Netgate Discussion Forum

Lets Encrypt and SSL Man in the Middle Filtering

General pfSense Questions
6 Posts 5 Posters 3.7k Views
  • Perun
    last edited by May 3, 2017, 7:10 AM

    Hi

    Is it possible to use Let's Encrypt certificates to make a transparent proxy with SSL filtering?

    The CA of Let's Encrypt is integrated into the browser, so it would not be necessary to import the CA/certificate on a client.

    Greetz

    • doktornotor Banned
      last edited by May 3, 2017, 6:05 PM

      No, that's absolutely NOT how it works. LE will never ever provide you with a * certificate. Squid creates a new certificate on-the-fly for each site, using the internal CA you need to install and trust on any client.

      • jimp Rebel Alliance Developer Netgate
        last edited by May 3, 2017, 6:54 PM

        The Let's Encrypt CA on your system does NOT include the key, it is only the certificate. You can't make your own certificates without the key.

        Let's Encrypt automatically signs requests only if your request can pass validation. Since you don't control the domains or sites in question, you could never pass the validation and thus could never obtain a certificate from Let's Encrypt for those sites.

        The only way you can do MITM is with your own self-signed CA installed on every device/browser. Period.

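The point jimp makes above, that a CA entry without its private key can only verify and never sign, is something you can check directly on any PEM you are about to hand to Squid. The following is an added example written for this thread, not code from pfSense, Squid or any poster; the PEM bodies are constructed placeholders, not real certificates or keys, and only the block labels are inspected.

```python
import re
from typing import Dict, List

# One PEM block: BEGIN label, body, matching END label (label must agree)
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Labels under which a private key is stored in PEM
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample: what you get when you export a CA from a browser or
# system trust store (certificates only, as with the Let's Encrypt roots).
TRUST_STORE_EXPORT = """-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderCertOne==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderCertTwo==
-----END CERTIFICATE-----
"""

# Constructed sample: a locally created CA, certificate plus its key.
LOCAL_CA_ENTRY = """-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderLocalCa==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEconstructedPlaceholderPrivateKey==
-----END PRIVATE KEY-----
"""


def pem_block_types(pem_text: str) -> List[str]:
    """Return the labels of all well-formed PEM blocks, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def can_act_as_signing_ca(pem_text: str) -> Dict[str, object]:
    """Classify a CA entry: it can mint certificates on the fly only if a
    private key sits alongside exactly one CA certificate. A trust-store
    export is an anchor to verify against, never something to sign with."""
    types = pem_block_types(pem_text)
    certs = types.count("CERTIFICATE")
    keys = sum(1 for t in types if t in KEY_LABELS)
    can_sign = certs == 1 and keys == 1
    if certs == 0:
        verdict = "no certificate: not a CA entry at all"
    elif keys == 0:
        verdict = "certificate only: can verify chains, cannot sign"
    elif can_sign:
        verdict = "certificate + private key: usable as a local signing CA"
    else:
        verdict = "unexpected mix of blocks: inspect by hand"
    return {"certificates": certs, "private_keys": keys,
            "can_sign": can_sign, "verdict": verdict}
```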
        • maymaster
          last edited by Jun 20, 2017, 2:30 PM

          @jimp:

          The Let's Encrypt CA on your system does NOT include the key, it is only the certificate. You can't make your own certificates without the key.

          Let's Encrypt automatically signs requests only if your request can pass validation. Since you don't control the domains or sites in question, you could never pass the validation and thus could never obtain a certificate from Let's Encrypt for those sites.

          The only way you can do MITM is with your own self-signed CA installed on every device/browser. Period.

          What kind of certificate should I buy to do Man in the Middle to filter HTTPS? And is there some place that you recommend for comparing them?

          • jimp Rebel Alliance Developer Netgate
            last edited by Jun 20, 2017, 2:40 PM

            You cannot buy one. Nobody is going to make you a globally trusted CA so you can do MITM; you could impersonate any server on the Internet and break the entire purpose of SSL.

            There are places that will sell you a local/untrusted CA but it offers zero advantage over self-signing, you pay for nothing, because you still have to load the CA on clients.

            Make your own CA, install the CA on client devices/browsers. There is no way around that for MITM.

            • Harvy66
              last edited by Jun 21, 2017, 12:20 PM

              @maymaster:

              @jimp:

              The Let's Encrypt CA on your system does NOT include the key, it is only the certificate. You can't make your own certificates without the key.

              Let's Encrypt automatically signs requests only if your request can pass validation. Since you don't control the domains or sites in question, you could never pass the validation and thus could never obtain a certificate from Let's Encrypt for those sites.

              The only way you can do MITM is with your own self-signed CA installed on every device/browser. Period.

              What kind of certificate should I buy to make Man in the Middle to filter https? And some place that you recommend me to compare?

              The USA government cannot even do this. You make your own and manually install them on your local machines.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.