Can I challenge let's encrypt with opnsense natted?

[mgiammarco]

Hello,
I have an opnsense under a fttc modem. The wan in opnsense has a private ip (10.0.0.42).
It is not a so strange setup.
I would like to generate a letsencrypt certificate.
I cannot use dns challenge because my dns provider does not support api.
I need to use http challenge but my public ip is not locally configured on wan.
So what can I do, can you help me?
Thanks,
Mario

[FingerlessGloves]

Are you actually going to be hosting any services at home?

Could you not create a internal CA on OPNsense, install it to your device and then create a Certificate for OPNsense for this?

[Greelan]

I haven’t used the LE plugin in OPNsense but isn’t it enough if port 80 is forwarded to OPNsense from whatever has the public IP configured (your fttc modem)? I would have thought it would be enough that the OPNsense box can be reached on the relevant domain

[mgiammarco]

Are you actually going to be hosting any services at home?

Could you not create a internal CA on OPNsense, install it to your device and then create a Certificate for OPNsense for this?

Thanks but I want to use opnsense as a Web Application Firewall and I need that people can use services with a real certificate.

[mgiammarco]

I haven’t used the LE plugin in OPNsense but isn’t it enough if port 80 is forwarded to OPNsense from whatever has the public IP configured (your fttc modem)? I would have thought it would be enough that the OPNsense box can be reached on the relevant domain

If you see in the challenge type there is clearly written three times:
NOTE:This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.

In addition to this I have also discovered in this forum that port 80 is not enough because in "settings/advanced" there is also "local http port" that is a random port used for challenging

[Greelan]

OK. As I said, I haven’t used the plugin. I know the http challenge works in other contexts (not OPNsense) where only a local IP is configured, so thought I’d raise the question. The LE plugin must be more limited somehow

[mgiammarco]

OK. As I said, I haven’t used the plugin. I know the http challenge works in other contexts (not OPNsense) where only a local IP is configured, so thought I’d raise the question. The LE plugin must be more limited somehow

I agree. Infact it seems to me too complex to setup. I was on it several hours without progress.

[FingerlessGloves]

Simplest solution is just to change DNS provider.

Who's your DNS provider currently?

I recommend you use Cloud Flare, their pretty good, plus you can use them as a CDN/Proxy and protect the origin easier from DDOS, plus other features There is a free tier, works fine and I've used it for years.

Edit: Just tested DNS challenge with Cloudflare, worked a treat, no messing with port forwarding and works behide NAT'd network. Cause my lab opnsense is NAT'd behind my main opnsense.

[mgiammarco]

Sorry but I live in Italy, I have italian dns provider that offers me italian dns domains at a low price and I have also an hosting contract with him. It is easier for me to change OPNSense at this point...

[FingerlessGloves]

You don't change who you've registered the domain with but who your DNS provider is.

You change the name servers from their free provided DNS to Cloudflare. For example, I have my domain with NameCheap and then I use CloudFlare DNS.

Am I right in saying this OPNsense your working on is be hide another OPNsense or firewall?

[lfirewall1243]

It's working

You just have to point your DNS Names to your public IP. And forward Port 80 maybe 443 as well to your OPNsense

[FingerlessGloves]

It's working

You just have to point your DNS Names to your public IP. And forward Port 80 maybe 443 as well to your OPNsense

Have you tested this then?

I thought what they might need to do, is port forward the "Local HTTP Port" found in "Services: Let's Encrypt: Settings", and then once that's forwarded it may kick in to action. So when the HTTP challenge is done, that port its already forwarded to the OPNsense box making the request, so it should then work.

I'm guessing he's done the DNS A record to point to his WAN IP on the first router/firewall.

[lfirewall1243]

It's working

You just have to point your DNS Names to your public IP. And forward Port 80 maybe 443 as well to your OPNsense

Have you tested this then?

I thought what they might need to do, is port forward the "Local HTTP Port" found in "Services: Let's Encrypt: Settings", and then once that's forwarded it may kick in to action. So when the HTTP challenge is done, that port its already forwarded to the OPNsense box making the request, so it should then work.

I'm guessing he's done the DNS A record to point to his WAN IP on the first router/firewall.

Yes have it running on many systems

[iislas18]

@lfirewall1243,

Can you provide screenshots of the changes you made? I am also needing this and yes I am providing services.

Thanks,

[KHE]

Hi,

you do not need to add rules to OPNsenese apart from accepting the port 80 on the WAN. The Let's Encrypt Plugin will do the port forwarding automatically if you set the Challenge to HTTP-01 and select OPNsense Web Service (automatic port forward). You can also choose HAProxy there, but this is only needed, if you need port 80 for something you use HAProxy for.

KH

PS: the rule is no longer active, because I switched to DNS-01 Challenge