OPNSense HAProxy and Cloudflare

Started by lilsense, July 18, 2021, 02:21:09 PM

You must create an API token that has DNS permissions in Cloudflare and then configure that token for your validation in OPNsense.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

July 22, 2021, 04:56:58 PM #16 Last Edit: July 22, 2021, 05:11:54 PM by lilsense
So I ran:
./acme.sh --issue --home . -d 'domain.com' --dns dns_cf --debug 2

and got this:

[Thu Jul 22 10:49:09 EDT 2021] Can not find dns api hook for: dns_cf
[Thu Jul 22 10:49:09 EDT 2021] You need to add the txt record manually.
[Thu Jul 22 10:49:09 EDT 2021] Add the following TXT record:
[Thu Jul 22 10:49:09 EDT 2021] Domain: '_acme-challenge.domain.com'
[Thu Jul 22 10:49:09 EDT 2021] TXT value: '5PDYWLn6JD8_some_value_M4clBfO8vkwkgg'
[Thu Jul 22 10:49:09 EDT 2021] Please be aware that you prepend _acme-challenge. before your domain
[Thu Jul 22 10:49:09 EDT 2021] so the resulting subdomain will be: _acme-challenge.domain.com
[Thu Jul 22 10:49:09 EDT 2021] Dns record not added yet, so, save to ./domain.com/domain.com.conf and exit.
[Thu Jul 22 10:49:09 EDT 2021] Please add the TXT records to the domains, and re-run with --renew.
[Thu Jul 22 10:49:09 EDT 2021] _on_issue_err
[Thu Jul 22 10:49:09 EDT 2021] Please add '--debug' or '--log' to check more details.
[Thu Jul 22 10:49:09 EDT 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Thu Jul 22 10:49:09 EDT 2021] _chk_vlist
[Thu Jul 22 10:49:09 EDT 2021] Diagnosis versions:

What do I need to add to the conf file? It looks like it has a certain format.

This may be a bug, as I see this in the script attempting to use http-01...

challenges":[{"type":"http-01",

I decided to uninstall the letsencrypt and used the CF origin and CF cert directly. Now back to the original issue of setting up HAP. LOL.
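The "Can not find dns api hook for: dns_cf" line above is what acme.sh prints when it cannot locate the hook script under the directory given by --home, and the dns_cf hook itself needs a Cloudflare credential (CF_Token, or the legacy CF_Key and CF_Email pair) exported in the environment. The following pre-flight script is an added example, not code from the thread or from the acme.sh project: it checks both conditions before acme.sh is invoked, so the run fails early with a clear message instead of falling back to a manual TXT record. The dnsapi/ layout and the CF_* variable names are acme.sh's own; the function names are ours, and the acme.sh home path in the usage comment is an assumed example value.

```shell
#!/bin/sh
# Added pre-flight check for acme.sh with the Cloudflare DNS-01 hook.
# Assumption: acme.sh keeps its DNS hooks as <home>/dnsapi/<hook>.sh,
# and dns_cf reads CF_Token (or legacy CF_Key + CF_Email) from the environment.

# Returns 0 when <home>/dnsapi/<hook>.sh exists, 1 otherwise.
# A missing file here is exactly what produces
# "Can not find dns api hook for: <hook>" in acme.sh's output.
check_dns_hook() {
  home="$1"
  hook="$2"
  if [ -f "$home/dnsapi/$hook.sh" ]; then
    return 0
  fi
  echo "hook '$hook' not found under $home/dnsapi; check --home (running with --home . only works inside the acme.sh checkout)" >&2
  return 1
}

# Returns 0 when a Cloudflare credential is exported for dns_cf.
# Prefer a scoped API token (DNS edit permission on the zone only) over
# the legacy global key, which grants full account access.
check_cf_credentials() {
  if [ -n "${CF_Token:-}" ]; then
    return 0
  fi
  if [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ]; then
    echo "warning: using legacy CF_Key/CF_Email (global API key); a scoped CF_Token is safer" >&2
    return 0
  fi
  echo "no CF_Token (or CF_Key + CF_Email) exported; dns_cf cannot create the _acme-challenge TXT record" >&2
  return 1
}

# Runs both checks; exits non-zero on the first failure.
preflight() {
  check_dns_hook "$1" dns_cf && check_cf_credentials
}

# Usage (assumed install path, staging CA first as suggested later in the thread):
#   export CF_Token='<your scoped token>'
#   preflight /root/.acme.sh && \
#     /root/.acme.sh/acme.sh --issue --home /root/.acme.sh -d domain.com --dns dns_cf --staging
```

Run the pre-flight from the same shell in which you exported the token, because acme.sh reads the variable from its own environment; once the staging issuance succeeds, repeat without --staging for a production certificate.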

Why are you doing stuff from cli?
Cert and validation is all configured in the webui from lets encrypt plugin.

Use the staging environment until all is working then switch over to production.

Looks like you are making life hard for yourself.

Everything is done thru GUI with no success...

So, here's something funny... After uninstalling letsencrypt, HAProxy started working, but now it's stopped with this error...

   [d7908357-7f95-4ada-83be-6e8a3c85c3e7] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions --output bootgrid --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1.   
2021-07-22T12:42:19   configd.py[11318]   [2f872d65-6a03-4abb-9780-5a40222eee14] Script action failed with Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py show-servers --output bootstrap --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 479, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python3.7/subprocess.py", line 363, in check_call raise CalledProcessError(retcode, cmd) subprocess.CalledProcessError: Command '/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py show-servers --output bootstrap --page-rows '10' --page '1' --search '' --sort-col '' --sort-dir ''' returned non-zero exit status 1.

It's like hitting cinder blocks one at a time... LOL

OK.
So I cleaned up all the HAProxy, uninstalled it and reinstalled it back and went thru the tut: https://forum.opnsense.org/index.php?topic=23339.0

All was fine until the last portion of step 9, Public Front end.

I am not using Let's Encrypt. And now HAProxy will not start...

July 23, 2021, 04:10:19 PM #21 Last Edit: July 23, 2021, 09:08:03 PM by lilsense
Here's the HAP config:


After the patch update today... all is well... It's up and running. :)