How to access pfsense GUI via hostname and let's encrypt

How can I access the pfsense GUI using the hostname and let’s encrypt?

Currently I access my pfsense GUI from https://192.168.3.1 but it uses the default self-signed cert. I’d rather use let’s encrypt to access it via https://home.domain.com or pfsense.domain.com or whatever is the right way to do it. I don’t want the GUI exposed to the outside world, only from within the LAN.

I’ve been studying,
How To Create pfsense Let’s Encrypt Wildcard Certificates using HAProxy
and
How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense
but still can’t figure it out.

Seems like you guys would already have a video covering this specifically, but I can’t seem to find it.

Tips?

-Willie

in the pfsense under “System” -> “Advanced” choose the proper certificate from Let’s Encrypt. Then under “Services” -> “DNS Resolver” add a host entry for the host as shown in my “How To Create pfsense Let’s Encrypt Wildcard Certificates using HAProxy” video.

home.YourDomain.com, pfsense.YourDomain.com, or WhatEverYouWant.YourDomain.com is fine if you have a wildcard cert.

1 Like

One way to do it is through a reverse proxy so the connection would kind of go like:

client----encrypted—>ssl reverse terminating proxy------> unencrypted----->freenas

or you could just install the LE cert directly on FreeNAS and just skip the reverse proxy all together so it would be:

client---------encrypted------>FreeNAS

The tutorial on how to install LE certs on FreeNAS is here (and I’ve verified it actually works) https://www.ixsystems.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/

The only issue with obtaining LE certs – is that the cert provider (Let’s Encrypt in this case) has to verify that you “own” the domain or in other words need some mechanism of proof of identity. Let’s Encrypt validation boils down in a nutshell to either placing a file on your local server (either through a web page or directly on the computer) or being able to write a temporary DNS record into your DNS host. Personally I believe the DNS method is far easier and “possibly safer — use that term loosely” since nothing is being written to your computer. In order to use DNS validation however, your domain name must be serviced with one of the providers supported by Let’s Encrypt (there about 20 of them). Personally I use Cloudflare (I’m not sponsered by Cloudflare). For basic usage its free and its easy to configure DNS records and obtain LE certs.

The freenas tutorial with Lets Encrypt specifically talks about Cloudflare validation, however just be aware this isn’t the only mechanism that could be utilized.

If you are accessing your freenas box from inside your LAN (which it sounds like you are since you are using the 192.168.3.x address block, the only other thing I’d probably recommend is adding a DNS Host Override at the bottom of the pfsense Server/Resolver section. You basically would add an entry that would say pfsense.domain.com–>(IP address of FreeNas box). This alone would allow you to access your pfsense box by hostname rather than IP address.

The pfsense tutorial on LetsEncrypt uses the acme.sh client for obtaining new certificates and for certificate renewal. The other popular client you’ll here a lot about is certbot which I think is written by the people at Let’s Encrypt. I use both clients on various machines however in my humble opinion I really like the acme client. The syntax is a tad more challenging in you’ve never used it before, but what I like about it is that it initially sets up a crontab entry for automatic renewal. I think with certbot you have to set this up manually, however even that isn’t that difficult.

If you need more instructions, let me know. There are many ways to solve the answer the question you are proposing.

This is an older video from Netgate. The GUI cert instructions start at 49:17 or slide 18 if you just want to read them. There is a built in script that you can trigger after ACME renews the cert to restart the GUI and apply the updated cert.

It kind of depends if he wants to keep the certs on the reverse proxy (pfsense/ha proxy) or on FreeNAS itself.

He wants a cert for the pfsense GUI not freenas.

@mouseskowitz

Thats what I thought. It just depends if he wants the certs installed on FreeNAS itself, or the certs are installed on the reverse proxy which would proxy for freenas. Either would be technically valid – it just depends on whether he wants to introduce a reverse proxy. I think we are talking about the same thing here.

Based on Tom’s suggestions above I can now access pfsense via hostname like this:

Screenshot from 2020-03-17 19-14-27

However, as you can see, I still have to add the port. I guess I can live with that.

Here are the relevant settings:

System --> Advanced --> Admin Access

Services --> DNS Resolver --> General Settings


Do this look correct?

Thanks,

-Willie

Your host override section is correct (if you are using HA as the reverse proxy for pfsense). I’m guessing you are probably doing that.

Why not run over port 443 and avoid typing the port number?

The one potential issue I see with using the reverse proxy is access control. The limitation is probably my knowledge of haproxy. With the traditional GUI config it’s easy to limit per subnet access with firewall rules. I’m not sure how to limit per subnet access per url in haproxy. If this doesn’t apply to your use case, you can just ignore my over thinking things.

Yeah, I tried unsetting the TCP port on the webConfigurator page, but pfsense locks me out.

Screenshot from 2020-03-18 00-32-44
The only way back in is to tty usb into the actual Netgate box, choose option 15, revert last change and reboot router.

Hmm the more I think about it

Can you describe your setup exactly? I believe you are using HAProxy?

Do you need HA proxy in the mix?

Can you not just obtain the LE certs directly within pfsense using ACME? Do you have a DNS provider where you could do DNS challenge with Acme for your domain?

I think whats happening is HA proxy is binding ports 80/443 which isn’t making these ports available for the webGUI.

Yes I am using HAProxy. And I do obtain my LE certs via the ACME plugin. Also, I use DigitalOcean for DNS challenge.

Do I need HA proxy in the mix? maybe, maybe not. I want to be able to hit all my LAN server GUI’s (anything that matches *.wbm4.com domain) via https, but only from the LAN side, i.e. behind the firewall. I want them completely hidden on the WAN side. The only way I’ve been able to get this to work is with HAProxy and DNS Resolver and help from Tom’s videos.

How can I check if HAProxy is binding ports 80/443? I can send screenshots if there is something specific you’d like to see.

Thanks for the feedback!

Ok - I didn’t know DIgitial Ocean worked with ACME – good information.

Ok. So it looks like you have your SSL certs installed on pfsense.
Awesome

So - just to clarify – do you have any other listening services either on pfsense itself or a server within your LAN that is listening on port 443 for SSL connections?

Even with HA proxy in the mix I would think technically you could leave your webGUI listening on port 443 (but then your telling me that doesn’t work either so what do I know).

So try this experiment.

Backup current working configuration. (just in case we have to revert)

Verify a few things on pfsense:
Under Services->Acme Certificates —Make sure your certificate is shown
Under System->Advanced->Admin Access->SSL certificate-> Make sure your certificate is selected
Under System->Certificate Manager ->Certificates — You’ll see current and old certificates. Look at the in Use column and make sure Acme and webConfigurator is listed attached to the SSL LE cert. HA proxy will probably also be listed with this cert
Under Service->HA proxy->Settings -> Make sure Enable HA proxy is disabled.

Make sure you can still access pfsense via an IP address (it will bitch about cert name doesn’t match name – which yes your SSL cert doesn’t have the IP address attached – but just choose to bypass and proceed). Just make sure you can do that.

Also as precaution I’d just make sure you can SSH into pfsense box (in case you need to do some “rescue”). You could restore working configuration if needbe this way

AND finally System->Advanced->Admin Access->change TCP port to 443. You might need to SSH into pfsense to restart webConfigurator (maybe not). And just see what happens.

Your firewall rules will actually dictate if your pfsense Webgui is accessible from outside.

To listening services on ports
ssh into pfsense, pick 8 for shell
Then netstat -l -4 will show all listening services on ipv4 ports.

Does that help?

I looked at your post you seems to have correct settings. For it to work you need to change a settings

db4e9bb6d804089f759e8ef7f637f585103326e4_2_515x500

check this option. Let me know if it works after that I might have few other suggestions for you.

Checking this option and removing the TCP port above still locks me out of pfsense.

I have the option checked on that box. What is your TCP port? It should be 443.

It says it defaults to 443 so I just removed 10443 and left it blank. Result: Lockout.

Do you have an antilock rule on the firewall?

Type 443 for the web address. Don’t leave it blank.

Yes I have a lockout rule:

I assume you mean “TCP port” and not “web address”. Manually setting the TCP port to 443 still results in lockout.

As for your longer post above…

I have 5 servers listening on port 443, each of which has a web GUI that I only want accessible via https from the LAN side. Which is the whole reason for using HAproxy in the first place.

Hence, I’ve verified all your checks above up to disabling HA proxy.