
Topics - jimp

Packages / MOVED: Password Leak In Squid Cache Log
« on: March 16, 2018, 09:46:25 am »

General Questions / MOVED: Monthly traffic reports?
« on: March 15, 2018, 02:59:40 pm »

Packages / ACMEv2 is live!
« on: March 13, 2018, 03:10:04 pm »
The wonderful crew at Let's Encrypt have officially released the ACMEv2 servers for production use!

If you have the latest version of the ACME package on pfSense, 0.2.4, you can register a new key against the ACMEv2 production server and then use it to sign a key which includes wildcard domains.

Wildcard validation requires a DNS-based method, and works similarly to validating a regular domain. For example, to get a certificate for "*", you need to update a TXT record in DNS the same as you would for "", which means the DNS record (and potentially key name) would be for "".

As a reminder unrelated to ACME, but wildcard certificates in general, the wildcard only helps for one level of subdomains deep. For example, "*" will work for "" but will NOT work for "". If your hosts are structured in this way, you will need a wildcard certificate for each sub zone, e.g. "*".

For more information on how to use the ACME package on pfSense, see

EDIT: I just pushed version 0.2.5 to sync up with bugfixes for issues found after the ACME v2 launch, plus a fix for the "No Key ID in JWS header" error seen by some users when first attempting to issue a wildcard certificate.

Hardware / MOVED: Sg4680 won't boot
« on: March 13, 2018, 10:24:56 am »

General Questions / MOVED: XG-1541 Boot Error.
« on: February 28, 2018, 03:32:56 pm »

Packages / ACME package update for ACME v2
« on: February 27, 2018, 04:05:40 pm »
ACME package v0.2.1 is available now for users on 2.4.2, 2.3.5, and with the next snapshot runs of 2.4.3 and 2.3.6.

This is a sizable update to the ACME package which includes a number of improvements, including:

* updated to support ACME v2
* Wildcard domain support
  * EXPERIMENTAL!! This requires ACME v2 and ONLY the staging server is online right now. Use for testing only.
* ACME v2 server URLs added to Account Key options
  * EXPERIMENTAL!! ONLY the staging server is online right now. Use for testing only. Let's Encrypt is launching this service for production use soon, but it has been delayed.
* E-Mail Address support added to Account Key options
* Improve key length processing when creating a new certificate ( ) -- Must be a new certificate entry, renewing a certificate will not generate a new private key even if the selected size has changed.
* Fix DNS-Manual issue/renew action ("call hook error"/no cert imported)
* Misc other bug fixes

New Providers:
* AutoDNS (InternetX)
* Azure (Microsoft)
* DreamHost
* Namesilo
* Selectel
* Zonomi

Providers with updates/bug fixes:
* Aliyuncs
* ClouDNS
* Cloudxns
* Cloudflare
* GoDaddy
* Hurricane Electric
* ISPConfig
* Luadns
* NS1
* Yandex

The methods I am able to test here all worked fine, but as with any big update there is a potential for regressions. If any setup that was working before has broken in some way, please let me know, and be sure to include log output from the screen and /tmp/acme/<name>/*.log

If you need help setting up ACME for the first time, please start a separate thread.

Packages / ACME Package for ACME v2 coming
« on: February 07, 2018, 10:54:02 am »
I am working on getting the ACME package ready for the launch of ACME v2 later this month. I have synchronized the code in the devel branch for 2.4.3 snapshots but not for other versions yet. It won't show up until the next snapshot run. Look for ACME package version

For users of existing certificates, not much will change, but it's good to make sure existing certificates still renew properly, and that new certificates on the v1 servers work as expected.

You cannot create a trusted wildcard certificate yet because Let's Encrypt does not have production ACME v2 servers online until later this month. The staging server is up, and you can use it to ensure that your validation is working properly for when the production servers go live.

Updates include

* updated to support ACME v2
* Wildcard domain support
  * EXPERIMENTAL!! This requires ACME v2 and ONLY the staging server is online right now. Use for testing only.
* ACME v2 server URLs added to Account Key options
  * EXPERIMENTAL!! ONLY the staging server is online right now. Use for testing only. Let's Encrypt is launching this service for production use later this month.
* E-Mail Address support added to Account Key options (Let's Encrypt -- NOT this package -- will send you an e-mail if your certificate is expiring and hasn't been renewed)
* Misc bug fixes

New Providers:
* AutoDNS (InternetX)
* Azure (Microsoft)
* Namesilo
* Selectel

Providers with updates/bug fixes:
* Cloudflare
* ISPConfig
* Yandex

Creating a Wildcard certificate

Wildcard certificates require ACME v2 and a DNS-based validation method. They cannot be used with other modes (e.g. standalone, webroot, webroot ftp, haproxy integration, etc).

To make a wildcard certificate, you must validate for the base domain of the wildcard. For example: To make a wildcard certificate for "*", you must be able to update the TXT record for A common practice is to set up a certificate that contains both the and * domains and use the same update method for both.

Special note for nsupdate/RFC2136: Set the Key Name to in this case
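The two rules stated in the wildcard posts above (validate a wildcard at its base domain so "example.com" and "*.example.com" share one DNS record, and a wildcard covers only one label of subdomain) are illustrated below. This is an added example, not code from the pfSense ACME package or from acme.sh. One assumption comes from the ACME specification (RFC 8555 dns-01) rather than from the posts: the validation TXT record lives at the label `_acme-challenge` prefixed to the identifier with any leading `*.` removed. The domain names are constructed sample input.

```python
"""Wildcard certificate planning helpers (constructed illustration).

Not code from the pfSense ACME package or acme.sh. Assumption taken from
RFC 8555 (dns-01), not from the forum posts: the TXT record name is
"_acme-challenge." + identifier with any leading "*." stripped.
"""

ACME_CHALLENGE_LABEL = "_acme-challenge"


def dns01_record_name(identifier: str) -> str:
    """Return the TXT record name that proves control of `identifier`.

    A wildcard is validated at its base domain, so "*.example.com" and
    "example.com" both resolve to "_acme-challenge.example.com". That is
    why one DNS update method (and, for nsupdate, one key name) serves
    both entries of a combined certificate.
    """
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    if not name or "*" in name:
        raise ValueError(f"unsupported identifier: {identifier!r}")
    return f"{ACME_CHALLENGE_LABEL}.{name}"


def records_for_certificate(sans):
    """Group requested SANs by the TXT record each one needs."""
    plan = {}
    for san in sans:
        plan.setdefault(dns01_record_name(san), []).append(san)
    return plan


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Does `cert_name` cover `hostname` under RFC 6125 wildcard rules?

    A wildcard stands for exactly one label: "*.example.com" matches
    "www.example.com" but neither "example.com" (zero labels) nor
    "a.b.example.com" (two labels). Non-wildcard names must match exactly.
    """
    cert_name = cert_name.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not cert_name.startswith("*."):
        return cert_name == hostname
    base_labels = cert_name[2:].split(".")
    host_labels = hostname.split(".")
    return (
        len(host_labels) == len(base_labels) + 1
        and host_labels[1:] == base_labels
    )


def wildcards_needed(hostnames):
    """Return the sorted set of wildcard names needed to cover `hostnames`.

    Hosts two levels below the apex need a wildcard in their own sub zone,
    e.g. "db.internal.example.com" needs "*.internal.example.com".
    """
    needed = set()
    for host in hostnames:
        labels = host.rstrip(".").lower().split(".")
        if len(labels) < 3:
            raise ValueError(f"{host!r} has no parent zone below the TLD")
        needed.add("*." + ".".join(labels[1:]))
    return sorted(needed)


if __name__ == "__main__":
    # Constructed sample input: an apex plus two sub zones.
    hosts = ["www.example.com", "db.internal.example.com", "app.internal.example.com"]
    for wc in wildcards_needed(hosts):
        print(wc, "->", dns01_record_name(wc))
    for host in hosts:
        print(host, "covered by *.example.com:", wildcard_matches("*.example.com", host))
```

Run the module directly to see that `db.internal.example.com` is not covered by `*.example.com` and that a second wildcard, `*.internal.example.com`, is required, each validated by its own `_acme-challenge` record at the respective base domain.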

DHCP and DNS / MOVED: acme certificate with DNS-Manual
« on: February 06, 2018, 07:55:05 am »

Hardware / MOVED: HA : slave sg-8860 red status
« on: January 24, 2018, 07:47:17 am »

First, this is not specific to pfSense or our ACME package but to Let's Encrypt and ACME clients in general.

Security researcher Frans Rosén found a flaw in the ACME specification for TLS-SNI-01 and TLS-SNI-02 in cases where shared hosting operates in certain less-than-ideal ways with regard to certificates and serving content on port 443. Let's Encrypt followed the spec, so it was possible in certain specific shared hosting cases to obtain a certificate for another domain on the same shared hosting service. Once Let's Encrypt was alerted and confirmed the problem, they shut down TLS-SNI-01/02 validation. They have since re-enabled it in a limited capacity, mostly for renewals. All of the details are here:

What that means for LE/ACME users is that if you currently use "Standalone TLS Server" mode to validate certificates, you should move to another method as soon as possible, for example, use Standalone HTTP Server or a DNS method. Even though the problem only affects shared hosting scenarios, the specification doesn't have any way to isolate that scenario.

It will be possible to renew via TLS-SNI-01 for a short time yet; Let's Encrypt has not announced a cutoff date, but I would not count on it being active for long. Switch ASAP.

Packages / ACME Package Updates 0.1.31-0.1.34
« on: January 05, 2018, 02:25:46 pm »
I have made some updates to the ACME package over the last few days, including:

0.1.31: Convert ACME's nsupdate method to use the more reliable ddns-confgen key file syntax. Also add an optional key name field to the nsupdate method which should allow zone keys to work. Existing entries need no modifications.
0.1.32: Update to 2.7.6, Added new providers from, Servercow, and UnoEuro
0.1.33: Add a checkbox to standalone http/tls modes to optionally bind to IPv6 instead of IPv4. Implements #7519
0.1.34: Add an ACME option to write certificates to the filesystem on install/renew. Implements #7706

If any problems come up, let me know, thanks!

Hardware / MOVED: SG-1000 OpenVPN
« on: December 06, 2017, 01:27:38 pm »

Traffic Monitoring / MOVED: Anyone have a guide for FRR and OSPF?
« on: December 05, 2017, 03:25:36 pm »
