SSL cert for Web GUI - Let's Encrypt cert added but cannot access web GUI

Started by andyd, April 23, 2024, 05:25:52 AM

So...

1. I've set up the ACME client to get and auto-renew the Let's Encrypt cert
2. I changed the Admin settings to use the cert

I am unable to access the website by the name

1. I have AdGuard set up with Unbound DNS as the upstream server, meaning AdGuard on port 53 and Unbound on port 65353. This is working without issue.

2. I can add DNS rewrites in AdGuard to the OPNsense web GUI - that works.

3. I can access the router via IP - all devices are on LAN interface as I haven't gotten around to playing with VLANs.

Not sure what could be the issue?

I followed this guide...

https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/

Which makes the process seem easy so not sure what could be going on. Guessing it has something to do with Adguard / Unbound setup but not 100% sure. I do know I have failed to do similarly via Traefik and nginx - always hit a timeout when trying to access by name.

If I disable DNS rebind checks, it doesn't time out. Should this be disabled?

It still isn't able to do name resolution, though.

On AdGuard, I see it get processed...

Status: Processed
DNS server: 192.168.1.1:65353
Served from cache
Elapsed: 0.04 ms
Response code: NOERROR

but getting...
"This site can't be reached router.mydomain.com's server IP address could not be found."
in Chrome

So failing at Unbound?
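A way to narrow this down from a LAN host, as an added example that is not part of the original thread: query AdGuard (port 53) and Unbound (port 65353) for the name directly with dig and classify each answer. A NOERROR response that carries no A record (NODATA) is exactly what produces Chrome's "server IP address could not be found" page, and it is what a resolver returns when its rebind protection has stripped an RFC 1918 address from the answer. The dig outputs below are constructed samples so the script runs offline; the resolver address and ports are the ones quoted in the thread, and router.mydomain.com is the hostname from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies the output of
#   dig +noall +comments +answer @<resolver> -p <port> <name> A
# into ANSWER <ip>, NODATA, NXDOMAIN, REFUSED, SERVFAIL or UNKNOWN.

# Real use against the thread's setup (needs network, so not run here):
#   classify_dig "$(dig +noall +comments +answer @192.168.1.1 -p 53    router.mydomain.com A)"
#   classify_dig "$(dig +noall +comments +answer @192.168.1.1 -p 65353 router.mydomain.com A)"
# If AdGuard (53) says ANSWER but Unbound (65353) says NODATA, the LAN address is
# being dropped on the Unbound side; if both say NODATA, the rewrite never applied.
classify_dig() {
    out=$1
    # status: field from the ";; ->>HEADER<<-" comment line
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # first A record in the answer section: "<name> <ttl> IN A <ip>"
    ip=$(printf '%s\n' "$out" | awk '$3 == "IN" && $4 == "A" { print $5; exit }')
    case "$status" in
        NOERROR)
            if [ -n "$ip" ]; then echo "ANSWER $ip"; else echo "NODATA"; fi ;;
        NXDOMAIN|REFUSED|SERVFAIL)
            echo "$status" ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# Returns 0 if the address is RFC 1918 private space. A web GUI on the LAN
# should resolve to such an address; a public address means a stale rewrite.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample responses (not captured from the poster's network).
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
router.mydomain.com.    300     IN      A       192.168.1.1'

# NOERROR but empty answer: the shape rebind protection leaves behind.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Demo run over the samples; prints the verdict for each.
for sample in "$SAMPLE_OK" "$SAMPLE_NODATA" "$SAMPLE_NX"; do
    verdict=$(classify_dig "$sample")
    case "$verdict" in
        ANSWER\ *)
            addr=${verdict#ANSWER }
            if is_rfc1918 "$addr"; then
                printf '%s (LAN address, as expected for a web GUI)\n' "$verdict"
            else
                printf '%s (public address: check the rewrite)\n' "$verdict"
            fi ;;
        *)
            printf '%s\n' "$verdict" ;;
    esac
done
```

Run the two real dig commands from the comment against both ports and compare: the verdicts tell you whether the name is being answered, answered with the wrong address, or answered empty, which is more than the AdGuard query log's NOERROR shows on its own.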

Please don't replace the self-signed certificate of the WebUI; you can lock yourself out if the certificate's date becomes invalid because the ACME client has issues.

It doesn't improve security in any way to change it.
Hardware:
DEC740

Hmm. Not the response I was expecting.

I think the point of it is to not see a page saying that accessing the GUI is not secure, but you're saying this is preferred behavior?

If you don't want to see that the page is not secure, just import the self-signed certificate of OPNsense into your browser's trust store. That's the easiest method.

If it's Chrome and you are on Windows, just import it into the Windows certificate store under "Trusted Root Certificates". If you save the certificate from your browser as a .pem file, you can just double-click to install it, for example.

EDIT: This is exactly the same thing the Let's Encrypt certificate does. It's also installed into the trust store of browsers, or Windows/Linux etc. It just comes preinstalled there. Compare to this funny issue: https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Hardware:
DEC740

Ah I thought it might make sense to tie it to my domain as well since I will eventually be doing the same for local ssl in my dockers.

So I installed the cert and I'm still getting the same issue. Attachment is showing the cert in trusted root.

Is there something else to it? Do I have to access using "opnsense.localdomain"? That doesn't work either though.

Hmm, that's weird. What I'm using for that is Caddy. It reverse proxies the OPNsense WebUI for me. That way I can access it from my normal domain with a certificate, but the other way is still working too, giving me redundancy.

https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webui
Hardware:
DEC740
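What the reverse-proxy arrangement described above looks like as a plain Caddyfile, added here as an example and not the configuration the OPNsense Caddy plugin generates through its GUI. It assumes the OPNsense WebGUI has been moved to 127.0.0.1:8443 so Caddy can own ports 80/443, that the WebGUI's self-signed certificate was exported to /usr/local/etc/caddy/opnsense-webgui.pem, that its subject alternative name matches OPNsense.localdomain, and that router.mydomain.com is the name Caddy obtains a Let's Encrypt certificate for. All of those paths and names are placeholders.

```caddyfile
# Added example; not the os-caddy plugin's output. Paths, ports and names are assumptions.
router.mydomain.com {
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            # Pin trust to the exported self-signed WebGUI certificate rather than
            # using tls_insecure_skip_verify, so a swapped backend is still detected.
            tls_trusted_ca_certs /usr/local/etc/caddy/opnsense-webgui.pem
            tls_server_name OPNsense.localdomain
        }
        # The WebGUI's DNS rebind check compares the Host header against its own
        # hostname. Either send the backend's own name, as here, or leave Host
        # untouched and add router.mydomain.com under System > Settings >
        # Administration > Alternate Hostnames.
        header_up Host OPNsense.localdomain
    }
}
```

The pinned-trust transport keeps the self-signed certificate on the WebGUI itself, which is the point the earlier reply made: the ACME-managed certificate lives only on Caddy, so an ACME failure degrades the proxied name but never the direct https://192.168.1.1:8443 path.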

Ah, got it. I was using nginx for the reverse proxy but then was having similar issues with timeouts. Thought going this route for now seemed easier, but something with my setup is causing the names to not resolve correctly.