Koozali.org: home of the SME Server

2 SSL Certificate: LetsEncrypt + auto signed ?

Offline Jáder

2 SSL Certificate: LetsEncrypt + auto signed ?
« on: August 31, 2018, 03:11:23 AM »
Hi,

I'm integrating pfSense with SME using LDAP auth, and that requires importing the SSL certificate from SME into pfSense.
That's working for now... but in 30 days my LetsEncrypt certificate will be renewed and I'm afraid this will break that integration. So I'll have to copy the SSL certificate again from SME to pfSense.

Can I generate a self-signed certificate (machine-name.mydomain.com) and have it active at the same time as the LetsEncrypt certificate (renewed every 60 days)?
TIA.

...

Offline mmccarn

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #1 on: August 31, 2018, 01:18:09 PM »
I don't know of any way to do this "out of the box".  Here are some ideas on how you might get it done, though:

1. Use a ".local" domain on the server, and don't include that in your letsencrypt updates
Set the primary domain name to a private value, and exclude it from letsencrypt updates.  I don't know what cert would then get used by imaps or smtps, though...

2. Customize the cert settings for ldaps
ldaps uses the certificate in /var/service/ldaps/ssl/slapd.pem.  To customize this, you would have to customize /etc/slapd.conf (specifically /etc/e-smith/templates/etc/openldap/slapd.conf/12tls) and /var/service/slapd/control/1 -- which does not appear to be templated (so your updates would be destroyed any time e-smith-ldap is updated).  You would also have to make sure that the SME self-signed cert was regenerated when needed (annually by default) or is created with a non-standard expiration date (more than 12 months?)

3. Figure out how to use the pfSense CLI to update the cert, then create a script on the SME server that connects to pfSense and updates the cert any time the LetsEncrypt cert is updated.  I couldn't find (in 5 minutes or so) anything describing this process in Googles.

4. Use a VPN or ssh tunnel between pfSense and your SME, then use unencrypted LDAP.
I have no idea if pfSense will let you do this, but I used to do it to test ldap auth against my office Active Directory from various testbeds at home.  I would create an ssl connection forwarding port 389 to the ldap server, then configure the testbed to authenticate against localhost.

5. Schedule a process to update the pfSense manually
I dreaded the 90-day LetsEncrypt expiration window when I started using it. I have a problem since I need certs on two of my home systems (SME for imaps, smtps, Ubuntu for nextcloud), but I only have one IP address. I keep meaning to roll out a "permanent" solution, but here it is a year later, and I've been doing the updates manually every 2.5 months or so (I have to change the port forwarding on my firewall for port 80, then run the letsencrypt update on the system that failed...).  Since I have a failing system I get handy reminder emails from Letsencrypt...

6. Buy a "real" 3 year or 5 year cert...

Offline ReetP

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #2 on: August 31, 2018, 01:39:39 PM »
Use the hookscripts already provided in the contrib just like it says in the wiki:

https://wiki.contribs.org/Letsencrypt#Obtaining_certificates_for_other_servers

Just make sure you can do password-less scp to your pfsense box.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline michelandre

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #3 on: August 31, 2018, 02:01:20 PM »
Hi Jáder,

- A discussion:
Automating Certificate imports with letencrypt script,
https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script

- update-ssl-certs-on-pfsense:
https://github.com/robinvanleeuwen/update-ssl-certs-on-pfsense

Michel-André

Offline Daniel B.

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #4 on: August 31, 2018, 02:04:19 PM »
Don't bother with any of this. Just import the Let's Encrypt CA once on your pfSense box, and be done with it. Every 2 months SME will get a new cert, but the new one can still be validated by the same LE CA.
It's the end of the world!!! :lol:

Offline Jáder

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #5 on: August 31, 2018, 02:48:05 PM »
Quote
I don't know of any way to do this "out of the box".  Here are some ideas on how you might get it done, though:

1. Use a ".local" domain on the server, and don't include that in your letsencrypt updates
Set the primary domain name to a private value, and exclude it from letsencrypt updates.  I don't know what cert would then get used by imaps or smtps, though...
It appears to create a problem bigger than the manual update of the cert every 2 months.

Quote
2. Customize the cert settings for ldaps
ldaps uses the certificate in /var/service/ldaps/ssl/slapd.pem.  To customize this, you would have to customize /etc/slapd.conf (specifically /etc/e-smith/templates/etc/openldap/slapd.conf/12tls) and /var/service/slapd/control/1 -- which does not appear to be templated (so your updates would be destroyed any time e-smith-ldap is updated).  You would also have to make sure that the SME self-signed cert was regenerated when needed (annually by default) or is created with a non-standard expiration date (more than 12 months?)
It appears to be too complicated to use on a production server... I'm afraid of breaking something else.

Quote
3. Figure out how to use the pfSense CLI to update the cert, then create a script on the SME server that connects to pfSense and updates the cert any time the LetsEncrypt cert is updated.  I couldn't find (in 5 minutes or so) anything describing this process in Googles.
That's a solution IF I can find out a way... I think this is PLAN B... if I cannot find an alternative to call PLAN A...
Quote
4. Use a VPN or ssh tunnel between pfSense and your SME, then use unencrypted LDAP.
I have no idea if pfSense will let you do this, but I used to do it to test ldap auth against my office Active Directory from various testbeds at home.  I would create an ssl connection forwarding port 389 to the ldap server, then configure the testbed to authenticate against localhost.
AFAIK this will not work.
Both machines are on the same network. I'm using authentication because SME does not allow authentication of users if not on the SSL port (636).
Quote
5. Schedule a process to update the pfSense manually
I dreaded the 90-day LetsEncrypt expiration window when I started using it. I have a problem since I need certs on two of my home systems (SME for imaps, smtps, Ubuntu for nextcloud), but I only have one IP address. I keep meaning to roll out a "permanent" solution, but here it is a year later, and I've been doing the updates manually every 2.5 months or so (I have to change the port forwarding on my firewall for port 80, then run the letsencrypt update on the system that failed...).  Since I have a failing system I get handy reminder emails from Letsencrypt...

6. Buy a "real" 3 year or 5 year cert...
These do not apply to me... I neither wish to spend on a real certificate if I can use LetsEncrypt, nor wish to do the manual job if I can avoid it.

Anyways, thanks for your suggestions.
...

Offline Jáder

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #6 on: August 31, 2018, 02:52:44 PM »
Quote
Don't bother with any of this. Just import Let's encrypt CA once on your pfsense box, and be done with it. Every 2 months sme will get a new cert, but the new one can still be validated by the same LE CA

I think this is the way I'll follow for now... I'm not willing to break something that is working... I'll wait till Sept 17th and see what the pfSense response is to an update of the LetsEncrypt certificate.

Thanks for all the suggestions... I'll keep it on HOLD for 20 days and be back later next month.
Regards
...

Offline Jáder

Re: 2 SSL Certificate: LetsEncrypt + auto signed ?
« Reply #7 on: November 09, 2018, 11:21:10 PM »
Quote
Thanks for all suggestions... I'll keep in HOLD for 20 days and be back later next month.
Regards
I'm back!
I've learned more about the problem in this time.
1) I must import the external CA (not the certificate!), so I'll import the LetsEncrypt CA and not any certificate.
So once it works, it will work forever! GOOD!!!
2) I have a working config on another client, but they are using the SMESERVER internal CA... and have no problem!
3) I'm using a command to get the certificate from the LDAP server:
Code:
openssl s_client -connect <fqdn>:636 </dev/null | openssl x509
If I try to use the pfSense authentication interface, I only get it working if not using SSL, so the problem is the SSL certificate.
I'll need to get help from pfSense forum.

BUT if anyone has other ideas, I'm glad to hear from you!
Regards,

Jáder
...
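The advice in Reply #4 and the conclusion in Reply #7 (pfSense must trust the issuing CA, not the leaf certificate), shown as an added shell example that is not from the thread or from SME Server. It assumes only the openssl CLI (1.1.1 or later); the CA, the hostname and the two leaf certificates are constructed locally as stand-ins for the Let's Encrypt CA and the certificate SME serves before and after a renewal.

```shell
#!/bin/sh
# Added example, not from the thread: why pfSense should trust the issuing CA
# rather than the leaf. A constructed local CA stands in for the Let's Encrypt
# CA; "old"/"new" are the leafs SME would serve before and after a renewal.
# Assumes only the openssl CLI (1.1.1+); the hostname is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {   # produces ca.pem, the one file you would import into pfSense
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Stand-in LE CA" -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" >/dev/null 2>&1
}
issue_leaf() {   # $1 = name, $2 = hostname; fresh key each time, like a renewal
  openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.pem" >/dev/null 2>&1
}
verify_against() {   # $1 = trust anchor pfSense holds, $2 = cert the server presents
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
make_ca
issue_leaf old sme.example.com
issue_leaf new sme.example.com
# Trusting the CA: the current and the renewed cert both verify.
ca_trust_survives_renewal() {
  verify_against "$WORK/ca.pem" "$WORK/old.pem" &&
    verify_against "$WORK/ca.pem" "$WORK/new.pem"
}
# Pinning the leaf: the renewed cert is unknown to it, so validation fails.
pinned_leaf_breaks_on_renewal() {
  ! verify_against "$WORK/old.pem" "$WORK/new.pem"
}
# Same check against a live LDAPS port: the thread's s_client command plus -CAfile; exit 0 only if the served chain validates.
check_live_ldaps() {   # $1 = fqdn, $2 = CA file
  openssl s_client -connect "$1:636" -CAfile "$2" -verify_return_error \
    </dev/null >/dev/null 2>&1
}
ca_trust_survives_renewal && echo "CA trust: survives renewal"
pinned_leaf_breaks_on_renewal && echo "pinned leaf: breaks after renewal"
```

Run check_live_ldaps against the real SME host once the LE CA is exported to see, before the September renewal, whether the served chain validates against that CA alone.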