[SOLVED] Anti DDOS option prevents getting a letsencrypt certificate behind FW

Started by flotho, July 31, 2023, 11:10:48 PM

Hi everyone,

New thread, in favor of https://forum.opnsense.org/index.php?topic=35061.0

I'm posting here after having upgraded to 23.7 and closed https://forum.opnsense.org/index.php?topic=35061.msg169913#msg169913

I'm working with an up-to-date OPNsense as a VM in Proxmox.
Single Wan and multiple LAN with virtual IP + NAT 1:1 for our DMZ.

A few days ago I was no longer able to get a letsencrypt certificate from a VM.
I dug a little and found that certbot was not really the issue, but rather the letsencrypt certificates.

I've tested the certificate with the following command: openssl s_client -debug -connect acme-v02.api.letsencrypt.org:443

  • It failed to answer.
  • I've tested the command from different OS/OpenSSL versions, same failure for the letsencrypt domain.
  • I've tested the command locally and it succeeded.
  • I've also tested the command from the OPNsense shell with success.
I've tested the command from the same VM to another domain
openssl s_client -debug -connect google.com:443
with success.

From here, it looks like it's a FW issue concerning the letsencrypt domain.
I've searched a lot and tested many things:

  • added alias for letsencrypt => no more success
  • added openbar rules for this alias => no more success
Finally I found some related issues, but not all were relevant.
The one that helped me a lot was this one: https://forum.opnsense.org/index.php?topic=17002.msg77356#msg77356
The solution to reapply the outbound setup for NAT solved my issue.

Also, another thread referencing strange issues: https://forum.opnsense.org/index.php?topic=33409.msg161652#msg161652

At this point I think there is an Outbound NAT issue with certificates from cloudflare.

Do you think that's a bug? Can anyone lead me to a better diagnostic? Do I need to open a bug on https://github.com/opnsense/core/issues/?
Thanks in advance for the time spent

Finally,

It was not at all due to NAT.
It was due to the Anti DDOS option and SYN cookies.
With this option set, it is impossible to get a certificate from letsencrypt behind the FW.
Without this option everything works fine.
Any chance to add this to the documentation?

Regards