SSL certificates for all home network
-
Hi guys!
I have, as said before, a setup with a 4-port NIC and the internal NIC is the WAN.
My computers are on the LAN_PRIVATE subnet as I have called it and my pfSense is connected to the LAN_PRIVATE subnet... At the moment I have a self-signed certificate in place and have added that info to my Windows computer so I don't get an insecure network warning.
I would like to have all my home network servers on the LAN_PRIVATE subnet to be able to have SSL cert verification without having to add that information to all servers...
So if I login to my pfsense from any computer I can do that without security warnings and the same for all my servers...
It is only me that has access - but it would be nice to connect to all my home network servers etc and get certificates automatically for them..
I have tried to follow so many videos and different scenarios - but it gets a bit overwhelming...
I have created a free domain with duckdns and can use that...
I have seen this can be done with Let's Encrypt and HAProxy... but like I have said above it just gets blurred with all the different scenarios... I just want access to my local network servers etc with secure connections...
Is there anyone that would like to help me with this project ...not looking for the WAN just LAN...
I heard if I have a wildcard it will include all connections on LAN_PRIVATE....I would appreciate any help I can get. I don't mind the learning curve...just someone's patience while I learn...
bookie56
-
The short story is: you want to know what https is all about.
What about starting at the top of the page you are looking at now?! There is a line with (very!) important info.
Here it is:
You can see that netgate.com is in bold. Have you wondered why?
Click on the 'shield' that is marked green.
Continue until you see this info:
This is the server certificate that Netgate's web server gave your browser.
This certificate has built-in info, you can see it: "Common Name forum.netgate.com", and for https == your browser to be happy, the host name used must match what the browser found in the certificate.
But there is more.
The certificate was signed at the top level by ISRG Root X1, and your browser trusts all certificates that come from this ISRG Root X1 CA certificate.
Your browser has a whole list of known trusted CA certificates. This matches what you've done on your own pfSense and web browser devices: you've created your own == self-signed CA certificate.
You created a web server certificate for your pfSense, and the GUI == the web server of pfSense uses it.
You've exported the CA certificate from pfSense to the device on which you use a browser. From then on, your browser will also trust 'your' CA as you've included it into the browser's certificate store. The fact that you created your own CA (on pfSense) and used that in your browser, and not a 'world known' CA certificate like "ISRG Root X1", makes no difference: the connection has the same security level.
One difference: yours is free. But you had to do 'something' to make it work. You've discovered that certificates created by Let's Encrypt are trusted by all browsers 'out of the box'. The one used here, for forum.netgate.com, is a good example.
If you want to have a certificate from, for example, Let's Encrypt, you should/could start here: How it works.
I'll boil it down to one phrase:
You need to be able to prove that you 'own' your domain name, in this case "forum.netgate.com". Let's Encrypt isn't going to call someone over the phone and ask for proof; it needs to be done by using a "script".
A known test is: the "Let's Encrypt test server" will check on forum.netgate.com if a special file exists, and this file should contain a special, secret text like 'eyJjb250YWN0IjogWyJtYWlsdG86Z3cua3JvZWJAZ21haWwuY29tIl0sICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9' and the file name should be 'K7BcPJEgYGOU8w4GBkWPG5Ivc7sfHVJKXKjtt2aSCDN3E54S6ys'.
Where do these codes come from?
On your side, when you use acme.sh for example, acme.sh will ask for these two codes from Let's Encrypt. It's Let's Encrypt who will randomly generate them.
Your acme.sh will create the file with the name 'K7BcPJEgYGOU8w4GBkWPG5Ivc7sfHVJKXKjtt2aSCDN3E54S6ys' and put this:
'eyJjb250YWN0IjogWyJtYWlsdG86Z3cua3JvZWJAZ21haWwuY29tIl0sICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9'
in it as the content.
When that's done, acme.sh tells Let's Encrypt: go verify me.
The "Let's Encrypt test server" will now visit this host / file (actually a web page):
forum.netgate.com/K7BcPJEgYGOU8w4GBkWPG5Ivc7sfHVJKXKjtt2aSCDN3E54S6ys and the content should be:
'eyJjb250YWN0IjogWyJtYWlsdG86Z3cua3JvZWJAZ21haWwuY29tIl0sICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9' If that checks out, Let's Encrypt knows you are the owner => you showed you control the domain name "forum.netgate.com".
Btw: this is just one method, the so-called web server method (acme.sh calls it DNS API); there are other check mechanisms also. The ones based on DNS are best.
But you need to 'own' (== rent) a domain name like forum.netgate.com or example.com, etc.
You must be able to prove that you control your domain, or sub domain. It might be possible (I never tried this myself) that you create a dyndns sub domain like "example.duckdns.com" and have this pointing to your WAN IP (pfSense) and have it answered by a web server that can 'serve the check file' to Let's Encrypt.
But wait... You shouldn't bust the KISS rule:
Your own CA and the web server certificates you created from it, these can be valid for years.
Do you really use that many devices from which you visit the pfSense GUI? OK, you might have to import the CA on several devices. How long did that take? Once done, you have the same security.
-
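The file-and-content check described in the post above, worked through as an added example (my code, not from the post or from acme.sh): in the ACME HTTP-01 challenge (RFC 8555) the CA fetches /.well-known/acme-challenge/<token> from the host and expects the token joined with the RFC 7638 thumbprint of the client's account key, so the file proves both control of the host and possession of the account key. The account keys and the dict standing in for the web server's document root are constructed for the example; the token is the one quoted in the post.

```python
import base64
import hashlib
import json

# Required JWK members per key type (RFC 7638, section 3.2).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Content of the challenge file: the CA's token tied to the client's account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def place_challenge(docroot: dict, token: str, account_jwk: dict) -> None:
    """Client side (what acme.sh does): write the file the CA will fetch."""
    docroot[challenge_path(token)] = key_authorization(token, account_jwk)


def validate_http01(docroot: dict, token: str, account_jwk: dict) -> bool:
    """CA side: GET the file and compare; `docroot` stands in for an HTTP GET to the host.
    RFC 8555 says trailing whitespace in the body is ignored, hence rstrip()."""
    body = docroot.get(challenge_path(token))
    return body is not None and body.rstrip() == key_authorization(token, account_jwk)


# Constructed sample data: the token quoted in the post and two fake P-256 account keys.
TOKEN = "K7BcPJEgYGOU8w4GBkWPG5Ivc7sfHVJKXKjtt2aSCDN3E54S6ys"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes([1]) * 32), "y": b64url(bytes([2]) * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes([3]) * 32), "y": b64url(bytes([4]) * 32)}

if __name__ == "__main__":
    webroot = {}                      # the web server's document root, as a dict
    place_challenge(webroot, TOKEN, ACCOUNT_JWK)
    print("valid for our key:   ", validate_http01(webroot, TOKEN, ACCOUNT_JWK))   # True
    print("valid for other key: ", validate_http01(webroot, TOKEN, OTHER_JWK))     # False
```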
@Gertjan Hi!
Thanks for coming by... funny you should ask how many devices... my partner thinks I am a hoarder
At the moment I would need to import that cert to about 14 computers... so yes... it can be done, was just hoping to have pfSense control it all...
Yes, I agree the self-signed ones are fantastic... the one I have is valid to 2033...
I do appreciate your time and yes I can import the certificate to all my computers... just with HAProxy I was under the impression that could be automated for the whole home network...
bookie56
-
@bookie56 said in SSL certificates for all home network:
just with HAProxy I was under the impression that could be automated for the whole home network...
acme.sh, the pfSense package that handles certificate renewal for pfSense, can do this for you.
You can supply 'home made scripts' that communicate obtained certificates to other devices.
If you have a lot of time left, these are nice projects to take care of.
Take into consideration that Let's Encrypt 'free' certificates are valid for 90 days max; normally you auto-renew them every 60 days or so. That means you have to transfer the new certificate files to your devices 6 times per year.
It would work just fine: accept the self-signed NAS, printer, AP certificates, and be done with it.
But, as I had a wildcard trusted signed certificate for my pfSense, I decided to automate the transfer, to see if it was possible. Loads of bash, python and other scp commands later, it worked. Btw: I had to use an officially trusted certificate, not for me, the pfSense admin, but because I use the captive portal for a hotel.
I can't initiate a captive portal login page over http as many (hotel client!) browsers will start to yell. And a self-signed https is also not done, as this will produce even more scary browser messages.
So I had to get a domain name, and obtain a cert for it.
-
@bookie56 said in SSL certificates for all home network:
At the moment I would need to import that cert to about 14 computers... so yes
You have 14 things serving up services via SSL, or you have 14 devices that will need to access these services over SSL?
Keep in mind you only need to install the CA that signs your certs once. And you really only need that CA on machines where you will access these services.
You could go the HA reverse proxy route, but that would be more for browsers that give you a warning when the service doesn't really support SSL.
-
@Gertjan This looks interesting and of course I don't mind learning new things...
bookie56
-
@johnpoz said in SSL certificates for all home network:
@bookie56 said in SSL certificates for all home network:
At the moment I would need to import that cert to about 14 computers... so yes
You have 14 things serving up services via SSL, or you have 14 devices that will need to access these services over SSL?
Keep in mind you only need to install the CA that signs your certs once. And you really only need that CA on machines where you will access these services.
You could go the HA reverse proxy route, but that would be more for browsers that give you a warning when the service doesn't really support SSL.
Hi @johnpoz ...
Sorry...wasn't that clear...
I have several computers running Windows and Linux and then several servers running Linux...
At the moment I have imported my self-signed certificate to 3 Windows machines...
Yes, it isn't the end of the world but when I sit at one of those machines and access my home servers which are running OMV I get the 'not secure' window... yes... I can ignore that or, as for Windows, import the certificate...
Just a bit tedious...
I have created a duckdns domain... added acme and created the keys and wildcard certificate, just not sure how I can implement that in HAProxy to automate the whole process... or is this just overkill?
bookie56
-
@bookie56 said in SSL certificates for all home network:
I have created a duckdns domain... added acme and created the keys and wildcard certificate, just not sure how...
After reading the acme.sh 'Use DuckDNS.org API' manual (didn't take long) I guess you're all set up already. If you ask for a wildcard certificate you should also read this one.
This means you have to add two (2) entries under the SAN List:
One with your-domain-at.duckdns.org
and this one: *.your-domain-at.duckdns.org
Both use the same DUCK token.
Wow.
I actually created your-domain-at.duckdns.org, and needed minutes to find the token ...
It was staring at me all the time:
A quick and dirty acme.sh setup on the pfSense side:

I did set DNS sleep to 60; 120 or more could be better.
While waiting, I watched the progress:
[26.03-RELEASE][root@pfSense.bhf.tld]/tmp/acme/your-domain-at.duckdns.org: tail -f acme_issuecert.log
as this shows you what happens.
Why look at this log file? As it tells you when things go well. That's important to know, as this will be your 'base-line'.
When things go bad, look at the same log, and compare with the good log.
As if by magic (not at all actually) you see what went wrong. Anyway, for me, it ended with an 'Ok'.
And the green GUI for those who love images (that don't say anything that matters):
Now I have a cert, and it will auto-renew after 120 days while I am doing something else.
Note:
I didn't add any action like:
you probably want to do this.
Now the part: how to transfer this certificate (chain) over to your other devices.
That doesn't have a "click here and done" solution. I stole everything from the Internet (of course) and adapted and modified stuff for my needs. I recall even adding scripts into the Unifi key controller as I send the certificate to that device also.
You've got Linux boxes so that part will be easy. Only server devices need the certificate. All your other client devices will accept your certificate out of the box.
Imho: do check once in a while the certificate auto-renewal process.
Never ever trust automated processes, treat them like kids.
I've seen "duckdns issues" a bit too often here on the forum, and the subject was never 'Wow, this works great!'... wait, yes, there is one that says exactly that: I just did!! Because it did.
Less than 3 minutes (and two minutes of me looking for the TOKEN) and I had a certificate
-
@Gertjan
Yes, that is correct....
-
@bookie56
look above.
-
@Gertjan I have my pfSense on 8443 and have tried to use my new cert with duckdns.org but it will not go there...
I am lost as to what is causing the problem...
bookie56
-
As shown above, I have this certificate now:

This is not (!) a wildcard certificate.
To use it for the GUI I have to:

(the https port 443 can be different)
but first, the SAN of the certificate has to match the host name:

-
@Gertjan Hi....been busy today...It is cottage season and I am working on that for the next few weeks

I have got my wildcard working and directing to my duckdns.org domain...
One thing I am not sure about is dns resolver...
DNS-Resolver was set to my old certificate so I changed that and then things worked - but I am not certain what changes I need to make there...?
I have added /etc/rc.restart_webgui...
Still not sure about accessing my computers...but will have a look at that when I get a mo...
Thanks so much for your help!
bookie56
-
@bookie56 said in SSL certificates for all home network:
One thing I am not sure about is dns resolver..
Because you've set this:

have a look at the /etc/hosts file, the very first 4 lines.
You can now, from any LAN device in your network, do this:
C:\Users\Gauche>ping -4 your-domain-at.duckdns.org
Envoi d’une requête 'ping' sur your-domain-at.duckdns.org [192.168.1.1] avec 32 octets de données :
Réponse de 192.168.1.1 : octets=32 temps<1ms TTL=64
@bookie56 said in SSL certificates for all home network:
DNS-Resolver was set to my old certificate so
This one:

?
DNS = Unbound doesn't deal with certificates.
If you want to have "DNS over TLS" on port 853 on your LAN, you can set that certificate.
But why bother? You don't trust your own LAN? ^^
I've set it to active, true, but I'm pretty sure none of my LAN devices is using it. My DNS traffic is all 'port 53' locally.
@bookie56 said in SSL certificates for all home network:
I have added /etc/rc.restart_webgui..
Normal. When the certificate gets renewed, the web server using that certificate needs to be told that it changed. Restarting the pfSense GUI web server is the way of doing so.
Check that you've set:

on the resolver settings page.
Keep in mind that "your-domain-at.duckdns.org" on your LAN will resolve to the pfSense LAN IP.
On the other side = WAN = the Internet, it will resolve to whatever WAN ISP IP you have.
-
@Gertjan Yes, I have pfSense with the new cert and can login no problems from all Windows computers - but not OMV computers... I just can't seem to be able to get to them with https working...
Getting a line through https - but I can see the certificate is active... but not giving secure SSL... Must be missing something...
bookie56
-
You shouldn't have to use HAProxy for this. Just use ACME to pull in a cert and use that for the webgui. Everything should see that as valid against the root trusted CAs. Unless they are using some subset or are out of date.
What are those clients showing as invalid for the cert?
-
@stephenw10 not using HAProxy at all, not been able to get anything working...
On my OMV servers I have added enable SSL and I have imported the key and certificate... but when I reload it shouldn't use the IP address... I thought it should use the name of the computer and in this case DN-Storage1..
My domain name via duckdns.org is pagenygard which I thought I would need to add as part of the address but nada....

I am just thinking, as you say, there must be an easier way?
bookie56
-
If you're using ACME/LetsEncrypt you don't need to import anything into the client. Any recent OS will already trust the root CA used by LE. That's the whole point of using it.
I would guess that you're trying to access it using a hostname that doesn't match the cert. I don't see 'dn-storage5' listed there.
Try accessing it using the full FQDN.
-
@stephenw10 sorry don't understand...
I have created a wildcard for pfsense that is for pagenygard.duckdns.org...
I can access webui for pfsense - but how do I use the certificate to access other computers on my network with https....at the moment that isn't working ...
I don't understand how importing the key and certificate would have any information about dn-storage5?
bookie56
-
@bookie56 Couple of things: the hostname only, dn-storage5, sure isn't going to match a cert. Also your cert should have SAN values, not just a CN.
So here is a domain I use with a wildcard: the CN is just the domain.tld, then there are 2 SAN entries:
*.domain.tld
domain.tld
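The matching rule the last two replies describe, worked through as an added example (my code, not from the thread or from pfSense/OMV): a modern browser checks the requested host name against the certificate's SAN dNSName entries only, ignoring the CN, and a `*.domain.tld` wildcard covers exactly one extra label, which is why the bare domain needs its own SAN entry and a plain host name like dn-storage5 can never match. The certificate dicts are constructed stand-ins shaped like the thread's wildcard certificate.

```python
def name_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName SAN entry against a hostname.
    Case-insensitive; '*' is only honoured as the whole leftmost label and
    stands for exactly one label (so '*.d.tld' matches 'a.d.tld', not 'd.tld'
    or 'a.b.d.tld')."""
    p_labels = san_name.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # wildcard never spans zero or several labels
    if "*" in p_labels[1:]:
        return False                      # wildcard allowed only in the leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False                      # reject '*.tld' style wildcards
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def hostname_accepted(hostname: str, cert: dict) -> tuple:
    """Decide as a current browser does: SAN entries only, the CN is ignored.
    Returns (accepted, reason) so the caller can see why a name fails."""
    sans = cert.get("san", [])
    if not sans:
        return False, "certificate has no SAN dNSName entries (a CN alone is not enough)"
    for san in sans:
        if name_matches(san, hostname):
            return True, f"matched SAN {san!r}"
    return False, f"{hostname!r} matches none of {sans}"


# Constructed certificates: the SAN layout from the thread, and a CN-only one for contrast.
WILDCARD_CERT = {"cn": "pagenygard.duckdns.org",
                 "san": ["*.pagenygard.duckdns.org", "pagenygard.duckdns.org"]}
CN_ONLY_CERT = {"cn": "pagenygard.duckdns.org", "san": []}

if __name__ == "__main__":
    for host in ("dn-storage5", "dn-storage5.pagenygard.duckdns.org",
                 "pagenygard.duckdns.org", "a.b.pagenygard.duckdns.org"):
        ok, why = hostname_accepted(host, WILDCARD_CERT)
        print(f"{host:38} {'OK ' if ok else 'BAD'} {why}")
```

Pointing the browser at dn-storage5.pagenygard.duckdns.org (with the resolver returning that server's LAN IP) is the combination the wildcard entry accepts; the short name alone fails before the certificate chain is even considered.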