-
Hi everybody,
for the last few months i fallowed the Let's Encrypt Project and now it s going in the final round with the project.
My question is, if there will be a package for the pfsense to be installed or a default support in future releases?
greetings
-
isn't letencrypt just another CA ?
-
yes but they are going to have some idiot proof script where user just clicks a button, runs a script sort of thing
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.
Getting a Certificate
The letsencrypt tool always handles the certificate request and authentication for you.
With Automatic Web Server ConfigurationThis will automatically configure Apache and Nginx servers with your new certificate.
$ letsencrypt run
Think they are asking for some sort of package to integrate the script.. Pretty pointless if you ask me..
-
@pwnd28: I already mentioned this elsewhere. This needs an existing FreeBSD port first. Cannot be intergrated in any way without that.
-
There seems to be some work on a port, looks like one even done already if not current code.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203405But is this something that is really needed? The ca manager could be used to install the certs and you could use anything to do the csr and get the certs.. And then just use the CA manager to install the cert into pfsense and use it..
-
There seems to be some work on a port, looks like one even done already if not current code.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203405But is this something that is really needed? The ca manager could be used to install the certs and you could use anything to do the csr and get the certs.. And then just use the CA manager to install the cert into pfsense and use it..
Except their certs are only good for 90 days, hence their preference of an automated renewal process rather than having to do it manually every 3 months. The short renewal length allows them to keep a small CRL.
-
90 days?? Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.
-
@KOM:
90 days?? Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.
A more appropriate place for this question would be here:
Maximum and Minimum Certificate LifetimesFor other non pfSense specific details, the Let's Encrypt and Support sites are typically better sources of information.
-
@KOM:
90 days?? Geez, why waste time with that when you can get a freebie from StartSSL that's good for a year.
If you dont know your certs have been nicked, then they are useful to hackers for a whole year.
-
Hi,
Thanks for the many answers.
I m also not sure if this is realy usefull or not. Nobody realy knows if the CA you use is trustfull or has a connection to the government or an other party.
I am exited if there will be a package or not. A lil bit better than an unsight certificate it is of course especielly through the support of 4096 bit certificates and more -
Just interchange hackers for spooks, and interchange national for foreign, their actions amount to the same either way.
With that in mind, do you trust another entity who provides the certs when you dont know the staff and/or infrastructure being used, and even if the device is good, you still then need to trust the manufacturers of the devices being used.
All in all thats a lot of trust you need to spread around, but one of the beauties of hacking is, even if you do trust an entity, considering they may use devices that then get used at home, where offspring or others who are less tech savvy exist, their devices maybe inadvertently hacking the very entity and their devices you trust, rendering them untrustworthy without their knowledge.
With this in mind do you still want to trust a third party and not your own capabilities even when you are motivated to improve your own capabilities by learning, like printing your own certs on a standalone trusted device under your supervision?
An abstract but perhaps realistic view on life.
-
If you dont know your certs have been nicked, then they are useful to hackers for a whole year.
Believe me, nobody wants my certs ;D
-
Nobody realy knows if the CA you use is trustfull or has a connection to the government or an other party.
Best practice is to generate the private key you wish to use for a certificate locally on an uncompromised machine with a cryptographically secure random number generator. In this scenario the security of the private key is entirely in your hands because the Certificate Signing Request sent to the CA does not contain the private key.
-
I see no point to support of this on pfsense to be honest.. Other than maybe captive portal. For the webgui to admin pfsense.. Just use CA on pfsense to create a cert and trust it on your machines you will admin pfsense from. This really should be a really small list of machines!!
Now using https in your captive portal, yes https could be handy to be able to use a cert that is auto trusted by your guests.. But prob going to fail anyway even if the https your serving is valid for your https captive portal page since redirect of https is tricky and browsers don't like it and balk as well they should and if the site they have been going to via https is using hsts most browsers going to prevent it.
Your best solution is to just notify users that they have to hit your captive portal directly or try and go to a http site to get redirected. You could then redirect them to a https url that you have trusted cert for.. This would really be the only reason I could see for this.. But why not just get a https for a year from free like start or there are other places they cost a whole $10 a year.
If your so cheap to not want to pay for your ssl.. Just don't bother doing your captive portal via https - or use self signed and deploy that to your users of your captive portal on the your going to have anyway on the http url for the captive portal.
-
@KOM:
If you dont know your certs have been nicked, then they are useful to hackers for a whole year.
Believe me, nobody wants my certs ;D
Fortunately the Let's Encrypt project isn't about only you.
-
But why not just get a https for a year from free like start or there are other places they cost a whole $10 a year.
Let's Encrypt cert is in essence good for as long as the automation runs.
If your so cheap to not want to pay for your ssl.. Just don't bother doing your captive portal via https - or use self signed and deploy that to your users of your captive portal on the your going to have anyway on the http url for the captive portal.
It's not always only about the money. Let's Encrypt cert automation can be very appealing too.
-
Nobody realy knows if the CA you use is trustfull or has a connection to the government or an other party.
Best practice is to generate the private key you wish to use for a certificate locally on an uncompromised machine with a cryptographically secure random number generator. In this scenario the security of the private key is entirely in your hands because the Certificate Signing Request sent to the CA does not contain the private key.
Thats the rub, even if you had an uncompromised machine so many zero days make it possible to obtain such things so if you ever get something like this in your bios http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/ well you might just as well throw your system in the bin.
Edit. I'll chuck this link in as its useful which might be of interest. http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf
I see no point to support of this on pfsense to be honest.. Other than maybe captive portal. For the webgui to admin pfsense.. Just use CA on pfsense to create a cert and trust it on your machines you will admin pfsense from. This really should be a really small list of machines!!
I'm no longer using any encryption to access devices or services lan side as I cant inspect the data, any encryption found can be blocked by snort/suricata and investigated. Things like web access to secure websites now take place on a separate device from a linux live cd with no hard drive or other forms of storage and an easily flashable bios.
As to accessing pfsense, switches etc, as above but usernames/password are locally stored so no radius servers for convenience, as its all about minimising the risk of unknowns or to use a more popular phrase, zero days.
If your so cheap to not want to pay for your ssl.. Just don't bother doing your captive portal via https - or use self signed and deploy that to your users of your captive portal on the your going to have anyway on the http url for the captive portal.
Its not so much about being cheap, but trusting the other entities in the supply chain, as it is we have to trust so many people already, reducing that risk just makes sense, which is why we dont trust some people to do some things for us. Others we have to trust when we are incapable of doing something, but where possible its better to do what you can where possible.
-
Let's Encrypt cert is eventually good for as long as the automation runs.
And how often does it look to update? Every day? What if goes to update day before the cert runs out and fails to update for whatever reason - issue on their end, firewall problem on your end, etc.
I don't see the automated updating of ssl to be a good thing to be honest. While I can see this useful on say personal site on some webhost for more users to start using https for their sites. I just do not really see a need off pfsense.. Its a firewall not a WEB SERVER.. Using some automated process to use https for your webgui just seems silly. There should be what a handful of people accessing a firewall gui in the first place.. So why not just issue your own self signed and have those machines used to access it trust the CA that is completely under your control.
Now if you want to use it on your web server behind pfsense - have at it.. I will prob use this on some of my play systems.. Just don't see need/use on my firewall at all.. Especially when that firewall system has a CA..
-
John,
Please go read up on the subject before acting like an expert.
-
I think too a package would be very useful especially when you use squid reverse proxy with Apache and Exchange.
:)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.