ACME client not receiving certificates due to firewall?

Started by aida, March 27, 2023, 05:56:04 PM

For my homelab I've set up a custom ACME CA using this guide Build a Tiny Certificate Authority For Your Homelab. I was able to verify the configuration worked with Traefik on my server.

I started by adding an ACME account:

  • I created the ACME client account. Registration seems successful.
  • I clicked "Issue or renew certificate". I see a validation failure and no successful certificate.
  • Here you can see the challenge type. I used HTTP-01.
  • In the firewall we see a state violation.
  • And a more detailed look:

I tried making some rules but it didn't seem to help anything.

What is interesting is curl does appear to work, so it's only the response to requesting a certificate.

So I have thought about this again; maybe it does make more sense to use the DNS-01 challenge type. The goal is not to add too many moving parts to this, so I wanted to keep the authoritative part on the OPNsense device.

It seems it is possible to use BIND and Unbound together without conflict, as this post on Reddit points out. Unfortunately no documentation was provided. Currently I am using Unbound, and I have a few overrides set up there. I like Unbound because it lets me set an outgoing interface, which is currently set to my preferred WAN link.

Currently, some things about my network:
These are currently configured in Unbound with the "override" option.

  • Unbound is currently configured and forwarding DNS requests from my LAN-side VLANs.
  • Unbound is currently configured with a few overrides for various devices on my LAN.

  • I'm a bit stuck as to how to fill in the challenge type for my OPNsense router:
  • The settings for the BIND configuration:

    I noticed in the documentation it says to leave that as port 53530 so that it doesn't interfere with Unbound.

  • How might I go about configuring the master zone?


OPNsense BIND plugin

There seems to be no way to set the user API key/token in the BIND plugin.

I noticed some other options:

ACME DNS:

Not sure about this one. Perhaps something I could set up on my server in a container or something.

nsupdate:

Perhaps this is an option.

The main goal I am trying to achieve is to get signed certificates from my step-ca server without having to depend on services on the internet (i.e. using the WAN).
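One way to wire together the DNS-01 pieces discussed in this post (BIND on port 53530 beside Unbound, the master zone, and the nsupdate option), as an added example and not configuration from the thread, the OPNsense plugin or step-ca: BIND answers authoritatively for the lab zone on 53530, Unbound on port 53 hands queries for that zone to it, and a TSIG key is allowed to change only the `_acme-challenge` TXT record of the host being validated. The zone `home.lab`, host `fw`, key name, secret and file paths are placeholders.

```conf
// ---- named.conf fragment (BIND, authoritative only) ----
options {
    listen-on port 53530 { 127.0.0.1; };   // off port 53 so Unbound keeps it
    recursion no;                           // Unbound does recursion, not BIND
};

// TSIG key used by the ACME client's DNS-01 hook (placeholder secret;
// generate a real one with: tsig-keygen acme-update)
key "acme-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "home.lab" {
    type master;
    file "/var/named/home.lab.db";          // placeholder zone file path
    // Least privilege: the key may only write the challenge TXT record
    // for this host. Add one grant line per hostname you issue certs for.
    update-policy {
        grant acme-update name _acme-challenge.fw.home.lab. TXT;
    };
};

; ---- nsupdate batch the DNS-01 hook feeds to:
;      nsupdate -y hmac-sha256:acme-update:REPLACE_WITH_BASE64_SECRET -
server 127.0.0.1 53530
zone home.lab.
update delete _acme-challenge.fw.home.lab. TXT
update add _acme-challenge.fw.home.lab. 60 TXT "TOKEN_FROM_ACME_CLIENT"
send

# ---- unbound.conf fragment (resolver on port 53) ----
server:
    do-not-query-localhost: no      # default refuses 127.0.0.1; needed for the stub
    domain-insecure: "home.lab"     # unsigned private zone: skip DNSSEC validation
stub-zone:
    name: "home.lab"
    stub-addr: 127.0.0.1@53530      # send home.lab queries to BIND
```

The host running step-ca must use this Unbound instance as its resolver, otherwise the CA never sees the TXT record and the DNS-01 challenge fails just like the HTTP-01 one.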

I am using step-ca as well for all my home configs, and it is working... partially... with OPNsense.

In fact, trying to troubleshoot, I stumbled across your post. My issue is different: I can get step-ca to work with HTTP validation, but I cannot get it to renew quickly, as OPNsense seems to think that a renewal is not required.

My issue/thread is here:

https://forum.opnsense.org/index.php?topic=34054.0

Did you get yours working? If not, I can share my configs that got me to start the renewal - I am just trying to figure out how to get it to actually renew when the cron job tells it to do so.