Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[xkpx]

Lovely , Thanks for hard work !
Question: is it possbile to cover somehow  multi domain wildcard (for www.firewall.network.com ) -

I got problem with this settings it covers the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com

Any idea how to issue one cert for all services with subdomains and 1st level domain and www.
Or what is the right way to do this , or maybe to redirect www -> *.network.com without it?

** So far i issued new cert and added in HaProxy and its working so i guess this is the way
www.dev.network.com

[TheHellSite]

Lovely , Thanks for hard work !
Question: is it possbile to cover somehow  multi domain wildcard (for www.firewall.network.com ) -

I got problem with this settings it covers the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com

Any idea how to issue one cert for all services with subdomains and 1st level domain and www.
Or what is the right way to do this , or maybe to redirect www -> *.network.com without it?

** So far i issued new cert and added in HaProxy and its working so i guess this is the way
www.dev.network.com

If you want to cover also the base domain and not only the subdomains of it, then you will have to change the certificate settings to:

Common Name: yourdomain.com
Alt names: *.yourdomain.com

You will also have to create a rule in HAProxy to respond to requests on your base domain (yourdomain.com). Alternatively just set the desired backend for your basedomain (i.e. WWW_backend) as default backend on the 1_HTTPS_frontend.

In the end you should have a working certificate and HAProxy redirection for all your subdomains (i.e. cloud.yourdomain.com) and your base domain (yourdomain.com).

[phamd4]

Hello,

Thank you so much for writing this guide.

I were able to get this working and got the A+ authentication as well as access my server from outside network. I tested using VPN and everything work including the lock on https.

However, I'm running in to problem with the very last part which is accessing my server using https within my network.

Attatched is the screenshot of my setting in unbound dns. I also made sure that unbound dns service is running as well.

Thank you again.

[TheHellSite]

Check that the client devices in you LAN are actually using unbound dns resolver.

Edit: You have to put the OPNsense LAN IP in the DNS overide. Not the IP of the service. I explicitly say this in the tutorial.

[schnerring]

I upgraded to 22.7. HAProxy spits out some deprecation warnings, but my config seems to be working fine.

edit: a PR with a fix has already been merged, so we just have to wait for a new haproxy plugin release

[phamd4]

Hello,

Sorry for bothering you again. I have to restart my opnsense because my piHole were messing it up so I did a clean install. However, this time I am getting stuck at the last step verifying SSL to get the A+ score.

I received an error "Assessment failed: No secure protocols supported" I've tried to went back and double check my setting and I couldn't find any error. Checked my ACME and registered, my cert is verified okay. The ip of my domain is updated automatically on the server.

My goal is to aim to get this certified so I could use my domain to add to my adguard to implement DNS over HTTPS to block ad that route as well.

I'm also included the attachments you have requested.

THank you so much for your time.

[phamd4]

Hello,

I've tried to fresh re-installed Opnsense and followed your step again and finally i got A rating. not A plus but i think it worked.

Thank you so much.

This time I read your comment and got to accessed the local as well. However, for some reason I'm still getting blocked by my ISP router.

If I connected from external network I received 503 Service Unavailble. I think this make sense since I didn't allow external IP to connect my server yet (which is one of your last step)

When I connected from my lan network, my ISP router log-in page keep popping up. I've tried to put my Opnsense router to the DMZ port and tried to port forward 80 and 443 of my router internal LAN ipaddress but still didn't work. I couldn't get pass my ISP router's log in page.

Thank you again for taking your time and write this.

[phamd4]

Sorry, I forgot to add my config log

[phamd4]

Hello,

I think I figured it out.

My mistake were at the very last step where you now have everything setup and wildcard which is *.zzzz.com. I copied the screenshot without understanding what I'm doing so I remove my host and kept it as zzzz where my domain is .com and I were able to access my TrueNas.

Then I understand about the public and local domain if I put my map at my local domain then i can only access it via local network. if I put it at the public map files then I can  access it at the external network and local network. Do I have it understand correctly?

However I have this one last problem I hope you can help me point out. I have adguard installed on the same IP as my opnsense. I changed my port https of my opnsense according to your guide and the port adguard's web UI listening is also different. However, when I add them in the Real server according to their port which they currently listening to. I cannot get them working. It still happening where my external network connect to it, I have the 503 error which make sense since I am only allow local. But when I access them locally I hit the ISP main router log-in page.

I hope what i wrote make sense. I'm so close, I hope someone can guide me to the right direction.

Thank you all.

[8dgrpsu]

Thanks for this guide saved me after 2 days, the next bit is passing remote desktop through, i saw this Reddit post but I am not sure how i add to your setup or do I need to create new?

https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/

[TheHellSite]

Then I understand about the public and local domain if I put my map at my local domain then i can only access it via local network. if I put it at the public map files then I can  access it at the external network and local network. Do I have it understand correctly?

Yes.

However I have this one last problem I hope you can help me point out. I have adguard installed on the same IP as my opnsense. I changed my port https of my opnsense according to your guide and the port adguard's web UI listening is also different. However, when I add them in the Real server according to their port which they currently listening to. I cannot get them working. It still happening where my external network connect to it, I have the 503 error which make sense since I am only allow local. But when I access them locally I hit the ISP main router log-in page.

Well I can't help you there... If your other services are working then you probably have your internal network misconfigured, given that you have another router in front of your opnsense.

[TheHellSite]

Thanks for this guide saved me after 2 days, the next bit is passing remote desktop through, i saw this Reddit post but I am not sure how i add to your setup or do I need to create new?

https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/

1. You can easily add this to my/your current setup. Just follow the guide in the reddit thread.

2. Not related to my tutorial so I won't be helping here.

[phamd4]

Hello,

I finally got it.

I think my problem were that my firefox browser keep pusing the connection to http thus my ISP router log-in page keep pop up. However, when I use edge or chrome the https connection pushed through and I were able to access the service.

May I ask how would I fix this problem? I tried to delete the certificate from firefox and tried to re-install the firefox but when I tried to access my service it keep asking me this connection is not secured and forced me to use http.

Thank you again.

[TheHellSite]

Delete all of the firefox history (cache, cookies, website settings ...).
if that doesn't work, it is your network, not your browser.

[Aphid667]

First of all, thank you for taking the time and effort to write this impressive guide. Despite this guide I still run into problems 

I have a few web servers running that each have their own subdomain name. I am now trying to make the switch from pfsense to opnsense and have followed your guide to set up haproxy. Currently there is no service running on the domain name. However, when I now try to access my web server via both lan and wan I kept getting error 503 service not available. These web servers are all visualized on a proxmox server.

A second question I have, single post above you talk about "You have to put the OPNsense LAN IP in the DNS overide. Not the IP of the service." I am confused about this piece, is it possible to explain a little more about this.

Thanks in advance for feedback