Netgate Discussion Forum

    ACME/Letsencrypt: generate certs for VMs in LAN

sgw wrote:

      I have the request to provide Certs for multiple VMs behind pfsense. Doing multiple port forwardings is too messy, so I would like to generate the certs on pfsense and take it from there, for a start doing it manually.

      I successfully generated such a cert and now have to import it into a Java keystore.

      This tool asks for a "srckeystore password" when I try something like:

      /usr/bin/keytool -destkeystore /etc/demo/keystore.jks  -noprompt -importkeystore -srckeystore /etc/intranet/my_example_com_LE.p12  -srcstoretype PKCS12

I took the p12 from the pfSense web GUI... how do I do that? Do I have to generate my own p12 and assign a password first?
Please advise, thanks.

jimp (Rebel Alliance Developer, Netgate) wrote:

Why bother with all of that? Set up HAProxy, keep all of the LE and certificates on pfSense, and let HAProxy talk to the backends.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

sgw wrote:

          I never thought that this package might help here.
          Would that work for webservers accessed within LAN only as well?
          We have VMs for intranet etc there which are not accessible from outside but need SSL anyway.
          And I am looking for the most efficient way to automate SSL-Cert-Renewal.

Thank you for the pointer, I will look for beginners' how-tos etc.

jimp (Netgate) wrote:

            That's all up to however you set it up and however you have your DNS/links/bookmarks/etc set.

If the hostname resolves to an address on the firewall, the firewall has haproxy set up on that address, and the firewall can reach the target servers, then haproxy can work fine for that.

But you will want to be extra careful if you mix public and private services on haproxy; you will need to make sure you don't accidentally expose anything to the Internet that should be internal.

sgw wrote:

On my way, that triggers new ideas...

One question: can I have HAProxy run on a second (virtual) IP on the WAN interface?
Otherwise I would have to move the pfSense GUI to some other https port, right?

jimp (Netgate) wrote:

                The GUI will want to bind to everything on its port, so it's best to move the GUI and let haproxy take over 443.

                Or you can run haproxy on an alternate port on localhost and port forward in on WAN:443 to haproxy.

                Lots of different ways around that.

sgw wrote:

Set up haproxy as local root for ACME: helpful ;)
And figured out my first SSL passthrough after moving the pfSense https port: first tests look good.

Thanks for that pointer and for providing these features.

In this specific environment I will at first move things from plain port forwardings to haproxy only: everything cached and configured in there.
2nd step: move single VMs to SSL termination, maybe. Got to learn more first.

We have 2 sites there, 2 pfSenses connected via IPsec. I wonder if it makes sense to proxy http(s) traffic between the 2 sites... At first I have to come up with 2 local DNS zones in the form of local zones -> that is another topic/thread, I assume ;)

sgw wrote:

If I want to run the connection from HAProxy to the backend encrypted as well, I assume I could create a self-signed and long-lived cert on pfSense for that?
And then edit the backend to make HAProxy use that cert as its client cert? Is that correct?

Mats wrote:

@sgw wrote:

If I want to run the connection from HAProxy to the backend encrypted as well, I assume I could create a self-signed and long-lived cert on pfSense for that?
And then edit the backend to make HAProxy use that cert as its client cert? Is that correct?

I believe that should work.
I had an internal PKI in place, so I just added a cert from that PKI chain to my pfSense box + the root cert for the chain.

sgw wrote:

I have no internal PKI yet, so I am unsure how to start here. Generate a cert based on the pfSense original CA? With 5 yrs lifetime or so and only use it internally...

And 2nd question:

Does that self-signed internal cert also have to "point to" the same FQDN as the one the haproxy runs with? That would mean I have to have 2 certs per target machine, one for the external HAProxy frontend, and one for the connection between HAProxy and the individual backend. Maybe use DNS aliases for the internal one?

Sorry for being slow here...

homer2320776 wrote:

I don't use any self-signed certs on the HAProxy side; ACME takes care of it all for the VMs, basically just a passthrough. All you should need to do is create an account key in ACME and it'll add itself as a CA in your Cert Manager.

After that, you can go under certificates in ACME and add one. I use a single certificate for all the VMs behind HAProxy.

I also add an action at the bottom to restart HAProxy after renewal, but I forgot to SS that.

Here is an album that I put together too, showing how HAProxy forwards the traffic.

                          https://imgur.com/a/FCre3

sgw wrote:

Thanks for that informative feedback, I will pick up some of your suggestions as soon as I find the time to continue that project.

Edit:

You use SSL offloading for all VMs, OK, same as here. My additional wish is to encrypt the traffic from HAProxy to the backends as well, with a separate SSL cert with a long lifetime, ideally also generated/refreshed on pfSense. So the config of these backends is my current issue.

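To show what the backend side of this setup looks like in practice, here is an added example of a hand-written HAProxy configuration; it is not from the thread and not the configuration the pfSense HAProxy package generates. It follows the layout discussed above: the pfSense GUI has been moved off port 443 so HAProxy can own it, the public-facing certificate is the one issued by the ACME package, and the hop from HAProxy to each VM is re-encrypted, with HAProxy presenting its own client certificate and verifying the VM's certificate against an internal CA from the pfSense Cert Manager. All hostnames, addresses, subnets and file paths are assumptions chosen for illustration.

```haproxy
# Added example configuration (not the pfSense package's generated config).
# Every name, address and path in this file is an assumption.
global
    log 127.0.0.1 local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_https
    # The pfSense GUI has been moved to another port, so HAProxy binds 443.
    # The PEM bundle (cert + key) is the public certificate issued by the
    # ACME package; the path is an assumption.
    bind :443 ssl crt /var/etc/haproxy/www_example_com.pem alpn h2,http/1.1

    acl host_public   hdr(host) -i www.example.com
    acl host_intranet hdr(host) -i intranet.example.com
    acl from_lan      src 192.168.1.0/24

    # Serve only known hostnames, and serve the intranet name only to LAN
    # sources, even though the listener sits on the WAN-facing address.
    http-request deny deny_status 404 unless host_public or host_intranet
    http-request deny deny_status 403 if host_intranet !from_lan

    use_backend be_public   if host_public
    use_backend be_intranet if host_intranet

backend be_public
    # Re-encrypt to the VM: "verify required" + "ca-file" checks the VM's
    # certificate against the internal CA, "crt" is HAProxy's own client
    # certificate (cert + key in one PEM, issued by the same internal CA),
    # and "verifyhost" pins the internal name so the VM's certificate does
    # not need to carry the public FQDN.
    server web1 192.168.1.10:443 ssl crt /var/etc/haproxy/haproxy_client.pem ca-file /var/etc/haproxy/internal_ca.pem verify required verifyhost web1.lan.example check

backend be_intranet
    server intra1 192.168.1.20:443 ssl crt /var/etc/haproxy/haproxy_client.pem ca-file /var/etc/haproxy/internal_ca.pem verify required verifyhost intra1.lan.example check
```

Two points this layout settles from the discussion: the internal certificate on each VM only has to match the name given in `verifyhost` (an internal name or DNS alias is fine), so it is independent of the public certificate on the frontend; and the intranet hostname is gated by source address on the same listener, which is the kind of check jimp's warning about mixing public and private services calls for. The VM's web server must separately be configured to trust the internal CA and to require a client certificate, which is outside this file.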
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.