SSL certificate from IONOS?
-
Trying to get pfsense to work with SSL. I suspect it's blocking DNS rebinding.
I have IONOS as the domain name host provider. I use duckdns since I have a dynamic IP address.
I use a wildcard certificate issued from IONOS. So for instance if I run home assistant I enter ha.domainname.com -> mydomain.duckdns.org -> ipaddress:80 -> pfsense -> reverse proxy -> service running home assistant
I was able to get duckdns set up on pfsense. I had all this working under my asus router previously. Now I cannot get anything to work using https. How do I get pfsense to accept the certificate?
Your connection is not private
Attackers might be trying to steal your information from ha.domainname.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: pfSense-760a207a13d62
Issuer: pfSense-760a207a13d62
Expires on: May 3, 2025
Current date: Apr 1, 2024
| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | UDP | * | * | WAN address | 51820 | 192.168.3.12 | 51820 | VPN |
| WAN | TCP | * | * | WAN address | 49008 | 192.168.3.12 | 39001 | plex |
| WAN | TCP | * | * | WAN address | 80 (HTTP) | 192.168.3.12 | 180 | swag http |
| WAN | TCP | * | * | WAN address | 443 (HTTPS) | 192.168.3.12 | 1443 | swag https |
| WAN | TCP/UDP | * | * | WAN address | 4389 | 192.168.3.12 | 4389 | sftp |
-
@xokia said in SSL certificate from IONOS?:
I use a wildcard certificate issued from IONOS. So for instance if I run home assistant I enter ha.domainname.com -> mydomain.duckdns.org -> ipaddress:80 -> pfsense -> reverse proxy -> service running home assistant
So are you running a reverse proxy on pfSense?
According to your NAT rules, you're forwarding HTTP/S to a local device. So a proxy on pfSense would be bypassed.
In this case pfSense has nothing to do with the SSL certificate. Just ensure that the web configurator is listening on a different port than 80 and 443.
In System > Advanced > Admin Access you can specify the port. Also check "Disable webConfigurator redirect rule" to avoid port 80 being redirected to pfSense.
-
@viragomann I am running a reverse proxy on my server. I am just forwarding the ports from pfsense to my server. My server is sitting on 192.168.3.12
Looks like I had to check this to get it to work. Can someone explain if they understand it?
Enable automatic outbound NAT for Reflection
Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from.
Required for full functionality of the pure NAT mode of NAT Reflection for port forwards or NAT Reflection for 1:1 NAT. Note: This only works for assigned interfaces. Other interfaces require manually creating the outbound NAT rules that direct the reply packets back through the router.
-
Because when you test from inside the firewall that traffic never hits the forwarding rules.
https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html
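
As an added illustration that is not part of the thread: a small Python model of why a LAN client's connection to the WAN address fails under pure NAT reflection until "Enable automatic outbound NAT for Reflection" is checked. The 443 to 1443 forward to 192.168.3.12 comes from the port-forward table above; the WAN address, pfSense LAN address and client address are assumed values.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

WAN = "203.0.113.10"     # assumed public address (documentation range)
FW_LAN = "192.168.3.1"   # assumed pfSense LAN address
CLIENT = "192.168.3.50"  # assumed LAN client, same subnet as the server
SERVER = "192.168.3.12"  # from the thread's port-forward table
PORT_FORWARDS = {(WAN, 443): (SERVER, 1443)}  # the "swag https" rule

def reflect(pkt, outbound_nat):
    """Firewall: rewrite the destination; optionally rewrite the source too."""
    dst, dport = PORT_FORWARDS[(pkt.dst, pkt.dport)]
    src = FW_LAN if outbound_nat else pkt.src  # source port kept for simplicity
    return Packet(src, pkt.sport, dst, dport)

def server_reply(pkt):
    """Server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def deliver(reply, original):
    """A reply addressed to the firewall is un-NATed from its state table;
    a reply addressed to a same-subnet host goes straight there, untouched."""
    if reply.dst == FW_LAN:
        return Packet(original.dst, original.dport, original.src, original.sport)
    return reply

def client_accepts(reply, original):
    """The client only matches replies from the address and port it dialled."""
    return (reply.src, reply.sport) == (original.dst, original.dport)

def connect(outbound_nat):
    syn = Packet(CLIENT, 50000, WAN, 443)
    reply = deliver(server_reply(reflect(syn, outbound_nat)), syn)
    return reply, client_accepts(reply, syn)

if __name__ == "__main__":
    for enabled in (False, True):
        reply, ok = connect(enabled)
        print(f"outbound NAT for reflection={enabled}: reply from "
              f"{reply.src}:{reply.sport} -> accepted={ok}")
```

Without the option the server's reply arrives from 192.168.3.12:1443, which the client never contacted, so the TLS handshake never completes; with it, the reply returns through pfSense and appears to come from the WAN address on port 443.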