Netgate Discussion Forum
    A questions about certs from a small-shop / home user (Maybe wrong category?)

    Ellis Michael Lieberman
      last edited by Ellis Michael Lieberman

      I am using "Let's Encrypt" for two of my servers [mail & apache2/web]. Both use the same public (static) IP with port forwarding. I do not have a network cert server.

      The cert for the Netgate pfSense+ is invalid, at least as I access the unit.

      "Let's Encrypt" requires the ability to interact with the unit directly.

      I do NOT allow any traffic from the outside to talk with the Netgate unit (pass-through for web, mail, DNS, all that) but no services on the unit itself.

      So how do I get a valid cert on the unit so my LAN-based browser can name the unit in a way that my browser doesn't complain?
      Note: the name is supported by my internal nameservers. There is no record for that name on the public nameservers.

      Gertjan @Ellis Michael Lieberman

        @Ellis-Michael-Lieberman

        If you own (rent 😊 ) this domain:

        [image]

        then you can use the acme.sh pfSense package to obtain a
        "pfsense.netwr*t.net" certificate.
        Use this certificate for your pfSense GUI: no more browser 'invalid' messages: the signer is known == trusted.

        Check with your registrar what 'dnsapi' model they support, and set up acme.sh accordingly.

        @Ellis-Michael-Lieberman said in A questions about certs from a small-shop / home user (Maybe wrong category?):

        The cert for the Netgate pfSense+ is invalid

        The pfSense self-generated certificate is perfectly valid. It's just self-signed.
        The thing is, your browsers have a built-in list of CAs (certificate authorities) that they trust.
        If you trust your pfSense, you can export the CA it uses to make the pfSense GUI certificate, import it into the trusted CA list of your system / browsers, and the pfSense GUI cert will now be shown as 'ok'. It's that easy.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

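As an added example of the "the signer is known == trusted" point (not from the thread and not pfSense's own code): the script below builds a throwaway CA standing in for the one pfSense generates, signs a GUI certificate with it, and then runs the two openssl verifications a browser effectively performs, first against the system trust store alone (fails: unknown issuer) and then with the exported CA supplied as a trust anchor (succeeds), plus the hostname-to-subjectAltName check. All names are placeholders; pfsense.example.net stands for the internal-only FQDN of the firewall. One caveat before importing: a CA in the trust store is trusted to issue certificates for any name, so the pfSense CA's private key deserves the same protection as the GUI admin password.

```shell
#!/bin/sh
# Added example, not from the thread and not pfSense code: a throwaway CA
# standing in for the CA pfSense generates, a GUI certificate signed by it,
# and the openssl checks that show why a browser accepts the certificate only
# once that CA is in its trust store. All names are placeholders.
set -eu

WORK=$(mktemp -d)
GUI_NAME="pfsense.example.net"   # assumption: internal-only FQDN of the firewall

# 1. The private CA (this is the CA you would export from pfSense as PEM).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home pfSense CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A key and CSR for the GUI, then the CA signs it with a subjectAltName,
#    which is what browsers match the typed hostname against (not the CN).
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$GUI_NAME" \
    -keyout "$WORK/gui.key" -out "$WORK/gui.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GUI_NAME" >"$WORK/gui.ext"
openssl x509 -req -days 365 -in "$WORK/gui.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/gui.ext" -out "$WORK/gui.crt" 2>/dev/null

# A browser that has not imported the CA: chain building stops at an unknown issuer.
verify_with_system_store() {
    openssl verify "$WORK/gui.crt" >/dev/null 2>&1
}

# The same check after "importing" the exported CA as a trust anchor.
verify_with_exported_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/gui.crt" >/dev/null 2>&1
}

# The name typed in the browser must appear in the certificate's SAN list.
hostname_matches() {
    openssl x509 -in "$WORK/gui.crt" -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# Who signed the GUI certificate (compare with the subject of the exported CA).
issuer_of_gui_cert() {
    openssl x509 -in "$WORK/gui.crt" -noout -issuer
}

if verify_with_system_store; then echo "system store only: trusted"; else echo "system store only: NOT trusted (unknown issuer)"; fi
if verify_with_exported_ca;  then echo "with exported CA: trusted";  else echo "with exported CA: NOT trusted"; fi
hostname_matches "$GUI_NAME" && echo "SAN covers $GUI_NAME"
issuer_of_gui_cert
```

Run it with `sh` on any machine that has the openssl CLI; on a real setup replace `$WORK/ca.crt` with the CA you exported from pfSense and `$WORK/gui.crt` with the certificate the GUI presents, and the same three checks tell you whether the import will satisfy the browser.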
        Ellis Michael Lieberman @Gertjan

          @Gertjan
          Do I understand that you want me to list "pfsense.netwrightt.net" in my public record?

          Gertjan @Ellis Michael Lieberman

              @Ellis-Michael-Lieberman said in A questions about certs from a small-shop / home user (Maybe wrong category?):

              Do I understand that you want me to list "pfsense.netwrightt.net" in my public record?

              If you want Let's Encrypt to sign you a certificate that contains "pfsense.netwrightt.net", you must prove to Let's Encrypt that you are "pfsense.netwrightt.net" == that you handle (admin, own, etc.) that domain name.
              There are multiple ways to do this, hence the big list here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

              Example: there is a domain name server that handles "netwrightt.net". With an acme.sh script, and access credentials your registrar gave you, acme.sh accesses your registrar's domain server, and places a text (TXT) file in the subdomain /.well-known/. The filename and its content are given to acme.sh by Let's Encrypt.
              When done, Let's Encrypt tests the existence of that file name, and the content, so it knows that you 'admin' that domain name.
              This method is called "rfc2136".
              Since then, registrars have created their own methods and that's why the dnsapi list is so big.


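The proof-of-control step described above is the ACME DNS-01 challenge (RFC 8555 section 8.4). What the CA looks for is a DNS TXT record named _acme-challenge.<hostname>, whose value is base64url(SHA-256(token "." thumbprint-of-the-account-key)), with the thumbprint computed per RFC 7638; acme.sh's dnsapi hooks publish that record through the registrar's API, and the hostname itself needs no public A record, which is what makes this usable for a GUI that is reachable only from the LAN. The script below is an added example, not from the thread and not acme.sh's own code: it computes that record value in POSIX sh with openssl and checks an observed value against it. The account key members and the token are made up.

```shell
#!/bin/sh
# Added example (not from the thread, not acme.sh code): compute the TXT
# record value a DNS-01 challenge asks for (RFC 8555 section 8.4 with the
# RFC 7638 JWK thumbprint) and check a published value against it.
set -eu

# base64url without padding, as ACME requires
b64url() {
    openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# RFC 7638 thumbprint of an RSA account key: SHA-256 over the required
# members only ("e", "kty", "n"), in lexicographic order, with no whitespace.
jwk_thumbprint_rsa() {   # $1 = e, $2 = n (both base64url, as in the JWK)
    printf '{"e":"%s","kty":"RSA","n":"%s"}' "$1" "$2" \
        | openssl dgst -sha256 -binary | b64url
}

# keyAuthorization = token "." thumbprint
key_authorization() {    # $1 = challenge token, $2 = account key thumbprint
    printf '%s.%s' "$1" "$2"
}

# DNS-01 TXT value = base64url(SHA-256(keyAuthorization))
dns01_txt_value() {      # $1 = challenge token, $2 = account key thumbprint
    key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Name of the record the CA queries for a given certificate hostname
challenge_name() {       # $1 = hostname being validated
    printf '_acme-challenge.%s' "$1"
}

# Compare an observed TXT value (for example from
#   dig +short TXT "$(challenge_name pfsense.example.net)")
# with what the CA will expect. Returns 0 on match, 1 otherwise.
dns01_matches() {        # $1 = observed TXT value, $2 = token, $3 = thumbprint
    [ "$1" = "$(dns01_txt_value "$2" "$3")" ]
}

# Constructed inputs: not a real key and not a real token, just for the demo.
FAKE_E="AQAB"
FAKE_N="2vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc"
FAKE_TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMB=$(jwk_thumbprint_rsa "$FAKE_E" "$FAKE_N")

echo "publish TXT at $(challenge_name pfsense.example.net) with value:"
dns01_txt_value "$FAKE_TOKEN" "$THUMB"; echo
```

The value is always 43 base64url characters because it is a 32-byte digest, so a shorter or longer record is a sign the hook wrote the token or the key authorization itself rather than its hash. Only the TXT record at the challenge name has to be visible in public DNS; the internal A record for the GUI can stay on your internal nameservers.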
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.