ACME



  • I have two pfSense boxes with HA:
    pfsense1.domain.tld 5.5.5.1 (static)
    pfsense2.domain.tld 5.5.5.2 (static)
    pfsense-ha.domain.tld 5.5.5.3 (CARP)

    Because the two have different DNS names, the first pfSense can't get a certificate for the second one.
    If the second one takes a new certificate, the certificate is overwritten by the OpenVPN sync.

    Why isn't it possible to pin used certificates and save them from overwriting?

    I can't use wildcards because I can't change DNS entries.


  • Rebel Alliance Developer Netgate

    You put all the settings in the primary so it can handle a request for both. It's quite easy for DNS-based methods. For mine, the primary makes a cert with SAN entries for itself, the secondary, and a hostname for the CARP VIP. That cert syncs to the secondary, and ACME restarts the GUI on the secondary after the renewal. Works perfectly every time.



  • But I don't have access to the DNS server.


  • Rebel Alliance Developer Netgate

    What ACME method are you using to obtain the certificates now?



  • webroot local folder


  • Rebel Alliance Developer Netgate

    That's not a great way to do it, especially when it comes to a cluster.

    If you aren't using that port for anything else, you could forward the port from the WAN on your secondary to an interface on the primary where it can respond to the requests when needed.



  • I think it's easier and more flexible not to overwrite pinned or tagged certificates.


  • Rebel Alliance Developer Netgate

    Except that breaks the entire XMLRPC sync model of the primary handling the configuration and the secondary not taking its own actions.

    There isn't a method where the secondary can keep its own different entries in any other section. The primary can choose not to synchronize some entries (e.g. select firewall rules) but the other entries overwrite anything on the secondary in those sections still.

    You're talking about one port forward vs a bunch of complex code that doesn't exist. I'd say the port forward is much easier.

    And if you can find a way to use a DNS update method in ACME, which is much more secure, then it's even less of an issue.



  • We use multiple systems at our customers, and they often log in to the system with port 80/443.


  • Rebel Alliance Developer Netgate

    Unless you're running port 80 through something else like haproxy, there isn't a way it can be used for ACME and something else like that. Even the GUI redirect would have to be disabled or ACME could never bind to the port. If you had an existing port forward it would have to be on a schedule where it's off during the ACME update, so it's unlikely that you'd already be doing that, either.

    So your choices really are to do the port forward as I mentioned, or to not sync certs or OpenVPN.



  • I use port 80 for the redirect to https. So I have to redirect to the CARP IP so that a redirect will always work.

    How does ACME restart the GUI on the second pfSense?



  • Only redirecting of port 80 doesn't work. Port 80 will be redirected to port 443 which is not forwarded.

    original='{
    "type": "http-01",
    "status": "invalid",
    "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://pfsense2.my.tld/.well-known/acme-challenge/jrME943Oqidig7q802SjDWxY02_OrFv1ev02WqGM8EU [5.5.5.2]: "\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e"",
    "status": 403
    },
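The challenge object above is the CA's view of the failure: it requested the token over HTTP, was redirected to HTTPS on the secondary, and got a 404 from whatever answered on 443. The following pre-flight script is an added example and not code from this thread, from pfSense or from acme.sh. It walks a challenge URL hop by hop (so every redirect stays visible), classifies what the CA would have seen, and extracts the useful fields from an ACME challenge object. The hostnames, IP, token and redirect chain in it are constructed sample data; `http_fetch` is a hypothetical helper for live checks, and the sample run below uses an offline stand-in for it.

```python
"""Pre-flight check for an ACME http-01 challenge path behind a redirect.

Added example (not pfSense/acme.sh code). Models the failure seen in the
thread: port 80 on the secondary redirects to HTTPS, but the HTTPS side
does not serve the token. All names, addresses and tokens are constructed.
"""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so each hop is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """Fetch one hop without following redirects (hypothetical live helper).

    Returns (status, location_or_None). A connection failure is reported as
    status 0, which is how an unforwarded port looks from outside.
    """
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:          # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return 0, None


def follow_chain(url, fetch=http_fetch):
    """Follow redirects hop by hop; returns [(url, status), ...]."""
    chain = []
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        chain.append((url, status))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        break
    return chain


def classify_chain(chain):
    """Turn a hop list into an operator-facing verdict."""
    if not chain:
        return "unexpected"
    first_scheme = urlparse(chain[0][0]).scheme
    final_url, final_status = chain[-1]
    final = urlparse(final_url)
    if final_status == 200 and final.path.startswith(CHALLENGE_PREFIX):
        return "ok"
    if not final.path.startswith(CHALLENGE_PREFIX):
        return "redirect-left-challenge-path"      # e.g. redirect to a login page
    if final_status == 0:
        return "no-answer"                         # port not forwarded / host down
    if len(chain) > 1 and first_scheme == "http" and final.scheme == "https":
        return "https-hop-not-serving-token"       # the thread's case: 404 on 443
    if final_status == 404:
        return "token-not-served"
    return "unexpected"


_DETAIL_RE = re.compile(r"Invalid response from (\S+) \[([^\]]+)\]")


def summarize_acme_error(challenge_json):
    """Pull the fields an operator needs out of an ACME challenge object."""
    obj = json.loads(challenge_json)
    err = obj.get("error", {})
    m = _DETAIL_RE.search(err.get("detail", ""))
    return {
        "challenge": obj.get("type"),
        "status": obj.get("status"),
        "error_type": err.get("type", "").rsplit(":", 1)[-1],
        "fetched_url": m.group(1) if m else None,
        "answered_by": m.group(2) if m else None,
    }


# Constructed sample mirroring the shape of the object posted above.
SAMPLE_TOKEN = "TOKEN-PLACEHOLDER"
SAMPLE_HTTP = f"http://secondary.example.test{CHALLENGE_PREFIX}{SAMPLE_TOKEN}"
SAMPLE_HTTPS = f"https://secondary.example.test{CHALLENGE_PREFIX}{SAMPLE_TOKEN}"
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": f"Invalid response from {SAMPLE_HTTPS} [192.0.2.2]: "
                  "\"<html><head><title>404 Not Found</title></head>...\"",
        "status": 403,
    },
})

# Offline stand-in for http_fetch: port 80 redirects to HTTPS, HTTPS answers 404.
SAMPLE_HOPS = {SAMPLE_HTTP: (302, SAMPLE_HTTPS), SAMPLE_HTTPS: (404, None)}


def fake_fetch(url):
    return SAMPLE_HOPS.get(url, (0, None))


if __name__ == "__main__":
    chain = follow_chain(SAMPLE_HTTP, fake_fetch)
    print(chain, "->", classify_chain(chain))
    print(summarize_acme_error(SAMPLE_CHALLENGE))
```

For a live check, call `follow_chain("http://<host>/.well-known/acme-challenge/<token>")` from outside the cluster while the ACME client is serving the token; a verdict of `https-hop-not-serving-token` or `no-answer` means the redirect or the forward for the target port needs attention before the next renewal runs.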


  • LAYER 8 Moderator

    @ggzengel said in ACME:

    Only redirecting of port 80 doesn't work.

    Show us your forwarding rule. It does indeed work if done correctly :)


  • Rebel Alliance Developer Netgate

    Disable the redirect. Use standalone in ACME and not webroot.
    If someone can't remember to type https:// or use a bookmark to reach the appropriate port, you probably don't want them logging into your firewalls.



  • Thanks.
    It works now with a redirect of port 80, and I found "Restart Remote Service".

