Letsencrypt and pfSense certificates

Hi,

I have Letsencrypt installed on one of my Raspberry Pis, which is serving Domoticz on port 443. This has been working for a few years now.

On my 2nd Pi I have a Node-Red server running on port 1883, which I also want to access securely and encrypted.

Now I recently found out that my pfSense router/firewall also has the ability, with the ACME package, to create and renew Letsencrypt certificates.

And how to use the certificates with the pfSense HAproxy package.

Does this mean that if I add both Pis to the HAproxy server and create proper firewall rules, both servers use the same certificate?

And if so, do I have to remove/uninstall letsencrypt from the Pi running Domoticz, or is removing the certificates from the domoticz folder sufficient?


To be able to fully answer your question, one would have to know exactly where you want to terminate the TLS connections.

  • If all will be handled by the pfSense (HAproxy), then you only need to ensure that it can handle the multiple names over the port(s).

  • If the TLS connections are to be terminated at the individual servers, then you may need to separate the secure connections via distinct ports (like: 443 & 1883).

  • If the TLS connections are to be terminated twice (once by the pfSense and then again by the individual servers), you may have to "share" the cert from one system to the other OR switch to DNS authentication.

In ALL cases, if you are going to use HTTP authentication, you will have to make considerations for the multiple FQDNs that will be using the same single external IP and port (TCP 80).


My goal is to handle all by the pfSense (HAproxy)...which should be possible according to some tutorials.

Let's only start with the domoticz client, because this is the one I frequently use and I have a paid service which connects securely to domoticz for voice commands.

Letsencrypt was already installed on this Raspberry Pi client (raspbian buster) a few years ago by following a tutorial on the Domoticz wiki site. Domoticz listens on the http 80 and https 443 ports, but I only open the http 80 port to renew the certificate. I am having difficulties understanding how ssl encryption exactly works, but if I want to access my domotica system from outside, I have to.

However, if the pfSense/ACME/HAProxy is not going to work I need to go back to the old config.

Current configuration:
Letsencrypt certificate created with:
sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email <your email> -d <your complete sub.domain name> -w <user home>/domoticz/www/

With a cert-domoticz-update.sh script the created certificate server_cert.pem is added to the domoticz folder (the same script is used for renewal).

The renewal I do manually instead of with a cron job, because I have to open port 80 on my pfsense router anyway.

My question is, do I have to uninstall letsencrypt from the client to test it on pfSense/ACME/HAProxy, or is removing the server_cert.pem file (temporarily) from the domoticz folder sufficient?

No, that has no effect on any other renewal request.

But if I leave everything on the client as it was, and add this client also to ACME/HAproxy, there are 2 certificates. One on ACME/HAproxy and one in the client's domoticz directory.

I already have tested and created in pfSense with ACME a letsencrypt certificate for subdomain.duckdns.org. (Client is not yet added to pfsense/HAproxy)
When I look at e.g. the private keys, they are different.

How will I know if ACME/HAproxy will work, if I don't remove the existing certificate from the client?

One has nothing to do with the other.
You can use the same cert even in many different places for many different programs.
And you can also use different certs with the exact same name(s) on them.

I refer you back to my first post: Letsencrypt and pfSense certificates - #2 by rg305
And ask if you truly understand:

  • how encryption works
  • where you expect to encrypt/decrypt things

I already mentioned that it is difficult for me to understand.
That's why I am here to learn.

I hoped to do that in the HAproxy server, since installing letsencrypt and creating/renewing certificates on a Pi (raspbian buster) system is time consuming, considering that my Domoticz hardware is upgraded/replaced more often than my pfSense router.
And it is easier to add other possible web-based applications.


I'm not certain this is the best place to learn.

If you are going to do ALL the encryption at that one place, then this may be simple enough to move forward.
But you must understand that this means there will be no encryption (no HTTPS) done at any of the internal systems. [all will be HTTP within the directly accessible local network]
If that configuration is acceptable, then you can simply remove all the encryption from the internal systems and replace it with the HAproxy [which will then only encrypt connections from the Internet].

If you do also require encryption within the internal systems, then we need another plan.
[not so simple]

If you don't want to help people understand things like this, which is fine, it would be better to suggest other good resources for learning. There's nothing wrong with people asking questions, or being confused, on this forum.

The fact that web PKI certificates are independent and don't contradict or invalidate one another (or that they have semantics of "this is a valid key for this subject" rather than "this is the valid key for this subject") is a design decision for the web PKI rather than a consequence of "how encryption works". You could imagine a system where there can only be one valid certificate for a particular subject entity at a time; it would just make (very) different tradeoffs from the system we ended up with for the web.

@gschmidt, @rg305's post #2 is making the valid and helpful observation that there are many different possible ways to set up a configuration where multiple devices share a single public IP address. Some of those ways involve having a single certificate on a single device, some involve having multiple copies of the same certificates on multiple devices, and some involve having separate certificates for the same domain name on different devices, with different cryptographic keys. None of these is more correct or valid than another (although some involve different trust relationships between the different devices that make up your network, so they could be said to manage risk differently). Some of these might be much easier to set up with particular devices and software, compared to others. In all cases, you are allowed to have more than one valid certificate for a given domain name at a given time, but whether this is desirable depends on how you want to set up your network.

When a browser makes an encrypted connection over the network, there is a cryptographic "other side" in the connection which presents the certificate and possesses the corresponding private key. This is almost always a single server machine, although there are advanced configurations (not relevant to your home network!) involving content-delivery networks, or censorship circumvention technologies, where it might involve several different machines.

The server device that is the cryptographic counterpart to the web browser is said to "terminate" the TLS session. Depending on how it's set up, it might then act as a proxy in order to forward the connection to one or more other devices. This behavior might or might not be visible from outside your network.

If you want to terminate TLS on the pfSense device, it would need to act as a proxy (in this configuration, known as a "reverse proxy") to forward web requests to the internal devices. This part does not necessarily need to be done over TLS, and the pfSense device could differentiate where a given connection is forwarded either using different URL path mappings or different port numbers. Alternatively, you could use transport-layer port forwarding to the two different Pi devices, in which case the pfSense device would not terminate TLS, and therefore the Pi devices would do so themselves (therefore needing certificates of their own, or their own copies of the same certificate).
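To make the "terminate TLS on pfSense and reverse-proxy to the Pis" option concrete, here is a hand-written HAProxy configuration in the shape the thread converges on. It is an added illustration, not something any poster shared and not the config the pfSense HAProxy package generates (that package writes its own file from the GUI settings; this shows the equivalent logic in plain HAProxy syntax). It also covers the earlier point about several FQDNs having to share the single external IP and TCP port 80 for HTTP validation: port 80 only serves the ACME challenge path and redirects everything else to HTTPS. The two hostnames stand in for the real subdomain.duckdns.org names, the 192.0.2.x addresses are RFC 5737 documentation addresses standing in for the Pis, the certificate directory path is a placeholder, and the local ACME listener on port 8000 is an assumption (the pfSense ACME package's standalone validation method listens on a port you choose).

```haproxy
global
    log stdout format raw local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# TCP 80 is the one port every name behind this public IP must share for
# HTTP-01 validation. Only the ACME challenge path is answered in the clear;
# all other requests are bounced to HTTPS so no application traffic is
# exposed on port 80.
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_local if is_acme
    http-request redirect scheme https code 301 unless is_acme

# TCP 443: TLS terminates here. HAProxy loads every certificate file in the
# directory and picks one by SNI, so a single cert carrying both names or two
# separate certs (one per name, different keys) both work, as discussed above.
frontend https_in
    bind *:443 ssl crt /path/to/haproxy-certs/ ssl-min-ver TLSv1.2 alpn h2,http/1.1
    acl host_domoticz hdr(host) -i domoticz.example.duckdns.org   # placeholder name
    acl host_nodered  hdr(host) -i nodered.example.duckdns.org    # placeholder name
    # Refuse anything that is not one of the two expected names.
    http-request deny unless host_domoticz or host_nodered
    http-request set-header X-Forwarded-Proto https
    use_backend domoticz if host_domoticz
    use_backend nodered  if host_nodered

# Assumed: the pfSense ACME package's standalone HTTP listener on port 8000.
backend acme_local
    server acme 127.0.0.1:8000

# Plain HTTP to the Pis on the LAN: Domoticz on its http port 80 (its own
# https 443 is no longer used), Node-Red on 1883 as stated in the thread.
backend domoticz
    server pi1 192.0.2.10:80 check

backend nodered
    server pi2 192.0.2.11:1883 check
```

Two practical consequences follow from this layout. First, the hop from HAProxy to each Pi is unencrypted, which is exactly the trade-off described in the earlier reply: only the Internet-facing side is HTTPS. Second, once port 80 is routed like this, the certbot installation on the Domoticz Pi can no longer complete its own webroot validation, because challenge requests never reach the Pi's domoticz/www folder; the existing server_cert.pem there does not conflict with the pfSense certificate (certificates for the same name coexist), but the Pi's renewal should be disabled or the Pi can simply be left on its plain HTTP port so its certificate is no longer needed at all.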

Nothing could be further from the truth.
Please don't twist my (few) words:

This is in fact NOT a place dedicated to learning.

Thanks for the explanation!

Preferably I want to terminate TLS on my pfSense device with ACME/HAproxy (which appears to be a reverse proxy server with a TLS termination possibility). There are online tutorials on how to accomplish this. I don't mind that I can't connect securely inside my home network to these web-based apps.

The reason I want to (eventually) move the encryption part to the pfSense device with ACME/HAproxy is that it takes quite some steps to configure this on an RPi with the raspbian OS, especially the first-time certificate creation, which took quite a while. And the micro-SD card the raspbian OS is installed on and the RPi processor are less solid and fast than the Mini PC where pfSense is installed on.
