Help me understand and fix my problem

I am using an ACME script embedded in OpnSense to create a Let's Encrypt certificate. I have successfully generated a certificate; however, it is not recognised as valid. I suspect that I am trying to do something that is not possible and would like advice, just in case it is possible and I am doing something wrong.

My domain is: baxtersnet.com

I ran this command: Not sure, I put information into the GUI

It produced this output: Produces a certificate

My web server is (include version):

The operating system my web server runs on is (include version): Linux - deployed directly as OpnSense

My hosting provider, if applicable, is: Namecheap and myself

I can login to a root shell on my machine (yes or no, or I don’t know): Haven’t tried, I think it is possible to ssh though

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): OpnSense using the ACME plugin.

I have a number of devices behind the OpnSense firewall that I was planning to expose, however I want to do so with them using SSL. The web interface on the OpnSense switch itself also needs to have SSL working on it; at the moment it uses an internally generated certificate.

I thought I would start by generating a certificate for the router as it is probably the most straightforward. I created the certificate using the router's DNS entry. This was created using the DNS where I bought my domain and points to the IP address of my broadband router (OpnSense). The certificate had just the router.baxtersnet.com address in it and I set it to include OCSP. The certificate was generated and added; however, it shows in the browser as invalid.

I understand why this might be for a browser looking from inside, as it will see the internal NAT's version of the IP address. I am not sure why the external address would not work, though. I am using HTTP verification so it sees the box, and I have allowed port 80 through to the firewall address.

Am I trying to do something impossible? Or am I just doing something wrong? If you can point me at any resources that might clear this up for me I would be grateful.

baxtersnet.com doesn’t have an A nor AAAA record. Therefore, no IP address can be found. The same goes for router.baxtersnet.com. Without DNS verification (i.e., with HTTP verification as you say) you couldn’t have gotten a certificate for those hostnames.

Which corresponds with the Certificate Transparency logs: https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:baxtersnet.com&lu=cert_search

Only a cert for wormhole.baxtersnet.com exists, but that hostname isn’t answering on port 80 or 443.

1 Like
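The reply above boils down to two checks that anyone can run before blaming the ACME client: does the hostname have an A or AAAA record at all (HTTP-01 validation cannot work without one), and, once a certificate exists, does the name typed into the browser actually match a dNSName in the certificate's SAN (browsing to a LAN IP address never does). The following Python is an added example written for this page; it is not code from the thread, from the OPNsense ACME plugin or from Let's Encrypt. The resolver and TCP connector are injectable so the logic can be exercised offline with constructed data; the defaults use the standard library and do real lookups. The hostnames and addresses in the demo are taken from the thread or are documentation ranges, not real results.

```python
"""Preflight checks for HTTP-01 validation and for browser hostname matching.

Added example for this forum page; not the ACME plugin's or Let's Encrypt's code.
"""
import ipaddress
import socket
from dataclasses import dataclass, field


@dataclass
class Preflight:
    hostname: str
    ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)
    port80_reachable: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def default_resolver(hostname):
    """Return (ipv4_list, ipv6_list) for hostname; both empty if no A/AAAA records."""
    v4, v6 = [], []
    try:
        for family, _t, _p, _c, sockaddr in socket.getaddrinfo(
                hostname, 80, proto=socket.IPPROTO_TCP):
            if family == socket.AF_INET:
                v4.append(sockaddr[0])
            elif family == socket.AF_INET6:
                v6.append(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(set(v4)), sorted(set(v6))


def default_connector(ip, port=80, timeout=5.0):
    """True if a TCP connection to ip:port succeeds, the first thing a CA validator needs."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def http01_preflight(hostname, resolver=default_resolver, connector=default_connector):
    """Reproduce the reasoning in the reply: no public address, no HTTP-01 certificate."""
    result = Preflight(hostname=hostname)
    result.ipv4, result.ipv6 = resolver(hostname)
    if not result.ipv4 and not result.ipv6:
        result.problems.append(
            "no A or AAAA record: HTTP-01 cannot reach the host; publish a record "
            "or use DNS-01 validation")
        return result
    # Every published address must answer on port 80; Let's Encrypt prefers the
    # AAAA address when one exists, so a broken IPv6 path fails validation even
    # if IPv4 works.
    for ip in result.ipv4 + result.ipv6:
        reachable = connector(ip)
        result.port80_reachable[ip] = reachable
        if not reachable:
            result.problems.append(f"{ip}: port 80 not reachable from outside")
    return result


def browsed_name_matches(target, san_dns_names):
    """True if the name typed in the browser is covered by the certificate's SAN dNSName list.

    An IP literal (e.g. the LAN address of the firewall) never matches a dNSName,
    which is why a certificate for router.baxtersnet.com shows as invalid when the
    GUI is opened via its internal IP. Wildcards match exactly one leftmost label.
    """
    target = target.rstrip(".").lower()
    try:
        ipaddress.ip_address(target)
        return False  # would need an iPAddress SAN, which this certificate does not carry
    except ValueError:
        pass
    tlabels = target.split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(tlabels):
            continue
        if labels == tlabels:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == tlabels[1:]:
            return True
    return False


if __name__ == "__main__":
    # Live check (performs real DNS and TCP lookups); hostname taken from the thread.
    r = http01_preflight("router.baxtersnet.com")
    print(r)
    print(browsed_name_matches("192.168.1.1", ["router.baxtersnet.com"]))
```

Run it without arguments to repeat the responder's check against a hostname; a `no A or AAAA record` problem means the HTTP-01 challenge was never answerable from the internet, regardless of what the firewall rule for port 80 says. The second function explains the "invalid from inside" symptom on its own: the OPNsense GUI must be reached by the exact name in the certificate (via split DNS or a hosts entry) for the certificate to be accepted, because no amount of NAT configuration makes `192.168.x.x` match `router.baxtersnet.com`.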

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.