Problems with webroorFTP method

chudak · Jan 16, 2019, 9:14 PM

I think I moved ahead a bit but still incomplete win :(

I added NAT to open ports 22,80, 443 and was able to issue/renew certificate.

I see error:

[Wed Jan 16 13:11:55 PST 2019] new-authz error: {"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Name does not end in a public suffix","status": 400}
[Wed Jan 16 13:11:55 PST 2019] Please check log file for more details: /tmp/acme/ACME_WAWONA_TEST/acme_issuecert.log

My router name is like pfsense.<blah>.<blah>

WTH??

Gertjan · Jan 16, 2019, 11:20 PM

Where is you webroot situation ? On what device ?

chudak · Jan 16, 2019, 11:25 PM

@gertjan

I am trying to issue ACME certificate on my pfsense router box

Gertjan · Jan 17, 2019, 3:54 AM

Then hat are you doing with NAT etc ?
the local webroot is ... local.

See here : https://www.netgate.com/docs/pfsense/certificates/acme-validation.html

This method works similar to FTP Webroot but with the files hosted on the firewall itself. This method cannot be utilized by the WebGUI web server as that would mean exposing the GUI to the Internet, which is a major security issue.
This method can, however, be used in conjunction with the HAProxy package to host the files on the firewall itself in some circumstances. See https://forum.netgate.com/post/677786 for details.

IMHO : Not a good solution.

Grimson · Jan 16, 2019, 11:31 PM

@chudak said in Problems with webroorFTP method:

Name does not end in a public suffix

Is pretty self-explanatory, you can't create LE certs for private TLDs.

chudak · Jan 16, 2019, 11:52 PM

@grimson said in Problems with webroorFTP method:

@chudak said in Problems with webroorFTP method:

Name does not end in a public suffix

Is pretty self-explanatory, you can't create LE certs for private TLDs.

So what @gertjan pointed to See here : https://www.netgate.com/docs/pfsense/certificates/acme-validation.html can NOT be used for local domains ?

Just to confirm ....

chudak · Jan 16, 2019, 11:58 PM

@chudak

I guess https://community.letsencrypt.org/t/can-i-create-a-cert-for-a-private-domain/27264

Grimson · Jan 16, 2019, 11:59 PM

https://letsencrypt.org/how-it-works/ to get a cert your domain needs to be properly registered in the public DNS system and reachable over the internet. Private TLDs will not work.

chudak · Jan 17, 2019, 12:01 AM

@grimson said in Problems with webroorFTP method:

TLD

Well, that's good news !

Painful but useful

Thank you !

chudak · Jan 17, 2019, 3:54 AM

@gertjan

To be frank, I think that the fact that Acme can’t be used for local TLD must be underlined in the docs more clearly !

Gertjan · Jan 17, 2019, 6:33 AM

Of course you can't ask for a certificate for a domain like network.local. or something like that.

The TLD should exist, or, said otherwise, should be able to resolved on the Internet (not only your LAN). The domain name should exists, or registered against one of the exiting registrars.

You have to buy (actually : rent) a real domain name, or at least control directly or underlying its nae servers (DNS), a service that most registrars offer these days.

Btw : If you use something like a DDNS read this : https://community.letsencrypt.org/t/letsencrypt-https-ssl-for-ddns-net/40263
Some famous laws do apply : because it's free things are extra complicated.
The "webroot method " can be used here.
This webroot, some Internet server, could be local - on your LAN, or elsewhere, as long as the A record of
yourdomaine.ddns.net
points to it.

Btw : This

@gertjan said in Problems with webroorFTP method:

Then hat are you doing with NAT etc ?

was me not understanding you.
You where right, you have to NAT if your web server (webroot) is local for you. Which means that your domain that point to your WAN IP will pass through ports like "443" so the LE server can gain access to the web server to do it's work.
This could be, in a worst case, be the GUI of pfSense. You can see above what has been said about that "solution".
You should NAT to an existing internal web server (the web root method).
This means that acme running on pfSense should place a directory structure and file on that web server. It will be using ssh or sftp so it can do it's magic.

chudak · Jan 17, 2019, 9:22 PM

@gertjan

I really want to make sure to get to the bottom of it!

See detail steps: https://pastebin.com/7imkJw6p

jimp · Jan 17, 2019, 9:30 PM

Using the webroot method, you'd need to expose your firewall GUI to the web directly, which is dangerous, and it would need to use HTTP not HTTPS, which is insecure for the firewall GUI. Don't do that. There are ways to hook it into haproxy like that, but it is still not ideal.

If you must use a web-based method on the firewall itself, try the "standalone" method instead. You'll probably want to run it on another port (e.g. 8080) and then port forward wan:80 to 127.0.0.1:8080, to avoid a conflict with other services on the firewall itself. There are docs around that describe how to do that in more detail.

tl;dr: You're going about it the wrong way, use a more appropriate method.

chudak · Jan 17, 2019, 10:14 PM

@jimp

Thx

Looks like this link is accurate and worked fine

https://blog.artooro.com/2017/02/16/quick-easy-lets-encrypt-setup-on-pfsense-using-acme/

I need to address error:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.

Can you confirm that these steps correct to fix this issue, please?

Go to System > Advanced, Firewall/NAT tab. then you need to enable three options:

Pure NAT for NAT Reflection mode for port forwards
Enable NAT Reflection for 1:1 NAT
Enable automatic outbound NAT for Reflection

chudak · Jan 17, 2019, 10:40 PM

I checked Disable DNS Rebinding Checks and added the host name to Alternate Hostnames and it ... worked !

As @jimp suggested here https://forum.netgate.com/topic/38870/how-to-get-rid-of-potential-dns-rebind-attack-detected/3