Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting
-
I use pfSense at home and I am not a networking professional, so please be gentle as I suspect I may not be doing some things the right way and I am looking for advice on how to do it better.
Apart from as a general firewall I use pfSense for two internet-facing applications:
- NextCloud, hosted on a virtual machine. I use LetsEncrypt via an ACME tool built into NextCloud to manage this certificate. I do not use a proxy. Instead what I do is just forward ports 443 and 80 straight to the NextCloud VM. I suspect this may not be recommended?
- VPN. For this I went down the self-signed route, which is clumsy, but at the time was the easy way to just get it going.
I want to use ACME to manage the certificate for both applications. By this I mean that I would like to:
- Have pfSense use ACME to automatically manage the certificate used for my VPN. I think this needs to be done using the DNS challenge for validation.
- Have NextCloud use its own ACME implementation to manage its certificate directly. This uses the HTTP challenge for validation, as the ports are forwarded directly to NextCloud.
So I have the following questions:
- Can a certificate obtained through the ACME process be used for the VPN?
- Do I need to do anything to have pfSense IPsec pick up the certificate automatically when it is renewed?
- Both applications use the same domain. Can these two different ACME instances co-exist?
-
@rjarratt To be honest, using a public CA for a VPN is not really good practice. Just use self-signed; your own CA that you create on pfSense is fine here.
And it would probably be better to use HAProxy for your Nextcloud. You can go two routes here: you can offload the SSL to HAProxy, or just let the server you're sending to do its own cert.
I do all my SSL offloading in HAProxy. One advantage of the proxy is the ability to then use multiple different FQDNs that you send to different backends; even though you only have one public IP you can leverage multiple services behind the same port 443 or 80.
There are also security aspects of a proxy vs. talking directly to the service behind pfSense.
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
To be honest using a public CA for vpn not really good practice
Even from Let's Encrypt? Genuinely curious about this take.
-
@tinfoilmatt Users could create trusted certs from some public CA that your VPN server allows, since you do not control the CA.
In no scenario would such setups ever require a 3rd-party CA to sign certs. You should always be in control of the CA and the certs in such setups.
-
@johnpoz yes I think HAproxy would give me better flexibility, so I can do that independently of the TLS issue I suppose. But I do wonder if it is overkill for a low traffic personal site. I guess it may offer a bit more security though.
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
users could create trusted certs from some public CA that your vpn server allows since you do not control the CA
But with LE specifically, wouldn't a malicious actor need to be able to pass one of the ACME challenge types?
-
@johnpoz I am confused by this. I am talking about the certificate installed on my VPN server. Anyone can create a cert issued by the LetsEncrypt CA of course, but I don't understand how that can be a problem for my VPN?
-
@rjarratt Ah, right. John may be referring to user certificates and not server certificates.
-
@rjarratt Overkill? It should take you all of a few minutes to set up.
And while you might only use this site for a few users, it gives you flexibility in the future for adding more services, etc., even if only a few users ever actually use the site.
I have a service that users can use to request shows and movies on my Plex server; maybe 5 users ever use it, even though I have sent emails and instructions and why it's better all the way around to use the service. They get an email when I see the request and approve it, and then get an email when it's available. It puts it on the list so I don't forget about it.
Yet still many just text me or email or call me directly..
This is for sure only a personal-use sort of site, but HAProxy makes it more secure and simple to set up: let the ACME package handle the cert, and HAProxy the offload of the SSL connection. It's pretty much a set-and-forget sort of setup.
It is also now a one-stop shop for your SSL settings: TLS 1.3 only, which ciphers you use, etc. Whereas the service you're exposing might not even allow for that sort of setting, or makes it more difficult. In my example the service is a pain to even set up SSL on. So while user to HAProxy is a secure HTTPS connection, from Plex to the service is only HTTP; this traffic is only over my network, so encrypting it makes little sense.
-
@johnpoz I only said overkill because the docs emphasize that it is particularly suited to high traffic web sites and load balancing. These things don't apply to me. But I am keen to try it anyway :-)
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
It is also now a one-stop shop for your SSL settings: TLS 1.3 only, which ciphers you use, etc. Whereas the service you're exposing might not even allow for that sort of setting, or makes it more difficult. In my example the service is a pain to even set up SSL on. So while user to HAProxy is a secure HTTPS connection, from Plex to the service is only HTTP; this traffic is only over my network, so encrypting it makes little sense.
Yes I wondered about terminating TLS at HAProxy and then using straight HTTP to my NextCloud server, but it might mess with my NextCloud client on my phone if HTTPS is not available when I am using it inside the house. So I would prefer to have a certificate on the NextCloud server. I don't know if that would mean it is better to terminate TLS at the server rather than at the HAProxy though.
-
@rjarratt Here is a question for you. Since you say your server is currently doing the SSL, what sort of score do you get here?
https://www.ssllabs.com/ssltest/index.html
I would hope at least an A.

You could do both: you can have HAProxy use SSL to talk to the backend if you have some issue with the phone. But you could also just have your phone bounce off the HAProxy while it's internal to your network via WiFi.
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
https://www.ssllabs.com/ssltest/index.html
I get A+, but this is for the LetsEncrypt certificate used by NextCloud, obtained using ACME. I don't know how to test my VPN server.
-
@rjarratt You wouldn't test your VPN.
But good that Nextcloud is getting A/A+. If you were not, using HAProxy can make it easier to set your SSL settings to be more secure. But it seems Nextcloud is doing well out of the box.
-
@tinfoilmatt said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
@rjarratt Ah, right. John may be referring to user certificates and not server certificates.
@johnpoz can you confirm that you were talking about user certificates? Or do you have concerns about the VPN server certificate being issued by LetsEncrypt?
-
@rjarratt It is a two-way street..
Here, this came up 8 years ago in a Redmine request. Read why it was rejected.
https://redmine.pfsense.org/issues/8281
What advantage do you think using a publicly signed cert would bring you?? Create your CA, issue your certs..
But hey, you do you.. Good luck with that.
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
What advantage do you think using a publicly signed cert would bring you?? Create your CA, issue your certs..
The advantage I see is that there is less management needed. My self-signed CA cert is expiring (I made it last only 2 years) and I will have to deploy a new one to all my devices. I will also need to manually generate a new cert and deploy it to my VPN. With a Let's Encrypt cert I don't have to install a new CA certificate on my client devices and new certs are generated automatically.
But hey, you do you.. Good luck with that.
I am happy to learn something because I know that I am not a security expert, so I am keen to understand the reasoning. I still don't understand why a server cert issued by Let's Encrypt is worse than one issued by me. The link you provide also seems to be referring to user certs. Anyone can still access my VPN if they are prepared to ignore certificate errors in the trust chain for my server certificate. They wouldn't be able to successfully connect, though, without the authentication details. What am I missing here?
Sorry if this is a naive question.
-
@rjarratt said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
Anyone can still access my VPN if they are prepared to ignore certificate errors in the trust chain for my server certificate.
Not how it works, dude.. They cannot access your server unless your server trusts their cert.
Again, I'm asking you what advantage you think using some 3rd-party CA (ACME in this case) would bring to the table.. This isn't a server open to any browser out on the internet.. This is your VPN server, which only clients you will be giving the details to..
Are you just going to let any Tom, Dick and Harry connect to your VPN and only require that they know some password?
-
@johnpoz said in Using Acme for TLS Certificate for NextCloud and VPN in a Domestic Setting:
Not how it works, dude.. They cannot access your server unless your server trusts their cert.
Again, I'm asking you what advantage you think using some 3rd-party CA (ACME in this case) would bring to the table.. This isn't a server open to any browser out on the internet.. This is your VPN server, which only clients you will be giving the details to..
Are you just going to let any Tom, Dick and Harry connect to your VPN and only require that they know some password?
Not if I have a choice I suppose. As far as I can remember I only needed to install the CA certificate on my clients though. I assumed the CA certificate needed to be on the client just so that the client would trust the server. Maybe I have set up my VPN incorrectly, or at least not as securely as perhaps I could/should.
-
@rjarratt You should really be creating a cert for your users..
You should at minimum be using Remote Access (SSL/TLS), or better yet Remote Access (SSL/TLS + User Auth). You should be using a TLS key for auth and encryption.
You should have Client Certificate Key Usage Validation enabled, etc.
With how a VPN is set up, I just don't see why anyone would think using a 3rd-party CA makes any sense.. Not unless you were doing some sort of web-based VPN where all a user had to do was auth with username and password. That sure wouldn't be a very secure method of controlling who can VPN into your network.
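As an added example (not part of the thread, not pfSense code), the following plain-openssl script shows the server-side check the last two posts are describing: a VPN's own private CA, a user cert and the server's cert issued from it, and the accept/reject decision that chains a presented client cert to that CA and also checks its key usage (the same idea as the Client Certificate Key Usage Validation option mentioned above). All CA and user names are made up; openssl 1.1.1 or newer is assumed to be installed.

```shell
#!/bin/sh
# Added example: private VPN CA with client-cert key-usage validation,
# using only the openssl CLI (assumed installed). Names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA, 2-year lifetime like the poster's current one.
make_ca() {  # $1 = CA name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$WORK/$1.ext"
  openssl x509 -req -days 730 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Leaf cert signed by CA $1 for CN $2 with extendedKeyUsage $3
# (clientAuth for a VPN user, serverAuth for the VPN server itself).
issue_cert() {
  ca=$1; cn=$2; eku=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$eku" >"$WORK/$cn.ext"
  openssl x509 -req -days 365 -in "$WORK/$cn.csr" -extfile "$WORK/$cn.ext" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -out "$WORK/$cn.crt" >/dev/null 2>&1
}

# The server-side decision: the presented cert must chain to OUR CA ($1)
# and be usable as a TLS client (-purpose sslclient rejects a cert that
# only carries serverAuth, so a stolen server cert cannot pose as a user).
verify_client() {  # $1 = trusted CA name, $2 = presented cert CN
  if openssl verify -purpose sslclient -CAfile "$WORK/$1.crt" \
       "$WORK/$2.crt" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

# Demo: our CA, a second CA we do not control, and three certificates.
make_ca vpn-ca
make_ca other-ca
issue_cert vpn-ca alice clientAuth        # legitimate user: accept
issue_cert vpn-ca vpn-server serverAuth   # server's own cert, not a user: reject
issue_cert other-ca stranger clientAuth   # well-formed cert from the wrong CA: reject
for cn in alice vpn-server stranger; do
  echo "$cn: $(verify_client vpn-ca "$cn")"
done
```

The third case is the point being argued in the thread: a cert from a CA the server does not trust is rejected outright, which is why control of the issuing CA matters more than who signed the server's certificate.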