SSL certificates on internal A name records

Swami_ · Dec 24, 2022, 9:45 PM

I wanted to have SSL certificates for internal domain names added via A name records in pfsense DNS Resolver.

Right now it’s got the webconfigurator certificate in DNS resolver.
If I change that certificate to a wildcard cert created by Acme package for a domain I own, then add the A name records to forward to internal IPs, will they be https secured on my internal network?

This is only meant for my own internal accessing my homelab services by domain instead of IP

I may be completely off base but wanted to ask others
Thanks

SteveITS · Dec 25, 2022, 2:53 AM

@swami_ the cert would need to be on the web server(s), unless you’re running haproxy or something to reverse proxy the https connections.

Can you explain your forwarding you mention?

Swami_ · Dec 28, 2022, 9:28 PM

@steveits
I have a DNS resolver host override for pfsense.mydomain.com that points to 192.168.1.1

I have a certificate for the domain created with acme package put in place in Advanced setup.
This is not accessible outside the local network.

I was hoping for a similar setup for other self hosted services (ex other docker apps).

I was just wondering if it’s possible to have similar setup for other self hosted services with no external access. So I can access via https domain name instead of unsecured http

johnpoz · Dec 28, 2022, 9:31 PM

@swami_ if you control the domain, then you can create a cert with acme for anything in that domain via dns.. So then sure you could use that cert on something internal that has no outside access. Just need your local dns to resolve that fqdn to your local IP - like your doing pfsense.mydomain.com pointing to 192.168.1.1

Swami_ · Dec 28, 2022, 9:36 PM

@johnpoz
How would I implement it?

I have wildcard certificates to the domains I own and can create sub domain certificates easily.

Is it enough to have them created in acme?
Would I have to use HAproxy somehow?

Just curious if anyone has tried this to use fqdn for internal network access with no external

johnpoz · Dec 28, 2022, 9:54 PM

@swami_ said in SSL certificates on internal A name records:

fqdn for internal network access with no external

yeah not sure why that is even a question? With a host override you could point www.google.com to one of your servers.. Sure you can use haproxy as a reverse proxy if you want if you want to make it easier for certs and having it do ssl offload or something.

If you have a wildcard cert for you domain.tld - then you could use anything.domain.tld or otherthing.domain.tld with the same cert that is what wildcard is.

Swami_ · Dec 29, 2022, 3:03 AM

@johnpoz
It won’t work (as I envision) because the services have port numbers involved.

I’ll have to see if HA proxy can do it and see if I can restrict that to local network

johnpoz · Dec 29, 2022, 7:33 PM

@swami_ yeah you can have ha proxy go to a different port.

But what is the big deal with just using a bookmark https://something.yourdomain.tld:8443 or https://otherthing.yourdomain.tld:9443 etc..

While I get you wouldn't want to have to tell a user what port is something is on, but if its just internal to your network - create a bookmark to whatever it is and there you go done with it.

But just because you have ha proxy doesn't mean it has to be made available to the public internet.

Swami_ · Dec 30, 2022, 2:51 AM

@johnpoz
I just wanted to see if I could use my domain to greater effect and use https for accessing the services so I could avoid the browser warning about unsecured sites

johnpoz · Dec 30, 2022, 3:11 AM

@swami_ you can - but you don't have to ha proxy to do that - unless you want haproxy to handle all the ssl traffic?

You can install the wildcard cert on all your services, even if they don't use the standard 443 ssl port.. And your dns points something.yourdomain.tld to their local IP say 192.168.1.42 or whatever

One advantage I would say ha proxy would be good is you only have 1 place to update the cert on, and have it do ssl offloading and then direct say when you get traffic to something.yourdomain.tld you send it to 192.168.1.42 on port 666 and if otherthing.domain.tld you send it to either 192.168.1.42 on port 777 or 192.168.1.52 on port 5055 etc. etc..

Once you update the amce cert every 90 days they would all get new certs so you only have to do it on haproxy.

Swami_ · Dec 30, 2022, 3:59 PM

@johnpoz
I’ll probably look more towards HA proxy like you suggested, cert management would make it worth it.

I just have to learn how to use HA proxy for LAN instead of WAN traffic

johnpoz · Dec 30, 2022, 4:04 PM

@swami_ you can setup haproxy to use your wan or you lan interface. Comes down to where the traffic is going to hit.

Even if you ha proxy listens on you wan IP, unless you open a firewall rule on the wan that would not be available to internet IPs. But your wan IP is still going to be able to be hit via your lan devices.

Comes down to where you want to point the fqdn you want to use to point to - if all your going to want it for is lan, then just use your lan IP and point all your fqdn you want to use to your pfsense lan IP.