Renew Certificate Downstream
-
Is it possible for ACME to automatically renew certificate to devices attached to pfSense if the IP is specified in the SAN; for example, the pbx and the phone on pfSense's DMZ?
-
Typically, your certificate contains one or more host names, not IPs. Or a wild card certificate.
A wild card certificate can do "pfense.your-local-domain.tld" and also "nas.your-local-domain.tld" "printer.your-local-domain.tld" etc
Or you add them all one by one :
"pfense.your-local-domain.tld"
"nas.your-local-domain.tld"
"printer.your-local-domain.tld
etc.The acme.sh pfSense package uses Letsencrypt, who doesn't allow IPs as SAN.
Scripted, automatic between pfSense and the printer, nas etc could be done .... if "printer" and "nas" can be scripted, which is often not the case. So it becomes a manual export import job.
-
@gertjan said in Renew Certificate Downstream:
Typically, your certificate contains one or more host names, not IPs. Or a wild card certificate.
A wild card certificate can do "pfense.your-local-domain.tld" and also "nas.your-local-domain.tld" "printer.your-local-domain.tld" etc
Or you add them all one by one :
"pfense.your-local-domain.tld"
"nas.your-local-domain.tld"
"printer.your-local-domain.tld
etc.The acme.sh pfSense package uses Letsencrypt, who doesn't allow IPs as SAN.
Scripted, automatic between pfSense and the printer, nas etc could be done .... if "printer" and "nas" can be scripted, which is often not the case. So it becomes a manual export import job.
Thank you Gertjan for responding. It seems that this certificate thing isn't what it's turning out to be and maybe better off buying a certificate. But then gone is the days where one could buy one for $2/year or $2 for the first year then the price is jacked up to the real price now that one depends on it.
So, if I create an ACME certificate for my PBX box to use on HAproxy reverse proxy then I should not need to import the certificate into PBX since HAproxy knows the IP for PBX...correct?
-
@nollipfsense said in Renew Certificate Downstream:
I should not need to import the certificate into PBX since HAproxy knows the IP for PBX...correct?
I never used something like HAproxy ; but, from what I make of it, if HAproxy is doing the TLS (https) front end, unpacking the TLS an sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX.
The certificate used by HAProxy, from the pfSense cert store, will always be up to date (acme.sh) without actions from your side (well : renting a domain name). -
@gertjan said in Renew Certificate Downstream:
if HAproxy is doing the TLS (https) front end, unpacking the TLS an sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX.
This is correct, if you do the ssl offload on haproxy - you don't need any sort of ssl on the backend your sending the traffic too if your sending it has just normal http traffic.
-
@gertjan said in Renew Certificate Downstream:
I never used something like HAproxy ; but, from what I make of it, if HAproxy is doing the TLS (https) front end, unpacking the TLS an sending plain http (NON TLS) to the back end, your PBX, then yes, no certs needed on the PBX.
@johnpoz said in Renew Certificate Downstream:
This is correct, if you do the ssl offload on haproxy - you don't need any sort of ssl on the backend your sending the traffic too if your sending it has just normal http traffic.
Thank you all for the good sound of music...that's what I thought and is much better than leaving port 80 opens for Lets Encrypt on FreePBX to renew the certificate. This is just a cleaner method and basically creates a secure tunnel to the PBX.