How to expand hostname to FQDN so it doesn't break my new LetsEncrypt cert?

mikeisfly

Hello everyone. I just got around to looking at the Aril 2017 pfsense hangout on LetsEncrypt. I have  my acme package setup and I am getting a valid letsencrypt certificate that I can log into my gui with a valid lock icon in the address bar next to the url when I type if the FQDN of my firewall. I have a split zone setup so when I type in pfsense.exampledomain.com when I'm out side of my network I get my public IP address. When I'm home and I type in the FQDN I get the private IP address of my firewall. regardless everything comes up as it should with a nice lock in the address bar. Again no problem so far.

Here is my problem, when I just type in the hostname (example: https://pfsense) I get a invalid certificate error. I can't enter just the hostname in the SAN section of the certificate generation because I will get a error 400. I guest it needs the tld. I have tried using squidproxy using the transparent proxy option with reverseproxy and squidguard to rewrite the domain name, or expand it out to the FQDN. I have tried to create a cname record in my windows server 2012 r2 setup to create a alias to the FQDN but nothing seems to work.

My goal is to put just the hostname or IP address of my firewall in the address bar and have the firewall do a redirect (Like it does when you try to access it from http instead of https) to the FQDN? Is this possible? Can a system tunable be added? Has anyone had this problem and figured it out? Any help is very appreciated.

Thanks,

johnpoz

Your not going to get a cert to sign off on a host name.. That is not a valid SAN.. It would would always need to be a FQDN..  Does ACME allow for sans of different domains?

"Here is my problem, when I just type in the hostname (example: https://pfsense) "

Why would you ever do that?  You stated you have a fully working cert with fqdn… The problem is your own making.. Why would you not just go to pfsense.domain.tld?  what is the point of just wanting to go to pfsense ?

But sure if you have a page listen on just IP or the host name, it could be set to redirect..  But for that you would need to setup httpd that supports virtual pages.. Ie it serves up different page for host.domain.tld than otherhost.someother.tld..  Which is different than the default page it serves up on just the IP when you hit port 80 direct.  Or when you hit it with just some host name and not a fqdn site, etc..

Pfsense is not meant to be a full httpd for your network.. Its meant to serve up its web gui when hit on port 80 or 443 or whatever other ports you change it too, etc..  What your asking for just seems pointless because you want a green lock when you put in the rfc1918 IP or just a non fqdn?

BTW - I hit my pfsense gui via IP and get a green https - because I just use pfsense CA that my browser trusts and I can put in whatever san I want for any domain I want, etc.. not limited to the acme restrictions..  Never thought of putting a non fqdn san.. Since that is just pointless..

mikeisfly

@johnpoz:

Your not going to get a cert to sign off on a host name.. That is not a valid SAN.. It would would always need to be a FQDN..  Does ACME allow for sans of different domains?

Yes, I think up to a 100 don't quote me on that.

@johnpoz:

Why would you ever do that?  You stated you have a fully working cert with fqdn… The problem is your own making.. Why would you not just go to pfsense.domain.tld?  what is the point of just wanting to go to pfsense ?

Speed. Sure when I'm outside of my network I would just use the fqdn to access the gui but if I'm already on the network, under the same dns domain I typically will use the host name when addressing devices instead of using the full fqdn. When I'm addressing something across a different DNS zone then I would add the domain.tld .

@johnpoz:

But sure if you have a page listen on just IP or the host name, it could be set to redirect..  But for that you would need to setup httpd that supports virtual pages.. Ie it serves up different page for host.domain.tld than otherhost.someother.tld..  Which is different than the default page it serves up on just the IP when you hit port 80 direct.  Or when you hit it with just some host name and not a fqdn site, etc..

I was thinking the same thing, seems like a waist of resources just for a redirect. I just figured surely someone else has tried to do this before and came up with the answer.

@johnpoz:

Pfsense is not meant to be a full httpd for your network.. Its meant to serve up its web gui when hit on port 80 or 443 or whatever other ports you change it too, etc..  What your asking for just seems pointless because you want a green lock when you put in the rfc1918 IP or just a non fqdn?

Sort of, yes I could import the cert in all of my machines but that seems like a really big pain in the butt since I have a few and having a public trusted cert would let me know if my page has been high-jacked or not even when I'm not using a machine with a imported cert like my cell phone. This is also a good learning experience.

@johnpoz:

BTW - I hit my pfsense gui via IP and get a green https - because I just use pfsense CA that my browser trusts and I can put in whatever san I want for any domain I want, etc.. not limited to the acme restrictions..  Never thought of putting a non fqdn san.. Since that is just pointless..

That's cool, do you use the same machine all the time for configuration? I kind of feel like the browser trusts too many CA's these days as it is. Ultimately I will probably generate my own private CA on my Windows Server 2012 R2 box and import it into PfSense but this letsencrypt is pretty cool. I guess it does allow the bad guys to generate valid certs for hacking the Internet but we can discuss that on a different thread. I do appreciate your input. I may go the webserver route with a redirect. I may even ask for a feature request but not sure how likely it is to get approved. Maybe there would be a security risk with that but can't think of anything at the moment. Seems like something simple to do, admittedly I don't know how to do it.

johnpoz

" typically will use the host name when addressing devices "

That is a super bad habit!  And you should break yourself of it as fast as possible - cold turkey would be my suggestion ;)  As to the speed.. Clicking a bookmark is fast as your going to get - don't have to type a thing ;)

If your suffix search is not correct you could end up on the wrong box for starters ;)  Second if not dns resolve then your machine will broadcast for the name, why because you thought it faster to just type in a host vs a fqdn or just use a bookmark.

Yes you can add san to ACME, but find it highly unlikely you could just put in a host name.. Since there is zero way to validate that, nor do I believe it would allow for a rfc1918 san..

jimp

ACME does allow up to 100 names per certificate (all of them are SANs) and they can all be different domains if need be, but they all must be FQDN entries which each get validated individually.

mikeisfly

That is a super bad habit!  And you should break yourself of it as fast as possible - cold turkey would be my suggestion ;)  As to the speed.. Clicking a bookmark is fast as your going to get - don't have to type a thing ;)

If your suffix search is not correct you could end up on the wrong box for starters ;)  Second if not dns resolve then your machine will broadcast for the name, why because you thought it faster to just type in a host vs a fqdn or just use a bookmark.

I will have to aqueous, as dns is not my area of expertise. I would think that hostname resolution would be a unicast packet sent to the dns server and if a hostname couldn't be resolved it would result in a "no host found error" unicast packet back to the requestor. I do see your point about logging into the wrong device, which is why I name my host accordingly so I don't have any issues. At work we use a CLLI (Common Language Location Identifier) for the hostname and I do something similar at home. Not really worried about broadcast as I keep my subnets relatively small (64 hosts). But I guess your right bad habits can be hard to break. I'm kind of old school with the keyboard using hotkeys and typing everything instead of bookmarks. What a first world problem! I guess I will start using bookmarks or typing the FQDN.

ACME does allow up to 100 names per certificate (all of them are SANs) and they can all be different domains if need be, but they all must be FQDN entries which each get validated individually.

Thanks, I thought I remembered you saying that on the hangout.

johnpoz

" if a hostname couldn't be resolved it would result in a "no host found error" unicast packet back to the requestor"

Yes it does in a sense.. It would send back no error, it wouldn't send back NX..  Since its not FQDN..

dig testhost

; <<>> DiG 9.11.2 <<>> testhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20634
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testhost.                      IN      A

;; Query time: 2 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Tue Nov 14 06:19:23 Central Standard Time 2017
;; MSG SIZE  rcvd: 26

My point is if you just put in a hostname and your client is setup with a suffix it would ask for host name in that suffix added.. Which could give you a faulty response since you would get back something you didn't ask for.. example

ping pfsense

Pinging pfsense.local.lan [192.168.9.6] with 32 bytes of data:

I just asked for the hostname and get back the fqdn since the client auto added the domain suffix when it did its query..  But what if I really wanted.

ping pfsense.dtv.local.lan

Pinging pfsense.dtv.local.lan [192.168.5.6] with 32 bytes of data:

This was my point that you could get back the wrong answer to what your actually looking for..

mikeisfly

@johnpoz:

" if a hostname couldn't be resolved it would result in a "no host found error" unicast packet back to the requestor"

Yes it does in a sense.. It would send back no error, it wouldn't send back NX..  Since its not FQDN..

dig testhost

; <<>> DiG 9.11.2 <<>> testhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20634
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;testhost.                      IN      A

;; Query time: 2 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Tue Nov 14 06:19:23 Central Standard Time 2017
;; MSG SIZE  rcvd: 26

My point is if you just put in a hostname and your client is setup with a suffix it would ask for host name in that suffix added.. Which could give you a faulty response since you would get back something you didn't ask for.. example

ping pfsense

Pinging pfsense.local.lan [192.168.9.6] with 32 bytes of data:

I just asked for the hostname and get back the fqdn since the client auto added the domain suffix when it did its query..  But what if I really wanted.

ping pfsense.dtv.local.lan

Pinging pfsense.dtv.local.lan [192.168.5.6] with 32 bytes of data:

This was my point that you could get back the wrong answer to what your actually looking for..

Gotha. I agree 100%. I just thought this would be understood. But you are totally right, if you are not careful you could get back a answer that you didn't actually want.

johnpoz

"if you are not careful you could get back a answer that you didn't actually want."

Which is why is best to always use FQDN ;)  Which is also why I am not personally a fan of search suffix even ;)  You should always use fqdn to be sure!