{"id":1216,"date":"2021-06-01T19:17:45","date_gmt":"2021-06-01T17:17:45","guid":{"rendered":"https:\/\/www.boettrich.info\/blog\/?p=1216"},"modified":"2021-09-29T16:01:33","modified_gmt":"2021-09-29T14:01:33","slug":"lets-encrypt-on-pfsense-haproxy","status":"publish","type":"post","link":"https:\/\/www.boettrich.info\/blog\/beitrag\/lets-encrypt-on-pfsense-haproxy\/","title":{"rendered":"Let’s encrypt on PFsense & HAproxy"},"content":{"rendered":"\n

I got this running for a couple of years now and i’m pretty satisified. The main goal is to have the pfsense handle all the certificate stuff like issuing and renewing the lets-encrypt certificates and not to have those tasks on the backend servers. This includes having the pfsense and the HAproxy handling the acme-challenges as well.<\/p>\n\n\n\n

pfSense does not do this out of the box – one has to install a package and and additional script for handling the validation process. <\/p>\n\n\n\n

Unfortunatelly i never documented the setup nor did i save the links to some usefull sites….<\/p>\n\n\n\n

So here we go to have at least some links and information saved. <\/p>\n\n\n\n

To have the pfSense box getting a certificate by itself one has to install the „ACME“-client in the package manager of the web ui. The intallation should be a straightforward process as the installer takes care of all the dependencies. Next is the creation of an account in the acme client.<\/p>\n\n\n\n

The ACME client is cappable of renewing certificates about to expire – but we need to handle the validation process – at least once for issuing a new certificate. To process acme challenges\/ validations automated with pfsense and HAproxy we need to configure a local lua script served by HAproxy.<\/p>\n\n\n\n

Right now i use this ACME domain validation plugin:<\/p>\n\n\n\n

GitHub – janeczku\/haproxy-acme-validation-plugin: Zero-downtime ACME \/ Let’s Encrypt certificate issuing for HAProxy<\/a><\/p>\n\n\n\n

The haproxy-acme-validation plugin already has a good documentation about how and why one needs this kind of script.<\/p>\n\n\n\n

So in the first step we need to register a new account key – i choose „testing“ in the ACME Server Section:<\/p>\n\n\n\n

<\/p>\n\n\n\n

  1. Fill in the marked fields<\/li>
  2. Click „Create new account key“<\/li>
  3. „Register ACME account key“<\/li>
  4. „Save“<\/li><\/ol>\n\n\n\n
    \"\"<\/a><\/figure>\n\n\n\n

    Now your newly created key should appear in th list:<\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    Before we can issue a new TLS certificate with this key, we need to make sure that the CA can verify we are authorized to issue certificates for this domain. Usually you do this by signing a contract and name persons to do that – these persons authenticate theirselfes to the CA using apporpriate means, for example a smartcard or a certificate. <\/p>\n\n\n\n

    Let’s Encrypt provides multiple ways to prove your’re authorized to issue certificates for this domain – in this case here i choose to use the „HTTP-01 challenge“ type. For this validation mechanism type we need to „install“ the mentioned „haproxy-acme-validation plugin“.<\/p>\n\n\n\n

    For this we go to the haproxy configuration and define a http-only frontend for this:<\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    In this frontend we define the following settings:<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    And actions:<\/p>\n\n\n\n

    <\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    Afterwards we have to „install“ the script handling the validation challenge – this can be found under HAproxy -> Files . We do make a copy of the „errorfile“ (which should already be there in a default setup i guess :-) ) ….<\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    … and make the following changes and copy\/paste the script in into the large textbox:<\/p>\n\n\n\n

    \"\"<\/a><\/figure>\n\n\n\n

    As we are using a pfSense here, haproxy run’s in a chroot-environment so we don’t have to configure the path inside the script :<\/p>\n\n\n\n

    8<<\n-- When HAProxy is *not* configured with the 'chroot' option you must set an absolute path here and pass \n-- that as 'webroot-path' to the letsencrypt client\n\nacme.conf = {\n\t[\"non_chroot_webroot\"] = \"\"\n}\n>>8<\/code><\/pre>\n\n\n\n
    So with this we’re now able to request a new certificate :-)<\/p>\n\n\n\n
    Create a new one – fill in the fields as shown and click save.<\/p>\n\n\n\n
    The „Root folder:“ path here has to be: \/tmp\/haproxy_chroot\/.well-known\/acme-challenge\/<\/p>\n\n\n\n
    \"\"<\/a><\/figure>\n\n\n\n
    Afterwards click „Issue\/Renew“ and a couple of seconds later you should see an output reporting the successfull issue of a certificate:<\/p>\n\n\n\n
    \"\"<\/a><\/figure>\n\n\n\n
    So that’s it – we setup the acme plugin, installed the haproxy-acme-validation plugin and issued a certificate :-) <\/p>\n\n\n\n
    From now on – if configured in the „general settings“ tab – the certificate(s) will be renewed automatically.<\/p>\n","protected":false},"excerpt":{"rendered":"
    I got this running for a couple of years now and i’m pretty satisified. The main goal is to have the pfsense handle all the certificate stuff like issuing and renewing the lets-encrypt certificates and not to have those tasks on the backend servers. This includes having the pfsense and the HAproxy handling the acme-challenges… Weiterlesen »Let’s encrypt on PFsense & HAproxy<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1,6],"tags":[],"class_list":["post-1216","post","type-post","status-publish","format-standard","hentry","category-beitrag","category-technik"],"_links":{"self":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/comments?post=1216"}],"version-history":[{"count":21,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1216\/revisions"}],"predecessor-version":[{"id":1448,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/posts\/1216\/revisions\/1448"}],"wp:attachment":[{"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/media?parent=1216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/categories?post=1216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.boettrich.info\/blog\/wp-json\/wp\/v2\/tags?post=1216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}