Letsencrypt + DigitalOcean = problems for me
-
Hi Gertjan
Thanks for your reply. I'm horrified ;) You mention "checked enabled"; Jim P did not do that in the instructions,- I tried everything except that.
Usually,- in pfSense, Mikrotik etc., checking boxes means "do something special with this one", so I did not think about it. Thanks a lot. :)
It made the certificate smoothly,- but it ends with this one. Do you know if it's good or bad?
![Skærmbillede 2018-02-12 kl. 09.55.47.png](/public/imported_attachments/1/Skærmbillede 2018-02-12 kl. 09.55.47.png) -
I'm using DigitalOcean for DNS, the webpages resides on my Intel NUC in my home.
DigitalOcean DNS is free :) Perhaps this log is a sign that the web pages are not hosted on DigitalOcean? No idea.
-
The log said where the log file is, somewhere in /tmp/acme/….
Use that, instead of the unreadable copy-screen. You are trying to obtain a cert for your pfSense device (GUI), right? Or some LAN devices behind pfSense?
If it is for 'somewhere else', run an acme script from that place. -
Hi
Thanks for your interest, I'm looking at the logging right now (quite large) trying to find relevant info. I'll come back with it.
I have one static public ip
pfSense as gateway
4 web servers on LAN with private ip addresses.
Right now HAProxy looks at port 80 traffic and directs to the right web server. Works fine.
I want Letsencrypt for webservers
pfSense stripping of the encryption
HAProxy identifying the requested web server
HAProxy forwarding the traffic on port 80 to requested server/private ip
Some friends say that I should fire up a Nginx server on the LAN, and let it do the encryption/decryption/identifying/forwarding job.
I just think it would be nice if pfSense could do it. It's already doing OpenVPN and other good stuff :)
-
Time to read the manual (again) : https://doc.pfsense.org/index.php/ACME_package
Because you have a web server behind pfSense, what about the "FTP Webroot" method? Seems the most simple one for you. Btw:
@Biker:
4 web servers on LAN with private ip addresses.
Right now HAProxy looks at port 80 traffic and directs to the right web server. Works fine.
…
Some friends say that I should fire up a Nginx server on the LAN, and let it do the encryption/decryption/identifying/forwarding job.
Why friends?
You said yourself that you have already several web servers running on LAN, and because you were talking about ha-proxy (don't know what that is) I presume that at least one of these web servers is 'visitable' from the outside, aka the Internet, thus the servers from Letsencrypt could visit this (these) server(s) to do the checking stuff, which means: checking the existence of a special file, which is put in place by the FTP webroot method proposed by acme. -
Hi
I presume that at least one of these web servers is 'visitable' from the outside, aka the Internet,
No, all 4 webservers are running private ip's on the LAN,- port 80 only.
Only 1 public WAN address. pfSense uses HAProxy, looks at the header, and based on this forwards the traffic to the appropriate web server/ip.
Now,- I want https and certificates,- but HAProxy can't analyze encrypted traffic. 2 solutions:
1. Forward 443 to a box on LAN, could be a Nginx server, it strips the SSL and forwards traffic on port 80.
2. pfSense holds the certificates, strips the SSL and uses HAProxy on the header to forward to webservers.
I can't use ssl/certificates on the webservers, because I only have 1 public ip. HAProxy can't forward on encrypted headers.
Quite funny job :D
I think I have the tools now, - with your help, I just need to make Letsencrypt, HAProxy and firewall/NAT talk together …
checking the existence of a special file, which is put in place by the FTP webroot method proposed by acme
This is true … makes me think, if I can't make my setup run, I could try that way.
-
@Biker:
HAProxy can't forward on encrypted headers.
True, but HAProxy CAN forward to a specific backend based on SNI (Server Name Indication) from the SSL layer.
-
HAProxy CAN forward to a specific backend based on SNI (Server Name Indication) from the SSL layer
Wow,- this one blew me away, I had no idea !!
Is it a proper and steady solution?
-
Pretty much all decent browsers and other SSL clients send SNI. Lots of webservers running multiple sites and multiple certificates need it to pick the right certificate to return to the client.
(IE on XP was notorious a few years ago, but that shouldn't be connected to the internet anyhow these days..) It should be working OK; if you do experience issues please do tell though.
-
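To show what the SNI-based routing PiBa describes relies on, here is an added example (not from this thread, nor pfSense or HAProxy code): a Python script that builds a TLS ClientHello carrying a Server Name Indication extension, reads the host name back out of the unencrypted handshake bytes, and picks a LAN backend the way an HAProxy TCP-mode `use_backend` rule keyed on `req_ssl_sni` would. The hostnames and private addresses in `BACKENDS` are made up for the example.

```python
import struct
from typing import Optional

# Constructed backend map, modelled on HAProxy "use_backend <name> if { req_ssl_sni -i <host> }" rules;
# the hostnames and private LAN addresses are made-up examples.
BACKENDS = {
    "www.example.com": "192.168.1.11:443",
    "blog.example.com": "192.168.1.12:443",
}

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host              # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    hello_body = (
        b"\x03\x03" + bytes(32)                # client_version TLS 1.2, 32-byte random (zeros)
        + b"\x00"                              # session_id length 0
        + b"\x00\x02\x13\x01"                  # cipher_suites: length 2, one suite
        + b"\x01\x00"                          # compression_methods: length 1, null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                        # not a TLS handshake record / not a ClientHello
        pos = 5 + 4 + 2 + 32                   # skip handshake header, version and random
        pos += 1 + record[pos]                 # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                 # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def choose_backend(record: bytes) -> Optional[str]:
    """Pick the LAN backend for a ClientHello by its SNI, as HAProxy in TCP mode would; None = no match."""
    sni = extract_sni(record)
    return BACKENDS.get(sni.lower()) if sni else None
```

Because the server name travels unencrypted in the ClientHello, a proxy can pick the backend without holding any private key, so the certificates can stay on the webservers behind pfSense. Plain HTTP or anything that is not a ClientHello yields no match, which is the case a default backend must handle.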
I would recommend using DigitalOcean through the Cloudways platform, as Cloudways takes care of this hassle through their excellent support team and you don't have to worry about any server-related issues.