Installing SSL cert on pfsense
-
Hi all,
I use Let's Encrypt, which is an awesome program if you want your Apache server or FTP server encrypted using SSL certs.
https://letsencrypt.org/
I was just wondering: instead of installing it on my Apache server, can I install it on the pfSense firewall?
Many thanks,
rob
-
You could, but why? What does it gain you over just using the built-in pfSense self-signed cert?
-
Why comes to my mind as well.. I really see no use for such a cert on a firewall.. Do you allow the public to access your web GUI? Guess it could have some use in a captive portal scenario that hits an https site from guest users and you want them to trust it and not get an error. Is that why you want it?
-
There is a Let's Encrypt package in the works (check the open/pending PRs)
It is useful to have verifiable certs for the GUI and elsewhere so browsers will not complain about the trust chain, and for other uses of the GUI like captive portal as you mention.
-
Basically I have a test VM email server (Postfix, Dovecot and webmail PHP, i.e. SMTP, IMAP and a webmail portal) and I have made it public via NAT on my pfSense.
I have also made all 3 services use SSL certs, i.e. I have encrypted them, and to do that I have used Let's Encrypt, so now if people from outside want to access the webmail server they type in https and, because it's using a public SSL cert, they don't get the self-signed cert warning.
So instead of installing Let's Encrypt on every public VM that needs public access I thought about doing it on the pfSense router.
-
"It is useful to have verifiable certs for the GUI and elsewhere so browsers will not complain about the trust chain"
Completely agree.. I see ZERO reason for this to be a public CA signed cert.. My browser trusts the cert on pfSense, shows it as a pretty green icon as well ;) Can access it either via its FQDN or its IP and still pretty green icon.
The web GUI of pfSense should only be accessed by a very limited number of admins, etc.. It's trivial to deploy the CA in pfSense to these users/browsers so they trust the pfSense cert. This has multiple advantages over something like Let's Encrypt. For starters you can use local domain names with local TLDs and not a publicly verifiable domain like Let's Encrypt requires. For example I use local.lan; you can then also use RFC1918 addresses as a SAN and access your pfSense web GUI via these addresses without a warning.
Another big plus is the certs can be good for a lot longer than the 90 day max Let's Encrypt has, etc.
Now that my browser, or my other admins' browsers, or even users of my network trust my CA, I can leverage this CA to install trusted certs on my other network devices that have web GUIs, etc. All of which can use whatever domain names I want; they don't have to be public facing, nor do they expire every freaking 90 days..
Don't get me wrong.. I applaud the whole Let's Encrypt effort and think it's a great way to allow people that don't know much about https to start to use https on their personal stuff, etc. But other than a captive portal in pfSense, where you would have guests accessing who would not trust your CA out of the box, I see very little use for it at all on pfSense to be honest. Unless you think it's a good idea to have a shitton of people with access to your pfSense web GUI ;) and want them to trust the cert at the same time.. I just really don't see that is a real use case ;)
"So instead of installing Let's Encrypt on every public VM that needs public access I thought about doing it on the pfSense router"
You would do that via a reverse proxy, not actually pfSense. You're also doing MITM with SSL/TLS then - sure, ok, you can do that.. Normally such a thing is only done when you need the MITM for some sniffing of traffic, or you want to offload the SSL processing to, say, a load balancer, etc.
Are you going to have this reverse proxy just talk to your backend servers via http and not https? If not then you're still going to have to install the certs on these devices, etc. And in the big picture you have broken the trust model.. Since https is really supposed to be end to end encryption.. But once you put this reverse proxy in front - which could in fact forward the traffic to the server via http - you no longer have end to end encryption..
-
Yeah I see what you're saying, really it should be end to end, i.e. Apache https server with trusted SSL cert to an end user trying to access my Apache server from his home, rather than the end user getting the trusted SSL cert from the pfSense router, so between the pfSense router and Apache server it's not encrypted?
No, I don't want people to have https access to my pfSense router, so really what you're saying is that I shouldn't really install a trusted SSL cert on my router like Let's Encrypt?
And reverse proxy, so what you're saying is I can install the trusted SSL cert on the reverse proxy to dish out the SSL cert but from then on to the internal servers it won't be encrypted?
-
"so between the pfSense router and Apache server it's not encrypted?"
pfSense is just the conduit for whatever traffic the two sides are sending. If the remote client and your web server have negotiated an HTTPS session then the traffic between them will be encrypted, else not for HTTP. pfSense has nothing to do with it.
"No, I don't want people to have https access to my pfSense router, so really what you're saying is that I shouldn't really install a trusted SSL cert on my router like Let's Encrypt?"
This is two different concepts. Don't open WebGUI to WAN regardless of whether or not you install an SSL cert on pfSense. We're saying don't install an SSL cert on pfSense unless you have a specific reason to do so, like the very few reasons mentioned by John and JimP.
"And reverse proxy, so what you're saying is I can install the trusted SSL cert on the reverse proxy to dish out the SSL cert but from then on to the internal servers it won't be encrypted?"
If you just have the one web server then I don't see the advantage of adding another middle layer. Just install your cert(s) (if you have multiple vhosts) and let Apache/nginx do the rest. If each of your services replies to a different FQDN then you're going to need unique certs anyway. Or maybe I'm behind the loop? Does LE issue wildcard certs?
-
According to their FAQ they do not issue wildcards..
https://letsencrypt.org/docs/faq/
"Will Let's Encrypt issue wildcard certificates? We currently have no plans to do so, but it is a possibility in the future. Hopefully wildcards aren't necessary for the vast majority of our potential subscribers because it should be easy to get and manage certificates for all subdomains."
"but from then on to the internal servers it won't be encrypted?"
That depends on how you set it up.. If you have your reverse proxy be the SSL endpoint, you COULD connect to your server via http or https. My point is if you are doing it via https, you're going to still have to install the SSL cert on the server. So how did you save anything? You added work ;) Now you're installing the cert not only on all your websites behind pfSense, you're also having to install it in your reverse proxy.
So I don't see how your idea saves you anything - to be honest it would be more work. Or less secure if you only send the traffic on via http, and now your pfSense is doing the work of the https instead of the actual https server..
There are reasons to offload the https to something in front of the server.. We quite often do it to mitigate a security issue with the https of the customer's server.. So some customer server is not doing something all that bright with SSL, bad ciphers, whatever.. Customer is too stupid to fix it themselves, so we will offload the https to the F5 in front of their server and correct the SSL security issue via the F5 since it is doing the SSL portion..
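As an added example of the two choices discussed above (it is not from the thread, and not a pfSense package configuration), here is an nginx server block acting as the TLS endpoint in front of an internal web server. The public-facing side uses a publicly trusted cert; the proxy-to-backend hop is re-encrypted and the backend's cert is verified against a private CA, which is exactly why the backend still needs its own cert. The hostnames, addresses and file paths are assumptions.

```nginx
# Added example, not from the thread: nginx terminating TLS for an internal server.
# All hostnames, addresses and paths below are illustrative assumptions.
server {
    listen 443 ssl;
    server_name mail.example.com;   # the name the public cert is issued for

    # Public cert for the Internet-facing side (e.g. a Let's Encrypt cert).
    ssl_certificate     /etc/ssl/public/mail.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/public/mail.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Re-encrypt to the backend so the LAN hop is protected too. The backend
        # therefore still needs a cert (here one issued by a private CA), which is
        # the "you added work" point: two certs to manage instead of one.
        proxy_pass https://10.0.0.20:443;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/private-ca.crt;
        proxy_ssl_name                webmail.local.lan;
        proxy_ssl_server_name         on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;

        # The variant that avoids the backend cert is
        #     proxy_pass http://10.0.0.20;
        # with the proxy_ssl_* lines removed. The client still sees a trusted
        # cert, but the hop inside the LAN is cleartext and end to end
        # encryption is gone, which is the trust-model break described above.
    }
}
```

With proxy_ssl_verify on, a backend presenting an untrusted or mis-named cert makes nginx return an error rather than silently falling back, so a mistake on the internal side is visible instead of being hidden behind the green icon the client sees.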
-
So instead of me installing trusted SSL certs on every single one of my public servers, i.e. Apache, email, FTP, virtual desktop, I thought about installing one trusted SSL cert on my pfSense and that will be it; from there the end user will have encryption from point A (any of the 4 servers, as they are inside the LAN network so it's private) to point B, their computer?
-
And in the big picture you break the trust model with that method. There are reasons you might want to do that, like in my example to mitigate a security concern with the server running the https.
How exactly are you going to use the same cert for each server? Their names do not match. Are you going to create a SAN for each name, like ftp, www, email.yourdomain.tld?
Installing an SSL cert is pretty freaking simple; it's the couple of mins it takes to install it on the server actually serving up the content. If using LE, it's even more of a no brainer. You can not install a LE cert on pfSense and have it use that to create your endpoint connections for you.
You will have to install a Reverse Proxy package. You will then need to get through that learning curve - does that reverse proxy support LE? You will then have to configure all of that to send to your servers behind pfSense, etc.
To be honest it seems like more work than the 2 minutes of work to install your LE on your servers and be done with it ;) And now your pfSense box doesn't have to do the extra work of proxy and SSL offload ;) Are you currently using a reverse proxy? If so then your question of LE support should be in the packages section for the reverse proxy package you're using.
-
Thanks johnpoz, you're right, it doesn't take long to do it for all the servers so…