ACME Client HTTP Challenge Own CA

Started by moe, July 06, 2025, 09:58:28 PM

Hi,
I am currently trying to use the ACME client from OPNsense, which depends on acme.sh, to issue certificates from my own PKI.
On my other Linux systems this works great, but I have some issues with OPNsense.

The challenge seems to be the issue.
Normally I use http-01 as the challenge type.

If I choose this setting -> it won't work.

Can anybody explain what "automatic port forward" is generated when I use this setting?

The web interface of my OPNsense is running on a different port (not 443).

Thanks for your help!
Kind regards

If you really have an ACME-capable PKI running on your own, you should know that it must verify the domains via HTTP-01 or DNS-01.

HTTP-01 runs via access to port 80 only - as the name implies. If OPNsense is to act as an HTTP server for these verifications, it needs to present the verification tokens via HTTP. The challenge settings in the ACME.SH plugin allow a choice of the HTTP service that it will divert to show the verification token.

For me, there is either HAProxy or the OPNsense GUI frontend; there may be others (like NGINX), if installed. But for this to work, your own PKI must be able to reach port 80 on your OPNsense in the first place, which includes having the selected web server listen on port 80 (even when there normally is only an HTTPS redirect) and opening the port. For the OPNsense web UI service, you must have "System: Settings: Administration - HTTP Redirect" enabled (i.e. checkbox disabled).

The latter also implies that port 80 must be accessible from your own PKI, which could reside on the internet (then you must open the WAN for that) or on your intranet (then, you may have to get port reflection to work).

However, because the opening of port 80 poses a security risk, you should consider using DNS-01, if at all possible. That of course does not apply if your PKI is on your intranet.

Out of interest, I have two questions, though:

1. If you use your own CA, you probably use a domain that you cannot get official CA certificates for (i.e. a TLD). Since this has other problems, like not being able to generate wildcard certificates, I would expect anyone either using an official ACME-capable CA with official domains or having their own CA with long-lasting certificates (like I do). What is your rationale to use ACME with your own CA in the first place?
2. Which PKI software do you use on what platform?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
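To make the HTTP-01 flow from the reply above concrete, here is an added example (not code from the thread, from acme.sh or from the OPNsense plugin) that reproduces the check the CA performs on port 80: it derives the RFC 7638 JWK thumbprint of the ACME account key, builds the key authorization the token file must contain, and replays that check against a captured plain-HTTP response, reporting the two failure modes the thread warns about (a server that only redirects to HTTPS, and a server that answers with the wrong content). The JWK and token values are sample data, not a real account key.

```python
import base64
import hashlib
import json

# Sample data (constructed for this example, not a real ACME account key):
# an EC P-256 account key in JWK form, plus a challenge token as issued by a CA.
SAMPLE_JWK = {
    "kid": "account-1",  # extra members are ignored by the thumbprint
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialised as compact JSON with lexicographically sorted keys."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_http01_response(token, jwk, status, headers, body):
    """Replay the CA-side validation on a response captured from port 80.
    Returns (ok, reason). Redirects are not followed here, so a web server
    that only answers with an HTTPS redirect is reported as a failure."""
    if status in (301, 302, 307, 308):
        target = headers.get("Location", "")
        return False, f"HTTP {status} redirect to {target!r} (not followed by this check)"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    if body.strip() != key_authorization(token, jwk):
        return False, "body is not the expected key authorization"
    return True, "ok"
```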