pfSense Settings for Caddy and Letsencrypt
-
Hi, I'm new to pfSense and I apologies if I ask obvious things or not in the appropriate way. I hope I'm giving enough info.
In my network I have TrueNAS hosting Nextcloud, which is using Caddy to get LetsEncrypt certificate via DNS validation (hosted on Clodflare). Before moving to pfSense I was able to get the certificate with the ISP router, but since I moved to pfSense I'm not able to renew it.
I'm running pfSense 2.5.2 and my actual network is as follows:
ISP-->modem-->pfSense-->switch-->Nextcloud
I have set a host override so that my FQDN (used by Nextcloud) resolves to my TrueNAS jail inside my network. It is obvious that the settings I have for DNS resolver and/or firewall are not correct. Is there someone who could help me in setting up pfSense correctly?
DNS settings
DNS resolver
DNS resolver options
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
    forward-addr: 9.9.9.9@853
    forward-addr: 2620:fe::fe@853
Firewall
Any help would be really appreciated.
Thanks a lot
Nick -
The images show that you are forwarding (so, deactivate DNSSEC as it is useless in such a context) and that you NATted some ports to these devices: 192.168.178.32 - 78 and 68.
All that has nothing to do with the subject: acme/Letsencrypt troubles?
Btw :
ISP router or ISP modem ? -
@gertjan
Hi Gertjan, thanks for the reply. As I said I'm new to pfsense, so apologies if I didn't provide stuff that might not be strictly related to the subject, I was trying to provide as much info as possible.
Anyhow, to answer your question on acme/Letsencrypt, I haven't changed anything. I do have the acme challenge on Cloudflare and it is working when I use my "old" ISP provided modem/router, that means:
ISP --> ISP modem/router --> Nextcloud
The acme challenge query is done within Nextcloud via caddy and here as well nothing has been changed.
The actual modem (used in bridge mode) I have is different from the "old" ISP provided one and everything else is done within pfSense box.
I will disable DNSSEC as you suggest, reading the documentation I thought I had to enable it. -
@nick23369 said in pfSense Settings for Caddy and Letsencrypt:
... if I didn't provide stuff ....
No problem.
Except that you'll never receive any answers.
( so, why posting ? ;) )
About 'acme' and Letsencrypt: see this first: the video created by the author of the acme package.
See the whole thing, and only then you might understand what it all does.
Add another video to the view list that explains how "Letsencrypt" decides if, and under what circumstances, it delivers you a certificate. When you know how things work, it's easy to set up.
@nick23369 said in pfSense Settings for Caddy and Letsencrypt:
I thought I had to enable it.
DNSSEC works out of the box - and it's enabled by default.
But it needs the resolver to be set up as a resolver, not a forwarder.
By default, the resolver is set up as a resolver ;) -
@gertjan
Thanks for the link, I'll watch the video and hope to understand how I need to set it all up. If not I might come back with few question ;)