Which DNS validation method should I use to validate pfsense local domain on windows server?

ivanildolb · Apr 4, 2023, 1:30 PM

Hi, I'm trying to create a Let's Encrypt certificate to use in Captive Portal, but I'm not sure which DNS validation method I should use. My pfSense is hosted on a local server and I use Windows Server DNS on my LAN. I'm using the ACME package, but I got completely lost when validating the DNS, because I don't know which method I should use to validate my local pfsense domain on the windows server. Could someone guide me?

I tested nsupdate and DNS-Manual, but without success! I also didn't find anything about TXT records in Windows Server DNS...

johnpoz · Apr 4, 2023, 5:38 PM

@ivanildolb said in Which DNS validation method should I use to validate pfsense local domain on windows server?:

validate my local pfsense domain on the windows server.

Your "local" domain - acme isn't going to work unless this is public domain.. Are you trying to use a domain that is public and your windows DNS is the authoritative NS for this domain, and the internet can talk to it?

Also how are you going to use this in your captive portal.. You understand this cert wouldn't actually work for when a client tries to go to say https://www.cnn.com and they get redirected to whatever fqdn/IP your captive portal is using?

The only way this cert works is if the client is actually directly going to https://yourcaptiveportalfqdn

ivanildolb · Apr 4, 2023, 6:05 PM

@johnpoz In fact, the only thing I want is to enable HTTPS on the Captive Portal login page. For this, I need to have a valid certificate, such as the one from Let’s Encrypt. I could use pfSense's self-signed certificate, but client browsers wouldn't trust that certificate and that would give me problems.

johnpoz · Apr 4, 2023, 6:12 PM

@ivanildolb if you want public trusted cert that any client would trust, then sure you can use acme to do that.. Pfsense acme client can pull that for you, and sure you can use dns to let lets encrypt validate you own the domain.

But this domain has to be public for acme (lets encrypt) to work.. I do this for a domain I own for example, where its dns is hosted by cloudflare.. simple pointing of the pfsense acme client to cloudflare and the proper info to auth and create the record (txt) that it uses to validate you own and are in control of the domain is all that is required.

So this public domain you own, your saying that your windows DNS is the SOA for this domain on the public internet?

ivanildolb · Apr 4, 2023, 6:29 PM

@johnpoz I understand everything you said. But I don't have a public domain, my pfsense runs on a local server and all I have is a private IP and FQDN registered in my local Windows Server's DNS. I just need to generate a trusted certificate for my clients to authenticate to Captive Portal securely over HTTPS.

The ACME client seems like a great option, but I don't know if it applies to my current infrastructure. Any idea how I can do this?

johnpoz · Apr 4, 2023, 6:34 PM

@ivanildolb said in Which DNS validation method should I use to validate pfsense local domain on windows server?:

But I don't have a public domain

Then it is not possible to use acme to get a cert..

To have any web browser auto trust a cert, it has to be signed by a CA that they trust out of the box, like the lets encrypt CA, or any of the other ones out there verisign, digicert, etc. etc..

None of these public CAs are going to sign a cert for you for some non public domain..

So either get a public domain you can use for your captive portal fqdn, then you can get acme to sign it for you, and any browser will trust it out of the box.

Or create your own CA in pfsense, create whatever certs you want for any domain, or any rfc1918 IP address even via SAN added to the cert.. But for the browser to trust it, your CA would have to be added to the browsers listed trusted CAs

ivanildolb · Apr 4, 2023, 6:52 PM

@johnpoz Understood, I'll think better about what I can do... Anyway, thank you very much for the guidance!

johnpoz · Apr 4, 2023, 9:17 PM

@ivanildolb a domain can be had for very cheap, most registrars have sales so you could get somedomain.tld for like 88 cents for a year sometimes.. or 2$ etc.. that normally will go up after year 1, etc. but typically a domain only costs like 10$ a year.

But yeah it is just not possible for some browser to auto trust some cert without it being public domain.. You can use any domain you want and create certs your browser will trust - but you have to have enough control over the browser to install the CA cert as trusted source..

I do this for all my services I run locally that I access, the unifi controller web gui, my nas gui, pfsense gui, my printers gui, my switches web gui... For these I use either local.lan as the domain, or home.arpa - you can use any domain you want and your browser will trust it, as long as you tell the browser to trust the CA.. But if its just some random browser out of the box on someones machine - no they will not trust anything other than some public CA, and for this you have to have a public domain.