Running pfSense, enable Let's Encrypt free SSL cert with Cloudflare

Discussion in 'Networking & Security' started by MrGuvernment, Sep 1, 2018.

  1. MrGuvernment (PM Kyle for the Title You Pick.; 19,777 messages; joined Aug 3, 2004)
  2. goodcooper ([H]ardForum Junkie; 10,268 messages; joined Nov 4, 2005)
    Thanks for posting this, I've been wondering how I might do Let's Encrypt with some intranet-type sites... I realized it would be best with the DNS challenge, unless you want to be opening HTTP stuff to the internet... But you need some way for the server being secured to be able to change some sort of challenge mechanism... I was wondering if you could do something with just like an S3 bucket.

    Cool to have a good real-world example of how you would do this for a more specific use case.

    And Cloudflare is a solid product.
     
  3. PaulTech ([H]Lite; 83 messages; joined Jan 20, 2004)
    I don't understand where Cloudflare is involved. Are you using Cloudflare to proxy the entire pfSense interface? If so, that sounds like serious overkill.

    You can run Let's Encrypt on pfSense via the ACME package built into pfSense. No requirement for Cloudflare, and it limits exposure.
     
  4. goodcooper ([H]ardForum Junkie; 10,268 messages; joined Nov 4, 2005)
    Cloudflare provides the API so your secured endpoint can dynamically update its dns-01 challenge; no exposure to the internet needed.
     
  5. PaulTech ([H]Lite; 83 messages; joined Jan 20, 2004)
    That's what the ACME protocol does, provided natively by the pfSense package.

    Nothing against Cloudflare; I use it extensively, but this seems like a strange use case to me.

    And excluding the use of Argo Tunnels, of course your box has internet exposure. That's how Cloudflare proxies/caches it.
     
  6. Meeho (2[H]4U; 3,894 messages; joined Aug 16, 2010)
    Noob question here, but why go through this instead of self-signed CAs?
     
  7. PaulTech ([H]Lite; 83 messages; joined Jan 20, 2004)
    Easier to validate as being unchanged. Most people won't remember the fingerprint given by a cert, so they would not notice if it was replaced.

    On the wire? The same security is provided by both methods; one is just backed by a system of trust.
     
  8. FNtastic (Gawd; 796 messages; joined Jul 6, 2013)
    You can also install your own self-signed CA into your browser if you're really that serious about the little green lock. I did it just to try it. Super easy. Doesn't require a domain name or DNS...
    There are plenty of guides on doing it. Just make sure the guide is newer than one year old, because the minimum requirements for Firefox and Chrome changed around a year ago, and that can cause you to still see the red lock if everything isn't "just right" the way those browsers want it.
     
  9. goodcooper ([H]ardForum Junkie; 10,268 messages; joined Nov 4, 2005)
    No, no HTTP exposure. Your pfSense box doesn't have to do an HTTP challenge like your typical internet-facing web site; no web ports need to be exposed on the internet-facing interfaces... This allows you to stay masked if you so desire. This is about the challenge-response part of the auto-renewal process, not automatic cert downloading/binding.

    Outbound client traffic out to the LE servers is a given (as is traffic out to the Cloudflare API in this case).
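To make the dns-01 flow described in this thread concrete, here is an added example (not from the thread, the pfSense ACME package, or Cloudflare) that computes the `_acme-challenge` TXT value the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over `token.thumbprint`, with the thumbprint per RFC 7638) and then plays the CA's validator, which only consults DNS and never connects to the host. The `publish_txt` function is a hypothetical stand-in for the outbound DNS-provider API call (the Cloudflare API call in the thread); the JWK, token and domain are constructed sample values, not real key material.

```python
import base64
import hashlib
import json

# RFC 7638: only the REQUIRED public members of each key type are hashed.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """The record the validator queries for a dns-01 challenge on `domain`."""
    return f"_acme-challenge.{domain}"


def publish_txt(zone: dict, name: str, value: str) -> None:
    """Hypothetical stand-in for the DNS provider API (e.g. a Cloudflare TXT-record create
    over outbound HTTPS). The zone is modelled as a dict of name -> set of TXT values."""
    zone.setdefault(name, set()).add(value)


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """What the CA does: resolve the TXT records and compare; nothing is fetched from the host."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(challenge_name(domain), set())


# Constructed sample inputs: a fake EC P-256 account JWK (extra member "kid" must be ignored
# by the thumbprint) and a fake challenge token. None of this is real key material.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "ignored-by-thumbprint",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "fw.example.internal") -> bool:
    """Client side publishes the record via the provider API; CA side validates via DNS only."""
    zone = {}
    publish_txt(zone, challenge_name(domain), dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    return validate_dns01(zone, domain, SAMPLE_TOKEN, SAMPLE_JWK)


if __name__ == "__main__":
    print("dns-01 validated:", demo())
```

The only network paths this needs in practice are outbound: the ACME client talks to the CA over HTTPS and to the DNS provider's API over HTTPS, and the CA talks to public DNS. Nothing listens on the firewall's WAN side, which is the property the thread is arguing about. The thumbprint ignores `kid`, so the same account key produces the same record value regardless of metadata the client attaches to the JWK.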
     
  10. MrGuvernment (PM Kyle for the Title You Pick.; 19,777 messages; joined Aug 3, 2004)
    You use ACME in doing this. Read the guide and it explains what Cloudflare is used for.