Netgate Discussion Forum
    Local management of LE haproxy certificates

    • frankz

      Hello everyone, I was able to generate LE certificates with duckdns.

      These certificates were generated with only one key and added to the existing one (always duckdns), but with the other 4 .duckdns hostnames.

      On HAProxy I have selected the destination server based on the source hostname and it works regularly. The problem arises from the fact that the servers are in the LAN and the certificates on pfSense, and therefore if the internet connection goes away I cannot manage the servers, unless with a DNS override I declare the LAN IP. If I do this, however, the certificates are not loaded, because the servers in the LAN are virtualhosts of a cluster server. Can anyone tell me how to get around the obstacle?

      • viragomann @frankz

        @frankz said in Local management of LE haproxy certificates:

        The problem arises from the fact that the servers are in the LAN and the certificates on pfSense, and therefore if the internet connection goes away I cannot manage the servers, unless with a DNS override I declare the LAN IP.

        Set it to the WAN IP and ensure that LAN firewall rules allow access to it.
        This way, the local connection goes through HAproxy as well.

        • frankz @viragomann

          @viragomann Yes, thank you. But it already works now; what I was writing is that if the provider's WAN connection goes away, no IP can be resolved. In short, if they are in the LAN and the NAT is in pure mode, the servers are reached. If the router is down, nothing works anymore unless the DNS resolver configuration intervenes, which as mentioned before allows me to connect to the server, but the certificate is that of pfSense on HAProxy, which to be used requires the round trip of the TCP packets. This does not happen on servers where the certificate is in their webroot, so with the DNS override it works without problems. Yes, some users have exported the certificates from pfSense onto the various servers, but the problem of renewal remains!

          • viragomann @frankz

            @frankz
            In simple words, you have to make sure that the connections to your server from inside your LAN go over HAproxy.

            If your WAN address is gone when the internet is down, then add the LAN IP to the HAproxy frontend, configure a DNS host override for your domains and point it to the LAN address.

            Where are the difficulties?

            • frankz @viragomann

              @viragomann It's dynamic ..... so every time it changes I should go around forgiveness ... unless you know how this can be done differently or automatically.

              • viragomann @frankz

                @frankz said in Local management of LE haproxy certificates:

                It's dynamic ..... so every time it changes I should go around forgiveness

                The LAN address of pfSense???

                • frankz @viragomann

                  @viragomann IP 192.168.3.2/24

                  • viragomann @frankz

                    @frankz
                    I don't need to know which.
                    But you said the LAN IP is dynamic?

                    • frankz @viragomann

                      @viragomann But no. The IP of the LAN firewall is 192.168.3.2, WAN 192.168.1.2. On the router a DMZ is configured, so all the traffic from the internet, and I mean everything, is forwarded to 192.168.1.2.

                      • viragomann @frankz

                        @frankz
                        So you can add host overrides for all your hosts to your DNS and point them to the LAN IP.

                        Then in the respective HAproxy frontend listening table click "add another entry" (screenshot attached)
                        and select the LAN from the drop-down, state port 443 and check "SSL offloading".

                        Then requests to your host names go to HAproxy, which manages the SSL certificates.

                        • frankz @viragomann

                          This post is deleted!
                          • viragomann @frankz

                            @frankz
                            Your frontends are already listening on any IPs. So you only have to configure the DNS host overrides to point to the LAN address.

                            Before trying to access the server from your local device, remember to flush the DNS cache on the client.

                            • frankz @viragomann

                              @viragomann Yes, but the certificate error occurs if the internet goes down. As I had already written, if I leave the override as I had done, the certificates are on pfSense and not on the servers. These servers, as you may have already noticed, are virtualhosts, so pfSense will resolve them as 192.168.3.76, which are aliases of the 192.168.3.76 cluster. To make sure that this does not happen I had to delete the overrides, so the FQDN goes to HAProxy, which must resolve externally to the production WAN IP address, e.g. 151.99.44.33. If you think about it, that's how it is. As I had also written before, this does not happen on another server, where I declared an override but the certificate is in its webroot, so the verification remains internal to the server.

                              A user had a similar configuration to mine and had even managed to upload pfSense certificates to the servers. The only problem remains that every 60 days you have to do the round of forgiveness to remove and update them. I apologize if the translation from Italian to English is poor, so you may have difficulty getting an exact overview.

                              • viragomann @frankz

                                @frankz said in Local management of LE haproxy certificates:

                                As I had already written, if I leave the override as I had done, the certificates are on pfSense and not on the servers.

                                Yeah, and it's provided to clients by the HAproxy frontend in the strict sense.

                                Then you said, your WAN IP cannot be used, when the internet goes down. Maybe.

                                That's why I suggested pointing the DNS host overrides to the LAN address.
                                Since the HAproxy frontend is listening on any IP of pfSense, you can also access it through the LAN address.

                                Now the host name is resolved to the LAN IP inside your local network. Hence the client goes to pfSense LAN > HAproxy, gets the SSL certificate, is happy because it matches the requested name, and HAproxy connects to the backend as it does if the request is coming from outside.
                                This should work as long as HAproxy is not in transparent mode.

                                So what are your concerns?

                                • frankz @viragomann
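As an added example, not code from the thread or from pfSense/HAProxy: a small Python check a LAN client can run to confirm that each host name resolves to the pfSense LAN IP (192.168.3.2, from the thread) rather than to the backend cluster (192.168.3.76), and that whoever answers on port 443 serves a trusted certificate covering that name. The duckdns host names and the sample certificate dictionary are constructed.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): one LE cert that
# covers several duckdns names, as the original poster described (names made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "first.duckdns.org"),),),
    "subjectAltName": (("DNS", "first.duckdns.org"), ("DNS", "second.duckdns.org")),
}
PFSENSE_LAN_IP = "192.168.3.2"  # from the thread: where the host overrides should point


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        hl, pl = h.split("."), p.split(".")
        return len(hl) == len(pl) and hl[1:] == pl[1:]
    return h == p


def cert_covers(cert, hostname):
    """True if any DNS SAN in a getpeercert()-style dict covers hostname."""
    return any(name_matches(hostname, v) for k, v in cert.get("subjectAltName", ()) if k == "DNS")


def classify(hostname, resolved_ip, haproxy_ips, cert):
    """Verdict for one host: did the name land on HAProxy, and does the served cert fit?"""
    if resolved_ip not in haproxy_ips:
        return "bypasses-haproxy"  # override points at the backend, so its own cert is served
    if not cert_covers(cert, hostname):
        return "cert-mismatch"     # HAProxy answered, but with a cert for other names
    return "ok"


def probe(hostname, haproxy_ips, port=443, timeout=5.0):
    """Live check: resolve via the local resolver, TLS to that IP with SNI, judge the cert."""
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # compare names ourselves so a mismatch is reported, not raised
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return ip, "untrusted-cert"  # typically the backend's self-signed certificate
    return ip, classify(hostname, ip, haproxy_ips, cert)


if __name__ == "__main__":
    for host in ("first.duckdns.org", "second.duckdns.org"):
        print(host, *probe(host, {PFSENSE_LAN_IP}))
```

Run it from a LAN client after flushing its DNS cache, once with the WAN up and once with it down; "bypasses-haproxy" or "untrusted-cert" means the override is sending the client straight to the cluster instead of to pfSense.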

                                  @viragomann Ok, then I'll try again by putting back the overrides that point to 3.76. As a primary DNS I use Pi-hole, which has pfSense as upstream. Anyway, I'll try again tomorrow and let you know. For the moment I thank you for your patience and for helping me.

                                  • viragomann @frankz

                                    @frankz said in Local management of LE haproxy certificates:

                                    then I'll try again by putting back the overrides that point to 3.76.

                                    Dude, to pfSense LAN IP, not to the backend server / cluster.

                                    • frankz @viragomann

                                      @viragomann (two screenshots attached)

                                      • viragomann @frankz

                                        @frankz
                                        I feel I was speaking to dead walls here.
                                        Give it up.

                                        • frankz @viragomann

                                          @viragomann I'm sorry. Thank you anyway.

                                          • frankz @viragomann

                                            @viragomann (screenshot attached)
                                            That's how it works and that's what I wanted to make understood.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.