Netgate Discussion Forum

    Local management of LE haproxy certificates

    Cache/Proxy, 22 Posts, 2 Posters, 1.7k Views
    • viragomann @frankz

      @frankz said in Local management of LE haproxy certificates:

      The problem arises from the fact that the servers are in the LAN and the certificates are on pfSense, so if the internet connection goes away I cannot manage the servers, unless I declare the LAN IP with the DNS override.

      Set it to the WAN IP and ensure that LAN firewall rules allow access to it.
      This way, the local connection goes through HAproxy as well.

      • frankz @viragomann

        @viragomann Yes, thank you. But it already works now; what I was writing about is whether the case where the provider's WAN connection has no IP can be solved. In short, if they are in the LAN and NAT is in pure mode, the servers are reached. If the router is down, nothing works anymore unless the DNS resolver configuration intervenes, which, as mentioned before, allows me to connect to the server, but the certificate is the one of pfSense on haproxy, which to be used requires the round trip of the TCP packets. This does not happen on servers where the certificate is in their webroot, so with the DNS override it works without problems. Yes, some users have exported the certificates from pfSense to the various servers, but the problem of renewal remains!

        • viragomann @frankz

          @frankz
          In simple words, you have to make sure that the connections to your server from inside your LAN go over HAproxy.

          If your WAN address is gone when the internet is down, then add the LAN IP to the HAproxy frontend and configure a DNS host override for your domains and point it to the LAN address.

          Where are the difficulties?

          • frankz @viragomann

            @viragomann It's dynamic ..... so every time it changes I should make the rounds ... unless you know how this can be done differently or automatically.

            • viragomann @frankz

              @frankz said in Local management of LE haproxy certificates:

              It's dynamic ..... so every time it changes I should make the rounds

              The LAN address of pfSense???

              • frankz @viragomann

                @viragomann IP 192.168.3.2/24

                • viragomann @frankz (last edited by viragomann)

                  @frankz
                  I don't need to know which.
                  But you said the LAN IP is dynamic?

                  • frankz @viragomann

                    @viragomann No. The IP of the LAN firewall is 192.168.3.2, WAN 192.168.1.2. On the router a DMZ is configured where all the traffic from the internet, and I mean everything, is forwarded to 192.168.1.2.

                    • viragomann @frankz

                      @frankz
                      So you can add host overrides for all your hosts to your DNS and point them to the LAN IP.

                      Then in the respective HAproxy frontend listening table click "add another entry"
                      [screenshot: d7471b37-f6a3-4bb8-b235-2c6c17822eb9-grafik.png]
                      and select the LAN from the drop-down, state port 443 and check "SSL offloading".

                      Then requests to your host names go to HAproxy, which manages the SSL certificates.

                      • frankz @viragomann

                        This post is deleted!
                        • viragomann @frankz

                          @frankz
                          Your frontends are already listening on any IP. So you only have to configure the DNS host overrides to point to the LAN address.

                          Before trying to access the server from your local device, remember to flush the DNS cache on the client.

                          • frankz @viragomann

                            @viragomann Yes, but the certificate error occurs if the internet goes down. As I had already written, if I leave the override as I had done, the certificates are on pfSense and not on the servers. These servers, which you have actually seen as you may have already noticed, are virtual hosts, so pfSense resolves them as 192.168.3.76, which are aliases of the 192.168.3.76 cluster. To make sure that this does not happen I had to delete the overrides, so the FQDN goes to haproxy, which has to resolve externally to the production WAN IP address, e.g. 151.99.44.33. If you think about it, that's how it is. As I had also written before, this does not happen on another server, where I declared the override but the certificate is there in its webroot, so the verification remains internal to the server.

                            A user had a configuration similar to mine and had even managed to upload the pfSense certificates to the servers. The only problem remains that every 60 days you have to make the rounds to remove and update them. I apologize if the translation from Italian to English is poor, so you may have difficulty getting an exact overview.

                            • viragomann @frankz

                              @frankz said in Local management of LE haproxy certificates:

                              As I had already written, if I leave the override as I had done, the certificates are on pfSense and not on the servers.

                              Yeah, and it's provided to clients by the HAproxy frontend in the strict sense.

                              Then you said, your WAN IP cannot be used, when the internet goes down. Maybe.

                              That's why I suggested pointing the DNS host overrides to the LAN address.
                              Since the HAproxy frontend is listening on any IP of pfSense, you can also access it through the LAN address.

                              Now the host name is resolved to the LAN IP inside your local network. Hence the client goes to pfSense LAN > HAproxy, gets the SSL certificate, is happy because it matches the requested name, and HAproxy connects to the backend as it does if the request is coming from outside.
                              This should work as long as HAproxy is not in transparent mode.

                              So what are your concerns?

                              • frankz @viragomann

                                @viragomann Ok, then I'll try again by putting back the overrides that point to 3.76. As primary DNS I use Pi-hole, which has pfSense as upstream. Anyway, I'll try again tomorrow and let you know. At the moment I thank you for your patience and for helping me.

                                • viragomann @frankz

                                  @frankz said in Local management of LE haproxy certificates:

                                  then I'll try again by putting back the overrides that point to 3.76.

                                  Dude, to pfSense LAN IP, not to the backend server / cluster.

                                  • frankz @viragomann

                                    @viragomann [screenshot: Screenshot 2024-04-10 alle 08.15.55.png] [screenshot: Screenshot 2024-04-10 alle 08.15.19.png]

                                    • viragomann @frankz

                                      @frankz
                                      I feel like I was speaking to dead walls here.
                                      Give it up.

                                      • frankz @viragomann

                                        @viragomann I'm sorry. Thank you anyway.

                                        • frankz @viragomann (last edited by frankz)

                                          @viragomann [screenshot: Screenshot 2024-04-10 alle 12.21.08.png]
                                          That's how it works and that's what I wanted to make you understand.

                                          • viragomann @frankz

                                            @frankz
                                            So read the thread again and find out how often I wrote that you have to state the LAN IP of pfSense in the host override.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.