HAProxy, Letsencrypt and synology

  • So I am looking to implement letsencrypt on my synology box. I know this can be done directly via the synology dsm. However, I read somewhere it's preferable to use the acme and haproxy packages in pfsense to manage letsencrypt certificates for all clients hanging off my pfsense firewall (I have synology, a unifi cloudkey etc). This is where my understanding and capability ends.

    I have installed the acme package and set up letsencrypt certificates for the domains I want to use. I have set up dyn dns for the domain. I have installed haproxy. Then I have tried a million different things from various blog posts - none worked!

    So I am reaching out here. I am not technical. I could do with a simple set of instructions (preferably with screenshots!) of how to use letsencrypt certificates issued and managed by my pfsense box for my synology box.

  • hello - anyone?

  • LAYER 8 Global Moderator

    I was using ssl offload with acme on ha proxy.. So sure I could walk through some screenshots if need be.

    But have to ask why would you need access to your cloudkey from outside? Same goes for your dsm as well.

    I have a synology nas (ds918+) and run the unifi controller. And I don't understand why you would need external access to these, to be honest.

    While I do access them both from work - this is via a vpn, etc.

    You're not opening these up to the public internet, are you? If only for your own access there is a much easier way than acme ;) I access both dsm and unifi cntrl via trusted certs that are good for 10 years and don't have to be renewed.. FREE.

    Not using it for offload with acme any more - but I still use offload for my plex request system for friends and family. I just moved to putting it behind cloudflare and using their free origin certs in ha proxy vs having to have acme renew every 90 days, etc. Their certs, which is what cloudflare talks to pfsense with, are good for 15 years ;)

    If you can tell me exactly what you're trying to accomplish, be happy to help.. I use ha proxy for being able to use port 443 for multiple uses.. Openvpn, my plex server behind cloudflare and ombi.. It routes the traffic to where it needs to go. Just don't have need of acme for any of it any more.

  • @johnpoz - you have simplified it for me. For the dsm, I don't need external access. For the unifi controller, I think I will - but I can access it via the cloud account, correct?

    Seems I have the same items you have - synology box and unifi controller (gen 2) and openvpn. I don't have plex.

    So just walk me through how to set these up the way you have. That should be good enough for me. Let's start with the dsm, please.

  • LAYER 8 Global Moderator

    Well if you don't access your nas from outside, and you want a cert... Just create a CA in your pfsense and create a cert... I can for sure walk you through that with screenshots. There are a few threads around here where I have done it for other things.. You just want your browser to then trust the CA you created, and you can use that to create any ssl certs you need that you want your browser to trust.

    Unifi is a bit trickier - not sure why they have not put in a gui for managing the certs. But they have a cmd line tool, keytool.. If you know the password it's much easier: "aircontrolenterprise"

    I can walk you through that as well.. Let me see if I can find one of my threads about having your browser trust the web gui cert, which will get you through the CA part, and then I can walk you through how to do your nas and your unifi... What do you use for your local domain? I use local.lan..

    edit: here you go, one of the most recent threads where I went over this

    Get that working for the pfsense web gui, and then when I get home or this weekend I will walk through with pictures how to use that CA you created for your nas and unifi controller.

  • @johnpoz apologies for dropping off for a while there. Business travel. Back home now.

    You asked what I use for my local domain. I had a domain registered and also set up wildcard acme certs for it in pfsense. Works well. I got stuck when trying to use haproxy and the wildcard cert for nas.mydomain.com and unifi.mydomain.com. Hence my questions here.

    If going the route of using my internal CA in pfsense, then I'd like to use a .home local domain. I learnt that icann has decided not to issue it anymore, so it's safe (right?)

  • LAYER 8 Global Moderator

    Even if they use it publicly - not like you couldn't use it locally.. The only issue you could run into is not being able to get to the exact domain name.. But normally in transparent mode of unbound, if not local it will ask public, etc.

    I use .lan for my local domain since I find it highly unlikely that will ever become a public tld.

  • @vacquah you don't have to install a letsencrypt cert on your synology. Just put it on the haproxy frontend and set SSL offloading on. The Synology ip address and port should be added as a haproxy backend.

  • LAYER 8 Global Moderator

    He is not wanting to access it remotely - he is wanting to access it via other local machines.. At least that is my take on what he is wanting to do.

  • @johnpoz I see... So, anyway, cert manager + haproxy could be used as internal proxy. Easy cert issuing procedure, easy publishing etc.

  • LAYER 8 Global Moderator

    @Renat said in HAProxy, Letsencrypt and synology:

    Easy cert issuing procedure, easy publishing etc

    Maybe you think that is easy ;) But think it through - it's not compared to a 1 time install of a cert on the nas that is trusted for 10 some years and done, that is only accessed by 1 guy anyway ;) And no need to bounce off a proxy for something that is right next to the client.

    It's utterly pointless to hit a reverse proxy to reach something that is next to you. It's also pointless to have name resolution point to the IP the proxy is listening on, etc. etc. And now you have to use a public name, and can not use rfc1918 as a san, etc. etc.

    Yes acme is great, ha proxy is great - for the proper use cases.. Getting rid of browser warning about cert issue for something that is local to you, and not needed to be accessed by public browsers, etc.

    You could also just not use https locally - but many devices kind of force it even now, etc. And your browser can bitch at you even then, etc. There are many devices locally that are never going to be accessed remotely, etc. Where having your own local CA, that can create certs for whatever fqdn you might want to use and can be trusted for YEARS without having to change them out, is the easier solution for this use case.
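
    Added example, written for this thread and not taken from any poster: a POSIX shell script that does with openssl what johnpoz describes doing in the pfSense Cert Manager (a private CA and a ten-year server cert carrying both a DNS name and an RFC1918 IP SAN, which a public CA would refuse), then bundles that cert the way HAProxy's SSL-offload frontend with the Synology as backend, as Renat describes, needs it. The host name nas.home, the IP 192.168.1.10, DSM's port 5001 and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private CA and a ten-year
# server cert with DNS + RFC1918 IP SANs (what johnpoz does in the pfSense
# Cert Manager), then bundles it for HAProxy's SSL-offload frontend with the
# Synology as backend (Renat's setup). Host, IP and port are assumptions.
set -e

make_local_ca_and_cert() {                  # args: dir host ip
    dir=$1; host=$2; ip=$3
    mkdir -p "$dir"
    # Private CA, valid 3650 days; import ca.crt into the LAN browsers/OSes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Home Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Leaf key + CSR; the IP SAN is something a public CA would refuse.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" "$ip" > "$dir/ext.cnf"
    openssl x509 -req -days 3650 -in "$dir/$host.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
        -out "$dir/$host.crt" 2>/dev/null
    # HAProxy's "crt" expects cert and private key in one PEM file.
    cat "$dir/$host.crt" "$dir/$host.key" > "$dir/$host.pem"
    chmod 600 "$dir/$host.pem" "$dir"/*.key
}

verify_cert() {                             # 0 only if chain + both SANs check out
    dir=$1; host=$2; ip=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    case "$(openssl x509 -in "$dir/$host.crt" -noout -text)" in
        *"DNS:$host"*"IP Address:$ip"*) return 0 ;;
    esac
    return 1
}

write_haproxy_cfg() {                       # args: dir host ip port
    dir=$1; host=$2; ip=$3; port=$4
    cat > "$dir/haproxy.cfg" <<EOF
frontend https_in
    bind :443 ssl crt $dir/$host.pem
    acl is_nas hdr(host) -i $host
    use_backend synology if is_nas

backend synology
    # DSM's own listener on 5001 is HTTPS with a self-signed cert, hence
    # "verify none"; use 5000 without "ssl" if plain HTTP on the LAN is OK.
    server nas $ip:$port ssl verify none
EOF
}
```

Run `make_local_ca_and_cert ./pki nas.home 192.168.1.10`, then `verify_cert` with the same arguments and `write_haproxy_cfg ./pki nas.home 192.168.1.10 5001`; the resulting ca.crt is what gets imported into each client, and nas.home.pem is what the DSM (or the HAProxy frontend) serves.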

  • @johnpoz you're right) all things should be reasonable) But now more and more apps require an ssl connection. And most browsers warn on non-https connections)
    By the way, one synology device doesn't need such activity))

  • Will be nice to learn how to do it both ways - using haproxy and just using the internal CA as @johnpoz proposes. I went the haproxy route and couldn't get it to work. I have the certs issued and haproxy set up. Perhaps @Renat you can provide a guide on how to do it and I will see if that can get me over the hump since I have already done most of the steps? (some screenshots of haproxy setup). Also, does anything have to be done on the synology side?
