Author Topic: Can I challenge let's encrypt with opnsense natted?  (Read 3627 times)

mgiammarco

Can I challenge let's encrypt with opnsense natted?
« on: March 07, 2021, 01:23:27 am »
Hello,
I have an OPNsense under an FTTC modem. The WAN in OPNsense has a private IP (10.0.0.42).
It is not such a strange setup.
I would like to generate a Let's Encrypt certificate.
I cannot use the DNS challenge because my DNS provider does not support an API.
I need to use http challenge but my public ip is not locally configured on wan.
So what can I do, can you help me?
Thanks,
Mario

FingerlessGloves

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #1 on: March 07, 2021, 01:44:37 am »
Are you actually going to be hosting any services at home?

Could you not create an internal CA on OPNsense, install it on your device and then create a certificate for OPNsense from it?

Greelan

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #2 on: March 07, 2021, 03:49:48 am »
I haven’t used the LE plugin in OPNsense, but isn’t it enough if port 80 is forwarded to OPNsense from whatever has the public IP configured (your FTTC modem)? I would have thought it would be enough that the OPNsense box can be reached on the relevant domain.

mgiammarco

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #3 on: March 07, 2021, 11:19:08 am »
Quote from: FingerlessGloves on March 07, 2021, 01:44:37 am
Are you actually going to be hosting any services at home?

Could you not create an internal CA on OPNsense, install it on your device and then create a certificate for OPNsense from it?
Thanks, but I want to use OPNsense as a Web Application Firewall and I need people to be able to use services with a real certificate.

mgiammarco

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #4 on: March 07, 2021, 11:22:51 am »
Quote from: Greelan on March 07, 2021, 03:49:48 am
I haven’t used the LE plugin in OPNsense, but isn’t it enough if port 80 is forwarded to OPNsense from whatever has the public IP configured (your FTTC modem)? I would have thought it would be enough that the OPNsense box can be reached on the relevant domain.
If you look at the challenge type, it is clearly written three times:
NOTE: This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.

In addition to this, I have also discovered in this forum that port 80 is not enough, because under "Settings/Advanced" there is also a "Local HTTP Port", a random port used for the challenge.


Greelan

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #5 on: March 07, 2021, 11:26:04 am »
OK. As I said, I haven’t used the plugin. I know the HTTP challenge works in other contexts (not OPNsense) where only a local IP is configured, so I thought I’d raise the question. The LE plugin must be more limited somehow.

mgiammarco

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #6 on: March 07, 2021, 02:40:54 pm »
Quote from: Greelan on March 07, 2021, 11:26:04 am
OK. As I said, I haven’t used the plugin. I know the HTTP challenge works in other contexts (not OPNsense) where only a local IP is configured, so I thought I’d raise the question. The LE plugin must be more limited somehow.
I agree. In fact it seems too complex to set up. I was on it for several hours without progress.

FingerlessGloves

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #7 on: March 07, 2021, 02:46:31 pm »
Simplest solution is just to change DNS provider.

Who's your DNS provider currently?

I recommend you use Cloudflare; they're pretty good, plus you can use them as a CDN/proxy and protect the origin more easily from DDoS, plus other features :) There is a free tier, it works fine and I've used it for years.

Edit: Just tested the DNS challenge with Cloudflare, worked a treat, no messing with port forwarding, and it works behind a NAT'd network, because my lab OPNsense is NAT'd behind my main OPNsense.
« Last Edit: March 07, 2021, 02:51:31 pm by FingerlessGloves »

mgiammarco

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #8 on: March 07, 2021, 06:23:48 pm »
Sorry, but I live in Italy. I have an Italian DNS provider that offers me Italian DNS domains at a low price, and I also have a hosting contract with them. It is easier for me to change OPNsense at this point...

FingerlessGloves

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #9 on: March 07, 2021, 06:32:03 pm »
You don't change who you've registered the domain with, but who your DNS provider is.

You change the name servers from their free provided DNS to Cloudflare. For example, I have my domain with NameCheap and then I use Cloudflare DNS.

Am I right in saying this OPNsense you're working on is behind another OPNsense or firewall?

lfirewall1243

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #10 on: March 07, 2021, 07:16:51 pm »
It's working.

You just have to point your DNS names to your public IP, and forward port 80, maybe 443 as well, to your OPNsense.

FingerlessGloves

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #11 on: March 07, 2021, 07:21:44 pm »
Quote from: lfirewall1243 on March 07, 2021, 07:16:51 pm
It's working.

You just have to point your DNS names to your public IP, and forward port 80, maybe 443 as well, to your OPNsense.

Have you tested this then?

I thought what they might need to do is port forward the "Local HTTP Port" found in "Services: Let's Encrypt: Settings", and then once that's forwarded it may kick into action. So when the HTTP challenge is done, that port is already forwarded to the OPNsense box making the request, so it should then work.

I'm guessing he's done the DNS A record to point to his WAN IP on the first router/firewall.

lfirewall1243

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #12 on: March 09, 2021, 10:17:37 pm »
Quote from: FingerlessGloves on March 07, 2021, 07:21:44 pm
Quote from: lfirewall1243 on March 07, 2021, 07:16:51 pm
It's working.

You just have to point your DNS names to your public IP, and forward port 80, maybe 443 as well, to your OPNsense.

Have you tested this then?

I thought what they might need to do is port forward the "Local HTTP Port" found in "Services: Let's Encrypt: Settings", and then once that's forwarded it may kick into action. So when the HTTP challenge is done, that port is already forwarded to the OPNsense box making the request, so it should then work.

I'm guessing he's done the DNS A record to point to his WAN IP on the first router/firewall.
Yes, I have it running on many systems.

iislas18

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #13 on: May 05, 2021, 04:46:55 pm »
@lfirewall1243,

Can you provide screenshots of the changes you made? I am also needing this and yes I am providing services.

Thanks,

KHE

Re: Can I challenge let's encrypt with opnsense natted?
« Reply #14 on: May 05, 2021, 06:36:16 pm »
Hi,

you do not need to add rules to OPNsense apart from accepting port 80 on the WAN. The Let's Encrypt plugin will do the port forwarding automatically if you set the challenge to HTTP-01 and select "OPNsense Web Service (automatic port forward)". You can also choose HAProxy there, but this is only needed if you need port 80 for something you use HAProxy for.

KH

PS: the rule is no longer active, because I switched to DNS-01 Challenge

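The thread converges on two points: for HTTP-01 the Let's Encrypt validator must be able to reach port 80 on the box holding the account key, which behind an FTTC modem means a port forward on the modem plus the plugin's own forward to its "Local HTTP Port" (FingerlessGloves's and KHE's posts), while DNS-01 (FingerlessGloves's Cloudflare test) needs no inbound path at all. The following script is an added example, not code from the thread or from the OPNsense plugin. It computes the key authorization both challenge types derive from (RFC 8555 section 8.1, thumbprint per RFC 7638) and then models the modem/OPNsense NAT chain as a small DNAT simulation so you can see which configurations the CA's check passes. The token, the account JWK, the local challenge port 43580, and the host names are constructed for the example; the NAT model is a simplification that ignores the source-address and hairpin details of real pf rules.

```python
import base64
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# All tokens, keys, ports and host names below are constructed for the example.
LOCAL_HTTP_PORT = 43580  # stands in for the plugin's "Local HTTP Port" setting
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed ACME token
ACCOUNT_JWK = {"crv": "P-256", "kty": "EC", "x": "CONSTRUCTED-X", "y": "CONSTRUCTED-Y"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, keys sorted,
    no whitespace. The caller passes only the required members."""
    canonical = json.dumps(jwk, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())

def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint of the account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_body(token: str, jwk: Dict[str, str]) -> str:
    """Body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, jwk)

def dns01_txt(token: str, jwk: Dict[str, str]) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>; no inbound port needed."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())


@dataclass
class Host:
    """One NAT hop: ports its WAN rules accept, its DNAT rules, and its own listeners."""
    name: str
    accept: Set[int] = field(default_factory=set)
    forwards: Dict[int, Tuple["Host", int]] = field(default_factory=dict)
    listeners: Dict[int, Callable[[str], Optional[str]]] = field(default_factory=dict)

def deliver(entry: Host, port: int, path: str, max_hops: int = 8) -> Optional[str]:
    """Follow DNAT rules from the host holding the public IP until a listener
    answers. None models the refusal or timeout the CA's validator would see."""
    host, prev = entry, None
    for _ in range(max_hops):
        if host is not prev and port not in host.accept:
            return None  # entering a new hop whose WAN rules drop this port
        prev = host
        if port in host.listeners:
            return host.listeners[port](path)
        if port not in host.forwards:
            return None  # accepted, but nothing listens or forwards here
        host, port = host.forwards[port]
    return None

def validate_http01(public_host: Host, token: str, expected: str) -> bool:
    """The CA side of HTTP-01: fetch the token path over port 80 and compare bodies."""
    body = deliver(public_host, 80, f"/.well-known/acme-challenge/{token}")
    return body is not None and body.strip() == expected

def build_opnsense(jwk: Dict[str, str]) -> Host:
    """OPNsense with WAN 10.0.0.42: a WAN rule accepting 80 and the plugin's
    automatic forward of WAN:80 to the local challenge port."""
    opn = Host("opnsense-wan-10.0.0.42", accept={80})
    opn.forwards[80] = (opn, LOCAL_HTTP_PORT)
    served = http01_body(TOKEN, jwk)
    opn.listeners[LOCAL_HTTP_PORT] = (
        lambda path: served if path == f"/.well-known/acme-challenge/{TOKEN}" else None
    )
    return opn

def scenarios() -> Dict[str, bool]:
    """Which configurations of the modem/OPNsense chain pass the CA's check."""
    expected = http01_body(TOKEN, ACCOUNT_JWK)
    results: Dict[str, bool] = {}
    # 1. Modem holds the public IP and forwards nothing: the thread's starting point.
    modem = Host("fttc-modem-public-ip", accept={80})
    results["modem_no_forward"] = validate_http01(modem, TOKEN, expected)
    # 2. Modem forwards 80 to OPNsense; the plugin forwards on to the local port.
    modem.forwards[80] = (build_opnsense(ACCOUNT_JWK), 80)
    results["port80_forwarded"] = validate_http01(modem, TOKEN, expected)
    # 3. Same modem forward, but no WAN rule on OPNsense accepting port 80.
    blocked = build_opnsense(ACCOUNT_JWK)
    blocked.accept.clear()
    modem.forwards[80] = (blocked, 80)
    results["wan_rule_missing"] = validate_http01(modem, TOKEN, expected)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}")
    print("DNS-01 TXT value:", dns01_txt(TOKEN, ACCOUNT_JWK))
```

Running it shows only the second scenario passing: the validator never needs the public IP to be configured on OPNsense itself, it needs a complete port-80 path from the public address to whatever serves the key authorization, and KHE's "accept port 80 on the WAN" rule is the step most often missed once the modem forward exists. The `dns01_txt` value is what the plugin would publish if you switched to DNS-01 as several posters suggest; nothing in the chain above is consulted for it.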