Netgate 6100 Network Upgrade

Well the problem is that I don’t want to open the PFSense WebUI to the WAN. So, it would be nice if I could, but from what I know about using Certbot on my HomeLab, it requires access on port 80.

That isn’t how that works. You can use APIs like Cloudflare’s or whatever DNS provider you use to get a certificate. No open ports necessary.


Oh nice. I do use Cloudflare. Can I use my local area network URL, home.arpa? (The full URI is https://tanwenfirewall.home.arpa).

That you cannot do. You need a public domain that you own for LE to work. If you plan on not doing that then you would generate your own self-signed CA and generate certificates from there. You’ll have to install your CA on all your devices though to trust it.

Well, I own several domains that I can use. However, those domains have public access. I like keeping my Firewall WebUI inaccessible from the WAN. I use Wireguard for remote management if I need that.

Again, if you are using the API it won’t need access to your WAN interface. It is all done through your DNS provider.

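What "done through your DNS provider" means in practice is the ACME DNS-01 challenge: the client publishes a TXT record that the CA looks up over public DNS, so nothing on the WAN interface has to listen. The following is an added example, not code from this thread or from pfSense's ACME package; it models the RFC 8555 key-authorization and TXT-value computation and the RFC 7638 JWK thumbprint, with a constructed in-memory `zone` dict standing in for the DNS provider API and the CA's lookup, and constructed placeholder key/token values.

```python
"""Added example (not from the thread): how an ACME DNS-01 challenge is
satisfied through the DNS provider alone, so no port 80/443 on the WAN is
needed. Key authorization and TXT value follow RFC 8555 section 8.4, the
JWK thumbprint follows RFC 7638; the `zone` dict is a constructed stand-in
for the provider API and for the CA's public DNS lookup."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the
    required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key), per RFC 8555 section 8.1."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The value the client publishes at _acme-challenge.<domain>."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def challenge_name(domain: str) -> str:
    return f"_acme-challenge.{domain}."


def publish_txt(zone: dict, domain: str, value: str) -> None:
    """Stand-in for the provider API call (e.g. creating a TXT record
    through Cloudflare's API); constructed, not a real client."""
    zone.setdefault(challenge_name(domain), []).append(value)


def ca_validates(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA does: query TXT at _acme-challenge.<domain> over public
    DNS and compare it with its own computation of the expected value."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(challenge_name(domain), [])


# Constructed sample account key (public part only; placeholder values,
# not a real key) and a constructed challenge token.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "tanwenfirewall.example.com") -> dict:
    """Run one DNS-01 round trip against a constructed zone."""
    zone = {}
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    publish_txt(zone, domain, value)
    return {
        "record": challenge_name(domain),
        "value": value,
        "validated": ca_validates(zone, domain, SAMPLE_TOKEN, SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for this thread: the only thing the CA ever contacts is the authoritative DNS for the domain, so the firewall's web UI can stay reachable from the LAN or WireGuard only. The API token used with the provider should be scoped to editing DNS records for that one zone, since whoever holds it can pass this challenge.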

K, it seems to work, but routing doesn’t work. Do I need to add an entry in my /etc/hosts file? I do have hairpin NAT enabled.

Well, I got this far.

You have to have proper DNS records for your local services, otherwise you will run into a DNS rebind attack.

I added these to the DNS resolver settings in PFSense:

But I also had to do this in System > Advanced > Admin Access:

Not sure that that’s the right way to do things.
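Two separate rebinding protections are involved in the steps above: the DNS Resolver drops answers that map a name to a private address unless the name is one you declared local (host overrides or a private domain), and the web UI refuses requests whose Host header is not the firewall's own hostname, an interface address, or a configured alternate hostname (the Admin Access setting). The following is an added example that models both checks in plain Python; it is not pfSense's or Unbound's code, and the names, records and settings in it are constructed.

```python
"""Added example (not from the thread): the two rebinding-related checks
involved in exposing an internal service under a public domain name.
(1) filter_rebind: resolver-side, in the spirit of Unbound's private-address
    handling: answers carrying private addresses are dropped unless the name
    is one the admin declared local.
(2) host_header_allowed: web UI side, in the spirit of the Admin Access
    rebinding check: the request is refused unless the Host header names
    this firewall.
All names, records and settings here are constructed."""
import ipaddress


def filter_rebind(name: str, answers: list[str], local_names: set[str]) -> list[str]:
    """Return the answers a rebind-protecting resolver would pass on.
    Private-range answers survive only for names declared local
    (exact match or a subdomain of a declared local zone)."""
    name = name.rstrip(".").lower()
    local = {n.rstrip(".").lower() for n in local_names}
    is_local = any(name == l or name.endswith("." + l) for l in local)
    kept = []
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip.is_private and not is_local:
            continue  # public name resolving to a private address: dropped
        kept.append(a)
    return kept


def host_header_allowed(host_header: str, firewall_names: set[str],
                        interface_ips: set[str], alternate_names: set[str]) -> bool:
    """Refuse the request unless the Host header is one of the firewall's
    hostnames, one of its interface addresses, or an alternate hostname."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, maybe with port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:          # hostname or IPv4 with a port
        host = host.split(":", 1)[0]
    allowed = {n.lower() for n in firewall_names | alternate_names} | set(interface_ips)
    return host in allowed


if __name__ == "__main__":
    # Constructed records: an internal host published under a public domain.
    local_zones = {"homelab.codedragon.dev"}
    print(filter_rebind("openwrt.homelab.codedragon.dev", ["192.168.1.2"], set()))
    print(filter_rebind("openwrt.homelab.codedragon.dev", ["192.168.1.2"], local_zones))
    print(host_header_allowed("firewall.codedragon.dev:443",
                              {"tanwenfirewall.home.arpa"}, {"192.168.1.1"},
                              {"firewall.codedragon.dev"}))
```

Read together, the two functions explain the two settings in the post: without the resolver override the public name's private answer is silently dropped (the symptom looks like "routing doesn't work"), and without the alternate hostname the web UI rejects a correctly resolved request because its Host header is the public name rather than the firewall's own hostname.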

@LTS_Tom has an excellent video on HAProxy and Let’s Encrypt certificates: https://youtu.be/bU85dgHSb2E Give it a watch; I’m sure it can point you in the right direction.

While HAProxy is great, I don’t use it as the only way to access the pfSense web UI, because if something goes wrong in HAProxy you will be locked out.


I’ve tried following it, even before @trentc suggested that video, honestly. But I am doing something wrong. I don’t have a TrueNAS system, so I am using my OpenWRT WAP as the guinea pig, and I keep getting served the self-signed cert when I try to access it from the URI I’m using: https://openwrt.homelab.codedragon.dev