Squid HTTPS Certificate using ACME



  • Hi,

    I am new at pfSense…
    I have installed the acme package in the hope of being able to create a valid SSL certificate for squidguard.
    So far I simply cannot figure out how to generate a certificate for squidguard... or the pfSense box itself.
    How do I create a certificate for pfSense using the local IP?

    Could anyone please advise.



  • @trinitech:

    I am new at pfSense…

    Then, normally, things like 'squid' and 'certificates' are nice gadgets that you don't need right away...
    Is your bandwidth that bad that you need Squid?

    Understand that the "acme" package is new... in testing phase, and it is NOT a "click and ok" package. It handles a very complicated subject.
    You have to know what:
    DNS is.
    What certificates are.
    How to install them on devices (services), like, for example, pfSense. Or Squid...

    "acme" can obtain a valid certificate for your pfSense GUI interface, and thus you MUST have a host name and domain (see here General => System).
    Choose something like "pfsense" (just an example) as the name of your pfSense box, and the domain MUST be a valid, registered domain name (on the net - acme is gonna check it!!).
    Something like athome.local won't do... because Let's Encrypt won't be able to access that domain name ("athome.local" does not exist on the net; the TLD .local does not exist).

    See here https://forum.pfsense.org/index.php?topic=130369.msg719312#msg719312 for how I handle a certificate, the domain name and some sub-domains like "pfsense", "diskstation" (my NAS), oli254 (a printer) and kmaxxxx (another printer). All these devices have a GUI and https access, so I asked for a certificate for the main domain and all these sub-domains (which are all devices on my LAN).

    You should be able to obtain the certificate, and then go to the "squid" manual for how to put it in place. I guess that isn't done automatically (yet).
    Maybe it is possible to choose the domain certificate in Squid, once you have obtained one.

    @trinitech:

    How do I create a certificate for pfSense using the local IP?

    You don't. You can't.
    Certificate == domain name (and sub-domain name) bound.
    At least, Let's Encrypt won't use IPv4 addresses (or IPv6 for that matter) as a DNS entry in a certificate.

    So, as a result, the certificates are free, but domain names are not (a couple of € or $ a year).
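    The post above boils down to a pre-check an admin can run before pointing the acme package at a name: the name must be a DNS name (not an IP literal), must have a real top-level label, and must not live under a reserved TLD such as .local that no public CA can ever resolve. The following Go function is an added example written for this thread, not code from pfSense, the acme package or Let's Encrypt; the reserved-TLD list comes from RFC 6761/6762, and "pfsense.my-domain-here.net" is a placeholder name. It only checks syntax and reserved labels; whether the name actually resolves on the public Internet is something the CA still verifies at issuance time.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Top-level labels reserved by RFC 6761 / RFC 6762. They never resolve on the
// public Internet, so a public ACME CA cannot validate control of them.
var reservedTLDs = map[string]bool{
	"local": true, "localhost": true, "test": true, "example": true, "invalid": true,
}

// dnsLabel matches one LDH hostname label (RFC 1123): letters, digits and
// hyphens, no leading or trailing hyphen, at most 63 characters.
var dnsLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// CheckACMEName reports whether name could, in principle, appear in a
// publicly trusted certificate obtained through ACME, and why not if it cannot.
func CheckACMEName(name string) (bool, string) {
	n := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
	if n == "" {
		return false, "empty name"
	}
	// Let's Encrypt issues for DNS names only; an IP literal is rejected outright.
	if net.ParseIP(n) != nil {
		return false, "IP address: Let's Encrypt issues for DNS names only"
	}
	labels := strings.Split(n, ".")
	if len(labels) < 2 {
		return false, "single-label name: a registered domain has at least two labels"
	}
	for _, l := range labels {
		if !dnsLabel.MatchString(l) {
			return false, fmt.Sprintf("invalid label %q", l)
		}
	}
	tld := labels[len(labels)-1]
	if strings.Trim(tld, "0123456789") == "" {
		return false, "numeric top-level label is not a valid TLD"
	}
	if reservedTLDs[tld] {
		return false, fmt.Sprintf("reserved TLD .%s is not resolvable on the public Internet", tld)
	}
	return true, "syntactically eligible; the name must still resolve publicly for validation to succeed"
}

func main() {
	// Constructed sample inputs: one placeholder public name and the kinds of
	// names the thread says will not work.
	for _, n := range []string{"pfsense.my-domain-here.net", "pfsense.athome.local", "192.168.1.1", "pfsense"} {
		ok, why := CheckACMEName(n)
		fmt.Printf("%-28s ok=%-5v %s\n", n, ok, why)
	}
}
```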



  • Is your bandwidth that bad that you need Squid?

    Yes, our total bandwidth is 8MB.

    Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
    Will this stop all the clients from getting certificate errors?

    Thank you



  • @trinitech:

    Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
    Will this stop all the clients from getting certificate errors?

    A "Let's Encrypt certificate" is as genuine as any other $$ certificate you can buy on the net.



  • @trinitech:

    Will buying a genuine certificate allow me to have a transparent proxy with SSL Man-in-the-Middle filtering?
    Will this stop all the clients from getting certificate errors?

    SSL MITM requires a Root CA certificate, which no reputable and trusted certificate issuer will provide. The reason is that a trusted Root CA is able to create certificates for ANY domain in existence and present them as valid. This is why you need to create your own Root CA, then install your Root CA certificate on all devices that will be going through the SSL MITM proxy.

    A regular SSL host certificate - whether from Let's Encrypt or any paid certificate issuer - will not allow you to do SSL MITM.