Netgate Discussion Forum

ACME
    ggzengel:

      I have two pfSense with HA:
      pfsense1.domain.tld 5.5.5.1 (static)
      pfsense2.domain.tld 5.5.5.2 (static)
      pfsense-ha.domain.tld 5.5.5.3 (CARP)

      Because the two have different DNS names, the first pfSense can't get a certificate for the second one.
      If the second one obtains a new certificate, it is overwritten by the OpenVPN sync.

      Why isn't it possible to pin used certificates and save them from overwriting?

      I can't use wildcards because I can't change DNS entries.

      jimp (Rebel Alliance Developer, Netgate):

        You put all the settings in the primary so it can handle a request for both. It's quite easy for DNS-based methods. For mine, the primary makes a cert with SAN entries for itself, the secondary, and a hostname for the CARP VIP. That cert syncs to the secondary, and ACME restarts the GUI on the secondary after the renewal. Works perfectly every time.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        ggzengel:

          But I don't have access to the DNS server.

          jimp (Rebel Alliance Developer, Netgate):

            What ACME method are you using to obtain the certificates now?

            ggzengel:

              webroot local folder

              jimp (Rebel Alliance Developer, Netgate):

                That's not a great way to do it, especially when it comes to a cluster.

                If you aren't using that port for anything else, you could forward the port from the WAN on your secondary to an interface on the primary where it can respond to the requests when needed.

                ggzengel:

                  I think it's easier and more flexible not to overwrite pinned or tagged certificates.

                  jimp (Rebel Alliance Developer, Netgate):

                    Except that breaks the entire XMLRPC sync model of the primary handling the configuration and the secondary not taking its own actions.

                    There isn't a method where the secondary can keep its own different entries in any other section. The primary can choose not to synchronize some entries (e.g. select firewall rules), but the other entries still overwrite anything on the secondary in those sections.

                    You're talking about one port forward vs a bunch of complex code that doesn't exist. I'd say the port forward is much easier.

                    And if you can find a way to use a DNS update method in ACME, which is much more secure, then it's even less of an issue.

                    ggzengel:

                      We use multiple systems at our customers, and they often log in to the system on port 80/443.

                      jimp (Rebel Alliance Developer, Netgate):

                        Unless you're running port 80 through something else like haproxy, there isn't a way it can be used for ACME and something else like that. Even the GUI redirect would have to be disabled or ACME could never bind to the port. If you had an existing port forward it would have to be on a schedule where it's off during the ACME update, so it's unlikely that you'd already be doing that, either.

                        So your choices really are to do the port forward as I mentioned, or to not sync certs or OpenVPN.

                        ggzengel:

                          I use port 80 to redirect to HTTPS. So I have to redirect to the CARP IP so that a redirect will always work.

                          How does ACME restart the GUI on the second pfSense?

                          ggzengel:

                            Only redirecting port 80 doesn't work. Port 80 is redirected to port 443, which is not forwarded.

                            original='{
                            "type": "http-01",
                            "status": "invalid",
                            "error": {
                            "type": "urn:ietf:params:acme:error:unauthorized",
                            "detail": "Invalid response from https://pfsense2.my.tld/.well-known/acme-challenge/jrME943Oqidig7q802SjDWxY02_OrFv1ev02WqGM8EU [5.5.5.2]: "\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e"",
                            "status": 403
                            },

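A pre-flight check for the failure shown in the log above, added here as an example (not code from the thread or from the pfSense ACME package): it requests the http-01 challenge URL for a host without following redirects and labels what a CA's validation server would see, so a redirect into an unforwarded port 443 or a 404 from the wrong node is visible before a real issuance is attempted. Hostnames, the token and the key authorization string are assumed/constructed values.

```python
"""Pre-flight check for an ACME http-01 challenge on an HA pair (added example).
Fetches http://<host>/.well-known/acme-challenge/<token> without following
redirects and labels what a CA validation server would see: "not-found" (token
sits only in the other node's webroot), "redirect-to-https:443" (port 80 bounces
to 443, which is not forwarded to the primary) or "ok" (body == token.thumbprint).
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"

@dataclass
class Probe:
    status: int
    headers: dict
    body: str

def classify(probe: Probe, key_auth: str) -> str:
    """Map one HTTP response to a diagnosis label (header names matched case-insensitively)."""
    location = next((v for k, v in probe.headers.items() if k.lower() == "location"), "")
    if 300 <= probe.status < 400:
        target = urlparse(location)
        port = target.port or (443 if target.scheme == "https" else 80)
        if target.scheme == "https" or port == 443:
            return f"redirect-to-https:{port}"
        return f"redirect:{location}"
    if probe.status == 404:
        return "not-found"
    if probe.status == 200:
        return "ok" if probe.body.strip() == key_auth else "wrong-body"
    return f"unexpected-status:{probe.status}"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # returning None makes urllib raise HTTPError on 3xx instead of following it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(host: str, token: str, timeout: float = 10.0) -> Probe:
    """Network helper: request the challenge URL over plain HTTP, like a CA does."""
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return Probe(resp.status, dict(resp.headers), resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return Probe(err.code, dict(err.headers), err.read().decode(errors="replace"))
```

Run `classify(fetch("pfsense2.example.tld", token), key_auth)` from outside the cluster for each hostname in the SAN list; a label other than "ok" on the secondary means the CA will fail in the same way.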
                            JeGr (LAYER 8 Moderator):

                              @ggzengel said in ACME:

                              Only redirecting of port 80 doesn't work.

                              Show us your forwarding rule. It does indeed work if done correctly :)

                              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                              jimp (Rebel Alliance Developer, Netgate):

                                Disable the redirect. Use standalone in ACME and not webroot.
                                If someone can't remember to type https:// or use a bookmark to reach the appropriate port, you probably don't want them logging into your firewalls.

                                ggzengel:

                                  Thanks.
                                  It works now with redirect of port 80 and I found "Restart Remote Service".
