Netgate Discussion Forum

Help with SSL Certificates

ACME
    kenw (Feb 6, 2023, 1:44 PM)

    Hi All:

    I am running pfsense+ 22.05-release on an SG-1100. I want to get SSL certs for pfsense and about 4 other servers in my homelab. Neither pfsense nor any host on my LANs should be accessible from the internet. I own my own domain registered through Hover.

    From my own research I think I need wildcard cert(s) from Letsencrypt using DNS verification. I’d like to get, manage and renew the cert(s) from pfsense. I’m confused about the use/need for subdomains and reverse proxies and whether I need them for my use case given I don’t need access from the internet.

    Any suggestions on how to set this up or pointers to existing tutorials would be greatly appreciated.

      johnpoz, LAYER 8 Global Moderator, @kenw (Feb 6, 2023, 2:07 PM, edited 2:08 PM)

      @kenw said in Help with SSL Certificates:

      for pfsense and about 4 other servers in my homelab.

      Is there some specific reason you want to do this with acme.. You could just create a CA in pfsense, which can be any domain, even rfc1918 addresses.. And good for like 398 days without your browser complaining about it.

      While sure you can setup acme in pfsense to create a wildcard cert, and then move this to whatever you want inside your network, switches, printers, applications, etc. That might be a pita to automate and would need to be done every 90 days. And with a cert from acme you would not be able to add an rfc1918 address as a SAN, etc.

      If you just create your own ca in pfsense and have your browsers trust this ca, you can create any certs you want for any domain you want and say 192.168.1.1 as a SAN, etc..

      And now you only have to update this once a year vs every 90 days.

      You can use your public domain if you want in the cert.. Here is an old link where I went over doing this in pfsense..

      https://forum.netgate.com/post/831783

      I use these certs for pfsense gui, my switches web gui, my printer, my unifi controller software, my nas gui, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        kenw @johnpoz (Feb 6, 2023, 2:46 PM)

        @johnpoz Since I use multiple browsers from multiple PCs the letsencrypt wildcard approach eliminates the need to load the cert into each browser on each PC I use. Is that not correct?
        Your suggestion is definitely worth consideration though. Thanks

          johnpoz, LAYER 8 Global Moderator, @kenw (Feb 6, 2023, 2:56 PM)

          @kenw you don't have to load the "cert", you trust the CA that creates the certs. It should be a 1 time thing on each pc/device - depending on the browser it should use the system trusted store. But if the browser uses its own trust store then you might have to trust the CA via that browser's trust store.

          Once this is done - any certs going forward that you create via this ca would be trusted. And would not have to be done again on that device/browser..

          Yes acme is great when you can not alter the device's trust - but for stuff like access to an admin gui or stuff for administration that would only come from you and your devices.. Trusting the CA is a one time thing and now any new certs you add to any of your stuff would auto be trusted..


            kenw @johnpoz (Feb 7, 2023, 12:22 PM)

            @johnpoz Implemented your suggestion and everything is working just like you described. Thank you for your help 👏

              kenw @kenw (Feb 8, 2023, 7:12 PM)

              @kenw
              I thought I was done here but I’m seeing something I did not expect.

              On pfsense (FQDN: pfsense.home.arpa)

              • Created internal CA, intermediate CA and GUI certs
              • Changed pfsense to use https and GUI cert (System/Advanced/Admin Access page)

              On PC1 on internal LAN

              • Imported CA and intermediate CA into Windows 10 Trusted and Intermediate CA stores respectively
              • Browsing to https://pfsense.home.arpa succeeds with status of secure connection and valid certificate as expected

              On PC2 on same LAN (without import of any certificates)

              • Browsing to https://pfsense.home.arpa still succeeds but with status connection NOT secure and certificate NOT valid

              I get the same results with Brave and MS Edge browsers. My question is why can I still get to the pfsense GUI from PC2? Shouldn’t access be denied? Is there something I need to change to prevent pfsense access w/o use of a valid certificate?

                johnpoz, LAYER 8 Global Moderator, @kenw (Feb 8, 2023, 10:55 PM, edited 11:00 PM)

                @kenw said in Help with SSL Certificates:

                My question why can I still get to pfsense GUI from PC2?

                because you told it to.. Just because the browser doesn't trust the CA that signed the cert doesn't mean you can not use it.. This is default for pfsense, it creates a selfsigned cert, this is the default for most https guis on stuff like printers, switches, etc. etc.. That is why your browser complains - but doesn't mean you can not tell it to use it anyway.

                something I need to change to prevent pfsense access w/o use of a valid certificate?

                That would be on your browser.. Honestly I have never looked into doing something like that - why would you? I can see the warning, I will make the decision then if I should go ahead anyway.. Sometimes sites forget to renew their cert, now it has expired - if you locked down your browser to not be able to use anyway - you would have to wait for them to fix it.


                  kenw @johnpoz (Feb 9, 2023, 12:47 AM)
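The root CA, intermediate CA and GUI-cert setup kenw describes, and the reason PC2 still gets a page with a warning, as an added example that is not from this thread or from pfSense: it builds the same kind of chain with plain openssl (pfSense's Cert Manager does this in the GUI) and then runs the client-side check with and without the root in the trust store. The CA names, pfsense.home.arpa and 192.168.1.1 are assumed illustrative values; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread: root CA -> intermediate CA -> pfSense GUI
# cert with openssl, then show that whether the GUI cert validates depends only
# on which root the client trusts. Names and addresses below are illustrative.
set -eu
WORK=$(mktemp -d)
make_chain() {
  cd "$WORK"
  # Root CA, self-signed, ~10 years. Only root.crt is imported into client
  # trust stores; root.key never leaves the CA host.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Homelab Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
    -out root.crt 2>/dev/null
  # Intermediate CA signed by the root; pathlen:0 means it may only sign leaves.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Homelab Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile int.ext -out int.crt 2>/dev/null
  # GUI leaf: serverAuth, 398 days (the lifetime the thread mentions), with a
  # DNS SAN and a private IPv4 SAN. A public ACME CA will not issue the
  # IP:192.168.1.1 entry; a private CA can.
  openssl req -new -newkey rsa:2048 -nodes -keyout gui.key -out gui.csr \
    -subj "/CN=pfsense.home.arpa" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:pfsense.home.arpa,IP:192.168.1.1\n' >gui.ext
  openssl x509 -req -in gui.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 398 -extfile gui.ext -out gui.crt 2>/dev/null
}
# PC1: root.crt is trusted; the intermediate arrives with the server's chain.
# Both the hostname and the RFC 1918 address verify.
verify_trusted() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname pfsense.home.arpa "$WORK/gui.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_ip 192.168.1.1 "$WORK/gui.crt" >/dev/null 2>&1
}
# PC2: no trusted root at all. The chain fails, which is the browser's
# "not secure" warning; the server itself still answers exactly as before.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/int.crt" \
    "$WORK/gui.crt" >/dev/null 2>&1
}
make_chain
verify_trusted && echo "trusted root: chain, hostname and IP SAN verify"
verify_untrusted || echo "no trusted root: verification fails (PC2's warning)"
```

The trust decision lives entirely in the client's store, which is why pfSense keeps serving the page to PC2; restricting who can reach the GUI at all is a firewall-rule question, not a certificate one.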

                  @johnpoz Ok. Guess I didn't understand that's how things are supposed to work. Thanks again

                    johnpoz, LAYER 8 Global Moderator, @kenw (Feb 9, 2023, 2:12 AM)

                    @kenw if your goal is to prevent access to the gui - you would do that in a firewall rule, only allow the IP or vlan you want to be able to access the pfsense web gui.

                    This is quite often locked down from the default anti-lockout rule on the lan, by creating a management vlan.. And only this vlan has access to the gui via a firewall rule. You only put machines on this management vlan that you want to be able to access the pfsense web gui.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.