Chrome, though I have tried it in Chrome too with no success.
I am pretty sure that the Manage certificates part of the new Edge just accesses the underlying store, as the certificates listed in the snap-in look the same. Can't be totally sure right now though as I am looking at it through my work computer, so will try on my home computer tonight. If only you could get longer expiry times on Let's Encrypt certificates...
hbc (Hero Member, Posts: 501, Karma: 47)
Re: Self signing and CA's - anyone make this work?
« Reply #3 on: August 27, 2019, 11:18:30 am »
Let's Encrypt has this ACME client that handles certificate renewal automatically. Usually you just have to set it up and do not have to care about renewals any more.
tre4bax (Full Member, Posts: 151, Karma: 4)
Re: Self signing and CA's - anyone make this work?
« Reply #4 on: August 27, 2019, 12:05:13 pm »
I use the ACME script to do this on the box that generates the certificates (OPNsense). The challenge is getting the certificate to all of the other boxes that use it. This is a pretty manual job.
Most of the boxes could separately be set up with ACME; the challenge with this is that all of the other boxes are within my local network, and to let Let's Encrypt get to them I would have to have multiple rules etc. to deliver port 80 to the boxes, and it all feels a bit complex when all I need is for the right certificate to be in the right places on each box. I guess I might have to manually adapt each box.
hbc (Hero Member, Posts: 501, Karma: 47)
Re: Self signing and CA's - anyone make this work?
« Reply #5 on: August 27, 2019, 02:03:02 pm »
Why a centralized ACME box and not running the ACME client on each box itself? Or if they are stripped-down Linux boxes with missing dependencies, then just use secure copy for distribution?
If you use your own CA and have to trust these certs by importing the cert chain, then you could just use the built-in/generated self-signed certs that those boxes usually provide. Not much difference. Import a root/intermediate CA valid for 2 years once on each client PC, or just trust these 2-year self-signed certs. Makes no difference.
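One way to script the secure-copy distribution hbc suggests, so that renewal on the central OPNsense/ACME box (Reply #4) no longer leaves the other hosts as a manual job. This is an added example from the editor, not code from this thread, from the acme.sh client or from OPNsense. It assumes key-based, non-interactive SSH from the ACME box to each internal host, openssl on the ACME box, and the certificate path and host list shown, all of which are constructed placeholders:

```shell
#!/bin/sh
# Added example (editor's illustration, not from this thread, acme.sh or
# OPNsense): a post-renewal deploy hook that pushes the renewed certificate
# to each internal host over scp, reads it back to confirm the fingerprint,
# and only then reloads the service that uses it.
# Assumed: key-based SSH to every target as a user that may write the
# certificate directory and run the reload command.
set -eu

# Where the ACME client leaves the renewed files (assumed layout).
CERT_SRC="${CERT_SRC:-/var/etc/acme-client/home.example}"

# Constructed target list, one "host|remote_dir|reload_command" per line.
TARGETS="${TARGETS:-nas.home.example|/etc/ssl/nas|service nginx reload
wiki.home.example|/etc/ssl/wiki|systemctl reload apache2}"

# Field accessors for one target entry.
target_host()   { printf '%s\n' "${1%%|*}"; }
target_dir()    { rest="${1#*|}"; printf '%s\n' "${rest%%|*}"; }
target_reload() { printf '%s\n' "${1##*|}"; }

# Transport and hashing helpers, kept separate so they are easy to swap
# (rsync instead of scp, for instance).
push_file()  { scp -q "$1" "$2:$3/"; }            # push_file SRC HOST DIR
remote_run() { ssh -o BatchMode=yes "$1" "$2"; }   # remote_run HOST COMMAND
cert_fingerprint() {                               # PEM on stdin -> SHA-256
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Deploy to one target. Returns 1 (and skips the reload) if a copy fails or
# the certificate read back from the host differs from what was sent.
deploy_one() {
  host=$(target_host "$1"); dir=$(target_dir "$1"); reload=$(target_reload "$1")
  for f in fullchain.pem privkey.pem; do
    push_file "$CERT_SRC/$f" "$host" "$dir" || return 1
  done
  sent=$(cert_fingerprint < "$CERT_SRC/fullchain.pem")
  got=$(remote_run "$host" "cat $dir/fullchain.pem" | cert_fingerprint)
  if [ "$sent" != "$got" ]; then
    echo "$host: fingerprint mismatch ($sent vs $got), not reloading" >&2
    return 1
  fi
  # The private key must not be world-readable on the target.
  remote_run "$host" "chmod 600 $dir/privkey.pem && $reload"
}

# Deploy to every target; keep going past failures and return their count
# so the ACME client (or cron) sees a non-zero status if any host was missed.
deploy_all() {
  failed=0
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    deploy_one "$entry" || failed=$((failed + 1))
  done <<EOF
$TARGETS
EOF
  return "$failed"
}

# Invoke as "deploy-certs.sh run" from the renewal hook or a cron job.
if [ "${1:-}" = run ]; then
  deploy_all
fi
```

The read-back fingerprint check is what makes this safe to automate: a service is only reloaded once the host provably holds the certificate that was just issued, and a failed or partial copy leaves the old certificate in place rather than a broken listener.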
tre4bax (Full Member, Posts: 151, Karma: 4)
Re: Self signing and CA's - anyone make this work?
« Reply #6 on: August 27, 2019, 02:30:19 pm »
I use the centralised OPNsense box as it is the only one directly attached to the internet. When Let's Encrypt certificates are created they need to access port 80 on the boxes, and this breaks the certificate creation.
Port 80 on the router is used in HAProxy to reroute certain services I want available outside, so that I can access them with a URL and have HAProxy reroute them internally to the right service and port number. I think it would be tricky to have 80 routed through for LE and still have the HAProxy stuff work too.