Letsencrypt + DigitalOcean = problems for me



  • Hi
    It's my first run at this, but I faithfully follow Jim P's "Let's Encrypt" hangout.
    I tried some 10 times now, want to let my pfSense 2.4.2-RELEASE-p1 run the certificates for my 4 backend web servers.

    The "Account Key" part => no problems
    But hitting "save" after filling in the "Certificates" part looks strange, the window close, and no certificate is generated.

    I get a message in the bell, top right corner: pfSense is restoring the configuration /cf/conf/backup/config-1518027159.xml @

    In the log this is generated:
    86019 /acme/acme_certificates_edit.php: XML error: Undeclared entity error at line 1550 in /conf/config.xml

    <a_acl></a_acl>  (this is line 1550)
    <a_actionitems></a_actionitems>
    <advanced></advanced>

    I can't figure this one out,- but I'm new to this.

    Any ideas?

    Cheers
    Biker



  • @Biker:

    ….
    In the log this is generated:
    86019 /acme/acme_certificates_edit.php: XML error: Undeclared entity error at line 1550 in /conf/config.xml

    <a_acl></a_acl>  (this is line 1550)
    <a_actionitems></a_actionitems>
    <advanced></advanced>

    That part isn't related to acme, I guess ha_server stands for "ha proxy" or something like that.

    When you hit "Save", it's normal the "window closes". You can start to Issue afterwards.

    Can you show us your entry fields for "Digital Ocean" as a method,the the domain name, checked "enabled" and filled in the correct API code ?

    I do not have any relationship with "Digital Ocean", so I used existing domain name and a random API key like "12345678912312" and saving was possible (Issuing will a problem of course).

    You are using the latest version of pfSEnse, right ?,



  • Hi Gertjan
    Thanks for your reply

    I'm horrified  ;)  you mention "checked enabled", Jim P did not do that in the instructions,- I tried everything except that.
    Usually,- in pfSense, mikrotik etc .. checking boxes usually means "do something special with this one", I did not think about it.

    Thanks a lot.  :)

    It made the certificate smoothly,- but it ends with this one. Do you know if it's good or bad?

    ![Skærmbillede 2018-02-12 kl. 09.55.47.png](/public/imported_attachments/1/Skærmbillede 2018-02-12 kl. 09.55.47.png)
    ![Skærmbillede 2018-02-12 kl. 09.55.47.png_thumb](/public/imported_attachments/1/Skærmbillede 2018-02-12 kl. 09.55.47.png_thumb)



  • I'm using DigitalOcean for DNS, the webpages resides on my Intel NUC in my home.
    DigitalOcean DNS is free  :)

    Perhaps this log is a sign of the web pages is not hosted on DigitalOcean? No idea.



  • The log said where the log file is, somewhere in /tmp/acme/….
    Use that, instead of the unreadable copy-screen.

    You are trying to obtain a cert for your pfsense device (GUI), right ? Or some LAN devices behind pfSense ?
    If it is for 'some where else', run a acme script from that place.



  • Hi

    Thanks for your interest, I'm looking at the logging right now (quite large) trying to find relevant info. I come back with it.

    I have one static public ip
    pfSense as gateway
    4 web servers on LAN with private ip addresses.

    Right now HAProxy looks at port 80 traffic and directs to the right web server. Works fine.

    I want Letsencrypt for webservers
    pfSense stripping of the encryption
    HAProxy identifying the requested web server
    HAProxy forwarding the traffic on port 80 to requested server/private ip

    Some friends say that I should fire up a Nginx server on the LAN, and let it do the encryption/decryption/identifying/forwarding job.

    I just think it would be nice if pfSense could do it. It's allready doing OpenVPN and other good stuff  :)



  • Time to read the manual (again) : https://doc.pfsense.org/index.php/ACME_package
    Because you have a web server behind pfSense, what about the "FTP Webroot" method ? Seems the most simple one for you.

    Btw :
    @Biker:

    4 web servers on LAN with private ip addresses.
    Right now HAProxy looks at port 80 traffic and directs to the right web server. Works fine.

    Some friends say that I should fire up a Nginx server on the LAN, and let it do the encryption/decryption/identifying/forwarding job.

    Why friends ?
    You said yourself that you have already several web servers running on LAN, and because your were talking about ha-proxy (don't know what that is) I presume that at least one of these web servers is 'visitable' from the outside, aka the Internet, thus the servers from Letsenscrypt could visit this (these) server(s) to do the checking stuff which means : checking the existence of a special file, which is put in place by the FTP webroot method proposed by acme.



  • Hi

    I presume that at least one of these web servers is 'visitable' from the outside, aka the Internet,

    No, all 4 webservers are running private ip's on the LAN,- port 80 only.
    Only 1 public WAN address.

    PfSense uses HAProxy, looks at the header, and based on this, forwards the traffic to the appropriate web server/ip.

    Now,- I want https and certificates,- but HAProxy can't analyze encrypted traffic. 2 solutions:

    1. Forward 443 to a box on LAN, could be a Nginx server, it strips the SSL and forwards traffic on port 80.
    2. pfSense holds the certificates, strips the SSL and uses HAProxy on the header to forward to webservers.

    I can't use ssl/certificates on the webservers, because I only have 1 public ip. HAProxy can't forward on encrypted headers.

    Quite funny job  :D

    I think I have the tools now, - with your help, I just need to make Letsencrypt, HAProxy and firewall/NAT talk together …

    checking the existence of a special file, which is put in place by the FTP webroot method proposed by acme

    This is true … makes me think, if I can't make my setup run, I could try that way.



  • @Biker:

    HAProxy can't forward on encrypted headers.

    True, but, HAProxy CAN forward to a specific backend based on SNI ServerNameIndication from the SSL layer.



  • HAProxy CAN forward to a specific backend based on SNI ServerNameIndication from the SSL layer

    Wow,- this one blew me away, I had no idea !!

    Is it a proper and steady solution?



  • Pretty much all decent browsers and other SSL clients send SNI. Lots of webservers running multiple sites and multiple certificates, need it to pick the right certificate to return to the client.
    (IE on XP was notorious a few years ago, but that shouldn't be connected to the internet anyhow these days..)

    It should be working OK, if you do experience issues please do tell though.


Log in to reply