Thinking about replacing my selfsigned certificates


#1

I am still in the exploratory phase of the change over but want to know if it will work the way I am hoping. I will be using Let’s Encrypt on the following hardware / systems:
PROXMOX
QNAP TS-451
Cisco RV042G
D-Link DGS1100-16
D-Link DNS325 & 323
Ubuntu Linux for various VM servers such as web, mail, database, ftp…

I was thinking of making a VM that would run as the security hub and communicate with LE to manage updates and the sort and would then push out the certs to the various devices, hopefully automatically but i could do manual too.

not all of these are accessible outside the network but if I am going to do it for a few why not for all the devices that I can do it on.

Will this and LE work for me or am I better with another approach?


#2

@lilCDNnrg, Let’s Encrypt should be able to work for you but if “not all of these are accessible outside the network”, you would probably be best off using the DNS challenge method (where you prove your control over the servers by making publicly visible DNS record changes). That also avoids needing to make software or configuration changes on each individual machine, assuming that they all have names under a publicly-visible domain name that you control. Your “security hub” could trigger the DNS record changes in response to challenges from the Let’s Encrypt CA, and then push the private keys and certificates to each of your devices – assuming that they can all support something like scp or sftp to perform the deployments and that you can tell each of them to reload when the new certificates are provisioned.


#3

When people do have machines that are accessible to the Internet at large but that can’t necessarily run Let’s Encrypt client software themselves, one approach they’ve taken has been to redirect /.well-known/acme-challenge/ in HTTP from each machine to a central authentication server (the Let’s Encrypt CA will follow the HTTP redirect and then load the challenge file from the central server).

But when you have internal machines with public names but no Internet connectivity, the DNS challenge method is normally more appropriate.


#4

I only have the following external names setup which are mail www and cloud
I currently just have A records setup and none of my servers or machines host names are used outside my network. I have been thinking this may have to change as well too.


#5

@lilCDNnrg, for Let’s Encrypt to issue certificates, you would have to have publicly-visible DNS records for those names that the Let’s Encrypt verification process can look up.

One issue that’s come up in a few threads is that you don’t really need a publicly-trusted certificate like Let’s Encrypt can issue unless you want, effectively, strangers to be able to accept that certificate. If you’re just using it to authenticate your own computers to yourself, you can make that self-signed certificate, add trust to it in your own browsers or clients, and be done with it. For authenticating your own machines to yourself, the self-signed option can actually be considered more secure because there’s a sense in which you know much better than a CA whether those machines are “real” and what keys and certs they’re supposed to have. Let’s Encrypt can confirm whether you proved at a certain time that you controlled the publicly-visible domain name my_nas.example.com, and the general public may believe what Let’s Encrypt has to say about that question, but your own knowledge of what key should be used by my_nas on your own network is more reliable and up-to-date than Let’s Encrypt’s knowledge could ever be.


#6

What about for web and email traffic. Currently I am running an apache server and a modoboa install?

That of course does make sense and I can add the names of each machine or virtual machine to the DNS on problem. Wanting to get the best yet well rounded security option.

I access my email and website on networks outside my own quite frequently.


#7

@lilCDNnrg, it sounds like you do have a good use case for a publicly-trusted certificate if you’re using machines that you don’t control to access your site. If you’re just using your own laptop from various other networks, you could still get by with the self-signed certificate because you just need to add the self-signed certificate as trusted on your laptop once (and redo that when it expires, but you can choose how long that will be).


#8

I have done some more digging and my plan is to have my public servers added to the domain name so it would show something like:
SRVWWW001PML.example.com -> web server
SRVEML001PML.example.com -> email server
SRVSEC001PML.example.com -> security server
SRVRAC001PML.example.com -> access server (gui with vnc/ssh)

and have the www server forward requests for certificates to the sec server which would be setup with the appropriate LE client. I would then use the sec server for managing certificates for example my and also the rac server, mail and www and all my other internal devices (ie NAS drives) as well if possible though I understand not needed as I am controlling both devices and the connection to them.


#9

Cool, good luck and let us know if you run into any difficulties with your plan.


#10

An idea that I’m working on for myself:

Create a subdomain acme.example.com and delegate it to a server of yours. CNAME any _acme-challenge.foo.example.com to foo.acme.example.com. Then either run the simplest nameserver with update capability you can find or hack something together that can answer single DNS requests. I’m writing my own ACME client in Perl with the Net::DNS::Nameserver module. Preparing the challenges consists of forking a DNS server process that answers just what’s needed and is torn down afterwards.

All my servers just upload a CSR to this central ACME server and download their cert afterwards. It’s basically a “CA proxy”.


#11

So I did some digging with the hardware I have, and have found out that most of the devices do not even support / allow me to upload a different certificate other than the one it makes on its own, however a few of the devices can be modified to allow for this. The only devices that will allow for me to upload a certificate are 2 of my NAS boxes, my PROXMOX nodes and my WAPs. Of course my virtual machines will allow for this as you can do almost anything in Linux and about the same with a few more headaches in a Windows enviroment (though I’m not planning on adding any). Would it still be worth the effort to add LE to devices only on a local network that are not accessed outside of the network directly? Is it worth for added security to use LE on my NAS, WAPs and PROXMOX boxes as well?

I plan to have a VM created that will run ssh and VNC and that I plan to have a LE certificate on with auto update if possible. The only other VMs exposed to the internet are my web server and email server that I know work with LE but can they both be on auto update clients if only one has access to port 80 / 443 or should I use a proxy or other “middle man” to make that work?

I was hoping most of my network could be “properly” encrypted but is appears not.


#12

The key benefit of Let’s Encrypt certificates over those minted by yourself are that they will be trusted out of the box by most devices, a friend’s borrowed laptop, the PC in a business colleague’s office, a new iPhone you just bought, and so on. There is no benefit in terms of the quality of encryption algorithms used, protection from attackers and so on.

So I would examine your circumstances and think about whether that trust benefit is important for some or any of the devices (other than the VMs with the externally facing ports) and unless it is, I just wouldn’t bother with Let’s Encrypt. However, for the certificates that aren’t from Let’s Encrypt or another publicly trusted CA, you do need to pay extra attention for the Trust On First Use (TOFU) step where you tell a web browser or similar software to trust this unknown certificate. Avoid software that doesn’t let you apply TOFU principles, because it’s just too tiring to check carefully every single time you use a system - but paying careful attention and taking precautions just once, the first time, is do-able for a home network.

For the second half of your question, consider using DNS challenges instead of HTTP / HTTPS challenges if that’s practical for your setup. Otherwise, consider having the web server handle certificate creation and just copy certificates (securely e.g. with SFTP) and their private key to the other servers. If the web server handles HTTP traffic for example.com and www.example.com and mail.example.com, and the email server handles SMTP and IMAP for example.com and mail.example.com, well you could use the same certificate for both very easily.


#13

What trust benefit? You have it all backwards. Your cert working on your friend’s laptop is not a trust benefit, it’s a convenience benefit and a trust drawback. Did you really think long and hard about every single CA, including some from Turkey, China and who knows where, and whether you fully trust them?

Trust-wise you are best off with a single CA that you control. Every additional CA not under your control weakens trust because the number of unknown third parties increases.

So many people have their trust models completely wrong.


#14

Yup - even you. SSL does not mean trust. We’ve had this discussion before.

Anyhow - I think this is yet another argument for allowing central root domain validation and allow certs for any subdomain to be generated based on that auth. http-01 would be perfect for this - if it was pointed at https://mydomain.com/… for validation purposes.

Very minimal code changes, and instantly makes life easier for many wanting to use LE.


#15

The http-01 challenge through HTTPS is vulnerable to some sort of server misconfiguration. There has been a lot of talk about that in other threads. Conclusion: http-01 directly through HTTPS (when redirected from HTTP it’s fine apparently) is not going to happen.


#16

This gives a CDN serving for your web site power to make certificates for any arbitrary subdomain in your organisation. They can impersonate your Exchange server, your SMTP servers, anything. I doubt Let’s Encrypt would want to proceed on this basis, at least without some sort of CAA flag saying the name owner expects this to happen.


#17

I would expect this to be an account flag. No real reason to keep it within the scope of DNS / HTTP…

EDIT: On reflection, maybe we are better off having a DNS value set that will allow this behaviour. That way, you can have an easily defined set of behaviours.


#18

An account flag? But every soul on earth can make an account and try to get a certificate… Hostnames aren’t bound to accounts.


#19

Not if you rely on third parties. It can, if you don’t.


#20

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.