letsencrypt on OPNsense

Started by Julien, September 15, 2017, 12:20:18 AM

September 15, 2017, 12:20:18 AM Last Edit: September 15, 2017, 12:28:06 AM by Julien
Hi Guys,
Can we use Let's Encrypt on OPNsense to generate an SSL certificate for web servers we have on the LAN, or is it meant just for OPNsense itself?
I have just been reading about this lately and thought it a great feature.
DEC4240 – OPNsense Owner

Theoretically you could export the certificate and import it on the server. However, it makes more sense to terminate TLS on OPNsense and forward the connection unencrypted or protected with a self-signed / internal-CA-signed certificate. Internal CAs can last longer, and OPNsense can refresh the Let's Encrypt certificate automatically, so the client will not see any warnings for TLS issues.

Is there some REST API to get a specific certificate from OPNsense?

I have an Exchange server behind OPNsense and I need the Let's encrypt certificate on the Exchange box (for explicit encryption via STARTTLS) AND on the OPNsense box (for HAProxy -> OWA).

Right now I export the certificate manually every three months, but it would be nice to automate that process.

September 15, 2017, 03:05:32 PM #3 Last Edit: September 15, 2017, 03:07:16 PM by fabian
System -> Trust has afaik not yet been migrated to MVC and therefore offers no API.

EDIT: There should be a download button for the certificate. You can use this request to download it automatically.

The button points to system_certmanager.php?act=p12&id=12. I'm guessing this ID will change as soon as the LE plugin renews the certificate.
I don't particularly want to download the old one again ;)

September 15, 2017, 05:14:30 PM #5 Last Edit: September 16, 2017, 02:11:14 PM by Julien
Hi Chris,
you can try Let's Encrypt Win.
It works fine on Windows Server 2012/2016.
I have been using this for over six months now and the renewal works out of the box.
If you need help implementing this, I can help you so you won't need to export and import the certificate.
Quote from: fabian
Theoretically you could export the certificate and import it on the server. However, it makes more sense to terminate TLS on OPNsense and forward the connection unencrypted or protected with a self-signed / internal-CA-signed certificate. Internal CAs can last longer, and OPNsense can refresh the Let's Encrypt certificate automatically, so the client will not see any warnings for TLS issues.
Can you explain more how to get this fixed ?
DEC4240 – OPNsense Owner

Thank you, that's what I had before. But I need the cert on both the OPNsense boxes (for OWA via HAProxy) and on the Exchange boxes (for SMTP + STARTTLS).
It's just a couple of clicks and a Powershell script, but I have to remember to do it - so automation would be nice.

(I could of course move OWA to another subdomain and have separate certificates, but the customers are used to mail.domain.com, so I'd rather not.)
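The Exchange side of the automation asked for above, as an added example that is not part of the thread and not code from OPNsense or Microsoft. It assumes the PKCS#12 exported from OPNsense's certificate manager has already been copied to the Exchange box (the legacy certmanager page has no API and its download id changes on renewal, so the fetch itself is left out), and it is meant to run from the Exchange Management Shell. The path, password and hostname are hypothetical. The point it adds to the discussion is the check before import: compare thumbprints so the same certificate is not re-imported every run, verify the name customers use is covered, and only rebind SMTP and IIS once the new certificate is in place.

```powershell
# Added example: install a renewed Let's Encrypt certificate on Exchange only
# when it is actually new, then bind it to SMTP (STARTTLS) and IIS (OWA).
# Run from the Exchange Management Shell.
#
# Assumptions (hypothetical values, adjust to your environment):
#   - $PfxPath is the PKCS#12 exported from OPNsense (System -> Trust ->
#     Certificates, download button) and copied to this server.
#   - $PfxPassword is the password the export was protected with, or '' if none.
#   - $RequiredName is the public name customers use for mail and OWA.

param(
    [string]$PfxPath      = 'C:\certs\opnsense-le.p12',
    [string]$PfxPassword  = '',
    [string]$RequiredName = 'mail.domain.com'
)

# Load the PKCS#12 into memory only, so it can be inspected before it touches a store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

# 1. Sanity checks on the downloaded file.
if (-not $new.HasPrivateKey) {
    throw "The export at $PfxPath does not contain the private key; re-export as PKCS#12 with key."
}
if ($new.NotAfter -lt (Get-Date).AddDays(7)) {
    throw "Certificate expires $($new.NotAfter); refusing to install something already (nearly) expired."
}
# DnsNameList is the SAN list as exposed by PowerShell's X509Certificate2 type adapter.
$names = @($new.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $RequiredName) {
    throw "Certificate does not cover $RequiredName (has: $($names -join ', '))."
}

# 2. Is this the certificate Exchange already serves? Compare thumbprints, not
#    file names or download ids (the certmanager id changes on renewal).
$current = Get-ExchangeCertificate |
    Where-Object {
        ($_.Services -match 'SMTP') -and
        ((@($_.CertificateDomains | ForEach-Object { $_.ToString() })) -contains $RequiredName)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if ($current -and $current.Thumbprint -eq $new.Thumbprint) {
    Write-Output "Exchange already uses $($new.Thumbprint) (expires $($new.NotAfter)); nothing to do."
    return
}

# 3. Import the PKCS#12 bytes, then enable it for the services fronting SMTP/STARTTLS and OWA.
$bytes = [System.IO.File]::ReadAllBytes($PfxPath)
$importArgs = @{ FileData = $bytes; PrivateKeyExportable = $true }
if ($PfxPassword) {
    $importArgs.Password = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
}
$imported = Import-ExchangeCertificate @importArgs

# -Force suppresses the "replace the default SMTP certificate?" prompt so this
# can run unattended from a scheduled task.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services 'SMTP','IIS' -Force
Write-Output "Installed $($imported.Thumbprint), valid until $($imported.NotAfter)."

# 4. The superseded certificate is left in place; report it so it can be removed
#    once the new binding has been verified (it may still be bound to IMAP/POP).
if ($current) {
    Write-Output "Superseded certificate still present: $($current.Thumbprint) (expires $($current.NotAfter))."
}
```

Running this daily from a scheduled task is harmless: on every run where the file on disk still matches what Exchange serves it exits at step 2 without importing anything, and it only rebinds SMTP and IIS after a certificate that covers the expected name has been imported, so there is no window without a valid certificate on either service.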

September 18, 2017, 02:52:38 PM #7 Last Edit: September 18, 2017, 11:47:10 PM by Julien
Quote from: ChrisH on September 17, 2017, 03:06:21 PM
Thank you, that's what I had before. But I need the cert on both the OPNsense boxes (for OWA via HAProxy) and on the Exchange boxes (for SMTP + STARTTLS).
It's just a couple of clicks and a Powershell script, but I have to remember to do it - so automation would be nice.

(I could of course move OWA to another subdomain and have separate certificates, but the customers are used to mail.domain.com, so I'd rather not.)
Today I tried the latest release and it does create a renewal task within the Windows server.
The HAProxy side is still complicated to get things fixed. I already spoke to Frankei and he mentioned that there would be a new release which will simplify things.
So I use it now until the new release of HAProxy.
DEC4240 – OPNsense Owner