Let’s Encrypt A/AAAA record problem

Oh, so you have some kind of proxy server (like haproxy) on pfSense?

No, not yet. That is my plan, to have HAProxy and ACME.

OK.

Usually in these situations, you issue and use the SSL certificate on pfSense’s haproxy, not on your backend servers. Or in other words, the pfSense server terminates the SSL connection, and then proxies the HTTP connection to your backend servers.

It is sometimes possible to do SSL on your backend servers via SNI prereading on pfSense, but that is a rather complex thing to achieve.

OK, I get what you mean. So I take it I remove all the Certbot stuff on the mail server, then have the HAProxy and ACME packages on the pfSense firewall. I’m doing all the HTTPS SSL on the mail server itself.

Yes, that’s what I would suggest.

On my own similar haproxy setup, I have it configured approximately like this:

frontend ft_http
        mode http
        bind :80
        bind :::80

        acl acl_letsencrypt path_beg /.well-known/acme-challenge/
        use_backend be_certbot if acl_letsencrypt

        use_backend be_default

backend be_certbot
        mode http
        server be_certbot 127.0.0.1:8123

and then I use Certbot to issue the certificate:

certbot certonly -d example.com --standalone --http-01-port 8123 \
--deploy-hook "service haproxy reload"

You’re not using the ACME package on pfSense? Or are you running it on the mail side with HAProxy only?

Oh, this was only generic haproxy + ACME advice. I am not a pfSense user and I’m not sure what is and isn’t possible there.

The general point still stands though - if you want to have domain-based routing and SSL, you must do everything on the pfSense server.

Perhaps a search engine will have some tutorials on how to do that specifically in pfSense, I’m not sure what the best implementation is there.

You see, I followed a guide to get the mail server up and running, and it works: I can send and receive mail without any issues and ActiveSync works, but it’s just this cert problem I am having issues with.

And my blog site works. I plan to move that to HTTPS from HTTP, but this issue with the cert is annoying.

Do you need the certificate for the mail ports (IMAPS, SMTPS, POP3S), or just for HTTPS?

Both. I need a cert for SMTP and IMAP and for webmail. I access emails by webmail on the laptop and workstation.

OK. Here is what I propose.

  • For HTTPS certificate, use pfSense ACME tool to have both www.violetdragonsnetwork.co.uk and mail.violetdragonsnetwork.co.uk on the SAN list. This should work because pfSense terminates SSL for port 443.

  • For secure mail ports, install Certbot and certbot-dns-rfc2136 on the mail server, and issue a certificate by using that plugin against the external view of your BIND9 zone. Use that certificate for your mail servers.

So the task is split in two - HTTPS on pfSense, and secure mail on the mail server.

(This is assuming you have mail ports directly forwarded to mail server, without proxying).

OK, sweet. Will I need to add the ACME challenge to my zones in BIND9?

Have a look at the plugin documentation. You will need to add an nsupdate key on your BIND server with permission to update the external view of your zone, and Certbot will automatically create the _acme-challenge record using that key.

I thought I had to add the _acme-challenge record, which I haven’t. I will take a look at the plugin documentation and see what the outcome is. Hope it fixes the issue.

I do plan to add other domains to the mail server, as I have my parents’ domain and my business domain.

HAProxy doesn’t work. I tried it and it doesn’t do anything. I’m kinda stuck with this lot, don’t think it’s going to work :(

How far did you get? Are you using the built-in haproxy on pfSense?

Another question - on your mail server, what port is nginx running on? Is it definitely port 80?

sudo ss -tlnp | grep -E ":(80|443)"

Hi _az

I have been testing out HAProxy with pfSense along with the ACME package and I have it working on two of the domains. I plan to set this violetdragonsnetwork.co.uk domain up with this method. It seems to work fine; it took some setting up, but I got there. Next is to do this domain with websrv and mail.

Hi _az, how do I run certbot-dns-rfc2136? What about the TXT record?

https://certbot-dns-rfc2136.readthedocs.io/en/latest/ has examples of both configuring BIND and also running Certbot with the plugin.

It will create the TXT record - that’s the point of the plugin.
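Added example, not code from the thread or from Certbot/haproxy: it shows what the two challenge types discussed above actually put on the wire, the body that the haproxy + `certbot --standalone` setup earlier in the thread has to answer for HTTP-01, and the TXT value that certbot-dns-rfc2136 creates for DNS-01 (RFC 8555 §8.1, §8.3, §8.4; RFC 7638 for the account-key thumbprint). Knowing the derivation lets you check a failed validation from the CA’s side instead of guessing: fetch the path or query the TXT name and compare against the expected value. The hostnames are the ones from the thread; the account key, token and "observed" DNS answers are constructed sample data, and the helper names are this example’s own.

```python
"""Derive and check ACME HTTP-01 / DNS-01 challenge responses.

Added example (not from the forum thread). Account key, token and the
"observed" answers are constructed; the hostnames come from the thread.
"""
import base64
import hashlib
import json
from typing import Iterable


def b64url(data: bytes) -> str:
    """ACME uses base64url WITHOUT '=' padding (RFC 8555 §8.1 -> RFC 4648 §5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    """base64url(SHA-256(data)), the building block of both challenge values."""
    return b64url(hashlib.sha256(data).digest())


def jwk_canonical(jwk: dict) -> str:
    """RFC 7638 §3: keep only the required members for the key type, sort the
    member names lexicographically and serialise with no whitespace.
    Optional members such as "alg" or "kid" must NOT influence the thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url_sha256(jwk_canonical(jwk).encode("utf-8"))


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{thumbprint}"


# --- HTTP-01: what the /.well-known/acme-challenge/ backend must serve ---
def http01_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def verify_http01(body: str, token: str, thumbprint: str) -> bool:
    """The CA fetches the path over plain HTTP on port 80 and compares the
    body (trailing whitespace ignored) with the key authorization."""
    return body.rstrip() == key_authorization(token, thumbprint)


# --- DNS-01: what certbot-dns-rfc2136 publishes through nsupdate/TSIG ---
def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.4: the TXT value is the base64url SHA-256 digest of the
    key authorization, not the key authorization itself."""
    return b64url_sha256(key_authorization(token, thumbprint).encode("utf-8"))


def verify_dns01(txt_records: Iterable[str], token: str, thumbprint: str) -> bool:
    """The CA accepts the challenge if ANY TXT record at the name matches, so
    a stale record left over from an earlier issuance does not break it."""
    return dns01_txt_value(token, thumbprint) in set(txt_records)


# Constructed sample data: NOT a real account key or CA-issued token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xCONSTRUCTED-not-a-real-modulus",
    "alg": "RS256",      # optional member, excluded from the thumbprint
    "kid": "acct-123",   # optional member, excluded from the thumbprint
}
SAMPLE_TOKEN = "c0nstructedT0ken_ZWx6aHRlc3Q"  # constructed, same shape as a real token

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_ACCOUNT_JWK)
    print("HTTP-01 path :", http01_path(SAMPLE_TOKEN))
    print("HTTP-01 body :", key_authorization(SAMPLE_TOKEN, thumb))
    print("DNS-01 name  :", dns01_record_name("mail.violetdragonsnetwork.co.uk"))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, thumb))
```

The two values differ on purpose: HTTP-01 serves the key authorization itself, DNS-01 publishes only its digest, which is why a TXT record containing the raw `token.thumbprint` string will never validate. When a challenge fails, compare what `curl -s http://mail.violetdragonsnetwork.co.uk/.well-known/acme-challenge/<token>` or `dig +short TXT _acme-challenge.mail.violetdragonsnetwork.co.uk` returns against these derived values; the check is done over the same plain-HTTP port 80 path that the haproxy `acl_letsencrypt` rule routes, so a redirect to HTTPS or a response from the wrong backend shows up there.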

Hi folks,

Sorry for such a slow reply, I have been busy with work.

I plan to move my BIND9 DNS to DigitalOcean’s DNS and use the API option in ACME with HAProxy, but here’s my issue: that’s the web services sorted, but what about mail?

Does the cert for Postfix expire like it does with web servers? Should I still use the rfc2136 method?

Thanks.

Jack.