Letsencrypt working in 2.3
-
I haven't seen any arguments that convince me that LE is any worse than any other non-EV certificate, ie regular DV.
What are your credentials that say others should relay on your judgment?
Perhaps you just have a different risk tolerance than others. Or maybe you just haven't looked very diligently or objectively or have different assessment of the importance of certain things found.You certainly do not speak for me.
-
I haven't seen any arguments that convince me that LE is any worse than any other non-EV certificate, ie regular DV.
What are your credentials that say others should relay on your judgment?
Perhaps you just have a different risk tolerance than others. Or maybe you just haven't looked very diligently or objectively or have different assessment of the importance of certain things found.You certainly do not speak for me.
DV relies on the assumption that if you have control over the email delivery chain and control over DNS for domain.tld that you own domain.tld. The former can be subverted via the latter so the only real trust is control over DNS.
LetsEncrypt removes the assumption of control over email delivery chain, and relies on the actual thing being trusted by DV: control of DNS.
LE is no better or worse than DV certs. If you're not comfortable with DV certs then there's a huge percentage of sites you shouldn't trust, including this one.
-
As explained above, your arguments against LetsEncrypt are essentially arguments against DV certificates in general. Ok, I'll concede that - the world is an imperfect place. A site with only a DV (or LetsEncrypt) cert should probably not be trusted with the nuclear launch codes.
However, I find the crux of your argument to be completely ridiculous in the terms of the pfSense WebGUI. First, I disagree that there are ever good reasons to expose a firewall GUI to the internet. If you're really concerned about security, that should be the first thing to go. If you broke VPN, you would just need to get physical hands on the device (or have a second VPN). Second, there should only be (in a large organization) a handful of people that even have access to said WebGUI and only another handful of people that even know it exists. Are you really that concerned about an attacker spoofing your firewall WebGUI login that maybe 10 people have credentials to? If so you need to re-evaluate the group of people that have access to the WebGUI. They shouldn't be trusted anyhow.
Should we all get EV certificates? In a perfect world - sure, let's assume there's nothing better to do with $2k+ a year than going through the arduous process of EV for a WebGUI that isn't internet facing anyhow. But in reality, you're eliminating a valid and reasonable method for users to get encrypted access to their firewall GUI. I think we can all agree that LetsEncrypt is a better option than say using Chrome's –ignore-certificate-errors option. But that is exactly what you're implying that small businesses and home users should be doing. Because you wouldn't use a LetsEncrypt certificate on your installation. No one is saying you have to.
I also want to point out the double standard of making a huge huff about LetsEncrypt while leaving plain HTTP as a single radio button away. Clearly that's the better option. ::)
I love that last line in the reddit comment "This is exactly why there isn't support for Let's Encrypt in pfSense 2.3. (I'd looked at it and decided that it wasn't yet time.)"
Cool story, bro - I didn't realize pfSense was a maintained by a dictatorship. Not everyone's use case matches yours. Lighten up old man. -
Just thought I'd point out that there appears to be a feature request being worked on to have LetsEncrypt support in version 2.4…
https://redmine.pfsense.org/issues/5434
-
p.s. its not only usefull for the webgui itself, but also for other packages running on pfSense like for example haproxy or maybe vhosts package or even the captive portal might use a trusted cert to let people enter their voucher codes.
I would really like to have it available through 'official' channels instead of people needing to take lots of different scripts from sources the search-engine of choice presents..
-
Dear All,
As StartCom is likely to go down based in this issue: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview, I would expect that many more people will feel the need to switch to Letsencrypt soon. Having certbot or another update client in the HAProxy package in a sufficiently secure manner would superb then.
Regards,
Michael
-
This might be slightly off-topic for this thread, but it's at least related. I have a public-facing web server that obtains Let's Encrypt certificates for a number of internal hosts using the dehydrated script (https://github.com/lukas2511/dehydrated), and I'm able to automate deploying certs to most of those hosts using some fairly simple scripting. Typically this involves using scp to copy the relevant cert files to the appropriate locations, and then reloading the web server or other software using the cert. Is there any reasonably-straightforward way to automatically deploy a cert to a pfSense machine?
-
Dear All,
As StartCom is likely to go down based in this issue: https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview, I would expect that many more people will feel the need to switch to Letsencrypt soon. Having certbot or another update client in the HAProxy package in a sufficiently secure manner would superb then.
Regards,
Michael
Yes, second that. I'm using StartCom at home now, using pfSense as a reverse proxy(add-on) that adds https for the websites running behind it. As StartCom is going down, I started looking into Letsencrypt and found this thread.
Letsencrypt seems ideal for this kind of stuff where you just want a little bit more(convenient) then self signed certificates. -
As StartCom is going down
They don't think they're going down. Their page mentions them generating new root certs for Mozilla to get off the shit list. IE and Chrome still trust them. It might be premature to dump your existing cert. I also use StartCom for my dinky site and I haven't seen any problems in Firefox with it yet.
-
@KOM:
IE and Chrome still trust them.
The(they have multiple, it's unclear to me which is which) root CA is also on the Chrome "shitlist" as of a few days ago.
Anyway, it seemend a good idea to switch to something else, as I do have to replace my certificates soon because of StartCom's problems. -
I've been doing some testing and the script here is working well;
https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
put this script in your ~/.achme.sh/ folder and you're good to go with commands like;
~/.achme.sh/acme.sh –issue --dns -d yourdomain.tld -d sub.yourdomain.tld
after DNS is updated you're then able to update the certs and keys with
~/.achme.sh/acme.sh --renew -d yourdomain.tld (no need to specify all the subs here)this will create and update certs under ~/.achme.sh/yourdomain.tld/
I imported the key and cert manually in the web gui, but I'd like to do this automatically. Where are these keys/certs stored when using the web gui? and is it possible to load(move/copy) them with cli somehow?
After some digging I found the file /var/etc/haproxy/blabla.pem - however if i just cat my cert and key into this file and reloads haproxy, the old certificate is still in use.so.. how to import and reload certificates with cli?
-
I've been doing some testing and the script here is working well;
https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.shso.. how to import and reload certificates with cli?
Something similar to:
https://forum.pfsense.org/index.php?topic=107161.msg651063#msg651063 -
I've been doing some testing and the script here is working well;
https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.shso.. how to import and reload certificates with cli?
Something similar to:
https://forum.pfsense.org/index.php?topic=107161.msg651063#msg651063Thanks a lot for the "script.sh"! that helped me alot!
My certs that i use for haproxy is now being updated automatically!I see that in the script you are restarting the webgui (reloading the config file) with "/etc/rc.restart_webgui". I've checked "/etc/rc.*" but there's no haproxy restart script there (I can only find a "/etc/rc.haproxy_ocsp.sh" which updates haproxy OCSP responses).
How do I restart haproxy from cli?
EDIT: /usr/local/etc/rc.d/haproxy.sh -
FYI
https://github.com/pfsense/FreeBSD-ports/pull/89
that is all
-
Great to see this is getting some traction. I don't get all the hate towards LE. It seems even cPanel have implemented Letsencrypt into their AutoSSL feature.
I too am using a StartCom free DV cert to secure my pfsense webGUI, and a captive portal authentication page.
I intend to start using HAProxy soon to serve content from local webservers to the outside world directly from pfsense, rather than from a transparent Apache proxy inside the LAN. I'm already using Letsencrypt on this but I would much prefer to have this moved to the firewall.
I'll be watching this with great interest. Thanks for the great work guys.
-
Hi All
Initially thanks for the howto. I did use a different one, as it worked better for me.
I also managed to have it automated.Im using acme.sh by Neilpang (i did install bash):
https://github.com/Neilpang/acme.shIm running the web if on different port, therefore i need the validation on that different port (666):
for issue:
/root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
for renew:
/root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/after that i modified script from here, especially the parts with write rights, and hardlinks:
https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02eNow it should work automagically. (of course you still need to change webconfigurator to https)
its not really a comprehensive guide, but it has some inspiration, i hope.
-
Hi All
Initially thanks for the howto. I did use a different one, as it worked better for me.
I also managed to have it automated.Im using acme.sh by Neilpang (i did install bash):
https://github.com/Neilpang/acme.shIm running the web if on different port, therefore i need the validation on that different port (666):
for issue:
/root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
for renew:
/root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/after that i modified script from here, especially the parts with write rights, and hardlinks:
https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02eNow it should work automagically. (of course you still need to change webconfigurator to https)
its not really a comprehensive guide, but it has some inspiration, i hope.
The PR above has been pulled in. 2.4 should have a working package
-
Hi All
Initially thanks for the howto. I did use a different one, as it worked better for me.
I also managed to have it automated.Im using acme.sh by Neilpang (i did install bash):
https://github.com/Neilpang/acme.shIm running the web if on different port, therefore i need the validation on that different port (666):
for issue:
/root/.acme.sh/acme.sh –issue -d domain.tld --standalone --tlsport 666 -w /usr/local/www/
for renew:
/root/.acme.sh/acme.sh --renew-all --standalone --tlsport 666 -w /usr/local/www/after that i modified script from here, especially the parts with write rights, and hardlinks:
https://gist.github.com/mamedov/f3c63322dde1a73537b11c621a4fd02eNow it should work automagically. (of course you still need to change webconfigurator to https)
its not really a comprehensive guide, but it has some inspiration, i hope.
The PR above has been pulled it. 2.4 should have a working package
Great news!
https://redmine.pfsense.org/projects/pfsense/roadmap -
Any plans for Lets Encrypt support in a 2.3 release?
Took a look at the 2.3 snapshot but couldn't find it -
Already available in 2.3.3