Question regarding Acme and DDNS
-
@gregeeh Did you read the blog post that option links too.. That is for virtual dns, not having cloudflare proxy the connection.
You should note this part of the blog post
Virtual DNS Rollout
We are currently rolling out Virtual DNS support. Organizations interested in enabling Virtual DNS should contact our sales team.That option completely different than selecting proxied in clouldflare dns..
-
@johnpoz said in Question regarding Acme and DDNS:
Did you read the blog post that option links too..
Thanks for your reply.
No I did not, and I don't know what blog you are referring to nor what option you are referring to. Sorry.
TIA
-
@gregeeh its right there where you enable proxy in ddns
That setting is completely different than proxied setting where users actually talk to clouldflare servers and the connection is proxied by cloudlfare to your connection.
https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/
-
@johnpoz said in Question regarding Acme and DDNS:
its right there where you enable proxy in ddns
Thank you, never saw that.
So, it seems I cannot enable "Proxied" when using Cloudflare as my DDNS in this way. Makes sense, as the "proxied" IP would be returned instead of my pfSense WAN IP.
Thank you again.
-
@gregeeh they are 2 different things.. See my edit.. You can for sure proxy connection to your service, http or https through cloudflare.. But that is not what that seeing is for in the ddns record.
I would suggest you read the blog post and the other article I linked to about setting proxied in your dns record on cloudflare.
What do you want to happen - do you want clients wanting to talk to your http/https service you host via pfsense wan IP to go through cloudflare servers to get there, or do you want them to directly come to your wan IP to access whatever service your exposing?
-
Again, thank you for the information and I have read both articles.
@johnpoz said in Question regarding Acme and DDNS:
What do you want to happen
pfSense is only being accessed via the LAN, no WAN access at all and never will be. I setup Acme and Cloudflare DDNS just so I could get rid of the annoying browser not secure message. I know, I should not let it get to me but it does.
So I've accomplished my goal, but it leaves the DDNS resolving to my WAN IP. So, I thought I would just enable "proxied" in both Cloudflare and pfSense DDNS. But then I cannot connect pfsense.mydomain.com:8080 via the LAN.
Disable both of the "proxied" options and I get a secure https connection to pfsense.mydomain.com:8080 via the LAN.
-
@gregeeh all you want is to access the webgui without your browser complaining?
Just run your own CA on pfsense and set your browser to trust it..
https://forum.netgate.com/post/831783
You can use whatever fqdn you want, even the home.arpa and you can add san for just your rfc1918 IP as well.. I think its a much better solution for web gui of something that only you will be accessing, etc.
And you can use the ca to create certs for any other webgui things like printers, switches, unifi controller, nas, etc.
-
@johnpoz said in Question regarding Acme and DDNS:
Just run your own CA on pfsense and set your browser to trust it..
Thank you, I will give that a try. Looks much easier.
Greg
-
@gregeeh if you have any questions just ask been doing it for years.. My gui cert is still good til 27, I have created it 2017.. This was before the browsers started complaining about long life certs..
I do need to get around to changing it, as want to completely move away from the local.lan domain have been using and use home.arpa - I have moved over some of my certs. But just haven't pulled the trigger on the webgui as of yet. Its working - not a lot of hurry to change it ;)
I have changed it on my unifi and nas because those certs were expiring..
Here is the cert on the webgui of pfsense, you can see it has multiple names I can use and also the IP, so even when accessed via IP, say my local dns was down.. Cert is still trusted.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz - Followed all your steps. Imported into Firefox and all good :)
As for Chrome, imported into Trusted Root Certification Authorities as Personal did not work. Hope this was correct?
So, to create certificates for say my NAS and Unifi Controller, I would just repeat those steps making a CA and CERT for each. Correct?
Thanks again, for all your help. Much easier then using Acme Certificates.
Greg
PfSense running on Qotom mini PC
CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
UniFi AC-Lite access point -
@johnpoz said in Question regarding Acme and DDNS:
I do need to get around to changing it, as want to completely move away from the local.lan domain have been using and use home.arpa - I have moved over some of my certs. But just haven't pulled the trigger on the webgui as of yet. Its working - not a lot of hurry to change it ;)
Hello johnpoz
I have a question following your sentence. Why do you want to change this?
I copied your explanations (old but still valid) where you had used "local.lan" ... and now I see your message and I would very much like to understand the meaning of your remark.
I'm learning a lot here, THANK YOU!!!
I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
... And now I'm living with a Netgate 8200
... And sorry for my bad English... -
@gregeeh said in Question regarding Acme and DDNS:
@johnpoz - Followed all your steps. Imported into Firefox and all good :)
As for Chrome, imported into Trusted Root Certification Authorities as Personal did not work. Hope this was correct?
So, to create certificates for say my NAS and Unifi Controller, I would just repeat those steps making a CA and CERT for each. Correct?
Thanks again, for all your help. Much easier then using Acme Certificates.
Greg
I have the same question because I just can't get it. For access to my Pfsense it's all OK, but not for my "UCK_Gen2-Plus"!? Does it take time for the certificate to propagate?
I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
... And now I'm living with a Netgate 8200
... And sorry for my bad English... -
@gregeeh said in Question regarding Acme and DDNS:
making a CA and CERT for each. Correct?
No you only need the 1 CA, you can now create certs with that ca for any of your devices. And your browser will use them because it trusts the CA.
-
@SwissSteph said in Question regarding Acme and DDNS:
understand the meaning of your remark
Oh I don't actually "need" too - but home.arpa is the new recommended domain to use locally..
https://datatracker.ietf.org/doc/html/rfc8375.html
Special-Use Domain 'home.arpa.'I do believe pfsense now defaults to that.. There is no "need" to move away from my local.lan domain I could continue to use it - but there is no reason I shouldn't use the home.arpa so at some point I will make sure everything locally is using it..
-
@SwissSteph said in Question regarding Acme and DDNS:
but not for my "UCK_Gen2-Plus"
The controller is a pita to get to use new certs.. I have no idea why they don't make it simple to change out via the gui, like my nas was, or even my printer. There are instructions out there to do it..
Here are my notes for changing it on the unifi controller.
From the CA, have these files available:ca.cert.pem (CA cert)server.domain.net.cert.pem (server cert)server.domain.net.key.pem (server key) copy them to the unifi controller. delete the old keystore and restart unifi to create an empty keystore:sudo rm /var/lib/unifi/keystore sudo service unifi restart Create a central file to upload to the keystore:openssl pkcs12 -export -in server.domain.net.cert.pem -inkey server.domain.net.key.pem -certfile ca.cert.pem -out unifi.p12 -name unifi -password pass:aircontrolenterprise This gives you the file unifi.p12. Now import this into the unifi keystore:keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise Restart unifi sudo service unifi restart And we're good to go. more info keytool -list -keystore data/keystore -v keytool error: java.io.IOException: keystore password was incorrect when using Openssl to export, add -legacy so openssl v3 will revert back to legacy mode, and then keytool was able to import. openssl pkcs12 -export -legacy -
@johnpoz said in Question regarding Acme and DDNS:
@SwissSteph said in Question regarding Acme and DDNS:
understand the meaning of your remark
Oh I don't actually "need" too - but home.arpa is the new recommended domain to use locally..
https://datatracker.ietf.org/doc/html/rfc8375.html
Special-Use Domain 'home.arpa.'I do believe pfsense now defaults to that.. There is no "need" to move away from my local.lan domain I could continue to use it - but there is no reason I shouldn't use the home.arpa so at some point I will make sure everything locally is using it..
Thank you for your reply with the link
-
@johnpoz said in Question regarding Acme and DDNS:
@SwissSteph said in Question regarding Acme and DDNS:
but not for my "UCK_Gen2-Plus"
The controller is a pita to get to use new certs.. I have no idea why they don't make it simple to change out via the gui, like my nas was, or even my printer. There are instructions out there to do it..
Here are my notes for changing it on the unifi controller.
From the CA, have these files available:ca.cert.pem (CA cert)server.domain.net.cert.pem (server cert)server.domain.net.key.pem (server key) copy them to the unifi controller. delete the old keystore and restart unifi to create an empty keystore:sudo rm /var/lib/unifi/keystore sudo service unifi restart Create a central file to upload to the keystore:openssl pkcs12 -export -in server.domain.net.cert.pem -inkey server.domain.net.key.pem -certfile ca.cert.pem -out unifi.p12 -name unifi -password pass:aircontrolenterprise This gives you the file unifi.p12. Now import this into the unifi keystore:keytool -importkeystore -srckeystore unifi.p12 -srcstoretype PKCS12 -srcstorepass aircontrolenterprise -destkeystore /usr/lib/unifi/data/keystore -storepass aircontrolenterprise Restart unifi sudo service unifi restart And we're good to go. more info keytool -list -keystore data/keystore -v keytool error: java.io.IOException: keystore password was incorrect when using Openssl to export, add -legacy so openssl v3 will revert back to legacy mode, and then keytool was able to import. openssl pkcs12 -export -legacyThanks for your explanation, it's going to go beyond my skills and I don't want to break anything on this unify controller ... it's complicated enough (for me) with Unify when there's a new camera, for example, and it's not seen ....
-
@gregeeh said in Question regarding Acme and DDNS:
Hope this was correct?
Sure as long as your browser trusts the CA is all that matters.
