Netgate Discussion Forum
    PfSense HAProxy certificate export import

    VMlabman @viragomann

      @viragomann said in PfSense HAProxy certificate export import:

      Possibly the backend is expecting the host name it is configured for.
      You can set HAProxy to send any host name to the backend.
      To do so, edit the concerned backend, add a host-header set action and enter its host name.

      Where in the backend do I set the host-header? I don't see it, and I even looked in the frontend. I know I am missing it, as I am 100% sure it's right there in front of me.

      Thank you,

      viragomann @VMlabman

        @VMlabman
        As I wrote, this is an action which you can configure.

        Possibly you need to configure an ACL for it which is always true.

        I don't use this function for my purposes, however, so I cannot give more details.

        VioletDragon @VMlabman

          @VMlabman You are missing the most crucial thing here: DNS! What is your goal? What services are you trying to get SSL certificates for? Web services? Mail services?

          What is your DNS configuration? Without valid DNS and a domain you will not get an SSL certificate with Let's Encrypt.

          In my high-availability cluster + hosting services my configuration consists of:

          ACME / pfSense on both node 01 & node 02 for SSL offloading.

          The backend uses SSL certificates too, but both the firewall and the servers have their own certificates.

          DNS - split DNS with Digital Ocean API configuration with the DNS resolver.

          This gives you more of an idea how it works. Never copy SSL certificates from a server to use on another. This is a flawed configuration. Both need to have SSL certificates generated.

          Regards.

          VMlabman @VioletDragon

            @VioletDragon
            @viragomann

            Viragomann, I set the host header as shown (hostheaderset.png). The page is still not loading properly. Screenshots attached.

            I am in a homelab, having deployed HAProxy serving two devices: a printer's web management interface and a NAS web management interface. The NAS works great, smooth and without page load delays or errors. The printer, on the other hand, does not load several of its management pages. It does not give any errors at all, just a partially loaded page when I use the https:// URL vs. just the IPv4 address.

            My DNS is set up using the pfSense 2.7.2 resolver. I do have a registered domain as well. Yet for right now I am just working with devices that are not going to be public facing. I am using pfSense for my certificates for the local devices.

            After that I will move on to the public facing sites with ACME and my domain.

            Thank you,
            hp prn no load.png hp prn does load.png

            viragomann @VMlabman

              @VMlabman
              Host name = FQDN!

              AND you need to enter the host name which the printer wants to see.
              You wrote it works if you access the printer directly with its host name. Pick this and enter it in the host header.

              VioletDragon @VMlabman
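Written out as raw HAProxy configuration, this is what the "host-header set" action discussed in the posts above amounts to. It is an added example, not from this thread and not the output of the pfSense HAProxy package; the frontend and backend names and the certificate and CA file paths are placeholders, while the hostname and printer address are the ones quoted in the thread. Note that the header *name* has to be literally `Host`; the value (the GUI's `fmt` field) is the name the backend device expects.

```haproxy
# Added example (not from the thread or the pfSense package): rewriting the
# Host header towards a backend device that only answers for one host name.
# Section names and certificate paths are placeholders.

frontend https_in
    bind :443 ssl crt /PLACEHOLDER/path/to/frontend-cert.pem
    mode http
    # Route by the name the client asked for.
    acl host_printer req.hdr(host) -i mgmthpofficejetpro9015e.myvmlab.net
    use_backend printer_mgmt if host_printer

backend printer_mgmt
    mode http
    # Equivalent of the GUI action "http-request header set":
    #   name = Host
    #   fmt  = the host name the printer wants to see
    # Without an "if" condition the action applies to every request, which is
    # what an "always true" ACL in the GUI achieves.
    http-request set-header Host mgmthpofficejetpro9015e.myvmlab.net
    # Re-encrypt to the printer and verify its certificate against the CA that
    # issued it (placeholder path) instead of skipping verification.
    server printer 10.50.50.100:443 ssl verify required ca-file /PLACEHOLDER/path/to/internal-ca.pem
```

Header manipulation only works in `mode http`; a `mode tcp` backend passes the TLS stream through untouched and the Host header can't be changed there. If the device is only ever reached by IP, the value to set is that IP rather than the FQDN.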

                @VMlabman I would have not done it like this. No FQDN, i.e. prn.domain.com.

                VMlabman @viragomann

                  @viragomann

                  Hello,

                  Changes I made to http-request header set:
                  I set name: mgmthpofficejetpro9015e
                  I set fmt: mgmthpofficejetpro9015e.myvmlab.net

                  Are the name: and fmt: set correctly?

                  HAProxy Action Setting Header.png

                  What I was trying to say was: when I go to 10.50.50.100, it all works great. It gives me a security warning, I click OK and I get a page load different than I do with the https page request.

                  printer IP does load right.png printer IP does load right pg 2.png

                  When I go to https://mgmthpofficejetpro9015e.myvmlab.net I get no errors, but it does not load pages fully and thinks I am already logged into the page / site, as it shows Sign-out in the upper right corner.

                  printer FQDN does not load right.png

                  viragomann @VMlabman

                    @VMlabman
                    Okay, forget the host header. Since the page loads correctly with the IP, the host header might not be necessary.

                    You will have to debug the web site, as mentioned above, to find out why it's not loading all parts properly.

                    VMlabman @viragomann

                      @viragomann

                      You know what's coming next by now, don't you? How do I even start to debug a webpage? YouTube? What are your suggestions?

                      Thank you,

                      viragomann @VMlabman

                        @VMlabman
                        You can enter the debug mode (developer mode) by hitting F12.

                        Select Network in the top line. Enable the Scheme column by right-clicking on the headline of a column and selecting "Scheme" from the drop-down. Then reload the page.
                        Look for files with status 400 and above.

                        Do this over HAProxy and direct access, so that we can compare it.
                        I guess there are differences in the file path or in the scheme.

                        VMlabman @viragomann

                          @viragomann

                          I'll work on that in some spare time.

                          Another quick question: from another Ubuntu machine and two other Windows machines I'm not able to get an SSL connection to the QNAP machine, even though I imported the CA certificate into the browsers. This goes for Chrome and Firefox. Got a machine reboot, cleared cookies and data from browsers. Any suggestions on this one?

                          Thank you,

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.