    Squid HTTPS Certificate using ACME

    pfSense Packages
      trinitech

      Hi,

      I am new at pfSense…
      I have installed the acme package in the hope of being able to create a valid SSL certificate for squidguard.
      So far I simply cannot figure out how to generate a certificate for squidguard, or for the pfSense box itself.
      How do I create a certificate for pfSense using the local IP?

      Could anyone please advise

        Gertjan

        @trinitech:

        I am new at pfSense…

        Then, normally, things like 'squid' and 'certificates' are nice gadgets that you don't need right away ….
        Is your bandwidth that bad that you need Squid ??

        Understand that the "acme" package is new ... in testing phase and it is NOT a "click and ok" package. It handles a very complicated subject.
        You have to know what :
        DNS is.
        What certificates are.
        How to install them on devices (services), like, for example, pfSense. Or Squid ...

        "acme" can obtain a valid certificate for your pfSense GUI interface - and thus you MUST have a host name and domain (see here General => System).
        Choose something like "pfsense" (just an example) as the name of your pfSense box, and the domain MUST be a valid, registered domain name (on the net - acme is gonna check it !!).
        Something like athome.local won't do ... because Let's Encrypt won't be able to access that domain name ("athome.local" does not exist on the net; the TLD local does not exist).

        See here https://forum.pfsense.org/index.php?topic=130369.msg719312#msg719312 for how I handle a certificate, the domain name and some subdomains like "pfsense", "diskstation" (my NAS), oli254 (a printer) and kmaxxxx (another printer) - all these devices have a GUI and https access, so I asked for a certificate for the main domain and all these subdomains (which are all devices on my LAN).

        You should be able to obtain the certificate, and then go into "squid" manually to put it in place. I guess that isn't done automatically (yet).
        Maybe it is possible to choose the domain certificate in Squid, once you have obtained one.

        @trinitech:

        How do I create certificate for pfSense using the local IP

        You don't. You can't.
        Certificate == domain name (and subdomain name) bound.
        At least, Let's Encrypt won't use IPv4s (or IPv6 for that matter) as a DNS entry in a certificate.

        So, as a result, the certificates are free, but domain names are not (a couple of € or $ a year).

          trinitech

          Is your bandwidth that bad that you need Squid ??

          Yes, our total bandwidth is 8MB.

          Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
          Will this stop all the clients from getting certificate errors?

          Thank you

            Gertjan

            @trinitech:

            Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
            Will this stop all the clients from getting certificate errors?

            A "Let's Encrypt certificate" is as genuine as any other $$ certificate you can buy on the net.

              virgiliomi

              @trinitech:

              Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
              Will this stop all the clients from getting certificate errors?

              SSL MITM requires a Root CA certificate, which no reputable and trusted certificate issuer will provide. The reason is that a trusted Root CA is able to create certificates for ANY domain in existence and present them as valid. This is why you need to create your own Root CA, then install your Root CA certificate on all devices that will be going through the SSL MITM proxy.

              A regular SSL host certificate - whether from LetsEncrypt or any paid certificate issuer - will not allow you to do SSL MITM.

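Worked example, added here and not taken from the thread or from the pfSense ACME or Squid packages: a Go program (standard library only) that mints a throwaway CA and host certificates in memory and runs the client-side checks behind the two points made above, Gertjan's that a public-CA certificate is bound to a DNS name and not to the LAN IP, and virgiliomi's that SSL MITM needs a root CA you control, installed on every client, while an ordinary host certificate (CA:FALSE) cannot sign anything a client will accept. All names (`pfsense.example.net`, `www.example.com`, the TEST-NET address 192.0.2.10, the CA subjects) are constructed for the example; `template`, `issue`, `clientAccepts` and `Run` are the example's own helpers, not pfSense code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; nothing here comes from the thread.
const (
	lanHost    = "pfsense.example.net" // hypothetical registered name an ACME CA could validate
	forgedHost = "www.example.com"     // hypothetical site a MITM proxy must impersonate
	lanIP      = "192.0.2.10"          // hypothetical LAN address (TEST-NET-1)
)

type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64

// template builds a minimal certificate body: ca=true gives a CA certificate
// (basicConstraints CA:TRUE, keyCertSign); ca=false gives a server certificate
// whose only subject alternative names are the DNS names passed in.
func template(cn string, ca bool, dns []string) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		DNSNames:              dns,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent's key, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issued{cert: cert, key: key}, nil
}

// clientAccepts does what a browser does: build a chain from leaf to one of the
// roots the client trusts (via any intermediates offered) and match name, which
// may be a DNS name or an IP literal, against the certificate's SANs.
func clientAccepts(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate, name string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: name})
	return err == nil
}

// Outcome records the five checks; the field comments say what each one models.
type Outcome struct {
	HostCertByName        bool // ACME-style host cert checked against its DNS name
	HostCertByIP          bool // same cert checked against the LAN IP (no IP in the SAN)
	ForgedViaHostCert     bool // host cert (CA:FALSE) used to sign a cert for forgedHost
	MITMWithRootInstalled bool // own root CA issues forgedHost; client has the root installed
	MITMWithoutRoot       bool // same cert on a client that trusts only the public CA
}

func Run() (Outcome, error) {
	var o Outcome
	// Stand-in for a public CA such as Let's Encrypt: issues DNS-name-bound host certs.
	publicCA, err := issue(template("Public CA (stand-in)", true, nil), nil)
	if err != nil {
		return o, err
	}
	host, err := issue(template(lanHost, false, []string{lanHost}), publicCA)
	if err != nil {
		return o, err
	}
	pub := []*x509.Certificate{publicCA.cert}
	o.HostCertByName = clientAccepts(host.cert, pub, nil, lanHost)
	o.HostCertByIP = clientAccepts(host.cert, pub, nil, lanIP)

	// Abuse the host certificate as an issuer; either signing or chain building fails.
	if forged, err := issue(template(forgedHost, false, []string{forgedHost}), host); err == nil {
		o.ForgedViaHostCert = clientAccepts(forged.cert, pub, []*x509.Certificate{host.cert}, forgedHost)
	}

	// A private root CA, which is what a Squid SSL-bump setup has to use.
	myRoot, err := issue(template("Home MITM Root CA", true, nil), nil)
	if err != nil {
		return o, err
	}
	mitm, err := issue(template(forgedHost, false, []string{forgedHost}), myRoot)
	if err != nil {
		return o, err
	}
	o.MITMWithRootInstalled = clientAccepts(mitm.cert, []*x509.Certificate{myRoot.cert}, nil, forgedHost)
	o.MITMWithoutRoot = clientAccepts(mitm.cert, pub, nil, forgedHost)
	return o, nil
}

func main() {
	o, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

`go run` prints the five outcomes: only `HostCertByName` and `MITMWithRootInstalled` come out true. The chain building and name matching are the same ones a browser performs, which is why a bumping proxy behind a private root stops certificate errors only on the devices where that root was imported, and why the ACME certificate for the pfSense GUI must be requested for a registered host name rather than the LAN address.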