Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ACME: generating and managing LE-certs for internal web-services

    Scheduled Pinned Locked Moved ACME
    16 Posts 3 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sgw
      last edited by

      I'd like to generate and manage LE-Certs for devices like switches and stuff with the pfsense-ACME-package.
      Now I think about how to do that. For the challenge-handshake I would need to setup DNS records for every hostname I use internally, right? Isn't that a bit of overkill and insecure?

      Maybe I miss the obvious solution, I am thankful for any clever hint here.

      And no, I would like to avoid wildcard cert(s)  ;)

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        You use external public domain names on your internal devices?

        For your internal devices, like switches - which I assume only access by very limited number of yours..  Why not just use internal CA, built in to pfsense?

        This allows you to create any FQDN you want for your certs… I use local.lan for example.  And also allows use to use rfc1918 address space on your san so you can access your device via either fqdn and or rfc1918 and still have trusted cert.

        I do all my internal things that serve up some sort of webgui.. switches, unifi controller, pfsense itself, etc. etc..

        Another nice thing about it - is you can setup the cert to be trusted for like 10 years if you want ;)

        exampletrustedcert.png
        exampletrustedcert.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • S
          sgw
          last edited by

          Thanks for the reply.

          Maybe I over-complicate things but in this case it is a company network, 3+ sites connected via IPSEC-VPNs, and one external domain/TLD.
          So I would have to set up 3 CAs, one per site … and separate those local.lan FQDNs into site.local.lan or so?

          This leads to another issue: I'd like to be able to ask the DNS-forwarder of SiteB from Site-A: if I set up a new fixed DHCP-lease for a VM at SiteB, its hostname should be resolvable at the other sites without having to maintain this at every site.

          For now we have external names, yes. With sub-optimal success, yes ;-)

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Why would you need 3 CA's? Makes no sense.. You could have a 100 sites in your org, only 1 CA needed..

            Setup your dns correctly with different subdomain for each site, then setup domain overrides for your different domains and there you go all sites resolve everything through your site to site connections.

            sitea.domain.com
            siteb.domain.com
            sitec.domain.com

            You do understand 1 CA can sign off on certs for any domains you want right? Be it your public domain even. As long as you trust the CA anything it signs will be trusted.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            S 1 Reply Last reply Reply Quote 0
            • S
              sgw @johnpoz
              last edited by

              @johnpoz I tried something like that already but didn't get the domain overrides to work.

              I have that sitea/siteb/sitec setup already but the DNS-overrides never worked. Maybe I missed some firewall-rules or so, I have to recheck things. Is it important to use DNS resolver or forwarder, or should that work anyway?

              The one central CA would "sit" on one pfsense only right? The distribution of the certs would happen manually?

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Have no idea what you tried. But simple domain override is all that is needed to be able to query a specific nameserver for fqdn, etc.

                Yes the certs would be issued manually. Where the CA sits means nothing - could be on your PC, could be in the cloud.. Just pointing out that pfsense comes with a simple to use gui to a CA.. Since you have pfsense, why not leverage its CA interface if you want to create certs for your devices that your going to trust.

                Does not matter if you used forwarder or resolver or even resolver in forwarding mode. Domain override would be the same.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                S 1 Reply Last reply Reply Quote 0
                • S
                  sgw @johnpoz
                  last edited by

                  OK, I watch some pfsense hangouts about DNS etc to learn more of the necessary basics.
                  And then I will try to setup my internal CA etc / thanks so far

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @sgw
                    last edited by

                    @sgw

                    I have multiple posts about on how to trust cert you created.. But with the change to new forum old pictures might be gone? If you need some help on how to trust your cert just ask.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      sgw @johnpoz
                      last edited by

                      @johnpoz status: I set up a Root-CA and a intermediate "Sub-CA" as shown on youtube.
                      As far as I understand I now would have to import the Root-CA (and the Sub?) into each client (=PC) using all this.
                      My Fedora 28 desktop does not like to import these crt-files ... I have to research that in more detail.

                      And I tried to upload a generated cert and its key to a TP-Link switch, it accepted the cert but not the key.
                      Tried a shorter one, failed as well.

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @sgw
                        last edited by johnpoz

                        @sgw

                        Personally I don't see the need for the intermediate in such a setup..

                        Which tp-link switch do you have? Can you just create a CSR and sign it with your new CA? I have a cheap one on my shelf I could try.. My cisco sg300s were a bit picky as well on how to install certs. But the CSR was the easy way to do it.

                        As to fedora... Where are you trying to install them - it would just be done in your browser to trust the CA. Doesn't really matter what OS the browser is running on. What browser are you using.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          sgw @johnpoz
                          last edited by

                          @johnpoz It's a TL-SG3424P and it does not allow creating a CSR, just upload key and cert. Didn't find specs for key length or so. I will retry in the next days ... thanks so far.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            Sorry I do not have one of those to play with or would for sure.. Let me see how much they cost.. Can always throw it in my lab for testing and helping others with same model and vlans and such.

                            did you see this?
                            https://forum.tp-link.com/showthread.php?77360-Invalid-SSL-key

                            The key you export from gui will be in base64 pem and rsa.. But maybe the switch doesn't like the .key ext vs .pem?

                            BTW they are very pricey on amazon - even the non poe model. And its latest firmware is from 2015? Arrrgghh..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            S 1 Reply Last reply Reply Quote 0
                            • S
                              sgw @johnpoz
                              last edited by sgw

                              @johnpoz

                              The link you posted looks promising, I will try that maybe tomorrow ...
                              Ah, what the heck: tested that, works! thanks

                              My customer bought TP-Link because they were cheap back then! ;-)

                              johnpozJ 1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @sgw
                                last edited by

                                @sgw

                                So you just changed the extension to pem vs key. you should not have to run that through openssl - its not going to do anything because the key is already in the correct format.

                                Glad you got it sorted... Make the certs good for 10 years so you won't have to dick with them again. And put SAN on them for IP while your at it would be my suggestion.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 1
                                • S
                                  sgw
                                  last edited by

                                  Yes, thanks for the suggestion.
                                  I plan to restructure my local DNS as well and will watch a pfsense hangout around this to maybe get an idea how to do that. After DNS works -> certs ;-)

                                  JeGrJ 1 Reply Last reply Reply Quote 0
                                  • JeGrJ
                                    JeGr LAYER 8 Moderator @sgw
                                    last edited by

                                    @sgw if you've got problem importing certs or CAs into things like switches etc. make sure which format they need. Some won't like normal PEM style format and want sth like PKCS8 or PKCS12 format. Others want key+cert in the same file. :)

                                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                    1 Reply Last reply Reply Quote 1
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.