PfSense HAProxy certificate export import

viragomann

@VMlabman
When you enter the FQDN into the browser with "https://" in front of it, the browser expects to get a certificate from the server, in which the common name matches the entered / requested host name (FQDN) in the address line.
If they don't match the browser will not load the website.

VMlabman

@viragomann

Thank you so much for everything. I actually got it working thanks to a lot of your help. It is now successfully working on my printer. Also, in the Certificates I realized everything was case sensitive.

Once again, thank you for the education and all your time and effort definitely appreciated

viragomann

@VMlabman
Glad that you got it working as desired finally.

VMlabman

@viragomann

Another question re this same project. Does HAProxy support self signed Certificates? If so anything special I need to keep in mind when creating it? The NAS can’t do a CSR. I am having issues adding the my QNAP NAS to HAProxy. Yet, I know HAProxy is working on my printer so I am just adding a new backend and adding it the the same frontend. Other then the NAS is on port 5553 os easy change on that part in the Backend.

Thanks you,

Qnap Backend-00001.png

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

Does HAProxy support self signed Certificates?

Yes, if you have "SSL checks" unchecked.

The NAS can’t do a CSR.

Does it also not support the import of a certificate?

If you generate the certificate from a CA on pfSense, HAproxy should trust it anyway.

VMlabman

@viragomann

However, if I uncheck the SSL box and AJ proxy, does that make the connection between AA proxy and the Cell science certificate unencrypted

viragomann

@VMlabman
If you enable the encryption in the backend, HAproxy requires an SSL certificate from the backend server to connect and the traffic is then encrypted based on this cert, whether it's validated or not.

VMlabman

@viragomann

So for my nails since I’m having problems importing the certificate I’ll just create a self science certificate on the NA itself not checked encrypted SSL certificate in H a proxy back end and proxy will still encrypt the traffic. Am I understanding you correctly because I’m still using AJ proxy

viragomann

@VMlabman
Yes, of course it does, as "encryption" is checked.

VMlabman

@viragomann

Hello,

Add my NAS in I have it all set up using an alternate DNS entry from my standard of it's own in DNS so I can point it to the firewall / HAProxy as I did with my printer.

Qnap-1.myvmlab.net = 10.50.50.200 to the devices IP
mgmtqnap-01.myvmlab.net = 10.50.50.254 to the firewall / HAProxy

When I ping them both I get the correct DNS resolution to the correct IP for the Host Name. When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error. In HAProxy the backend is up. Note the NAS is using a self signed certificate at the moment. Any ideas?

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error.

You need the frontend port here!
I guess, it's listening on 443. If so, you can omit the port.

VMlabman

@viragomann said in PfSense HAProxy certificate export import:

https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additiona

WOW you made it work LOL I forgot about that part. All part of being new. It's working and passing through HAProxy. I can see the traffic pass via the stats page.

Thank you for saving me

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

WOW you made it work LOL I forgot about that part. All part of being new.

I know, HAproxy is a bit hard for beginners.

VMlabman

@viragomann

It was working until I removed the Root CA from my Browser. Once I removed it I get the Warning: Potential Security Risk Ahead when going to https://mgmtqnap-01.myvmlab.net/ Do I have to have the Root CA in my browser for it to work? I did see the traffic pass through HAProxy in Stats w/ the Root CA in my Browser.. Any ideas?

Could this be a case of not having a firewall rule right? I am not sure I ever got that right.

Thank you,

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

mgmtqnap-01.myvmlab.net
Do I have to have the Root CA in my browser for it to work?

If it's a private CA, you need the certificate in the browser to trust the server certificate issued from it.

For public CAs the browser or the OS has all certificates included.

VMlabman

@viragomann

Got ya, I understand better now. On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address it's self. Any Ideas on that one?

Now to add another device. If I have a device that will only take a Certificate from say GoDaddy or Digital Ocean. Will HAProxy work with a default out of the box Certificate or would I have to use an ACME Certificate via my public domain name and somehow stop traffic / access from outside my LAN from using it with in HAProxy with an ACL?

Thank you,

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address it's self. Any Ideas on that one?

But the pages load if you use the backends host name?

If I have a device that will only take a Certificate from say GoDaddy or Digital Ocean. Will HAProxy work with a default out of the box Certificate

You mean, the backend device pull its certificate directly from a public CA?
And you want to access the device from outside through the revere proxy?

VMlabman

@viragomann

*On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address it's self. Any Ideas on that one?

But the pages load if you use the backends host name?* Yes, sure does.

The other question is using HAProxy for a SSL on a Manages Switch it has few options and I think it's much more complicated for a beginner like myself. This is what I am looking at doing link text More fun

viragomann

@VMlabman said in PfSense HAProxy certificate export import:

On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address it's self. Any Ideas on that one?

But the pages load if you use the backends host name?* Yes, sure does.

Possibly the backend is expecting the host name, it is configured for.
You can HAproxy set to send any host name to the backend.
To do so edit the concerned backend and add host-header set action and enter its host name.

But this could also have other reasons. If the host header doesn't solve, you will have to investigate the issue with the debugging tools of the browser.
Find out, which pages are concerned. Maybe these are virtual directories?
Compare the paths, which the browser is requesting in both cases, working and not-working.

VMlabman

@viragomann said in PfSense HAProxy certificate export import:

Possibly the backend is expecting the host name, it is configured for.
You can HAproxy set to send any host name to the backend.
To do so edit the concerned backend and add host-header set action and enter its host name.

 Where in the backend do I se the host-header. I don't see it and I even looked in the frontend.  I know I am missing it as I am 100% sure it's right there in front of me.

Thank you,