Letsencrypt certificate export or HA proxy config? Need opinion

[bobbythomas]

Hi OPNSensers,

I am a bit confused here, trying to think of a method to implement a solution. Here are some details about the issue I am currently facing. I have an Openhab server for automation in the inside and I have access to it over http/https only from inside. There are some android apps which require https and public ca signed certificate for api access (as from Android 10 they have those restrictions). I have Letsencrypt service running for CA cert which signs my ddns domain. I previously had pi-hole where I have created a static DNS A record for my ddns domain pointing to Openhab and then I imported the Letsencrypt certificate to openhab from OPNSense, after this android app worked well. Now I have moved away from pi-hole as I am now using Unbound and Bind for dns filtering. Also it's very hectic to manually import the certificate to the openhab every three months, so I want to know if I can use HA proxy for this purpose. I only need to access this server from inside and vpn networks and not from outside but I need it to use the Letsencrypt cert for ssl.

It maybe a little confusing to you to follow, but let me know if you require any additional details.

Thanks in advance
Regards,
Bobby Thomas

[lebernd]

Hi Bobby,

I want to know if I can use HA proxy for this purpose.

Yes, you can.

The howto is clear? Just out of my head:
- move opnsense-GUI away now from 443 if you didn't do that already
- install LE-plugin -> test and get certs
- create a virt-ip for the HAproxy-frontend (aka 'public service' now) on a network that can be accessed from inside and vpn
- setup HAproxy offloading with 'real server', backend, conditions, rules etc. for openhab.

I'm running a similar setup with homeassistant.

Best,
Bernd

[bobbythomas]

Thank you for the suggestion Bernd, I will give it a try with HA Proxy, the only concern I am having is with name resolution from inside and how to configure rules in HA Proxy according to that.

Regards,
Bobby Thomas

[lebernd]

I don't use unbound for homeassistant but for other haproxy services that depend also on LE and I don't have problems. Inside and vpn are redirected to the local address (the new virt-ip of the haproxy-frontend) but LE is working and looking for the official dns-servers.

Edit:
the condition and rule is simple:
cond: host starts (match or end will most likely be also possible) with: fqdn / or something like it
rule: it cond -> execute function use backend ...
rule selected/applied on the frontend then.

Best regards,
Bernd

[Gauss23]

Why don’t you just use split-dns for this? OPNsense is handling letsencrypt on public ip. Then you define an override in unbound for the same hostname as you used for the letsencrypt cert with the internal IP of the OPNsense.

[bobbythomas]

I don't use unbound for homeassistant but for other haproxy services that depend also on LE and I don't have problems. Inside and vpn are redirected to the local address (the new virt-ip of the haproxy-frontend) but LE is working and looking for the official dns-servers.

Edit:
the condition and rule is simple:
cond: host starts (match or end will most likely be also possible) with: fqdn / or something like it
rule: it cond -> execute function use backend ...
rule selected/applied on the frontend then.

Best regards,
Bernd

I got it working for LAN, I will go through the VPN part in sometime, Thank you for your valuable suggestion.

Regards,
Bobby Thomas

[bobbythomas]

Why don’t you just use split-dns for this? OPNsense is handling letsencrypt on public ip. Then you define an override in unbound for the same hostname as you used for the letsencrypt cert with the internal IP of the OPNsense.

I thought of doing this but I will have to import the cert from firewall and update than on the server every 3  months. So I thought I will go with HA Proxy.

Regards,
Bobby Thomas