Replacing the Self Signed Certificate in OPNsense with Let's Encrypt

  • Published on 29 Jun 2024
  • You may have noticed that when you log into OPNsense you see a browser warning, because a self-signed certificate is used for the web interface by default. You can replace the self-signed certificate with a free Let's Encrypt certificate using the ACME plugin.
    A self-signed certificate is less secure than one issued by a trusted certificate authority, since nothing authoritative vouches for it. Malicious users can easily generate their own self-signed certificates, and you will have no way to tell which self-signed certificate is the legitimate one.
    In order to use a Let's Encrypt certificate, you must use a real domain name you own or a dynamic DNS domain name. I use Cloudflare as an example.
    For a written version of this guide, please visit my website:
    homenetworkguy.com/how-to/rep...
    00:00 Introduction
    01:13 Setting up an API Key (Cloudflare)
    04:08 Installing the ACME client
    05:22 ACME Settings page overview
    05:34 ACME Accounts page
    06:10 ACME Challenge Types page
    07:48 ACME Automations page
    08:24 ACME Certificates page
    11:00 ACME Settings page
    11:35 Changing the default certificate
    12:16 Logging into OPNsense web UI
    13:12 Outtake
    EP20
  • Science & Technology
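After switching the web UI over to the new certificate, a practitioner will want to confirm that the browser is really being handed a CA-issued certificate and not the old self-signed one. The script below is an added example, not part of the video or its written guide: it pulls the leaf certificate the OPNsense web UI presents and reports whether it is self-signed, who issued it, whether it covers the host name, and whether it still has the 30-plus days of validity that a working ACME renewal should maintain. The host name opnsense.example.com is a constructed placeholder; only the openssl command-line tool is required.

```sh
#!/bin/sh
# Added example (not from the video): verify that an OPNsense web UI no longer
# serves its default self-signed certificate. Needs the openssl command-line tool.
# opnsense.example.com below is a constructed placeholder host name.

# fetch_cert HOST [PORT]: print the leaf certificate the server presents, in PEM form.
fetch_cert() {
  fc_host=$1; fc_port=${2:-443}
  openssl s_client -connect "$fc_host:$fc_port" -servername "$fc_host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# cert_is_self_signed PEM: succeed when issuer and subject are identical, which is
# what the factory-default OPNsense web certificate looks like.
cert_is_self_signed() {
  cis_subject=$(openssl x509 -in "$1" -noout -subject)
  cis_issuer=$(openssl x509 -in "$1" -noout -issuer)
  [ "${cis_subject#subject=}" = "${cis_issuer#issuer=}" ]
}

# cert_issuer_org PEM: print the issuer's organisation name, e.g. "Let's Encrypt".
cert_issuer_org() {
  openssl x509 -in "$1" -noout -issuer -nameopt sep_multiline | sed -n 's/^[[:space:]]*O=//p'
}

# cert_matches_host PEM HOST: succeed when the certificate's SAN (or CN) covers HOST.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_valid_for_days PEM DAYS: succeed when the certificate is still valid DAYS from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# assess_cert PEM HOST: print one line per check; exit 0 only if all checks pass.
assess_cert() {
  ac_rc=0
  if cert_is_self_signed "$1"; then
    echo "FAIL: certificate is self-signed (issuer equals subject)"; ac_rc=1
  else
    echo "OK:   issued by $(cert_issuer_org "$1")"
  fi
  if cert_matches_host "$1" "$2"; then echo "OK:   name matches $2"
  else echo "FAIL: certificate does not cover $2"; ac_rc=1; fi
  # ACME clients renew roughly 30 days before expiry; less than that suggests renewal is broken.
  if cert_valid_for_days "$1" 30; then echo "OK:   valid for more than 30 days"
  else echo "WARN: expires within 30 days, check the ACME automation"; ac_rc=1; fi
  return $ac_rc
}

# check_webui_cert HOST [PORT]: fetch the live certificate and assess it.
check_webui_cert() {
  cw_tmp=$(mktemp) || return 1
  fetch_cert "$1" "${2:-443}" >"$cw_tmp" && assess_cert "$cw_tmp" "$1"
  cw_rc=$?; rm -f "$cw_tmp"; return $cw_rc
}

if [ $# -gt 0 ]; then check_webui_cert "$@"; fi   # e.g. sh check_webui_cert.sh opnsense.example.com
```

Run it from a machine on the management network; a non-zero exit status means at least one check failed, so it can also be dropped into a cron job as a renewal watchdog.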

Comments • 97

  • @juha_uotila
    @juha_uotila 10 months ago +1

    Thanks for another great tutorial. Your videos are the one main reason I switched to OPNsense from pfSense.

    • @homenetworkguy
      @homenetworkguy 10 months ago

      You’re welcome! Glad you found them helpful for your transition!

  • @JasonsLabVideos
    @JasonsLabVideos 10 months ago +4

    Your hard work is appreciated by a lot of people!! We will do our collab soon, I swear it!!

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Thanks! I know you've had quite a backlog of reviews to finish, but I see you have been working through several recently!

  • @kanes5105
    @kanes5105 9 months ago

    Thanks for putting this out. I messed up the Hostname on my first attempt, went back and sorted it out, and all is great! Thanks again!

    • @homenetworkguy
      @homenetworkguy 9 months ago

      Nice! I'm glad that it worked for you once you got that sorted out!

  • @alexisbeaulieu9207
    @alexisbeaulieu9207 10 months ago

    As always, that's a lot of valuable information. Thanks!

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Thanks! Lots more to come!

  • @atomikrobot300099
    @atomikrobot300099 10 months ago

    Thank you for finally encouraging me to do this! I've been lazy with some other self-signed certs in my homelab too!

    • @homenetworkguy
      @homenetworkguy 10 months ago +1

      Glad it helped you make the move! I do this same basic process for my reverse proxy on my DMZ network so I can have legitimate certificates for all my apps/services.

    • @atomikrobot300099
      @atomikrobot300099 10 months ago +1

      @homenetworkguy That's awesome you've done legitimate certificates for all your services! Your "Deploy Nginx Proxy Manager in a DMZ with OPNsense" is great!
      I've dreaded properly deploying and hardening a CA for my homelab. Finishing off my remaining cert needs with a reverse proxy, Let's Encrypt and ACME is a much better phased approach.
      PS: Your blog posts have really helped me over the years and I've recommended them to many people who've made the switch over to OPNsense!

  • @heykenthay
    @heykenthay 10 months ago +1

    Thank you for your videos and all your hard work. It's really helped me with my OPNsense install.

    • @homenetworkguy
      @homenetworkguy 10 months ago

      You're welcome! I'm glad it has helped! I'm just getting started with the video content, but I'm trying to get more of it produced for those who prefer videos over written content.

  • @starfoxBR77
    @starfoxBR77 10 months ago

    Thank you! I was waiting for this!

  • @AnttiPW
    @AnttiPW 6 months ago

    Thanks for the tutorial. I got "validation failed" the first time, but after copy-pasting the key again, it for some reason worked.

    • @homenetworkguy
      @homenetworkguy 6 months ago

      Nice! It happened to me while editing the video. Don’t think it has to be like that normally but I may have copied the wrong key or something.

  • @shuflel
    @shuflel 8 months ago

    Great video! Thanks for explaining it in such detail :D

    • @homenetworkguy
      @homenetworkguy 8 months ago

      Thanks! You’re welcome! Glad you found it helpful.

  • @TismoGaming
    @TismoGaming 10 months ago +1

    Thank you for your videos. I hope you convert all your articles concerning OPNsense into videos!!!

    • @homenetworkguy
      @homenetworkguy 10 months ago +2

      Thanks! I’m working on it! Sometimes I focus on a slightly different topic than what I’ve written about, so they’re not always exactly the same as the written guides.
      For new guides, I try to do both a written and a video version around the same time to keep them more consistent, and it saves some time as well.

  • @rockbaoboa9346
    @rockbaoboa9346 4 months ago +1

    Thank you very much for the video.... You won another write-up

  • @zigotica
    @zigotica 5 months ago

    super awesome and easy to follow video, thank you so much!

    • @homenetworkguy
      @homenetworkguy 5 months ago

      Thanks! Glad you found it helpful!

  • @seungmincho5691
    @seungmincho5691 5 months ago

    Thanks so much!! Finally I can auto-renew my SSL certificate.

  • @mukky5808
    @mukky5808 3 months ago

    Thank you, you make my life easier 😊😊

    • @homenetworkguy
      @homenetworkguy 3 months ago

      I’m happy to have saved you some effort! Hmm, I’m not quite sure why it would work for some and not the other networks without more info and digging in. I did notice that if I tried to use the hostname of the router but tried to access it on a different network (such as accessing 192.168.1.1 from the 182.168.20.1 network which is a VLAN), it would work because the router’s hostname represents all IP addresses of all the interfaces. So it was using the IP address of 192.168.20.1 instead of 192.168.1.1 but I only had the OPNsense interface listening on the 192.168.1.1 interface.

  • @djbusters
    @djbusters 10 months ago +1

    This is a super easy and fun way to explain certs in OPNsense. Thank you. Even though I'm not using the same provider for DNS, it works like a charm.
    Just one request: I hope you can slow down a bit while explaining the topic. You don't have to, but it makes it a bit easier to follow. :)

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Thanks! Glad you found it easy. I’ll try to slow down a bit but I know I’m still slower than some other videos I’ve watched from other content creators. There’s a fine line between slow and boring. Haha.

    • @djbusters
      @djbusters 10 months ago

      @homenetworkguy Hehe! Yes, there is a fine line. Since you are slower and your choice of words and delivery is easier to understand, the experience of watching your content is edifying. And a reason to be watching your channel rather than going to some other channel!

  • @MrSoulMonk
    @MrSoulMonk 3 months ago

    Superb!

  • @adamradel1648
    @adamradel1648 several months ago

    Thank you!!!!!

  • @jeytis72
    @jeytis72 10 months ago

    Great and useful video. It works like a charm. One question. I have a website running on a pc behind OPNsense, in its LAN, and I'd like to enable https for it. Do I need to create another token? Thanks

    • @homenetworkguy
      @homenetworkguy 10 months ago +1

      No, you can use the same token. If you're using Nginx Proxy Manager for instance, you can use the same token for Cloudflare to generate and renew certificates for apps/services behind your proxy. I use a wildcard certificate for all my apps/services behind my proxy.

    • @jeytis72
      @jeytis72 10 months ago

      @homenetworkguy Both OPNsense and the web server run in a virtual environment. No Nginx PM. A video on wildcard certificates would be great as well; I have never used one. I don't know how to set it up, actually. Thanks

  • @fleetfoot9034
    @fleetfoot9034 10 months ago

    This was great. Thanks for this. I did notice, however, now I can access the web GUI from the internet (using my WAN IP address). Not sure why this happened.

    • @homenetworkguy
      @homenetworkguy 10 months ago

      It sounds like you have NAT reflection enabled. I doubt your web interface is exposed to the Internet unless you created firewall rules to open access. Look under Firewall > Settings > Advanced to see if you have any options checked under the “Network Address Translation” section.
      You could always test connecting to your web interface from your phone using the external IP (from your cellular connection) to verify whether your web interface is actually exposed to the Internet or not.

    • @fleetfoot9034
      @fleetfoot9034 10 months ago

      @homenetworkguy Thanks for your quick reply. I don't have any options checked there. I tested from my phone and was indeed able to access the GUI. I found in one of your other videos to change the web GUI listen interface, which I think fixed the issue.
      System > Settings > Administration > Web GUI > Listen interfaces

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Ohh, if you had the web interface listening on the WAN that could explain the problem (although I would think you would still need firewall rules to allow access). You may want to review the firewall rules just to make sure you don't have more access allowed than necessary (like allowing port 443 on the WAN interface).

    • @fleetfoot9034
      @fleetfoot9034 10 months ago

      I haven't touched the WAN firewall rules. I don't see anything allowing port 443, but I'm still wrapping my head around firewall rules in general. I can see that there are 24 rules that are there by default.

  • @andyd2k
    @andyd2k 2 months ago +1

    Could there be additional configuration when using AdGuard and using Unbound as upstream? I’m able to get a cert and everything else up, but otherwise it times out when using the domain name.
    I’m still able to access the router via IP or the name I gave it as a DNS rewrite in AdGuard.

    • @homenetworkguy
      @homenetworkguy 2 months ago

      What IP address does your router's domain name point to? I typically like to only have my web UI in OPNsense listen on the management interface, but I have one PC on a different network, so I encounter an issue where it wants to use the gateway IP address for that PC network rather than 192.168.1.1. I created an entry in the hosts file to point to 192.168.1.1 on my PC to resolve the issue, but there are other ways to handle that. Someone emailed me and tried to explain a complicated way to resolve the issue, but I didn't fully understand all the details. I took the simplest approach and added the hosts entry since there's only one machine on a different network that needs access.

    • @andyd2k
      @andyd2k 2 months ago

      @homenetworkguy Yeah, I saw that you mentioned that in the guide. For now I haven't spent any time with VLANs, so everything is on LAN on 192.168.10.x

  • @QuantumByteHub
    @QuantumByteHub 7 months ago

    Thank you for your video. I cannot seem to get it set up.
    error [Wed Nov 15 23:22:06 CET 2023] Not valid yet, let's wait 10 seconds and check next one. / failed to update txt record

    • @homenetworkguy
      @homenetworkguy 7 months ago

      That is very strange. I don’t know exactly what that means. You may have to consult the ddclient documentation or examples on how to set it up with your DNS provider of choice (unless you are also using Cloudflare). I know the other day when Cloudflare had some outages, I was getting some errors accessing their API to update the DNS records.

  • @diedrichguenther401
    @diedrichguenther401 2 months ago

    Can you use the Cloudflare certificate and key given to you when you set up the FQDN & SSL rather than Let's Encrypt?

    • @homenetworkguy
      @homenetworkguy 2 months ago

      Yes, you can import other certificates, but those don’t auto-renew, so you would have to import new ones manually (but you can set a longer expiration date than the shorter-lived Let’s Encrypt certificates).

  • @MrAasi4
    @MrAasi4 6 months ago

    Hi, great tutorial, but my process stops at the part about Cloudflare ID and zone. Because I don't have any webpages, I can't find these in my profile.

    • @homenetworkguy
      @homenetworkguy 5 months ago

      If you registered your DNS through Cloudflare, you should have sites listed under "Websites". Otherwise, if you are registered elsewhere and have your nameservers pointed to Cloudflare's servers, you will need to add your domain on the "Websites" page so you can see your Zone/Account ID for that domain.

  • @3dmakerzone75
    @3dmakerzone75 10 months ago

    I'm getting ready to setup my Let's Encrypt certificate and had a question after rewatching your video. You mentioned that you didn't need a DNS entry for the router-test subdomain but how does it get resolved to 192.168.1.1?

    • @homenetworkguy
      @homenetworkguy 9 months ago +1

      Sorry, didn’t see this earlier because it held the comment for review.
      I meant that you don’t need to create a subdomain with your registrar if you only are using the hostname internally on your network.
      Unbound DNS in OPNsense will be able to resolve your router’s hostname.

  • @hcjkruse
    @hcjkruse 6 months ago

    It is easy if you have a DNS provider with a supported API. Bought a silly domain this morning just for my internal network. Migration from a made-up domain was easy enough. Also used it for my Proxmox server.
    Any thoughts about:
    1. What to still configure for a domain you only use for an internal network? I did set up Secure DNS, an abuse email and antispam protection.
    2. Any thoughts about managing Let's Encrypt certificates from a central place?
    3. Wildcard certificates for a TrueNAS Kubernetes environment?

    • @hcjkruse
      @hcjkruse 6 months ago

      Thanks!

    • @homenetworkguy
      @homenetworkguy 6 months ago

      1. You don’t really need to do anything for a domain name you own if you only want to use it internally. If you are using an external email provider with your custom domain name, you would want to set up the appropriate settings for that provider (DKIM, etc.) to prevent spoofing emails from your domain and other abuse. If you’re not using external email, you don’t really need to do anything for internal use.
      2. You don’t really need to manage Let’s Encrypt from a centralized location on your network, especially since they are autogenerated. I have my OPNsense box generate LE certs and I also have a reverse proxy that generates certs. The reverse proxy can be an automatic centralized location for certs for any apps/services running behind the proxy, so in a way it could be your centralized location (but you don’t need to manually copy-paste certs to servers that need new certs).
      3. If you use a DNS challenge with LE, you can make use of wildcard certs on your reverse proxy and I imagine also with Kubernetes (I haven’t tried Kubernetes before to know how to set it up).

    • @hcjkruse
      @hcjkruse 6 months ago

      @homenetworkguy One nasty thing I discovered is that OPNsense registers the same internal name for all (V)LANs it has the web interface enabled on, as well as for the external WAN interface. Since DNS works round-robin randomly in my browser, the web interface is partially not usable by internal domain name. I solved this by disabling Unbound on the WAN side and having the web interface only listen on LAN. It can be accessed from some VLANs by setting firewall rules.

  • @abe488
    @abe488 3 months ago

    Is it required to have an FQDN? I have researched it and it looks like you do require an FQDN. Is there a method to not need an FQDN?

    • @homenetworkguy
      @homenetworkguy 3 months ago

      I think for Let’s Encrypt certificates you need to use real domains so you need to have hostname + domain name.
      I saw someone mention on Reddit that one of the advantages of using a traditional certificate authority (that isn’t free) is that you can assign certificates to .local and other internal host names: www.reddit.com/r/opnsense/s/Fw70ffAs6H

  • @TismoGaming
    @TismoGaming 10 months ago

    Worked for a week, then started getting a “can’t reach this page” error.
    I am on OPNsense version 23.7.3 and ACME version 3.19

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Really? I haven't heard of that yet, but I also haven't updated to 23.7.3 yet because I like to wait a few days or a week before updating to the latest version to make sure all is good (mostly with Zenarmor, since OPNsense doesn't test out all of the 3rd party plugins).

  • @aidanbazan7769
    @aidanbazan7769 2 months ago

    Can you use this to add HTTPS certificates to other websites on the LAN? If yes, can you do a tutorial?

    • @homenetworkguy
      @homenetworkguy 2 months ago

      Some of the other proxy plugins in OPNsense like HAProxy support using certificates generated from the ACME Let’s Encrypt plugin so you could put websites behind that. I personally prefer to put the reverse proxy in the DMZ network so if a compromise occurs, it’s not on the router/firewall system. Not sure how much security it buys you but makes me nervous to run the reverse proxy on the firewall box itself (unless perhaps they were virtualized on the same system and in separate VMs/CTs). There’s nothing preventing you from using ACME on multiple systems generating Let’s Encrypt certificates for the same domain name. I do it for various reasons and it works great.

  • @MrKalindro
    @MrKalindro 10 months ago

    Doing God's work, thanks

    • @homenetworkguy
      @homenetworkguy 10 months ago

      Haha, thanks. I’m glad you like the video.

  • @Apollopayne25
    @Apollopayne25 10 months ago

    Just followed everything to 10:52. Refreshed the page and now have a 503 error, service unavailable?

    • @homenetworkguy
      @homenetworkguy 10 months ago +1

      Hmm, really? At 10:52, I haven't even switched over to use the new certificate so nothing should have changed with the web interface. I have rarely encountered 503 issues but I think some could have been due to other services I had running and something was a bit wonky (so I restarted the services or rebooted the machine and all was well).

    • @Apollopayne25
      @Apollopayne25 10 months ago

      @homenetworkguy Sorry, the router froze at that point. I rebooted it and got back into the router, then completed it. All up and running. Thank you for all your great videos.

    • @homenetworkguy
      @homenetworkguy 10 months ago +1

      Ohh good, I'm glad it worked properly!

  • @sullenfps
    @sullenfps 10 months ago

    Followed this exactly and it says validation failed :(

    • @homenetworkguy
      @homenetworkguy 10 months ago

      As you can see in the outtakes, that happened to me, but after copying and pasting the API key, account ID, and zone ID again, it worked for me. I believe "validation failed" means there is something wrong with the credentials or the permissions assigned to the ones you are using (or you are using the wrong zone ID). Not sure if the logs can help explain the issue in more detail.

  • @starfoxBR77
    @starfoxBR77 10 months ago

    And, my new struggle is to get UPnP working... Geezzz haha

    • @homenetworkguy
      @homenetworkguy 10 months ago

      I don't have UPnP installed, so I haven't experimented with that yet since NAT-PMP works well enough for my purposes, but I know many who want to use UPnP for their game consoles.

    • @starfoxBR77
      @starfoxBR77 10 months ago

      @homenetworkguy Exactly... I started the endeavor yesterday following a Reddit post on the OPNsense sub... Had to set Outbound NAT to Hybrid, etc... Let's see how it goes, haha. Thanks again.