Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    haproxy and wildcard lets encrypt only for internal servers

    Scheduled Pinned Locked Moved Cache/Proxy
    13 Posts 3 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PiBa @noplan
      last edited by PiBa

      @noplan
      Can you elaborate on the bammmmm part? Is the browser actually receiving the LE cert? Does it indeed show as valid for the domain used? No proxy is taking the browser traffic that checks differently?

      Or perhaps its the 'chain' thats missing.? Have you uploaded the intermediate certs into pfSense cert manager?

      Can you check in /var/etc/haproxy/ that the expected cert contents is there, including intermediates.?

      noplanN 1 Reply Last reply Reply Quote 0
      • noplanN
        noplan
        last edited by

        @PiBa
        when i call the website the browser still shows the "old" self signed cert
        ---> no i guess the LE cert is not received by the browser
        Q1 how can i check if browser will get LE cert ?

        what i find in /var/etc/haproxy/
        name.crt_lst
        name.pem
        server_clientcert_1234.pem
        haproxy.cfg

        i think something is missing

        Have you uploaded the intermediate certs into pfSense cert manager
        no
        i thought its a wildcard no use for that

        hmmm
        checking again

        1 Reply Last reply Reply Quote 0
        • noplanN
          noplan @PiBa
          last edited by

          @PiBa

          do i have to copy these to somewhere else ?
          maybe to /var/etc/haproxy/ ???

          -----END CERTIFICATE-----
          [Tue Apr 14 20:47:33 CEST 2020] Your cert is in /tmp/acme/certName.xyz//.certName.xyz/.certName.xyz.cer
          [Tue Apr 14 20:47:33 CEST 2020] Your cert key is in /tmp/acme/certName.xyz//.certName.xyz/.certName.xyz.key
          [Tue Apr 14 20:47:33 CEST 2020] The intermediate CA cert is in /tmp/acme/certName.xyz//.certName.xyz/ca.cer
          [Tue Apr 14 20:47:33 CEST 2020] And the full chain certs is there: /tmp/acme/certName.xyz//
          .certName.xyz/fullchain.cer
          [Tue Apr 14 20:47:33 CEST 2020] Run reload cmd: /tmp/acme/certName.xyz/reloadcmd.sh

          IMPORT CERT certName.xyz, /tmp/acme/certName.xyz/.certName.xyz/.certName.xyz.key, /tmp/acme/certName.xyz/.certName.xyz/.certName.xyz.cer
          update cert![Tue Apr 14 20:47:34 CEST 2020] Reload success

          P 1 Reply Last reply Reply Quote 0
          • P
            PiBa @noplan
            last edited by PiBa

            @noplan
            If you open the 'name.pem' file, does it contain 'BEGIN CERTIFICATE' twice?
            If you look in the pfSense certificate manager, on the certificates tab, is the 'Issuer' column filled? If not try adding the intermediate cert from LE at the CAs tab, it should then automatically fill the Issuer on the certs tab as well when iirc..

            That would only be separate 'parts' of the fullchain.cer ..

            (afaik the LE cert that signs public certs itself is not trusted root.., seems not with my one anyhow.. but i set it up a few years ago.. maybe things changed..)

            1 Reply Last reply Reply Quote 0
            • noplanN
              noplan
              last edited by

              name.pem (goes like this)

              -----BEGIN CERTIFICATE-----
              -----END CERTIFICATE-----

              -----BEGIN RSA PRIVATE KEY-----
              -----END RSA PRIVATE KEY-----

              -----BEGIN CERTIFICATE-----
              -----END CERTIFICATE-----

              certificate manager, on the certificates tab
              yes filled with
              be85d3ca-6ba2-431c-ba77-c5c559b72618-grafik.png

              P 1 Reply Last reply Reply Quote 0
              • P
                PiBa @noplan
                last edited by

                @noplan hmm.. seems it all sounds good..
                sure the browser doesn't use a proxy.? or a local dns direct record?

                1 Reply Last reply Reply Quote 0
                • noplanN
                  noplan
                  last edited by

                  firefox / not usin a proxy

                  pfsense is the DNS

                  hmm /me a little in the woods now :) *ffffff

                  P 1 Reply Last reply Reply Quote 0
                  • P
                    PiBa @noplan
                    last edited by

                    @noplan
                    Send you a PM/chat, perhaps i can take a look at your setup.?.

                    1 Reply Last reply Reply Quote 0
                    • C
                      capone
                      last edited by capone

                      So Happy I found this thread.

                      I am having the EXACT same issue.

                      @noplan my setup is identical to your OP. Did you ever find a solution to this??

                      @PiBa were you able to fix @noplan's setup?

                      noplanN 1 Reply Last reply Reply Quote 0
                      • C
                        capone
                        last edited by

                        The only progress I was able to make with this is to remove the "Register DHCP static mappings in the DNS Resolver" .... save ... apply.

                        Close the browser, run ipconfig /flushdns, reopen the browser and it works.

                        As a consequence, I loose access to anything that I had as a static DHCP lease and didn't set an override for...but also if I want to ssh into one of the machines that I have an override for...I will get my PFsense box.

                        For more details, I posted my findings here: Override Hosts not working with DNS Resolver

                        If you leave the tick in, "Register DHCP static mappings in the DNS Resolver" ... then the resolver servers two IPs... the 1st is the actual IP of your server, the 2nd is the override.

                        Looks like the browser uses the 1st IP and goes directly to your machine, bypassing haproxy, and getting the self signed cert... NOT the wildcard cert from LE.

                        I don't know what the solution to this is... maybe someone with more experience can chime in?

                        1 Reply Last reply Reply Quote 0
                        • noplanN
                          noplan @capone
                          last edited by

                          @capone

                          yes i fixed it

                          plain and simple the only thing i had to change in
                          967b2dd6-56fd-47bd-bbba-9b499daf8e8c-grafik.png

                          bded3045-f4b4-43b9-9bca-f2d7f5c28740-grafik.png

                          domain = your domain
                          IP = ip your HaProxy is runnin on in this case the LAN IP of the firewall

                          and it is workin

                          let me know if u succeeded
                          brNP

                          1 Reply Last reply Reply Quote 0
                          • C
                            capone
                            last edited by

                            @noplan Thanks for the reply.

                            Naw... I've tried that. It doesn't work for my setup. Pfsense returns two IPs for that hostname...but the 1st IP is the real server IP...the 2nd IP is the 'override' ... besides I can't ssh into the server if the override IP is the only one that resolves for that hostname...

                            Just starting to accept the fact that this solution won't work for my setup.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.