pfSense setup ACME Lets Encrypt

  • Published 17 Nov 2024

COMMENTS • 35

  • @jaymehs
    @jaymehs 1 year ago +2

    I've watched countless videos, banging my head against the wall trying to figure this part out (how do I add valid SSLs for my private services in my homelab). I wish I had come across this video weeks ago, as it explains everything you need to know in an easy-to-understand, concise way. Thank you for this, amazing tutorial series!

  • @saylorsedell2380
    @saylorsedell2380 1 year ago +1

    Perfectly explained, thank you so much! Throughout the video I tried to like at least 3 times, only realizing I already had.

  • @brainamess2979
    @brainamess2979 8 months ago +1

    Thank you so much for this!

  • @drreality1
    @drreality1 3 years ago +1

    Hi, thanks again for your tutorials. Is it mandatory to have a domain name, as I don't have one at the moment? If so, I'd be grateful if you did a beginner tutorial on how to set one up.
    Appreciated

    • @OMGTheCloud
      @OMGTheCloud 3 years ago +3

      Hi there, good question - no, the domain parameter is not mandatory; it will just default to "local" if you leave it. Today it is best practice not to use a .local internal domain, though it is fully supported to do so. This is because it is no longer possible to get a public SSL certificate issued by a third-party provider for a .local TLD. Most would agree .local really shouldn't be used. My recommendation, if you wanted to delineate your internal / local namespace from public, would be to use a subdomain, something like "internal.mydomain.com" where 'mydomain.com' is a public domain you own. Thanks for watching and I appreciate your feedback!

    • @drreality1
      @drreality1 3 years ago +2

      @OMGTheCloud thank you so much for all the educational tutorials you made,
      I really enjoyed them.

  • @westraiser8702
    @westraiser8702 3 years ago

    Thank you for the video, you made it easy to understand.
    I have a home pfSense setup; do I need a public IP, and my DigitalOcean A record pointing to my home public IP?

    • @OMGTheCloud
      @OMGTheCloud 3 years ago +3

      Generally I feel the better way is to use pfSense's dynamic DNS service to update an A record in your domain, then whatever services you want to point back 'home' should reference that A record as a CNAME. I could make a tutorial for this... let me know if that'd be valuable.

    • @chucksw1
      @chucksw1 3 years ago +1

      @OMGTheCloud I would like to see a video for this, thanks!

  • @kyopan23
    @kyopan23 1 month ago

    What do you do when your Acmecert CA expires under System / Certificate Manager / CAs?

    • @OMGTheCloud
      @OMGTheCloud 1 month ago

      Root CA should be valid for 10+ years.

  • @jeanclaudeseba
    @jeanclaudeseba 1 year ago

    I can't see the client configuration. Navigate to Client Export under the OpenVPN menu item to download it.

  • @ryanslab302
    @ryanslab302 3 years ago +1

    Good video. I unfortunately am using Hover and a .one TLD, which is not commonly supported. Luckily GoDaddy supports it and has an API. Now I just have to wait a couple of days for the domain to transfer and the API to work.

  • @charleynisperoschannel1359
    @charleynisperoschannel1359 2 years ago

    Thanks for the brilliant info 🥰🥰🥰

  • @Tom_Neverwinter
    @Tom_Neverwinter 3 years ago

    Google doesn't support anything, it seems...

  • @koenpauwels98
    @koenpauwels98 3 years ago

    Hi, my CAs in Cert Manager are empty. How do I fill them up with Let's Encrypt stuff? It's not working as it should :s

    • @OMGTheCloud
      @OMGTheCloud 3 years ago

      Hi there, it sounds like your pfSense is not successfully getting the certificate issued, as you should see ACME certs in your CAs section and Certificates section. The first thing is to check the logs to see what is happening: Status -> System Logs -> System -> General is where ACME logs are written. Take a look there and see where it is failing.

    • @koenpauwels98
      @koenpauwels98 3 years ago

      @OMGTheCloud OK, I deleted my previous config of DNS rules etc. Maybe I was blocking something... and I'm reinstalling ACME again. I can't see anything special. When should the CAs be added, after installing ACME?

    • @koenpauwels98
      @koenpauwels98 3 years ago

      This is odd :/
      rc.start_packages: The command '/sbin/ifconfig 'em1' delete '10.10.10.1'' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address

    • @OMGTheCloud
      @OMGTheCloud 3 years ago

      It sounds like something in your VLAN config is missing, separate from your ACME certificate config. Are you using a 10.10.10.0/24 network in your pfSense?

    • @koenpauwels98
      @koenpauwels98 3 years ago

      @OMGTheCloud Hmmm, I don't have any VLANs configured. Is this mandatory? Everything is working except this. Is a VLAN necessary? Everything in one VLAN then?

  • @syedshamshami5250
    @syedshamshami5250 3 years ago

    Hi, I am getting a problem while issuing a Let's Encrypt certificate.
    mydomain.network: Verify error: Invalid response from [xxx.xx.xx.xx]: 503
    Note: the above domain name is changed just for example.
    If I go to /tmp/acme/acme_issuecert.log:
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": "Unable to update challenge :: authorization must be pending",
    "status": 400
    If I hit the Let's Encrypt URL from the log:
    503 Service Unavailable
    No server is available to handle this request.

    • @OMGTheCloud
      @OMGTheCloud 3 years ago

      That could be a few different things:
      1. If you are using a subdomain for your wildcard, for example "*.omg.mydomain.com", I found that Let's Encrypt did not like it unless the "omg" part of that was actually resolvable in public DNS; it doesn't matter what it resolves to, it can be any made-up IP, but that namespace has to exist.
      2. Did you also set up a wildcard DNS record for the namespace in your certificate? You can do this either internally (easy with pfSense) or externally at your public DNS provider, as an A record: *.mydomain.com -> IP address where your Traefik container is hosted. It's preferable to set this DNS record inside your network, so you do not leak the CIDR of your internal network, but this is pretty benign so not a big deal.
      3. Those errors definitely smell like a DNS name resolution issue. Is your Let's Encrypt container itself getting good public DNS name resolution? You could get into the container itself (docker exec -it containerName bash) and see if you can ping yahoo.com, for example, and have it resolve to an IP. If you cannot, that is likely the issue. I hope this helps, please let me know how you do!
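The two checks in this reply (does the label under the wildcard exist in public DNS, and what does the ACME log actually say) and the earlier advice in the thread to read the ACME log under Status -> System Logs can be scripted. The following is an added example, not code from the video, from the commenters, or from the pfSense ACME package. It assumes the error in /tmp/acme/acme_issuecert.log is the RFC 8555 JSON problem document as quoted in the thread, generalises point 1 to every parent label down to the registrable domain, and uses only the Python 3 standard library. The log excerpt, the address 203.0.113.10 and the fake resolver are constructed for the example; the live lookup via the system resolver is optional.

```python
"""Diagnostic helper for ACME issuance failures like the ones in the thread.

Added example (not from the video or the pfSense ACME package). It parses the
JSON problem document acme.sh writes to /tmp/acme/acme_issuecert.log, maps the
error type to a hint, and lists the DNS names that should exist publicly before
a wildcard such as *.omg.mydomain.com can be issued.
"""
import json
import re
import socket

# Constructed sample modelled on the thread's excerpt: a Verify error line
# followed by the problem document, with the smart quotes the GUI paste had.
SAMPLE_LOG_EXCERPT = """mydomain.network: Verify error: Invalid response from [203.0.113.10]: 503
{
  \u201ctype\u201d: \u201curn:ietf:params:acme:error:malformed\u201d,
  \u201cdetail\u201d: \u201cUnable to update challenge :: authorization must be pending\u201d,
  \u201cstatus\u201d: 400
}
"""

# Hints keyed on the ACME error URNs defined in RFC 8555 section 6.7.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:malformed":
        "the CA rejected the request; 'authorization must be pending' means the "
        "authorization already finished (valid or invalid), so the challenge cannot "
        "be retried and a fresh order is needed",
    "urn:ietf:params:acme:error:dns":
        "the CA could not resolve the name; confirm the records exist in public DNS",
    "urn:ietf:params:acme:error:connection":
        "the CA could not reach the validation target; for HTTP-01 check the path "
        "to port 80/443, or switch to DNS-01",
    "urn:ietf:params:acme:error:unauthorized":
        "the challenge response was wrong or absent; check the _acme-challenge TXT "
        "record or the webroot file",
}


def parse_acme_error(text):
    """Return {'type', 'detail', 'status'} for the first JSON object in a log excerpt.

    Smart quotes (as pasted from the pfSense GUI) are normalised to ASCII first.
    Returns None when no JSON object is present."""
    cleaned = text.replace("\u201c", '"').replace("\u201d", '"')
    match = re.search(r"\{.*?\}", cleaned, re.S)
    if not match:
        return None
    doc = json.loads(match.group(0))
    return {"type": doc.get("type"), "detail": doc.get("detail"), "status": doc.get("status")}


def hint_for(error):
    """Map a parsed error to a human hint; unknown types get a generic pointer."""
    return ERROR_HINTS.get(error["type"],
                           "unrecognised ACME error type; read the full line in the log")


def names_to_check(cert_name):
    """Names that should resolve in public DNS for a certificate name.

    For '*.omg.mydomain.com' that is the base name 'omg.mydomain.com' and every
    parent down to the registrable domain ('mydomain.com'); the bare TLD is skipped.
    This generalises point 1 above: the label under the wildcard must exist."""
    base = cert_name[2:] if cert_name.startswith("*.") else cert_name
    labels = base.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def resolve(name):
    """Best-effort A lookup through the system resolver (network dependent)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def diagnose(cert_name, log_text, lookup=resolve):
    """Combine the DNS checks and the log parse into one report dict.

    `lookup` is injectable so the function can be exercised offline."""
    report = {"names": {n: lookup(n) for n in names_to_check(cert_name)},
              "error": parse_acme_error(log_text)}
    report["hint"] = hint_for(report["error"]) if report["error"] else None
    return report


def missing_names(report):
    """Names from the report that did not resolve, in check order."""
    return [n for n, addr in report["names"].items() if addr is None]


if __name__ == "__main__":
    # Offline run with a constructed resolver: only the registrable domain exists,
    # which is exactly the situation point 1 above warns about.
    fake_dns = {"mydomain.com": "203.0.113.10"}
    rep = diagnose("*.omg.mydomain.com", SAMPLE_LOG_EXCERPT, lookup=fake_dns.get)
    for name, addr in rep["names"].items():
        print(f"{name:25s} -> {addr or 'NXDOMAIN'}")
    print("missing:", missing_names(rep))
    print("error  :", rep["error"]["type"], rep["error"]["status"])
    print("hint   :", rep["hint"])
```

To run it against a real name, call `diagnose("*.omg.mydomain.com", open("/tmp/acme/acme_issuecert.log").read())` on the firewall itself (pfSense ships Python for its own packages, but the path and interpreter availability are assumptions); the default `resolve` then uses whatever DNS the firewall uses, which is also the resolver the ACME client sees, so a name missing from that list is the first thing to fix before re-issuing.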

    • @syedshamshami5250
      @syedshamshami5250 3 years ago

      @OMGTheCloud thanks for your prompt reply. Actually I wrote it wrong above; my DNS record is like this: name.domainname, which was created on AWS Route 53. I am able to perform a DNS lookup of my DNS record and get the right IP, and even ping a public DNS record like yahoo.com and have it resolve to an IP. Currently I have a single production pfSense running, so now I am setting up 2 pfSense with HA sync functionality as master and backup node. May I get your contact so I can show you my setup?