pfSense - Let's Encrypt guide. Get a proper SSL certificate for your WebUI.

  • Published 29 Sep 2024
  • OPNSense video I mentioned at the beginning:
    • Stop Using Self-signed...
    PayPal Donation to support the release of new videos:
    www.paypal.com...
    Toss some BAT at us from the Brave Browser, or use our link to install it :)
    brave.com/gat041
    View and support us at LBRY:
    lbry.tv/@gatew...

COMMENTS • 125

  • @pedrofrade1183 4 years ago +11

    You definitely deserve more recognition. Your videos are extremely well put together. Hope you keep making them!
    Greets from Portugal!

    • @GatewayITTutorials 4 years ago

      Thank you very much for your kind words, I am glad you like the content :)

  • @johntran9131 3 years ago +2

    Does the cron job apply to DNS-Manual method?

    • @GatewayITTutorials 3 years ago +1

      Not really, because you'll need to manually replace the link on the DNS panel (the LE bot generates a unique one every time on renewal), unless your DNS provider is CloudFlare and you know how to deal with their APIs to do it automatically.

  • @rocksonarthur2724 2 years ago +3

    You can use 443 if you don't like using port 80; just change to the Standalone TLS-ALPN server. Hope it helps. Thanks for the video.

  • @ronaldabalza9713 1 year ago +1

    How can I disable accessing the public IP? I already have SSL on my domain for pfSense, but I can still access the public IP with no SSL cert. What will be the redirection of the public IP?

    • @GatewayITTutorials 1 year ago

      You cannot disable the IP access; it's simply a pfSense limitation. In theory, we could edit the NGINX config file, and at that point it would just be a matter of redirecting the end user from that specific IP to an HTTPS endpoint, but pfSense will overwrite the config file sooner or later, so it's not a permanent fix.

  • @Sneksz 3 years ago +2

    So I tried to do this but using DNS-Cloudflare instead, with my domain name and API key. I'm getting an ERR_CERT_AUTHORITY_INVALID error. What could I be missing here? The certificate generated successfully and everything; this was the only issue. I do have pfBlocker enabled and suspect this may be it. What else can I be missing?

  • @MrFalcon79 1 month ago

    How do I enable an SSL cert for my website (HTTP), hosted on my local server, to make it HTTPS using pfSense and Let's Encrypt?

  • @DanishAnton 3 years ago +8

    Great video. Could you create one using DNS validation? It seems to be pfSense's recommended way.

  • @thezfunk 1 month ago

    What happens if you are using port 80 forwarded to a web server behind your pfSense firewall?

  • @ammarkh 1 year ago +1

    How do I get a domain name SAN? I don't have a domain. Thanks in advance.

  • @stephenallen4319 4 months ago +1

    Thank you!! Although it was just a walk-through, seeing how it all fits together is the perfect starting point for more advanced learning.

  • @RaviKumar-mj3gs 2 years ago +1

    I could not get the ACME certificate to issue on my pfSense with HAProxy. I have a Cloudflare subdomain and ACME fails with error 400 - "Unable to update challenge :: authorization must be pending". I also deleted the HTTP to HTTPS redirect on HAProxy, but that did not help.

  • @FELIPEROD92 1 year ago

    Is it possible to use these resources in pfSense to generate certificates for other machines (for example, a machine with a web service in IIS, on the intranet)?

  • @finite934 1 year ago +1

    Thanks for that... It's not straightforward. But do you have other guides for getting it working with the DNS method instead of the Standalone HTTP Server? Getting it working with the DNS method would negate the need for setting a new port for the WebConfigurator, the FW rule to open port 80, and disabling the WebGUI redirect rule. Plus, I'd be able to use my hostname.domainname resolution instead of the external DNS name even when I'm on the LAN. I mean, I get why you did it this way, because it's the easiest way to get up and running without any external configuration, but it's not the optimal method.

  • @RushmanCool 3 years ago +2

    I wish you had used a real(ish) setup with both WAN and LAN interfaces. On top, your rules are not the default ones; moreover, what you are showing as the "WAN" port has FW rules for the LAN interface. I am pretty sure those who are watching this kind of tutorial are beginners with pfSense, and your interfaces and rules will confuse a lot of folks - myself included.

    • @GatewayITTutorials 3 years ago +1

      It was a VM behind another firewall, and I NATed the traffic onto pfSense, so technically it was the WAN interface, but you are right, I should have added LAN into the setup to cause less confusion.
      Additional rules are there to help me manage the firewall:
      Allow 8000 lets me connect to the WebUI over the WAN connection, which otherwise would be blocked.

  • @TripleMachine 8 months ago

    So if you always use the IP addresses of your devices (like IP cams), you will never get an encrypted connection? You need to set up DNS for each device?

  • @JCrossMsM 3 years ago +3

    What all does "have your domain ready" at @4:03 entail? I have a domain, I've essentially done nothing to it, and I get an error when I try to issue the certificate. From researching it, it seems like Let's Encrypt is looking for a txt file at the domain, but I'm not hosting a site with this domain.

    • @GatewayITTutorials 3 years ago +2

      You need to point your domain name to the firewall IP address, if it's static.
      If your IP address is dynamic, use a dynamic DNS provider, like NoIP.

    • @JCrossMsM 3 years ago +1

      @GatewayITTutorials Makes sense. I'll give that a shot. Thanks 👍🏻

  • @henninb 2 years ago +3

    This is a great video for getting firewall UI certs. This leads me to a question on further using Let's Encrypt within the internal network of the firewall. I have a DD-WRT router (which needs a cert) that is receiving its IP from pfSense. What process would be best to get a Let's Encrypt cert without exposing DD-WRT to the outside world? Thanks again for the education on cert setup.

    • @GatewayITTutorials 2 years ago

      You could use HAProxy on pfSense, so your pfSense will become a reverse proxy for DD-WRT, which requires zero configuration on DD-WRT itself.

    • @henninb 2 years ago +1

      @GatewayITTutorials Perfect, I will be trying that.

  • @madse9356 2 years ago +1

    It works! I used Cloudflare DNS (not the standalone HTTP server). At first I got errors, but I had made 2 mistakes: a wrong subdomain and a typing error. Fixed those, and now the connection is secure.

  • @rocksonarthur2724 2 years ago +2

    Can you specify ACME as the source? I understand your explanation on hacking port 80; I just thought it would be better to have specific IPs as the source instead of leaving it (any). Good video. Thanks.

    • @GatewayITTutorials 2 years ago +1

      Thank you for your comment.
      It's doable, but it will be hard to keep track of their servers' IPs.

  • @JuanchoPM 3 years ago +1

    After this video, you earned my sub and likes... I'll check out the content, thank you so much... Cheers from Costa Rica.

  • @aubreykloppers9202 2 years ago +1

    AWESOME - You included everything, unlike other videos. Thank you, from Cape Town, South Africa.

  • @MhNetSecurity 3 years ago +2

    Thank you for the video. Is there a trick in order for pfSense to accept the certificate even if we use the IP address instead of the domain name?

    • @GatewayITTutorials 3 years ago +3

      It's not about pfSense, it's just how HTTPS works, so there is no workaround mate :)

  • @MrFalcon79 1 month ago

    Thanks a lot for shortening the way for me with my pfSense :X

  • @WilliamSmith-gj8wc 10 months ago

    I keep getting "check that a DNS record exists for this domain".

  • @andygonzalez7012 2 years ago +1

    Using NoIP, what choice do I have to select for the webpage: DNS Host, Web Redirect, or DNS Alias (CNAME)?

    • @GatewayITTutorials 2 years ago

      You can follow the video exactly; NOIP just points an IP address to the DNS name you've chosen in their system.

  • @gdawg-77 4 months ago

    How quick was that! Great video!

  • @brianhenning6030 3 years ago +1

    Thanks to your great video I was able to set up my certificate. I appreciate the details you provided.

  • @sulmanshah 2 years ago +1

    Stupid question here: I don't have a domain name or anything. I've got my pfSense connected to my ISP modem, and I want to use Let's Encrypt for traffic coming in and out from the ISP modem. Is that feasible? I don't have a domain name and I'm using Pi-hole as my DNS server. Thanks.

    • @GatewayITTutorials 2 years ago

      You need to own at least 1 domain for this to work. Get a free one from NOIP or something, if you don't want to pay for it.

    • @sulmanshah 2 years ago +1

      @GatewayITTutorials Thank you so much. Will that slow down my connection? I have 1 Gbps fiber.

    • @GatewayITTutorials 2 years ago

      @sulmanshah It will not slow down your connection, because it has nothing to do with the connection speed :)

    • @sulmanshah 2 years ago +1

      @GatewayITTutorials Thanks so much man. Really helps.

    • @sulmanshah 2 years ago +1

      Sorry, one more noob question: would I use the same tutorial as this to make my use case happen? Or something different? The No-IP site is great btw, never knew it existed.

  • @N1NJAKIDD 3 years ago +1

    Thank you for this, great guide. You've got yourself a sub👍🏾

  • @tiejak6493 2 years ago +1

    Hello. Thanks for your video. Sorry for my bad English. Because of port 80: you can usually set the WAN rule under Advanced > Schedule so that the port is only active at a certain time, namely when the cron job is running.

    • @GatewayITTutorials 2 years ago

      Sure thing: just create a scheduled rule in the FW section. The schedule itself could look something like this: Turn on LE 80 -> LE Renew -> Turn off LE -> Turn on 80 for something else.

  • @lavithhcm 5 months ago

    LoL. I wouldn't do it like this.

  • @kenzeng2 2 years ago

    It doesn't work with my port 8443, not 443.

  • @Dieu-w4n 9 months ago

    How do you go about obtaining the domain name?

  • @robysukma9023 2 years ago +1

    Hi man, I succeeded in getting the certificate and put it in System > Advanced, but my firewall still isn't secure. Any suggestions?

    • @GatewayITTutorials 2 years ago

      Try another browser, because your current one could be caching the old certificate.

  • @Alex-un5tl 1 year ago

    Where did you get the domain in the first place?

  • @anobody5708 2 years ago +1

    I got lost while adding the domain name. Where did you get this domain name from? Great video btw.

    • @MrMoonsilver 1 year ago

      Same here! But great video otherwise.

  • @captgrant 3 years ago +1

    Thanks for clearing up some gray areas regarding certificates.

  • @manurando 3 years ago +1

    A question: if the pfSense web GUI is running with SSL with a self-signed certificate (443), and Certbot uses port 80, what is the relevance of changing the port?

    • @GatewayITTutorials 3 years ago

      It's not imperative, but I got used to it due to the fact that there are a number of webservices running behind my firewall, so I need these ports all the time.

  • @sourcenz 1 year ago

    How can I do this behind CGNAT?

  • @RootRealm 3 years ago +1

    Please shoot a video about pfSense Suricata.
    Show how to block and unblock IPs.
    Sorry for my bad English.

  • @Boatsman99 3 years ago +1

    I didn't see you creating a DNS A record (ACME challenge). Did I miss it?

    • @GatewayITTutorials 3 years ago +1

      I didn't cover the part where you have to create a DNS A-type record, because every DNS provider is different. Before you start following the process in this video you need to create a DNS record and point it to your firewall, or use a DDNS service in case your public IP is dynamic.

  • @JDSchuitemaker 1 year ago +1

    Great tutorial and it worked instantly on my home network. Thank you!
    I also added my pfSense as a subdomain to Cloudflare, but I am getting an error for the host. It says that Cloudflare is unable to establish an SSL connection to the origin server. Any hints what causes this?

    • @blackrockcity 8 months ago

      Did you solve this?

    • @JDSchuitemaker 8 months ago

      @blackrockcity No, unfortunately not.

  • @havoc_64 3 years ago +1

    Great video! Thanks.

  • @werecow68 4 months ago

    Amazing video, thank you so much for making this. Worked 100%. The only thing I'll add is to ensure you either have a hosted domain name to use or a dynamic DNS host entry, which needs to match the name of the router.
    Hope you come back and make more videos as yours is outstanding!!!

  • @videomichel 3 years ago +1

    Comprehensive and concise - good job :)

  • @AmirOnsori-q1z 24 days ago

    Good job.

  • @projectspage5396 1 year ago

    Great video! Just wondering if you have the issue of the SSL certificate not renewing if HAProxy is running? I need to disable it to renew my ticket for some reason; if not, I get the following error: "Cannot negotiate ALPN protocol".

  • @arnabkoley8864 2 years ago

    Hi,
    I have done exactly what you did, but my pfSense is running on the default certificate. I have changed the SSL/TLS Certificate option from default to Let's Encrypt, but it's still running on the older one. Please help.

  • @garettgreekas7084 2 years ago

    Okay, great video. I cannot get my cert to stay; it keeps defaulting under Advanced > webConfigurator (SSL/TLS Certificate). Not sure what I missed.

  • @ERolando78 3 years ago +1

    Excellent demo, thank you. Question: can the same certificate be used for a transparent proxy server, activating the option "HTTPS/SSL Interception", "SSL/MITM Mode" "Splice All", and in the "CA" option using the one that was created by the "Acme" package?
    Thank you

    • @GatewayITTutorials 3 years ago

      Thanks :)
      To be honest, I've never played with Squid due to a lack of use cases. Give it a go, and post another comment here to let other people know if it's possible please.
      P.S. I am not quite sure if it brings any benefit doing it this way, as you'll need to import the cert on all of the machines behind proxy regardless. In any case, definitely let us know how it goes.

    • @itknowledgehack2601 3 years ago

      Have you used ACME certificates in a transparent proxy server?

  • @eidodoos 10 months ago

    Amazing video. Thank you for sharing this. Your instruction is crystal clear.

  • @fazedank5262 1 year ago

    Hi, I'm just wondering if these certificates auto-renew?

  • @studi0z 3 years ago +1

    Thx 4 tutorial!

  • @techmidi184 2 years ago

    I got an error on the certificate; did you publish the solution?

  • @greengo123jf 1 year ago

    That's a great video, thanks. My setup didn't work; I had to add a floating rule similar to the WAN rule, but it only worked externally by directing it to port 8000 for some reason.

  • @oleksandrlytvyn532 5 months ago

    Thanks

  • @brunosolothurnmann9205 1 year ago

    Thank you - I implemented it according to your video - still valid after 2 years.

  • @sefhirot2008 3 years ago +1

    Thanks man

  • @serikk 1 year ago

    I like your well-organized style, thanks for the detailed explanation.

  • @simonouting6538 3 years ago +1

    Great video, you made it nice and easy to set up and it all worked perfectly :)

  • @cluelessfish 2 years ago

    Thank you for this; it was very easy to follow. The first try it failed, but then I changed the domain (I was using one of my subdomains) and that worked fine. However, even though it issued fine and all that, it still has an ! on the padlock saying connection not secure.

  • @DanielBeszterda 4 years ago +1

    Is there any option to do the same on OPNsense?

    • @GatewayITTutorials 4 years ago +1

      Hi. Check the video description, I made the same guide for OPNSense.

  • @HamsterHawk 2 years ago +1

    Should I disable port 80 after I get the cert working?

    • @GatewayITTutorials 2 years ago

      Not necessarily, you can watch my video on OPNSense ACME certs to understand why :)

    • @HamsterHawk 2 years ago

      @GatewayITTutorials I couldn't find where you talked about it in the video, can you give me a timestamp?

    • @GatewayITTutorials 2 years ago +1

      @HamsterHawk Sorry, my bad, it was in this video: ua-cam.com/video/1qVAapgr3hI/v-deo.html

  • @arashtorabi1217 2 years ago

    That was awesome, you explained that very clearly and easily, thanks a lot.

  • @serres162r 3 years ago +1

    Thank you!

  • @scholziallvideo 3 years ago

    It works fine
    Thanks

  • @itknowledgehack2601 3 years ago

    I checked your video and set up the same in my pfSense, but when I check these certificates in the browser with a valid domain, it gives an error: "fake certs and non-secure certs".

    • @GatewayITTutorials 3 years ago +1

      Hi there,
      Please post your issue on our Subreddit here:
      www.reddit.com/r/gatewayittutorials/
      Include screenshots, logs and other useful info, so it's easier for me to help you.

  • @amitakadonny 2 years ago

    My ntopng stopped working.

  • @BindasBadshah 1 year ago

    Very thorough. Thank you

  • @pahtriac 3 years ago

    Did exactly what you did but got a "400 bad request The plain HTTP request was sent to HTTPS port nginx" instead, and now I'm locked out of my pfSense...

    • @GatewayITTutorials 3 years ago

      Looks like you need to switch the protocol in your URL, from HTTP to HTTPS or vice versa.

    • @pahtriac 3 years ago +2

      Didn't see that you did this port 8000 in the HTTPS section and you didn't mention it, so I was quickly confused for a few minutes; had to reset the LAN IP, I'm back in.

  • @CandieyestudioCoUkPhotographer 3 years ago

    Hey dude, superb easy-to-follow video! Set up with no worries except one: I can't get TrueNAS to connect to update servers on port 80. I opened a port and found my NAS connected to the Internet, so promptly turned it off!! Any chance you can give me some pointers with the Rules/NAT configuration, please?

    • @GatewayITTutorials 3 years ago

      I am not sure I understand the question. Is this the type of connection you need?
      Internet -> pfSense -> NATed port 80 -> TrueNAS

    • @CandieyestudioCoUkPhotographer 3 years ago

      @GatewayITTutorials Yes mate, managed to get an SSL cert on TrueNAS, 2FA & Email. Just won't update or install plugins, assuming it's NAT related.

    • @GatewayITTutorials 3 years ago

      How is your IP configured on the TrueNAS side? Sounds like a gateway static config issue.

  • @asamoahchristian7229 3 years ago

    My cert couldn't register.

  • @pnederve 1 year ago +1

    Hi there, great tutorial video. However, I am stuck with one problem. I am getting a connection timed out (522) from Cloudflare when I try to load my site. I have Cloudflare set up to proxy the DNS entry, but I have also tried it as a straight A type as well. My WAN rule looks just like what was created here. Not exactly sure where to look for the issue next. Would appreciate a hint!

  • @mattmcmahon4240 1 year ago

    hey yes