PfSense HAProxy certificate export import
-
I will include screenshots as well
On pfSense in HAProxy When I have SSL Offloading Checked on External address in the Frontend. i get: ( Warning: Potential Security Risk Ahead )
When I have SSL Offloading unchecked on External address in the Frontend. i get:
400 Bad Request The plain HTTP request was sent to HTTPS port
-
@VMlabman
I guess, your browser is not accepting the SSL certiificate, if SSL is enabled.
Hit the Advanced button to show error details. Also you can show the certificate.You need to assign a certificate from a trusted CA to the frontend to load the page in the browser without issues.
If you disable SSL, it would be a wrong configuration, so forget this error 400. If the browser tries to connect to https site (port 443) it's expecting to get an SSL certificate.
-
I am using a .wildcard certificate from my pfSense trusted CA to the frontend. I also imported the same Cert into the Printer and NAS. I can create a Cert individually for each of them. I see where in the Edit HAProxy Backend server pool Under Backend I can set a CA: and/or a Client certificate: Shouuld I create the Certs and import them into the devices and list them under the Backend for each host?
Here are some screenshots of the Browser Errors I get in FireFox and Google Chrome. Maybe shis will point at somthing.
-
@VMlabman
So this is a self-signed certificate and the browsers will not trust it.
You can install the CA certificate in the browser to trust all certs issued by it. However, you have to do this on each unique browser, which you want to access HAproxy.In your initial post you wrote that you enable ACME. So my assumption was, that you got a Lets Encrypt certificate to use in HAproxy.
However, you will need a real public domain name to do this.My suggestion with the local CA was to secure the traffic inside your network. As I wrote above, you can issue (long validity period) certificates from it and install it on your backend devices. So HAproxy can access the backend servers via HTTPS, and will trust the certs, since they issued from a CA on pfSense itself.
-
I am going to go with your suggestion and use HAProxy and pfSence CA's for the few devices. So that is my goal here a Printer and a NAS. I takeing it alittle bit at a time this go at it.
-
Create CA Root in pfSense
-
Create CA Intermediate in PfSense
-
Create / Sign / Export Devise Certs
-
Get Certs onto Devices
-
HAProxy Basic Setup
Thank you,
-
-
Question when I am creation a Certificate Request from the device and filling in the Common Name Field. Is is case sensitive and is it the FQDN or just the HIOSTNAME?
Thank you,
-
@VMlabman
The common name has to be the FQDN. -
thanks
-
@VMlabman
When you enter the FQDN into the browser with "https://" in front of it, the browser expects to get a certificate from the server, in which the common name matches the entered / requested host name (FQDN) in the address line.
If they don't match the browser will not load the website. -
Thank you so much for everything. I actually got it working thanks to a lot of your help. It is now successfully working on my printer. Also, in the Certificates I realized everything was case sensitive.
Once again, thank you for the education and all your time and effort definitely appreciated
-
@VMlabman
Glad that you got it working as desired finally. -
Another question re this same project. Does HAProxy support self signed Certificates? If so anything special I need to keep in mind when creating it? The NAS can’t do a CSR. I am having issues adding the my QNAP NAS to HAProxy. Yet, I know HAProxy is working on my printer so I am just adding a new backend and adding it the the same frontend. Other then the NAS is on port 5553 os easy change on that part in the Backend.
Thanks you,
-
@VMlabman said in PfSense HAProxy certificate export import:
Does HAProxy support self signed Certificates?
Yes, if you have "SSL checks" unchecked.
The NAS can’t do a CSR.
Does it also not support the import of a certificate?
If you generate the certificate from a CA on pfSense, HAproxy should trust it anyway.
-
However, if I uncheck the SSL box and AJ proxy, does that make the connection between AA proxy and the Cell science certificate unencrypted
-
@VMlabman
If you enable the encryption in the backend, HAproxy requires an SSL certificate from the backend server to connect and the traffic is then encrypted based on this cert, whether it's validated or not. -
So for my nails since I’m having problems importing the certificate I’ll just create a self science certificate on the NA itself not checked encrypted SSL certificate in H a proxy back end and proxy will still encrypt the traffic. Am I understanding you correctly because I’m still using AJ proxy
-
@VMlabman
Yes, of course it does, as "encryption" is checked. -
Hello,
Add my NAS in I have it all set up using an alternate DNS entry from my standard of it's own in DNS so I can point it to the firewall / HAProxy as I did with my printer.
Qnap-1.myvmlab.net = 10.50.50.200 to the devices IP
mgmtqnap-01.myvmlab.net = 10.50.50.254 to the firewall / HAProxyWhen I ping them both I get the correct DNS resolution to the correct IP for the Host Name. When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error. In HAProxy the backend is up. Note the NAS is using a self signed certificate at the moment. Any ideas?
-
@VMlabman said in PfSense HAProxy certificate export import:
When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error.
You need the frontend port here!
I guess, it's listening on 443. If so, you can omit the port. -
@viragomann said in PfSense HAProxy certificate export import:
https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additiona
WOW you made it work LOL I forgot about that part. All part of being new. It's working and passing through HAProxy. I can see the traffic pass via the stats page.
Thank you for saving me