Running pfSense, enable Let's Encrypt free SSL cert with Cloudflare

Thanks for posting this, I've been wondering how I might do Let's Encrypt with some intranet-type sites... I realized it would be best with the DNS challenge, unless you want to be opening HTTP stuff to the internet... But you need some way for the server being secured to be able to change some sort of challenge mechanism... I was wondering if you could do something with just like an S3 bucket.

Cool to have a good real-world example of how you would do this for a more specific use case.

And Cloudflare is a solid product.
 
I don't understand where Cloudflare is involved? Are you using Cloudflare to proxy the entire pfSense interface? If so, that sounds like serious overkill.

You can run Let's Encrypt on pfSense via the ACME package built into pfSense. No requirement for Cloudflare, and it limits exposure.
 
Cloudflare provides the API so your secured endpoint can dynamically update its dns-01 challenge; no exposure to the internet needed.
 
Cloudflare provides the API so your secured endpoint can dynamically update its dns-01 challenge; no exposure to the internet needed.

That's what the ACME protocol does; provided natively by the pfSense package.

Nothing against Cloudflare, I use it extensively, but this seems like a strange use case to me.

And excluding use of Argo Tunnels, of course your box has internet exposure. That's how Cloudflare proxies/caches it.
 
Noob question here, but why go through this instead of self-signed CAs?
 
Noob question here, but why go through this instead of self-signed CAs?

Easier to validate as being unchanged. Most people won't remember the fingerprint given by a cert, so would not notice if it was replaced.

On the wire? The same security is provided by both methods; one is just backed by a system of trust.
 
You can also install your own self-signed CA into your browser if you're really that serious about the little green lock. I did it just to try it. Super easy. Doesn't require a domain name or DNS...
There are plenty of guides on doing it. Just make sure it's newer than one year old, because the minimum requirements for FF and Chrome changed around a year ago, and it can cause you to still see the red lock if everything isn't "just right" the way those browsers want it.
 
That's what the ACME protocol does; provided natively by the pfSense package.

Nothing against Cloudflare, I use it extensively, but this seems like a strange use case to me.

And excluding use of Argo Tunnels, of course your box has internet exposure. That's how Cloudflare proxies/caches it.
No, no HTTP exposure. Your pfSense box doesn't have to do the HTTP challenge like your typical internet-facing web site; no web ports need to be exposed on the internet-facing interfaces... allows you to stay masked if you so desire. This is about the challenge-response part of the auto-renewal process, not automatic cert downloading/binding.

Outbound client traffic to the LE servers is a given (as is traffic out to the Cloudflare API in this case).
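As an added example (not code from the thread, pfSense or Cloudflare), this Python sketch shows what the dns-01 challenge-response step actually publishes: the ACME client derives a TXT record value from the challenge token and the thumbprint of its account key (RFC 8555 section 8.4, RFC 7638), places it under _acme-challenge.<domain> through the DNS provider's API, and the CA only ever queries DNS, so no inbound port on the box is needed. The token, JWK coordinates and domain below are constructed values.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, sorted, feed the thumbprint (kid, use, etc. are ignored)
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members, base64url-encoded."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)); never the raw token."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain.rstrip('.')}"


def ca_validates(txt_records: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA does: resolve the TXT name and look for the expected digest (no inbound connection)."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_records.get(dns01_record_name(domain), [])


# Constructed sample data: an EC account key JWK with extra members, and a challenge token.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "acct-1", "use": "sig",
    "x": "Y29uc3RydWN0ZWQteC1jb29yZGluYXRlLW9mLWFuLWFjY291bnQta2V5",
    "y": "Y29uc3RydWN0ZWQteS1jb29yZGluYXRlLW5vdC1hLXJlYWwtcG9pbnQ",
}
TOKEN = "constructed-challenge-token-Xy7Q"

if __name__ == "__main__":
    name, value = dns01_record_name("vpn.example.net"), dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f"publish via DNS API:  {name}  TXT  {value}")
    print("CA would validate:", ca_validates({name: [value]}, "vpn.example.net", TOKEN, ACCOUNT_JWK))
```

The client should remove the TXT record after the order is finalized; a left-over value is harmless to the CA but clutters the zone and hints at the renewal tooling in use.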
 
That's what the ACME protocol does; provided natively by the pfSense package.

Nothing against Cloudflare, I use it extensively, but this seems like a strange use case to me.

And excluding use of Argo Tunnels, of course your box has internet exposure. That's how Cloudflare proxies/caches it.

You use ACME in doing this; read the guide and it explains what Cloudflare is used for.
 