Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
ACME client not recieving certificates due to firewall?
« previous
next »
Print
Pages: [
1
]
Author
Topic: ACME client not recieving certificates due to firewall? (Read 2238 times)
aida
Newbie
Posts: 31
Karma: 0
ACME client not recieving certificates due to firewall?
«
on:
March 27, 2023, 05:56:04 pm »
For my homelab I've set up a custom ACME CA using this guide
Build a Tiny Certificate Authority For Your Homelab
. I was able to verify the configuration worked with
Traefik
on my server.
I started by adding an ACME account:
I created the ACME Client account. Registration seems successful.
I clicked "Issue or renew certificate". I see a validation failure and no such successful certificate.
In you can see the challenge type. I used HTTP-01.
In the firewall we see a state violation.
and a more detailed look:
I tried making some rules but it didn't seem to help anything.
What is interesting is curl does appear to work, so it's only the response to requesting a certificate.
Logged
aida
Newbie
Posts: 31
Karma: 0
Re: ACME client not recieving certificates due to firewall?
«
Reply #1 on:
March 28, 2023, 07:13:01 am »
So I have thought about this again, maybe it does make more sense to use the
DNS-01
challenge type. The goal is not to add too many moving parts to this so I wanted to keep the authoritative part on the opnsense device.
It seems it is possible to use BIND and Unbound together without conflict as
this post on reddit
points out. Unfortunately no documentation was provided. Currently I am using unbound, and I have a few overrides there set up. I like unbound because it lets me set an outgoing interface, which is currently set to my preferred WAN link.
Currently some things about my network:
The Raspberry PI which is running Step-CA is
tinyca.bsmt-rpi1.home.arpa
The OPSense Router is
opnsense.bsmt-rt1.home.arpa
These are currently configured on Unbound's with "override" option.
Unbound is currently configured, and forwarding DNS requests from my LAN, side VLANs.
Unbound is currently configured with a few overrides for various devices on my LAN.
I'm a bit stuck as to how to fill in the Challenge type for my OPNSense router:
The settings for the BIND Configuration
I noticed in the
documentation
it says to leave that as port 53530 so that it doesn't interfer with Unbound.
How might I go about configuring the master zone?
Logged
aida
Newbie
Posts: 31
Karma: 0
Re: ACME client not recieving certificates due to firewall?
«
Reply #2 on:
March 28, 2023, 09:06:12 am »
OPNSense BIND Plugin
There seems to be no way to set the user apikey/token in the
BIND plugin
.
I noticed some other options:
ACME DNS:
Not sure about this one. Perhaps something I could set up on my server in a container or something.
nsupdate:
Perhaps this is an option.
The main goal i am trying to achieve is to get signed certificates from my step-ca server without having to depend on services on the internet (ie using WAN).
Logged
Mr_Flibble
Newbie
Posts: 4
Karma: 0
Re: ACME client not recieving certificates due to firewall?
«
Reply #3 on:
May 17, 2023, 07:59:30 pm »
I am using step-ca as well for all my home configs, and it is working... partially... with OPNSense.
In fact, trying to troubleshoot I stumbled across your post. My issue is different, I can get step-ca to work with HTTP validation, but I cannot get it to renew quickly as OPNSense seems to think that a renewal is not required.
My issue/thread is here:
https://forum.opnsense.org/index.php?topic=34054.0
Did you get yours working? If not, I can share my configs that got me to start the renewal - I am just trying to figure out how to get it to actually renew when the cron job tells it to do so.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
ACME client not recieving certificates due to firewall?