Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[user78425653]

Hello @TheHellSite

I was using opnsense with HAProxy > 1 year.
Thanks for opffering this free tutorial, it definitely made the world better (at least for me).

The problem with opnsene 24.1 and HAProxy 4.2 hit me as well.

I will be happy when the "strict-sni" update of your guide is released.

Thank you in advance.

[TheHellSite]

Hello @TheHellSite

I was using opnsense with HAProxy > 1 year.
Thanks for opffering this free tutorial, it definitely made the world better (at least for me).

The problem with opnsene 24.1 and HAProxy 4.2 hit me as well.

I will be happy when the "strict-sni" update of your guide is released.

Thank you in advance.

It just dropped.

[user78425653]

Hello @TheHellSite

I was using opnsense with HAProxy > 1 year.
Thanks for opffering this free tutorial, it definitely made the world better (at least for me).

The problem with opnsene 24.1 and HAProxy 4.2 hit me as well.

I will be happy when the "strict-sni" update of your guide is released.

Thank you in advance.

It just dropped.

Thanks so much. My day would be horrible today if that didn't work.

@others I can confirm it works but I patched as TheHellSite described. Can't confirm it working without patching opnsense first.

[TheHellSite]

Important changes for OPNsense v24.1 and above

• 20240201
  
  • Simplified and improved Part 8. The "INVALID_SNI" certificate is no longer needed, instead we use the "strict-sni" parameter to achieve an even better result.
    Thanks @mnaiman for the suggestion.

To comprehend the changes introduced in OPNsense v24.1 and above (HAProxy version >4.2) please do the following.
This is only necessary if you followed "Part 8 - Advanced Configuration: Hide your certificate on access by IP" of the tutorial!

Modify your configs as shown in the updated part 8 of the tutorial and remove the "INVALID_SNI" certificate as default certificate from your "HTTPS_frontend".

The "INVALID_SNI" certificate can then be deleted at "System: Trust: Certificates".
The "INVALID_SNI" certificate-authority can then be deleted at "System: Trust: Authorities".

Kind Regards
TheHellSite

[furax]

@TheHellSite,

Thank you so much for the things you're doing here!

Regards,

Julien.

[loop0]

@TheHellSite, many thanks and kudos for your tremendous effort, contribution and help!

I try to avoid seeking for help and solve my problems on my own. But after upgrading to 24.1 I stuck in the CRON configuration when it comes to the update HAProxy OCSP Data you mentioned in Part5.4, this feature has disappeared and can no longer be selected. I assume this is needed to get the OCSP must staple extension running.

Is there an alternative way of configuring or what I'm doing wrong or missing.
 
Thanks loop0

[securid]

I have 2 domains, public and internal seperated and its been working fine. Needed the patches of course after the updates which bugged out SNI on haproxy, but fortunately that was an easy fix (thanks!  ).

I actually have more internal domains in different subnets. Is it possible to add new certificates for each one and then add these to the list the same way as the first internal domain? I would need to setup a map for each one too and I am thinking that as long as they are before the public map this should work?

I don't wanna bork things up so I figured I'd ask first  .

Has anyone done this and is it as straightforward as I think it is?

Thanks!

[vladnik]

Attention!

Hey everyone,

after the upgrade to 24.1, please check your cron job for updating OCSP data.
Since that function is no longer available from the list, mine was set to "Automatic firmware update", which could potentially be *really* bad



@TheHellSite: Thank you for the guide and the ongoing maintenance, much appreciated! (beer is on the way)

[techsolo12]

@TheHellSite, many thanks and kudos for your tremendous effort, contribution and help!

I try to avoid seeking for help and solve my problems on my own. But after upgrading to 24.1 I stuck in the CRON configuration when it comes to the update HAProxy OCSP Data you mentioned in Part5.4, this feature has disappeared and can no longer be selected. I assume this is needed to get the OCSP must staple extension running.

Is there an alternative way of configuring or what I'm doing wrong or missing.
 
Thanks loop0

As i know the OCSP update cronjob isn't needed anymore since the OCSP feature was completely revamped with the actual version of haproxy 4.2 which is bundled in opnsense 24.1

I had some errors with the OCSP updates so i opened a issue in the opnsense/plugins github repo.
https://github.com/opnsense/plugins/issues/3755

[TheHellSite]

Attention!

Hey everyone,

after the upgrade to 24.1, please check your cron job for updating OCSP data.
Since that function is no longer available from the list, mine was set to "Automatic firmware update", which could potentially be *really* bad

@TheHellSite: Thank you for the guide and the ongoing maintenance, much appreciated! (beer is on the way)

Thank you for pointing this out, I opened a bug report.
https://github.com/opnsense/core/issues/7197

@TheHellSite, many thanks and kudos for your tremendous effort, contribution and help!

I try to avoid seeking for help and solve my problems on my own. But after upgrading to 24.1 I stuck in the CRON configuration when it comes to the update HAProxy OCSP Data you mentioned in Part5.4, this feature has disappeared and can no longer be selected. I assume this is needed to get the OCSP must staple extension running.

Is there an alternative way of configuring or what I'm doing wrong or missing.
 
Thanks loop0

As i know the OCSP update cronjob isn't needed anymore since the OCSP feature was completely revamped with the actual version of haproxy 4.2 which is bundled in opnsense 24.1

I had some errors with the OCSP updates so i opened a issue in the opnsense/plugins github repo.
https://github.com/opnsense/plugins/issues/3755

I will update the tutorial once again to comprehend the changes, please bear with me.

EDIT: Fixed, see Part 5.

As the automatic OCSP updates are now fully built into HAProxy, there is no need for the previously used Cron job, which has been removed from the OPNsense system as of update 24.1.

[DarkCorner]

In Public Services 1_HTTPS_Frontend
the "SSL option pass-through" field in the tutorial ther is "curves secp384r1".
Having generated the certificate with the simple 4096, what value should be indicated in this field?

How and where should logging be enabled to pinpoint where errors occur?

Thanks in advance.

=== Update ===
I generated the certificate again with ec384, as suggested in the tutorial. I reset the "SSL option pass-through" field with the value "curves secp384r1".

Now:
1) From Internet, using the certificate for web GUI access works and the certificate was recognized.
2) From Internet, a NAS and Debian Server in DMZ are not recognized. In Firefox the error is "Connection timed out".
3) In Statistic Status the Backends are No Check.
4) The SSL Labs test on the two subdomains returns the value "A" and not "A+" in both tests. DNS CAA = No is reported. The documentation reports that for both servers https://URL (HTTP/1.1 503 Service Unavailable)
5) In Firewall /Log / Live view the WAN rule is executed.

Evidently there is something blocking the call of the two servers in DMZ. Maybe there's a rule missing?
How can I enable HAProxy logging?

=== New Update ===
I checked twice, all the parameters.
Servers continue to be unreachable with error 503.

I don't understand why I only have to listen to ports 80 and 443.
It is true that the service port is indicated in the Real Server (for example, 32400 is used in the tutorial), but in the browser I have to type MY-DOMAIN.TLD:NumberPort.
Already in the WAN rule NumberPort is not filtered because it is not in the alias.

Thanks in advance, again.

[Squiggley]

@TheHellSite, Just wanted to say thank you soooooo much for this tutorial. It has made a very complicated task much easier for me. I converted over from pfsense because this tutorial was exactly what I wanted to setup and I have not been disappointed. It turns out I like opnsense much better too!

[DarkCorner]

I'm sorry, but I stillo get errors instead.

After moving the two servers to the LAN and creating a new VirtualIP, now all the configurations correspond to the tutorial (obviously if there hadn't been some oversight on my part).

The only difference I find is in the Public Services / Type option "http-keep-alive [default]" in the snapshot of point 9 and that in this version of HAProxy is not present.

• The SSL Labs test on my-domain.tld returns "Certificate name mismatch" because it searches for *.my-domain.tld
  Instead, if I search for server.my-domain.tld the test is A and not A+
• When calling server.my-domain.tld:NumPort from the internet with Firefox I get the "connection timed out" error and in Firewall Log Live View, the public IP address of the laptop being tested reports the error "Default
  deny / state violation rule"
• When calling server.my-domain.tld from the internet with Firefox I get the "503 Service Unavailable" error without errors in Firewall Log Live View.

I'm sorry, because the architecture proposed in this Tutorial is interesting.

[mgrunwald]

I am not sure this was mentioned before but https://desec.io no longer new registrations for DynDNS.
For the German speaking audience I can highly recommend https://ipv64.net/
Many texts on the website are English, but someone not speaking German might have problems understanding everything

[keyboardDabbler]

EDIT

Nevermind, my first issue was related to https://forum.opnsense.org/index.php?topic=38435.0 which has since been patched.

As always, i appreciate the upkeep of this guide.