Netgate SG-1000 microFirewall

Author Topic: ACME/Letsencrypt: generate certs for VMs in LAN  (Read 362 times)

0 Members and 1 Guest are viewing this topic.

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
ACME/Letsencrypt: generate certs for VMs in LAN
« on: November 20, 2017, 04:29:07 am »
I have the request to provide Certs for multiple VMs behind pfsense. Doing multiple port forwardings is too messy, so I would like to generate the certs on pfsense and take it from there, for a start doing it manually.

I successfully generated such a cert and now have to import it into a Java keystore.

This tool asks for a "srckeystore password" when I try something like:

/usr/bin/keytool -destkeystore /etc/demo/keystore.jks  -noprompt -importkeystore -srckeystore /etc/intranet/my_example_com_LE.p12  -srcstoretype PKCS12

I took the p12 from the pfsense-webgui .... how to do that? Do I have to generate my own p12 and assign a password first?
please advise, thanks

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #1 on: November 20, 2017, 10:00:20 am »
Why bother with all of that? Setup HAProxy and keep all of the LE and certificates on pfSense, and let HAProxy talk to the backends.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #2 on: November 20, 2017, 10:23:02 am »
I never thought that this package might help here.
Would that work for webservers accessed within LAN only as well?
We have VMs for intranet etc there which are not accessible from outside but need SSL anyway.
And I am looking for the most efficient way to automate SSL-Cert-Renewal.

thank you for the pointer, I will look for beginner's howtos etc

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #3 on: November 20, 2017, 10:24:54 am »
That's all up to however you set it up and however you have your DNS/links/bookmarks/etc set.

If the hostname resolves to an address on the firewall, the firewall has haproxy setup on that address, and the firewall can reach the target servers then haproxy can work fine for that.

But you will want to be extra careful if you mix public and private services on haproxy, you will need to make sure you don't accidentally expose anything to the Internet that should be internal.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #4 on: November 20, 2017, 01:51:54 pm »
on my way, that triggers new ideas ...

One question: can I have HAproxy run on a second (virtual IP) on WAN interface?
Otherwise I would have to move pfsense-GUI to some other https-port, right?

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21404
  • Karma: +1437/-26
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #5 on: November 20, 2017, 01:53:41 pm »
The GUI will want to bind to everything on its port, so it's best to move the GUI and let haproxy take over 443.

Or you can run haproxy on an alternate port on localhost and port forward in on WAN:443 to haproxy.

Lots of different ways around that.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #6 on: November 20, 2017, 04:16:39 pm »
set up haproxy as local root for ACME: helpful ;)
And figured out my first SSL-passthrough after moving the pfsense-https-port: first tests look good.

*thanks* for that pointer and providing these features.

In this specific environment I will at first move things from plain portforwardings to haproxy-only: everything cached and configured in there.
2nd step: move single VMs to SSL-termination maybe. Got to learn more at first.

We have 2 sites there, 2 pfsenses connected via IPSEC, I wonder if it makes sense to proxy http(s)-traffic between the 2 sites .... at first I have to come up with 2 local DNS-zones in form of local zones -> that is another topic/thread, I assume  ;)

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN -> HAproxy
« Reply #7 on: November 21, 2017, 08:06:07 am »
If I want to run the connection from HAproxy to the backend encrypted as well, I assume I could create a selfsigned and long-life cert on pfsense for that?
And then edit the backend to make HAproxy use that cert as its client cert? Is that correct?

Offline Mats

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +7/-1
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN -> HAproxy
« Reply #8 on: November 22, 2017, 03:08:22 am »
If I want to run the connection from HAproxy to the backend encrypted as well, I assume I could create a selfsigned and long-life cert on pfsense for that?
And then edit the backend to make HAproxy use that cert as its client cert? Is that correct?

I belive that should work.
I Had an internal PKI in place so I just added a cert from that PKI chain to my PFsense box + the root cert for the chain.

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #9 on: November 26, 2017, 04:33:50 am »
I have no internal PKI yet, so I am unsure how to start here. Generate a cert based on the pfsense original CA? With 5 yrs lifetime or so and only use it internally ...

And 2nd question:

does that self-signed internal cert also have to "point to" the same FQDN as the one the haproxy runs with? That would mean I have to have 2 certs per target machine, one for the external HA-proxy-frontend, and one for the connection between HA-proxy and the individual backend. Maybe use DNS-aliases for the internal one?

sorry for being slow here ...
« Last Edit: November 27, 2017, 07:58:48 am by sgw »

Offline homer2320776

  • Newbie
  • *
  • Posts: 5
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #10 on: December 01, 2017, 01:36:15 pm »
I don't use any self signed certs on the Haproxy side, Acme takes care of it all for the VM's, basically just a passthrough. All you should need to do is create an account key in acme and it'll add itself as a CA in your Cert Manager.

After than, you can go under certificates in Acme and add one. I use a single certificate for all the VM's behind Haproxy.


I also add an action at the bottom to restart Haproxy after renewal, but I forgot to SS that.

Here is an album that I put together too, showing how HAproxy forwards the traffic.

https://imgur.com/a/FCre3

Offline sgw

  • Jr. Member
  • **
  • Posts: 77
  • Karma: +1/-0
    • View Profile
Re: ACME/Letsencrypt: generate certs for VMs in LAN
« Reply #11 on: December 02, 2017, 12:58:36 pm »
thanks for that informative feedback, will pick up some of your suggestions as soon as I find the time to continue that project.

Edit:

You use SSL-Offloading for all VMs, OK, same as here. My additional wish is to encrypt the traffic from HAproxy to the backends as well, with a separate SSL-cert with long lifetime, ideally also generated/refreshed on pfsense. So the config of these backends is my current issue.
« Last Edit: December 03, 2017, 05:26:03 am by sgw »