Can I use Let's Encrypt without making my GUI available publicly?

Started by SE_marc, September 23, 2020, 10:02:09 PM

Hey all,

I've been looking into setting up a signed cert for my OPNsense webGUI and I see that I'll require an FQDN. I have a subdomain created with Google Domains but I don't want to open up the webGUI to the public internet permanently.

Here is the info in the Let's Encrypt > Validation section for IP address:

The FQDNs used in your certificate must currently point to one or more official IP addresses. Enter all of these IP addresses here. OPNsense will automatically create a temporary port forward to allow the Let's Encrypt validation to succeed. This will lead to a short downtime of the service that is normally used with these IP addresses.
NOTE: This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.


Does this mean that when I configure my subdomain to point to my router's public IP, a firewall rule will be created temporarily and then be removed?

I'm confused about the NOTE as well - where do the official IP addresses need to be configured locally?

You can use a DNS challenge with Letsencrypt instead of HTTP:

https://letsencrypt.org/docs/challenge-types/

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
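As an added illustration of why the DNS challenge avoids the temporary port forward (this is not code from the thread, from OPNsense or from its ACME client; the account key and token are constructed samples): the CA only resolves a TXT record, whereas HTTP-01 needs something answering on port 80.

```python
import base64
import hashlib
import json

# Let's Encrypt challenge maths per RFC 8555 (ACME) and RFC 7638 (JWK thumbprint).
# HTTP-01: the key authorization must be served on port 80 at the well-known path,
#          which is why OPNsense opens a temporary port forward for that mode.
# DNS-01:  only a hash of the key authorization is published in a TXT record, so
#          nothing on the firewall has to be reachable from the internet.

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Shared by both challenge types: <token>.<thumbprint of the ACME account key>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_url(fqdn: str, token: str) -> str:
    """Where the CA fetches the key authorization in HTTP-01 (plain HTTP, port 80)."""
    return f"http://{fqdn}/.well-known/acme-challenge/{token}"

def dns01_record_name(fqdn: str) -> str:
    """TXT owner name the CA queries in DNS-01."""
    return f"_acme-challenge.{fqdn.rstrip('.')}."

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT rdata: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)

def ca_validates_dns01(resolved_txt: list, token: str, account_jwk: dict) -> bool:
    """What the CA checks: is the expected value among the TXT answers it resolved?"""
    return dns01_txt_value(token, account_jwk) in resolved_txt

# Constructed sample account key (not a real key) and token, for the check below.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
SAMPLE_TOKEN = "constructed-token-0123456789"

if __name__ == "__main__":
    print(dns01_record_name("fw.example.com"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Running it prints the record you would publish in your DNS provider for the firewall's FQDN; the OPNsense plugin does this for you through your provider's API when you select a DNS validation method.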

You can use nginx or HAProxy on port 80 while moving the web interface to something else. Then you can reuse the certificate for the OPNsense internal webserver, or you can tunnel through the load balancer anyway.

Quote from: pmhausen on September 24, 2020, 08:44:40 AM
You can use a DNS challenge with Letsencrypt instead of HTTP:

https://letsencrypt.org/docs/challenge-types/

HTH,
Patrick


Yup, works really well on my EFA mail gateway. I selected the LetsEncrypt option then remembered port 80/443 were closed, I was surprised when it came back with challenge OK and it worked flawlessly. Now I can just forget about it.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Or set the WebUI to listen on LAN only.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support