Problems with webroorFTP method
-
Where is you webroot situation ? On what device ?
-
I am trying to issue ACME certificate on my pfsense router box
-
Then hat are you doing with NAT etc ?
the local webroot is ... local.See here : https://www.netgate.com/docs/pfsense/certificates/acme-validation.html
This method works similar to FTP Webroot but with the files hosted on the firewall itself. This method cannot be utilized by the WebGUI web server as that would mean exposing the GUI to the Internet, which is a major security issue.
This method can, however, be used in conjunction with the HAProxy package to host the files on the firewall itself in some circumstances. See https://forum.netgate.com/post/677786 for details.IMHO : Not a good solution.
-
@chudak said in Problems with webroorFTP method:
Name does not end in a public suffix
Is pretty self-explanatory, you can't create LE certs for private TLDs.
-
@grimson said in Problems with webroorFTP method:
@chudak said in Problems with webroorFTP method:
Name does not end in a public suffix
Is pretty self-explanatory, you can't create LE certs for private TLDs.
So what @gertjan pointed to See here : https://www.netgate.com/docs/pfsense/certificates/acme-validation.html can NOT be used for local domains ?
Just to confirm ....
-
I guess https://community.letsencrypt.org/t/can-i-create-a-cert-for-a-private-domain/27264
-
https://letsencrypt.org/how-it-works/ to get a cert your domain needs to be properly registered in the public DNS system and reachable over the internet. Private TLDs will not work.
-
@grimson said in Problems with webroorFTP method:
TLD
Well, that's good news !
Painful but useful
Thank you !
-
To be frank, I think that the fact that Acme can’t be used for local TLD must be underlined in the docs more clearly !
-
Of course you can't ask for a certificate for a domain like network.local. or something like that.
The TLD should exist, or, said otherwise, should be able to resolved on the Internet (not only your LAN). The domain name should exists, or registered against one of the exiting registrars.
You have to buy (actually : rent) a real domain name, or at least control directly or underlying its nae servers (DNS), a service that most registrars offer these days.
Btw : If you use something like a DDNS read this : https://community.letsencrypt.org/t/letsencrypt-https-ssl-for-ddns-net/40263
Some famous laws do apply : because it's free things are extra complicated.
The "webroot method " can be used here.
This webroot, some Internet server, could be local - on your LAN, or elsewhere, as long as the A record of
yourdomaine.ddns.net
points to it.Btw : This
@gertjan said in Problems with webroorFTP method:
Then hat are you doing with NAT etc ?
was me not understanding you.
You where right, you have to NAT if your web server (webroot) is local for you. Which means that your domain that point to your WAN IP will pass through ports like "443" so the LE server can gain access to the web server to do it's work.
This could be, in a worst case, be the GUI of pfSense. You can see above what has been said about that "solution".
You should NAT to an existing internal web server (the web root method).
This means that acme running on pfSense should place a directory structure and file on that web server. It will be using ssh or sftp so it can do it's magic. -
I really want to make sure to get to the bottom of it!
See detail steps: https://pastebin.com/7imkJw6p
-
Using the webroot method, you'd need to expose your firewall GUI to the web directly, which is dangerous, and it would need to use HTTP not HTTPS, which is insecure for the firewall GUI. Don't do that. There are ways to hook it into haproxy like that, but it is still not ideal.
If you must use a web-based method on the firewall itself, try the "standalone" method instead. You'll probably want to run it on another port (e.g. 8080) and then port forward wan:80 to 127.0.0.1:8080, to avoid a conflict with other services on the firewall itself. There are docs around that describe how to do that in more detail.
tl;dr: You're going about it the wrong way, use a more appropriate method.
-
Thx
Looks like this link is accurate and worked fine
https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/
I need to address error:
Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname.
Can you confirm that these steps correct to fix this issue, please?
Go to System > Advanced, Firewall/NAT tab. then you need to enable three options:
- Pure NAT for NAT Reflection mode for port forwards
- Enable NAT Reflection for 1:1 NAT
- Enable automatic outbound NAT for Reflection
-
I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked !
As @jimp suggested here https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3