Set up a DMZ, now Outlook complains about SSL

Started by amd.64, December 19, 2024, 10:12:37 PM

I set up a DMZ with OPNSense (outer firewall) and OpenWRT (inner firewall). Now when I open Outlook it complains about OPNSense's SSL cert.

Is it possible to secure OPNSense with a cert that is not self-signed? If so, will that make Outlook happy?

If it is not possible to secure OPNSense with a cert that isn't self-signed, or it will not make Outlook happy, how can I resolve this issue?


December 19, 2024, 11:26:40 PM #1 Last Edit: December 20, 2024, 01:21:34 PM by meyergru
I can imagine only two ways this could happen:

1. You have a DNS error that resolves that (or potentially any) name to the OpnSense IP. You should try looking up that name and see what IP it resolves to on your client.

2. You have set up some sort of transparent proxy or other type of traffic inspection that breaks TLS by diverting all SSL traffic over a proxy, which shows OpnSense's certificate because you failed to import the CA into your client(s). As a matter of fact, I think that it does not even help for Microsoft's update and other sites, so like with banking sites with pinned certificates, you have to set up so-called "no bump sites".

People always think they can do those things and do not understand why this just cannot work (tm). See this, #12.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
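
The two checks suggested in the reply above (what the name resolves to on the client, and whether the certificate presented validates against the client's trust store), as an added example that is not part of the original thread. The hostname and the firewall address are supplied by you on the command line, and the function names are hypothetical.

```python
import socket
import ssl
import sys

def resolve(host):
    """Return the set of IPs the local resolver gives for host."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def tls_verdict(host, timeout=5):
    """Handshake using the system trust store; return (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName") or issuer.get("commonName", "?")
                return True, name
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self-signed certificate" or "unable to get local issuer certificate"
        return False, exc.verify_message

def classify(ips, firewall_ips, tls_ok, detail):
    """Map the observations onto the two causes named in the reply."""
    if ips & set(firewall_ips):
        return "dns: name resolves to the firewall itself"
    if not tls_ok:
        return "interception: untrusted cert on a non-firewall IP (" + detail + ")"
    # If the firewall's CA was imported on this client, the chain validates
    # and the issuer shown here is that CA rather than a public one.
    return "ok: chain validates, issuer " + detail

if __name__ == "__main__":
    # Usage: python check.py <mail-hostname> <firewall-ip> [<firewall-ip> ...]
    host, firewall_ips = sys.argv[1], sys.argv[2:]
    ips = resolve(host)
    ok, detail = tls_verdict(host)
    print(host, "->", sorted(ips))
    print(classify(ips, firewall_ips, ok, detail))
```

Run it on the client that shows the warning, since both the resolver answer and the trust store are per-client.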