Install CA as standard user

Started by robertkwild, January 31, 2022, 03:40:28 PM

February 03, 2022, 04:22:50 PM #15 Last Edit: February 03, 2022, 05:04:39 PM by robertkwild
Will it work even though I'm using the free no ip and only got one hostname?

Edit - just went on no ip and have to pay extra to get a TXT record for DNS challenge

So I will need to open port 80 to fw

What do you suggest, get a txt record or open port 80?

I would prefer the 3rd variant and take my own CA.  8)

You mean just export the self signed CA?

Yes, but you had some restrictions to install certificates as admin.

Not admin, as a standard user, they just couldn't import the CA

I really don't want to expose my firewall to WAN on any ports

I do port forwards to other servers on ports 80 and 443

thanks so much atom for your help in this!!!!!!!!!!!

You have the choice: Either install the certificate in Windows once as an admin (the best method in my opinion) or regularly renew the certificate with ACME, then either via DNS (no port to open) or HTTP (port 80 / 443 must be open).

Yeah, I agree it's a lot safer to use a self-signed cert instead of ACME, especially on a firewall

Why should using ACME on the firewall pose any risk? If you use DNS challenge, it's perfectly safe ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 08, 2022, 02:38:11 PM #23 Last Edit: February 08, 2022, 02:51:39 PM by robertkwild
Success!!!!!!!!!!

Installed/configured the ACME client on my OPNsense, it got the certs (using DNS challenge with dynu)

I then changed the cert on my IPsec server to the ACME client one instead of my self-signed one

At a different location (at work) I did a test, I spun up a VM, created a standard user, logged in as standard user

Created the IKEv2 VPN and I could connect straight away without installing any cert!!!!!