Certificate Validation Method Hosteur
-
Hello people!
I'm looking for the best method to get certificates on my pfsense 2.5.2 and acme package 0.6.10 with the hosteur provider. I used to be at OVH and I could use the API for updating DNS entries and get my certificates automatically.
But I have a client who has his DNS zone at hosteur and sadly, there is no built-in API connector (not sure I'm using the right words here) for hosteur in the acme package.
I mean on the pfsense -> Acme Certificates -> Certificates -> Domain SAN list -> Method
There is no provider DNS-Hosteur. I can still use the manual DNS method, but there are a lot of domains to get certificates for (and I want to save some work!)
I'm still not an expert on pfsense / acme, so let me know your thoughts!
Thanks
-
Hello people!
Ok, after looking for more information on pfSense, Acme and HAProxy, I understand much better how things are working (and what I'm doing). So I found a way to get my certificate automatically with the Standalone HTTP server of the acme package through my HAProxy.
I guess it's obvious for some people but it wasn't for me! Here is what I did:
First : Certificate
I create a certificate in the acme package with the "Standalone HTTP server" validation method, using port 8080 (why 8080? no special reason, I was testing).
Second : Backend HaProxy
I create a backend with my pfsense as server (10.0.0.254 port 8080). Really simple backend: no ACL, no health check.
Third : Front-end http HaProxy
I have a front-end on port 80 that I use to redirect http 80 to https 443. I'm doing this with the action "http-request redirect" and value "scheme https".
So, I add an ACL on this front-end with "Path contains within slashes" and value "/acme-challenge/" that I call "acmechallenge".
Then I add the action "Use Backend" server "PfSense" with condition "acmechallenge".
And finally: Front-end https HaProxy
I need to have something on https://my-domain.az, if not, the certificate is not generated. So I simply add my domain in my https front-end.
Then you can Issue/Renew your certificate and it should be working!
So now the real question: is it safe to do it like this?
I don't see why it would not be as safe as a classic NAT rule to the Standalone HTTP server. But I prefer to ask. Thanks
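Written out as a plain haproxy.cfg, the four GUI steps above look like the following (added example, not the poster's own config): the 10.0.0.254:8080 backend is the value from the post, while the section names and the bind addresses are assumed. It also tightens the ACL to the full /.well-known/acme-challenge/ prefix, which is the only path HTTP-01 validation needs.

```haproxy
# Added example: haproxy.cfg equivalent of the pfSense GUI steps in the post.
# Assumed: pfSense LAN address 10.0.0.254 and ACME "Standalone HTTP server"
# port 8080 (both from the post); frontend/backend names are placeholders.

frontend http_in
    bind :80
    mode http
    # Match only the HTTP-01 challenge prefix. path_beg with the full prefix
    # is stricter than the GUI's "contains within slashes" (path_dir) match,
    # which would also forward e.g. /anything/acme-challenge/x to pfSense.
    acl acmechallenge path_beg /.well-known/acme-challenge/
    # http-request rules are evaluated before use_backend, so the redirect
    # must explicitly skip the challenge path or the ACME client only ever
    # sees a 301 and validation fails.
    http-request redirect scheme https code 301 unless acmechallenge
    use_backend pfsense_acme if acmechallenge
    default_backend pfsense_acme

backend pfsense_acme
    mode http
    # ACME package standalone listener on pfSense. No health check: the
    # listener only runs while a challenge is in progress, so a check would
    # report it down most of the time and HAProxy would refuse to route to it.
    server pfsense 10.0.0.254:8080

# The https front-end from the post is unchanged: the domain must be present
# there (bind :443 ssl crt ...) so the redirected request has somewhere to go.
```

Only the challenge path is forwarded and the standalone listener is up only during validation, so this exposes nothing more than a port-forward to 8080 would; the pfSense webGUI is not reachable through this backend.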
-
@wiwi-0 Thank you for sharing as I will be setting up one for a PBX phone system in DMZ. Spent the weekend researching and learning.
-
@wiwi-0 said in Certificate Validation Method Hosteur:
DNS zone at hosteur and sadly, there is no build-in API connector
You understand there is no reason you have to leave your dns there if their dns hosting is substandard. Just move the domain dns to say cloudflare, they provide free services. And they support pretty much anything you would want to do with dns: caa, ddns, dnssec, etc.
-
@johnpoz
Sure, I know I can change provider, my own domains are at OVH. But this project was for a client who didn't want to change provider for some reason.
-
@wiwi-0 It has nothing to do with the provider of the server, or who you registered the domain with. It has to do with who is providing the dns for that domain.
-
@johnpoz Yeah, I was talking about the domain provider.
The client has his domain registered at Hosteur, and wants to keep it there. Sorry for the misunderstanding.
-
@wiwi-0 said in Certificate Validation Method Hosteur:
domain register at Hosteur,
Again, nothing to do with who provides the dns. I have some domains registered with dynadot and others with namecheap, and for some of those domains I host dns with cloudflare. It is as simple as pointing the NS for that domain at the registrar to the dns service you want to use.
Because, more often than not, the dns provided by the registrar is substandard. Like no API ;)
-
@johnpoz OMG, I just understood what you mean.
Sorry, it just took me a few days... I didn't know we could do that, it's amazing!
Well, I will keep my first solution on that project as the person I'm working with also needs to use domains from his clients, who want to keep managing their own zones.
But damn, I'll keep that for later!
Thanks a lot!