Secure Connection fails when trying to access the Web UI; ACME plugin

Started by cribbageSTARSHIP, August 15, 2024, 07:00:44 PM

Good day everyone.

I followed this [write up](https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/) (also in [video format](https://www.youtube.com/watch?v=bY5mLytgDek)) in the hopes that I could start using Lets Encrypt and the ACME plugin. When I issued the cert and refreshed the page while logged into the IP of the Web UI, I had to accept the risk again, however I checked the cert and I had to accept the risk because the cert was for router.mydomain.ca.

When I try to use [router.mydomain.ca](http://router.mydomain.ca) it throws Error code: `SSL_ERROR_INTERNAL_ERROR_ALERT`. I own my .ca and have it set up via Cloudflare, although [router.mydomain.ca](http://router.mydomain.ca) is not listed in the DNS because I don't want my FW accessible via the WAN.

I've been trying to figure this out but I must have frustration goggles on. Any ideas on where to start diagnosing this?

If you want to use Letsencrypt, your WAN IP address must be in the public DNS. That does not imply that the UI has to be reachable from WAN, there's still firewall rules to prevent access from the Internet.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for taking the time. I'm new to this.

Are you saying that I should be using the LAN IP for the firewall itself as the DNS server?

"System > Settings > General" -> Change DNS servers to the FW LAN IP vice 1.1.1.1 and 1.0.0.1? Or, considering the below, should I leave it blank?

I have Unbound enabled; thanks to your nudge I found this info:

"Unbound DNS service: If the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option is disabled and the DNS server list is populated, the Unbound DNS service will only use the servers in the DNS servers list as the upstream DNS servers. If the DNS server list is empty, the Unbound DNS service will recursively resolve DNS queries (originally I tested this in a virtual machine behind my primary OPNsense router and the lookups failed - most likely that was due to having a recursive resolver behind another recursive resolver).

and

OPNsense system: If the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option is disabled and the DNS server list is populated, the OPNsense system will use localhost (which uses the Unbound DNS service), and the servers in DNS list. If the DNS server list is empty, the OPNsense system will recursively resolve DNS queries (as stated earlier, I was testing in a VM behind my primary OPNsense router so I had a recursive resolver behind another recursive resolver which likely caused problems)."

I am referring to this statement of yours - which I might have misunderstood. I think it's a little bit confusing:
Quote
although [router.mydomain.ca](http://router.mydomain.ca) is not listed in the DNS because I don't want my FW accessible via the WAN.

To use ACME client and Letsencrypt your router.mydomain.ca must be listed in the world wide public DNS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

So I would have to go to my cloudflare account and create an A record for router.mydomain.ca ? Would that not make my web ui accessible from the WWW? Should I be limiting the listening devices to just one of my vlans?

Quote from: cribbageSTARSHIP on August 15, 2024, 08:33:43 PM
So I would have to go to my cloudflare account and create an A record for router.mydomain.ca ?
Yes, you want a globally valid (Letsencrypt) certificate - Letsencrypt needs to contact your ACME client via HTTP for verification. Or in case of DNS instead of HTTP based verification, you still need a public FQDN.

Quote from: cribbageSTARSHIP on August 15, 2024, 08:33:43 PM
Would that not make my web ui accessible from the WWW?
Why would it? Did you create a firewall rule on WAN explicitly allowing access to the UI? The default policy on WAN when OPNsense is newly installed is "block everything". Of course it is. The firewall is responsible for enforcing who is allowed to access what. Not DNS.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
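The three points in this thread (the browser warning when the UI is opened by IP while the cert is for router.mydomain.ca, the need for a public DNS record before ACME can validate the name, and the firewall rather than DNS deciding WAN exposure) as a small offline checker. This is an added example, not code from the thread or from OPNsense; the hostname, the LAN IP 192.168.1.1 and the record sets are constructed values.

```python
from __future__ import annotations
import ipaddress

def name_matches_san(host: str, sans: list[tuple[str, str]]) -> bool:
    """Browser-style check of the name in the URL against the cert's SANs:
    DNS names compare case-insensitively, a leading '*.' covers exactly one
    label, and an IP literal in the URL only matches an IP-type SAN."""
    try:
        ip = ipaddress.ip_address(host)   # URL used a bare IP (e.g. the LAN IP)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
            continue                      # a DNS SAN never matches an IP URL
        if kind != "DNS":
            continue
        h, v = host.lower().rstrip("."), value.lower().rstrip(".")
        if v.startswith("*."):
            if h.count(".") == v.count(".") and h.split(".", 1)[1] == v[2:]:
                return True
        elif h == v:
            return True
    return False

def diagnose(host: str, cert_sans: list[tuple[str, str]],
             public_dns: set[str], wan_rule_allows_ui: bool) -> list[str]:
    """Return the findings a practitioner would raise for this setup.
    public_dns: names that exist in world-wide DNS (e.g. Cloudflare records).
    wan_rule_allows_ui: True only if a WAN rule explicitly permits the UI port;
    the OPNsense default on WAN is to block everything."""
    findings = []
    if not name_matches_san(host, cert_sans):
        findings.append(f"cert does not cover '{host}': browser shows a warning")
    if host not in public_dns and not host.replace(".", "").isdigit():
        findings.append(f"'{host}' has no public DNS record: ACME (HTTP-01 or "
                        "DNS-01) cannot validate it, so no certificate")
    if wan_rule_allows_ui:
        findings.append("a WAN rule allows the UI port: exposure comes from the "
                        "firewall rule, not from the DNS record")
    return findings

if __name__ == "__main__":
    cert = [("DNS", "router.mydomain.ca")]          # constructed Let's Encrypt cert
    print(diagnose("192.168.1.1", cert, set(), False))          # the OP's first try
    print(diagnose("router.mydomain.ca", cert, set(), False))   # no Cloudflare record
    print(diagnose("router.mydomain.ca", cert, {"router.mydomain.ca"}, False))
```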