    Best Use of HAProxy, ACME, Let's Encrypt

    14 Posts 4 Posters 2.6k Views
    • M
      michmoor LAYER 8 Rebel Alliance @GregoInc
      last edited by michmoor

      @gregoinc The direction you want to take depends solely on effort

      1. Have your firewall be its own CA and issue the cert. You will need to go to every client within your LAN and have them trust the cert
      2. (Preferred): Register a domain, e.g. example.com. In my case, my domain is registered with Cloudflare. CF also manages my external DNS. Then within ACME, issue yourself a wildcard certificate *.example.com (or an individual cert for each application if you want, but a wildcard is easier). Once you get your cert, which should take a few seconds or a minute, you can use the cert within HAProxy to do the SSL termination.
        Because the certificate is signed by a valid CA, your clients will implicitly trust the cert and your certificate errors will go away.
        Once you have that wildcard cert you can use it for anything within the LAN. I use it, for example, when I log into my pfSense; I no longer get the SSL error message.

      There are quite a few resources on Youtube that will show you how to do option 2

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @michmoor
        last edited by

        @michmoor said in Best Use of HAProxy, ACME, Let's Encrypt:

        have them trust the cert

        Trust the CA - now going forward any cert for any domain or san with a rfc1918 address would be trusted. It is a 1 time thing.

        But yes, it comes down to how many clients you have that would be accessing these resources. If they are admin GUIs for your devices, I would think the number of clients on which you would have to set your CA is limited.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          michmoor LAYER 8 Rebel Alliance @johnpoz
          last edited by

          @johnpoz said in Best Use of HAProxy, ACME, Let's Encrypt:

          Trust the CA - now going forward any cert for any domain or san with a rfc1918 address would be trusted. It is a 1 time thing.

          Loading certs on multiple clients could be a pain. For my home network at least, Using apps like Jitsi or NextCloud, there are no admin access requirements but being able to log in without a cert issue is nice.

          Multiple ways to solve a somewhat benign problem for sure but I like the idea of a valid CA just issuing my certs. One and done.
          Now if you do want to make services available over the WAN you already have a domain and a cert to use.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @michmoor
            last edited by

            @michmoor sure - there are always multiple ways to skin the cat.

            I use an acme cert for a service I provide to the public over haproxy. Because this was the simple solution, and the renewal of that cert can be automated. And to be honest, getting the service to even use a cert is not provided for in the software, so the backend is not encrypted; only the frontend on haproxy is doing the ssl offload, and when the proxy talks to the service it's only http.

            But I see no reason to bounce off my haproxy to access my switch gui, for example. Having to install the acme cert on that switch every 90 days would be a PITA.

            For me it was a 1-and-done thing, because it was done before browsers set limits on the length of the lifetime, so I set the certs' life to 10 years.

            Which solution is easier comes down to the details. Maybe he has like his phone/tablet and his pc that access his internal services that all can locally handle the ssl. If so then trusted CA is easier to implement... Now if he has lots of clients, and lots of different services that may or may not support ssl even - then sure the haproxy is a better solution.

            To know the best way to skin a specific cat, you need to know its breed, its size, its color, etc.. ;) hehehe

            • M
              michmoor LAYER 8 Rebel Alliance @johnpoz
              last edited by

              @johnpoz said in Best Use of HAProxy, ACME, Let's Encrypt:

              To know the best way to skin a specific cat, you need to know its breed, its size, its color, etc.. ;) hehehe

              Wonderfully put :)

              • G
                GregoInc @johnpoz
                last edited by

                @johnpoz said in Best Use of HAProxy, ACME, Let's Encrypt:

                @gregoinc said in Best Use of HAProxy, ACME, Let's Encrypt:

                I want to 'secure' the access to my various 'internal' only websites.

                To who - your own internal users where you control the browser or machine? If so why not just create your own CA, issue your own certs and have clients trust the CA.

                Hi John, I agree... only issue, I am an idiot... and cannot work out how to issue my own certs to each of the applications I use i.e. Unifi, Node Red, Home Assistant, etc.

                I created my own root CA...
                GregoInc-Root-CA.png

                Example. I access my nas, switches, unifi controller, pfsense gui, printer gui all with certs I issued and my clients trust the ca.

                differentbrowsers.jpg

                Different browsers on the same machine trusting certs issued by my CA.

                This is the holy grail for me... however I have been told on various forums it is 'easier' to use ACME and HAProxy, than individually assigning certificates to each application. But I am no expert, which is why I am here.

                If this is all internal you don't need a publicly trusted CA to create the certs. That is only really required when some unknown user/machine is going to access the site and you cannot easily have them trust your certs. I.e. if this was some public site, then yeah, using acme would work.

                Agreed. When watching the multitude of YouTube videos it became clear to me that most people use HAProxy and ACME to allow people on the internet to access a website on their internal network, i.e. sharing a Plex server. I am not seeking to do this.

                I have my own domain - gregoinc.com so theoretically I could do the ACME / HAProxy approach, but I am not convinced, other than it could be easier than individual certs. But like I said I am no expert.

                Thanks, Mark

                • G
                  GregoInc @michmoor
                  last edited by GregoInc

                  @michmoor said in Best Use of HAProxy, ACME, Let's Encrypt:

                  @gregoinc The direction you want to take depends solely on effort

                  1. Have your firewall be its own CA and issue the cert. You will need to go to every client within your LAN and have them trust the cert

                  As I wrote above in my reply to John, I'd heard this approach requires greater effort than the one you've outlined below. But like I said to John, I am no expert.

                  2. (Preferred): Register a domain, e.g. example.com. In my case, my domain is registered with Cloudflare. CF also manages my external DNS. Then within ACME, issue yourself a wildcard certificate *.example.com (or an individual cert for each application if you want, but a wildcard is easier). Once you get your cert, which should take a few seconds or a minute, you can use the cert within HAProxy to do the SSL termination.
                    Because the certificate is signed by a valid CA, your clients will implicitly trust the cert and your certificate errors will go away.
                    Once you have that wildcard cert you can use it for anything within the LAN. I use it, for example, when I log into my pfSense; I no longer get the SSL error message.

                  There are quite a few resources on Youtube that will show you how to do option 2

                  I have read a number of forums and watched countless videos on YouTube. As I wrote to John, most of the content is geared towards people wanting to open up a website on their LAN to people on the internet.

                  I installed ACME and created all necessary items i.e. certificate, keys...

                  ACME_Cert.png
                  ACME_Account.png

                  I figure I might be heading in the right direction... created a wild card entry...

                  DomainSAN.png

                  Got to this point... and now I am unsure how to hook it all to HAProxy which I also have installed. Like I said, most of the content I've read is not for internal use, but external connections coming in.

                  Thanks, Mark

                  • G
                    GregoInc @johnpoz
                    last edited by GregoInc

                    @johnpoz said in Best Use of HAProxy, ACME, Let's Encrypt:

                    @michmoor said in Best Use of HAProxy, ACME, Let's Encrypt:

                    have them trust the cert

                    Trust the CA - now going forward any cert for any domain or san with a rfc1918 address would be trusted. It is a 1 time thing.

                    I guess it depends on whether or not I use my own CA or Let's Encrypt... I assume this is what you are saying here?

                    But yes comes down to how many clients you have that would be accessing these resources. If they are admin gui's to your devices I would think the number of clients that you would have to set your CA is limited.

                    I am a pretty crazy super nerd.... so I have a few sites 🤓

                    Ideally, I'd like something that is low admin, and I could be wrong but a large degree of folks are saying the HAProxy path is the best? But that assumes I can get it working in the first place😧

                    • G
                      GregoInc @michmoor
                      last edited by

                      @michmoor said in Best Use of HAProxy, ACME, Let's Encrypt:

                      Loading certs on multiple clients could be a pain.

                      This is what I have been coming up against, multiple ways to load certs on various clients... which is why I started looking at ACME and HAProxy.

                      Multiple ways to solve a somewhat benign problem for sure but I like the idea of a valid CA just issuing my certs. One and done.

                      This is what I have been reading... and sounds like a lower admin overhead. But it is extremely unlikely I will ever open my network to the outside world. But I guess it would be nice to have the option?

                      • G
                        GregoInc @johnpoz
                        last edited by

                        @johnpoz said in Best Use of HAProxy, ACME, Let's Encrypt:

                        @michmoor sure - there are always multiple ways to skin the cat.

                        I use an acme cert for a service I provide to the public over haproxy. Because this was the simple solution, and the renewal of that cert can be automated. And to be honest, getting the service to even use a cert is not provided for in the software, so the backend is not encrypted; only the frontend on haproxy is doing the ssl offload, and when the proxy talks to the service it's only http.

                        I have struggled to understand the logic of using what is essentially an external facing access solution for internal use? But I am willing to stick with it if it will make my life easier... and is less admin overhead.

                        My greatest challenge is individually modifying each application to use a certificate. Most of my apps are on Linux hosts, so it can be challenging for me to get individual certs to work... but like I said, I am an idiot when it comes to this stuff.

                        But I see no reason to bounce off my haproxy to access my switch gui, for example. Having to install the acme cert on that switch every 90 days would be a PITA.

                        This is what I am seeking to avoid as well. I have a number of switches.

                        For me it was a 1-and-done thing, because it was done before browsers set limits on the length of the lifetime, so I set the certs' life to 10 years.

                        Which solution is easier comes down to the details. Maybe he has like his phone/tablet and his pc that access his internal services that all can locally handle the ssl. If so then trusted CA is easier to implement... Now if he has lots of clients, and lots of different services that may or may not support ssl even - then sure the haproxy is a better solution.

                        Like I said, don't underestimate how much of a super nerd you have here 🤓

                        • G
                          GregoInc
                          last edited by

                          Any feedback on the best way to configure HAProxy would be very much appreciated.

                          I think all I need is a little guidance relating to the Front and Back end configuration, so even a link to some info would be helpful.

                          Thanks, Mark

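The frontend/backend wiring asked about above, put together as an added example (not michmoor's or johnpoz's configuration, and not what the pfSense package generates verbatim): one ACME wildcard cert for *.example.com terminates TLS on the firewall per michmoor's option 2, and the hop to each app stays plain HTTP as johnpoz describes. The hostnames, RFC 1918 addresses, application ports and the PEM path are assumptions.

```haproxy
# Constructed haproxy.cfg sketch; pfSense's HAProxy package writes the
# equivalent from its Frontend/Backend pages. Names/addresses are assumed.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    # pass the real client IP to the app in X-Forwarded-For
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 exists only to push browsers to HTTPS
frontend http-in
    bind 192.168.1.1:80
    http-request redirect scheme https code 301

# One PEM (full chain + key) from the ACME package covers every *.example.com name
frontend https-in
    bind 192.168.1.1:443 ssl crt /var/etc/haproxy/example-com-wildcard.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Route on the Host header: one DNS name per internal application
    acl host_ha      req.hdr(host) -i ha.example.com
    acl host_nodered req.hdr(host) -i nodered.example.com
    acl host_unifi   req.hdr(host) -i unifi.example.com
    use_backend homeassistant if host_ha
    use_backend nodered       if host_nodered
    use_backend unifi         if host_unifi
    # Requests for unknown names (or the bare IP) reach no application
    default_backend reject

# Backends: cleartext inside the LAN unless the app insists on its own TLS
backend homeassistant
    server ha1 192.168.1.21:8123
backend nodered
    server nr1 192.168.1.22:1880
backend unifi
    # Assumed: this controller only listens on HTTPS with a self-signed cert,
    # so HAProxy re-encrypts this hop and skips verification for it only
    server unifi1 192.168.1.20:8443 ssl verify none
backend reject
    http-request deny
```

Each internal name needs a DNS entry (e.g. a host override on the firewall) that resolves to the HAProxy bind address, since the wildcard cert only matches by hostname.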
                          • whoami TMW
                            whoami TM @GregoInc
                            last edited by whoami TM

                            @gregoinc I just went through this myself. I originally had made all my own certs and added them to clients' root cert authority, but the self-hosted web interface for my home security system doesn't allow for adding of ssl certs. Since I already have a paid-for domain name for 10 years and this was so easy, I just set it up for all my home private servers on the LAN. I know I'm about a month late, but for anyone else maybe it will help. YouTube: How To Create pfsense Let's Encrypt Wildcard Certificates using HAProxy

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.