I've watched countless videos, banging my head against the wall trying to figure this part out (how do I add valid SSL certs for my private services in my homelab). I wish I had come across this video weeks ago, as it explains everything you need to know in an easy-to-understand, concise way. Thank you for this, amazing tutorial series!
Perfectly explained, thank you so much! Throughout the video I tried to like it at least 3 times, only to realize I already had.
Thank you so much for this!
Hi, thanks again for your tutorials. Is it mandatory to have a domain name, as I don't have one at the moment? If so, I'd be grateful if you could do a beginner tutorial on how to set one up.
Appreciated
Hi there, good question. No, the domain parameter is not mandatory; it will just default to "local" if you leave it. Today it is best practice not to use a .local internal domain, though it is fully supported to do so. This is because it is no longer possible to get a public SSL certificate issued by a third-party provider for a .local TLD. Most would agree .local really shouldn't be used. My recommendation, if you want to delineate your internal/local namespace from public, would be to use a subdomain, something like "internal.mydomain.com", where "mydomain.com" is a public domain you own. Thanks for watching and I appreciate your feedback!
@OMGTheCloud Thank you so much for all the educational tutorials you've made; I really enjoyed them.
Thank you for the video, you made it easy to understand.
I have a home pfSense setup. Do I need a public IP, and my DigitalOcean A record pointing to my home public IP?
Generally I feel the better way is to use pfSense's dynamic DNS service to update an A record in your domain, then have whatever services you want to point back "home" reference that A record as a CNAME. I could make a tutorial for this... let me know if that'd be valuable.
@OMGTheCloud I would like to see a video on this, thanks!
What do you do when your Acmecert CA expires under System / Certificate Manager / CAs?
Root CA should be valid for 10+ years.
I can't see the client configuration.
Navigate to Client Export under the OpenVPN menu item to download it.
Good video. Unfortunately I am using Hover and a .one TLD, which is not commonly supported. Luckily GoDaddy supports it and has an API. Now I just have to wait a couple of days for the domain to transfer and the API to work.
Thanks for brilliant info🥰🥰🥰
My pleasure 😊
Google doesn't support anything, it seems...
Hi, my CAs in Certificate Manager are empty? How do I fill them up with the Let's Encrypt stuff? It's not working as it should :s
Hi there, it sounds like your pfSense is not successfully getting the certificate issued, as you should see ACME certs in your CAs section and Certificates section. The first thing is to check the logs to see what is happening: Status -> System Logs -> System -> General is where the ACME logs are written. Take a look there and see where it is failing.
@OMGTheCloud OK, I deleted my previous config of DNS rules etc. Maybe I was blocking something... and I'm reinstalling ACME again. I can't see anything special. When should the CAs be added, after installing the ACME package?
This is odd: /rc.start_packages: The command '/sbin/ifconfig 'em1' delete '10.10.10.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
It sounds like something in your VLAN config is missing, separate from your ACME certificate config. Are you using a 10.10.10.0/24 network in your pfSense?
@OMGTheCloud Hmmm, I don't have any VLANs configured? Is this mandatory? Everything is working except this..? Is a VLAN necessary? Everything in one VLAN then?
Hi, I am getting a problem while issuing a Let's Encrypt certificate.
mydomain.network:Verify error:Invalid response from [xxx.xx.xx.xx]: 503
Note: the above domain name is changed just for example.
If I go to /tmp/acme/acme_issuecert.log:
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
If I hit the Let's Encrypt URL from the log:
503 Service Unavailable
No server is available to handle this request.
That could be a few different things:
1. If you are using a subdomain for your wildcard, for example "*.omg.mydomain.com", I found that Let's Encrypt did not like it unless the "omg" part of that was actually resolvable in public DNS; it doesn't matter what it resolves to, it can be any made-up IP, but that namespace has to exist.
2. Did you also set up a wildcard DNS record for the namespace in your certificate? You can do this either internally (easy with pfSense) or externally on your public DNS provider, as an A record: *.mydomain.com -> IP address where your Traefik container is hosted. It's preferable to set this DNS record inside your network, so you do not leak the CIDR of your internal network, but this is pretty benign so not a big deal.
3. Those errors definitely smell like a DNS name resolution issue. Is your Let's Encrypt container itself getting good public DNS name resolution? You could get into the container itself (docker exec -it containerName bash) and see if you can ping yahoo.com, for example, and have it resolve to an IP. If you cannot, that is likely the issue. I hope this helps, please let me know how you do!
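A small preflight check for points 1 and 2 of the reply above, added here as an example (it is not code from the video or from the pfSense ACME package). Given a wildcard name it derives the names that must answer in DNS (the parent label, and an arbitrary host under the wildcard), queries them through an injectable resolver, and flags a public-DNS view that answers with an RFC 1918 address, which is the CIDR leak the reply mentions. The zone contents, the probe label and the 203.0.113.x documentation addresses are constructed for the example; the fake resolver's wildcard matching is a deliberate simplification of real DNS wildcard rules.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# A resolver maps a DNS name to the addresses it answers with; [] means no
# answer (NXDOMAIN or no A/AAAA data). Injecting it lets the check run offline.
Resolver = Callable[[str], List[str]]

# The reply talks about leaking the internal CIDR into public DNS, so the
# "leak" test is RFC 1918 membership rather than Python's broader is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_resolver(name: str) -> List[str]:
    """Resolve via the OS stub resolver (on pfSense that is Unbound; elsewhere
    whatever /etc/resolv.conf points at). For real runs; not used by the test."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def zone_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Fake resolver over an in-memory zone with simplified wildcard matching:
    an exact owner name wins, otherwise the leftmost label is replaced by '*'."""
    def resolve(name: str) -> List[str]:
        name = name.rstrip(".").lower()
        if name in zone:
            return list(zone[name])
        labels = name.split(".")
        if len(labels) > 1:
            return list(zone.get("*." + ".".join(labels[1:]), []))
        return []
    return resolve


def is_rfc1918(addr: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16 addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def required_names(cert_name: str) -> List[Tuple[str, str]]:
    """Names that must answer for the given certificate name, each with a reason.
    For '*.omg.mydomain.com' that is the parent 'omg.mydomain.com' (point 1 in
    the reply) and an arbitrary host under it, which only answers when a
    wildcard A record exists (point 2). The probe label is an assumption."""
    cert_name = cert_name.rstrip(".").lower()
    if cert_name.startswith("*."):
        parent = cert_name[2:]
        return [
            (parent, "parent of the wildcard must exist in DNS"),
            ("acme-preflight-probe." + parent, "wildcard A record must answer for any host"),
        ]
    return [(cert_name, "certificate name must resolve")]


def preflight(cert_name: str, resolve: Resolver, public_view: bool = True) -> List[Tuple[str, str, str]]:
    """Check every required name and return (status, name, detail) rows.
    OK: answers; FAIL: no answer; WARN: a public-DNS view (public_view=True)
    answers with an RFC 1918 address, i.e. the internal CIDR is being published."""
    rows = []
    for name, why in required_names(cert_name):
        addrs = resolve(name)
        if not addrs:
            rows.append(("FAIL", name, why + ": no answer"))
            continue
        leaked = [a for a in addrs if is_rfc1918(a)]
        if public_view and leaked:
            rows.append(("WARN", name, "public DNS answers with internal address "
                         + leaked[0] + "; serve this record from the internal resolver instead"))
        else:
            rows.append(("OK", name, "answers " + ", ".join(addrs)))
    return rows


def worst_status(rows: List[Tuple[str, str, str]]) -> str:
    """Collapse the rows to the single worst status (OK < WARN < FAIL)."""
    rank = {"OK": 0, "WARN": 1, "FAIL": 2}
    return max((r[0] for r in rows), key=rank.__getitem__, default="OK")


if __name__ == "__main__":
    # Constructed zone (documentation address 203.0.113.10, not real data):
    # the wildcard exists but its parent label 'omg.mydomain.com' does not,
    # which is exactly the point-1 failure described in the reply.
    zone = {"mydomain.com": ["203.0.113.10"], "*.omg.mydomain.com": ["203.0.113.10"]}
    for status, name, detail in preflight("*.omg.mydomain.com", zone_resolver(zone)):
        print(f"{status:4} {name:40} {detail}")
```

To run it against real DNS, pass `system_resolver` instead of `zone_resolver(...)`; run it once from a host that uses pfSense's internal resolver (with `public_view=False`) and once from a host that uses a public resolver, since the reply's advice is that the wildcard record may legitimately exist only in the internal view.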
@OMGTheCloud Thanks for your prompt reply. Actually, I wrote it wrong above: my DNS record is like name.domainname, created on AWS Route 53. I am able to perform a DNS lookup of my DNS record and get the right IP, and even ping a public DNS record like yahoo.com and have it resolve to an IP. Currently I have a single production pfSense running, so now I'm setting up 2 pfSense with HA sync functionality as master and backup nodes. May I get your contact so I can show you my setup?