[CLOSED]Possible NAT issue with letsencrypt certificate / SSL

Started by flotho, July 27, 2023, 11:07:36 PM

Hi everyone,

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with an up-to-date OPNsense as a VM in Proxmox.
Single WAN and multiple LANs with virtual IPs + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a Let's Encrypt certificate from a VM.
I dug a little and found that certbot was not really the issue, but the Let's Encrypt certificates were.

I've tested the certificate with the following command: openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443

  • It failed to answer.
  • I've tested the command from different OS/OpenSSL versions: same failure for the Let's Encrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the OPNsense shell, with success.
I've tested the command from the same VM to another domain:
openssl s_client -debug -connect google.com:443
with success.

From here, it looks like it's a FW issue concerning the Let's Encrypt domain.
I've searched a lot and tested many things:

  • added an alias for Let's Encrypt => still no success
  • added open-bar rules for this alias => still no success
Finally I found some related issues, but not all relevant.
The one that helped me a lot was this one: https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution of reapplying the outbound NAT setup solved my issue.

Also, another thread referencing strange issues: https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an outbound NAT issue with certificates from Cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent.
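The triage the post walks through (handshake to the ACME endpoint vs. a control host, from the VM and from the firewall shell) as an added script, not code from the original post; the control host, the 5-second timeout and the verdict wording are assumptions, and it requires openssl and timeout on the host:

```shell
#!/bin/sh
# Probe one host with a TLS handshake, the same check as the post's
# `openssl s_client -connect host:443`. Prints "ok" or "fail".
tls_probe() {
    host=$1; port=${2:-443}; limit=${3:-5}
    # Bound the wait so a firewall that silently drops the traffic
    # (the symptom in the post) shows up as "fail" instead of a hang.
    if timeout "$limit" openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | grep -q 'Verify return code'; then
        echo ok
    else
        echo fail
    fi
}

# Classify the pair of results: $1 is the target's result, $2 the control's.
# Target failing while the control succeeds from the same host is what
# points at a destination-specific problem such as outbound NAT.
diagnose() {
    case "$1:$2" in
        ok:ok)   echo "ok: TLS egress works for both hosts" ;;
        fail:ok) echo "destination-specific: inspect outbound NAT and rules for the target" ;;
        ok:fail) echo "control-only failure: check the control host, not the firewall" ;;
        *)       echo "general outbound failure: no TLS egress from this host" ;;
    esac
}

# Run the target and control probes from the current host and print the verdict.
# Defaults are the two hosts used in the post; the control is an assumed
# "known good" destination. Usage: run [target] [control]
run() {
    target=${1:-acme-v02.api.letsencrypt.org}
    control=${2:-google.com}
    t=$(tls_probe "$target")
    c=$(tls_probe "$control")
    printf '%-40s %s\n' "$target" "$t" "$control" "$c"
    diagnose "$t" "$c"
}
```

Run it once from the affected VM and once from the firewall shell: a "destination-specific" verdict on the VM with "ok" on the firewall localises the problem to the path between them, which is where the post's outbound NAT fix applied.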