Netgate Discussion Forum
    Certificat Validation Method Hosteur

ACME
9 Posts 3 Posters 1.2k Views
Wiwi 0:

Hello people!
I'm looking for the best method to get a certificate on my pfSense 2.5.2 with the ACME package 0.6.10 and the Hosteur provider.

I used to be at OVH and I could use the API to update DNS entries and get my certificates automatically.

But I have a client whose DNS zone is at Hosteur and sadly there is no built-in API connector (not sure I'm using the right words here) for Hosteur in the ACME package.

I mean in pfSense -> Acme Certificates -> Certificates -> Domain SAN list -> Method
there is no DNS-Hosteur provider.

I can still use the manual DNS method, but there are a lot of domains to get certificates for (and I want to save some work!)

I'm still not an expert on pfSense / ACME, so let me know your thoughts!

Thanks

Wiwi 0:

Hello people!
OK, after looking for more information on pfSense, ACME and HAProxy, I understand much better how things work (and what I'm doing).

So I found a way to get my certificate automatically with the Standalone HTTP server of the ACME package through my HAProxy.
I guess it's obvious for some people, but it wasn't for me!

Here is what I did:

First: Certificate
I created a certificate in the ACME package with the "Standalone HTTP server" validation method, using port 8080 (why 8080? no special reason, I was testing).
(screenshot: Capture du 2021-12-31 13-57-25.png)

Second: Backend HAProxy
I created a backend with my pfSense as the server (10.0.0.254 port 8080). Really simple backend: no ACL, no health check.
(screenshot: Capture du 2021-12-31 14-01-11.png)

Third: Front-end http HAProxy
I have a front-end on port 80 that I use to redirect http 80 to https 443. I'm doing this with the action "http-request redirect" and value "scheme https".
So I added an ACL on this front-end with "Path contain within slashes" and value "/acme-challenge/" that I call "acmechallenge".
Then I added the action "Use Backend" with server "PfSense" and condition "acmechallenge".
(screenshot: Capture du 2021-12-31 14-07-38.png)

And finally: Front-end https HAProxy
I need to have something on https://my-domain.az; if not, the certificate is not generated. So I simply added my domain to my https front-end.
(screenshot: Capture du 2021-12-31 14-25-07.png)

Then you can Issue/Renew your certificate and it should work!

So now the real question: is it safe to do it like this?
I don't see why it would not be as safe as a classic NAT rule to the Standalone HTTP server. But I prefer to ask.

Thanks

NollipfSense @Wiwi 0:
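The four GUI steps above, written out as a raw haproxy.cfg. This is an added example, not the poster's configuration or anything generated by the pfSense HAProxy package: the LAN address 10.0.0.254, the ACME listener port 8080, the application server 10.0.0.10:8080 and the certificate bundle path /var/etc/haproxy/example.pem are assumed placeholders. It differs from the post in two deliberate ways: the ACL matches the exact prefix /.well-known/acme-challenge/ (the only path an HTTP-01 validator ever requests) rather than any path containing /acme-challenge/, and the redirect to HTTPS explicitly excludes that path.

```haproxy
# Added example (not from the forum thread): HAProxy front of the pfSense
# ACME package's "Standalone HTTP server" validation listener.
# Assumed values: pfSense LAN 10.0.0.254, ACME listener port 8080,
# app server 10.0.0.10:8080, cert bundle /var/etc/haproxy/example.pem.

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Backend pointing at pfSense itself, where the ACME package starts its
# temporary "Standalone HTTP server" only while an issue/renew runs.
# No health check: outside a run nothing listens there, which is expected.
backend acme_standalone
    server pfsense 10.0.0.254:8080

# Ordinary application backend (assumed address).
backend app_servers
    server app1 10.0.0.10:8080 check

frontend http_in
    bind :80
    # HTTP-01 requests are always GET /.well-known/acme-challenge/<token>.
    # Matching the exact prefix, not a substring, means only the challenge
    # path can reach the ACME listener; everything else is redirected.
    acl acmechallenge path_beg /.well-known/acme-challenge/
    # http-request rules are evaluated before use_backend rules regardless
    # of their order in the file, so the redirect must exclude the challenge
    # path; otherwise the validator follows the 301 to the HTTPS front-end.
    http-request redirect scheme https code 301 if !acmechallenge
    use_backend acme_standalone if acmechallenge

frontend https_in
    # Assumed certificate path; the validated domain needs a listener here.
    bind :443 ssl crt /var/etc/haproxy/example.pem
    default_backend app_servers
```

Two checks worth doing after loading this. During an Issue/Renew, a request for http://your-domain/.well-known/acme-challenge/anything must reach the ACME listener rather than return a 301; outside a run HAProxy answers 503 on that path because no server is up, and 301 on every other path. On the safety question: compared with a NAT rule forwarding port 80 to 8080, the same temporary listener is exposed, but only for that one path prefix and only while acme.sh is running it, so the reachable surface is smaller, not larger. The unconditional redirect in the original steps is the likely reason the HTTPS front-end had to serve the domain: the validator followed the redirect there.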

@wiwi-0 Thank you for sharing, as I will be setting up one for a PBX phone system in a DMZ. I spent the weekend researching and learning.

          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

johnpoz (LAYER 8 Global Moderator) @Wiwi 0:

            @wiwi-0 said in Certificat Validation Method Hosteur:

            DNS zone at hosteur and sadly, there is no build-in API connector

You understand there is no reason you have to leave your DNS there if their DNS hosting is substandard. Just move the domain's DNS to, say, Cloudflare; they provide free services, and they support pretty much anything you would want to do with DNS: CAA, DDNS, DNSSEC, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Wiwi 0 @johnpoz:

@johnpoz
Sure, I know I can change provider; my own domains are at OVH. But this project was for a client who didn't want to change provider for some reason.

johnpoz (LAYER 8 Global Moderator) @Wiwi 0:

@wiwi-0 It has nothing to do with the provider of the server, or who you registered the domain with. It has to do with who is providing the DNS for that domain.


Wiwi 0 @johnpoz:

@johnpoz Yeah, I was talking about the domain provider.
The client has his domain registered at Hosteur and wants to keep it there.

Sorry for the misunderstanding.

johnpoz (LAYER 8 Global Moderator) @Wiwi 0:

                    @wiwi-0 said in Certificat Validation Method Hosteur:

                    domain register at Hosteur,

Again, nothing to do with who provides the DNS. I have some domains registered with Dynadot and others with Namecheap, and for some of those domains I host DNS with Cloudflare. It is as simple as pointing the NS records for that domain, at the registrar, to the DNS service you want to use.

Because, more often than not, the DNS provided by the registrar is substandard. Like no API ;)


Wiwi 0 @johnpoz:

@johnpoz OMG, I just understood what you mean 😳
Sorry, it just took me a few days...

I didn't know we could do that, it's amazing!

Well, I will keep my first solution on that project, as the person I'm working with also needs to use domains from his clients, who want to keep managing their own zones.

But damn, I'll keep that for later!
Thanks a lot!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.